CN117675387B - Network security risk prediction method and system based on user behavior analysis - Google Patents

Network security risk prediction method and system based on user behavior analysis Download PDF

Info

Publication number: CN117675387B
Application number: CN202311704449.1A
Authority: CN (China)
Prior art keywords: request, access, risk, user, behavior
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN117675387A
Inventors: 莫豪, 高翔, 谢松林
Current assignee: Guangzhou Dayue Information Technology Co ltd
Original assignee: Guangzhou Dayue Information Technology Co ltd
Application filed by Guangzhou Dayue Information Technology Co ltd
Priority to CN202311704449.1A
Publication of CN117675387A
Application granted
Publication of CN117675387B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure provides a network security risk prediction method and system based on user behavior analysis, and relates to network security technology, the method includes: receiving access request information of a user, wherein the access request information comprises a target request program, current request time and a request IP address; performing request risk assessment to generate a request risk index; when the request risk index meets a preset request risk index threshold, responding to request information of a user, and monitoring access behaviors of the user in real time to obtain behavior monitoring data; constructing a behavior feature recognition channel; performing user access risk assessment on the behavior monitoring data to obtain an access risk assessment index; and when the access risk assessment index meets a preset access risk index threshold, generating a network risk early warning signal to perform access optimization management. The method can solve the technical problem of poor accuracy of network security risk prediction, can improve the accuracy of network security risk prediction and improve the protection capability of network security.

Description

Network security risk prediction method and system based on user behavior analysis
Technical Field
The present disclosure relates to the field of network security technologies, and more particularly, to a method and system for predicting network security risk based on user behavior analysis.
Background
With the development of computer networks, their openness, sharing and degree of interconnection have steadily grown, and network security problems have grown with them. In the field of network security, user behavior analysis is mainly used to identify the access behaviors of users; risk prediction is carried out according to the behavior identification results, and corresponding protection measures are then formulated. The existing user behavior analysis methods analyze behavior at low fineness, so the analysis results are inaccurate and unknown network security risks cannot be accurately predicted.
The existing network security risk prediction method has the following defects: the accuracy of the analysis result of the user behavior is poor due to insufficient fineness of the analysis of the user behavior, and the accuracy of the network security risk prediction is poor.
Disclosure of Invention
Therefore, in order to solve the above technical problems, the technical solution adopted in the embodiments of the present disclosure is as follows:
The network security risk prediction method based on user behavior analysis comprises the following steps: receiving access request information of a user, wherein the access request information comprises a target request program, current request time and a request IP address; performing request risk assessment based on the target request program, the current request time and the request IP address, and generating a request risk index; when the request risk index meets a preset request risk index threshold, responding to request information of a user, and monitoring access behaviors of the user in real time to obtain behavior monitoring data; calling a user historical access behavior log and performing data mining to construct a behavior feature recognition channel; performing user access risk assessment on the behavior monitoring data based on the behavior feature recognition channel to obtain an access risk assessment index; and when the access risk assessment index meets a preset access risk index threshold, generating a network risk early warning signal, and performing access optimization management according to the network risk early warning signal.
A network security risk prediction system based on user behavior analysis, comprising: the access request information receiving module is used for receiving access request information of a user, wherein the access request information comprises a target request program, current request time and a request IP address; the request risk index generation module is used for carrying out request risk assessment based on the target request program, the current request time and the request IP address, and generating a request risk index; the user behavior monitoring module is used for responding to the request information of the user when the request risk index meets a preset request risk index threshold value, and monitoring the access behavior of the user in real time to obtain behavior monitoring data; the behavior feature recognition channel construction module is used for retrieving a user history access behavior log and carrying out data mining to construct a behavior feature recognition channel; the access risk assessment module is used for carrying out user access risk assessment on the behavior monitoring data based on the behavior feature recognition channel to obtain an access risk assessment index; the network risk early warning signal generation module is used for generating a network risk early warning signal when the access risk assessment index meets a preset access risk index threshold value, and performing access optimization management according to the network risk early warning signal.
By adopting the technical method, compared with the prior art, the technical progress of the present disclosure has the following points:
the method can solve the technical problems that the accuracy of the analysis result of the user behavior is poor and the accuracy of the network security risk prediction is poor due to insufficient fineness of the analysis of the user behavior in the existing network security risk prediction method. Receiving access request information of a user, wherein the access request information comprises a target request program, a current request time and a request IP address; performing request risk assessment based on the target request program, the current request time and the request IP address, and generating a request risk index; when the request risk index meets a preset request risk index threshold, responding to request information of a user, and monitoring access behaviors of the user in real time to obtain behavior monitoring data; calling a user historical access behavior log and performing data mining to construct a behavior feature recognition channel; performing user access risk assessment on the behavior monitoring data based on the behavior feature recognition channel to obtain an access risk assessment index; and when the access risk assessment index meets a preset access risk index threshold, generating a network risk early warning signal, and performing access optimization management according to the network risk early warning signal. By the method, accuracy of network security risk prediction can be improved, potential threats can be found out in time and processed, so that protection capability of network security is improved, and loss caused by network security accidents is reduced or avoided.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings that are used in the description of the embodiments will be briefly described below.
FIG. 1 is a schematic flow chart of a network security risk prediction method based on user behavior analysis;
FIG. 2 is a schematic flow chart of a method for constructing a behavior feature recognition channel in a network security risk prediction method based on user behavior analysis;
Fig. 3 is a schematic structural diagram of a network security risk prediction system based on user behavior analysis.
Reference numerals illustrate: the system comprises an access request information receiving module 01, a request risk index generating module 02, a user behavior monitoring module 03, a behavior characteristic identification channel constructing module 04, an access risk evaluating module 05 and a network risk early warning signal generating module 06.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure. All other embodiments, which can be made by one of ordinary skill in the art without inventive effort, based on the embodiments in this disclosure are intended to be within the scope of this disclosure.
Based on the above description, as shown in fig. 1, the present disclosure provides a network security risk prediction method based on user behavior analysis, including:
The user behavior analysis refers to comprehensive analysis of various behavior characteristics when a user accesses the system, and performs risk prediction on the access process of the user according to the behavior analysis result, and further formulates corresponding protection measures according to the risk prediction result so as to achieve the purpose of improving the network security protection capability.
The method provided by the application is used for accurately analyzing the access behaviors of the user and predicting the existing network security risk according to the analysis result of the user behaviors, so as to achieve the aim of improving the accuracy of predicting the network security risk, thereby timely discovering and processing the potential threat and reducing or avoiding the loss caused by the network security accident.
Receiving access request information of a user, wherein the access request information comprises a target request program, current request time and a request IP address;
In the embodiment of the present application, first, access request information of a user is received, where the access request information includes a target request program, a current request time and a request IP address. The target request program refers to the type of program requested by the user, for example WeChat, Taobao or Baidu; the current request time refers to the time node of the user's request; the request IP address refers to the IP address of the device the user is using. By obtaining the access request information, raw data support is provided for the next step, user request risk analysis.
Performing request risk assessment based on the target request program, the current request time and the request IP address, and generating a request risk index;
In the embodiment of the application, user request risk assessment is carried out according to the target request program, the current request time and the request IP address, and a request risk index is generated according to a risk assessment result.
In one embodiment, the method further comprises:
retrieving a user history request log and extracting user history request data of the target request program;
Extracting a user history request IP based on the user history request data, and setting the user history request IP with highest occurrence frequency as a conventional request IP;
Performing access time feature analysis based on the user history request data to obtain a conventional request period and a conventional request frequency;
Performing request risk assessment on the current request time and the request IP address according to the conventional request IP, the conventional request period and the conventional request frequency to obtain a request risk index;
the method for carrying out request risk assessment comprises the following steps:
constructing a request risk calculation function:
Wherein R is the request risk index of the current visit; v1, v2, v3 are the weight coefficients of the request period risk index, the request frequency risk index and the request IP risk index respectively; T2 is the maximum or minimum of the conventional request period; T1 is the current request time, and T3 is the last adjacent request time; T0 is the unit request duration, obtained by calculation from the conventional request frequency; P is the request IP risk index: when the request IP address is the conventional request IP, P is 0.8, and when the request IP address does not belong to the conventional request IP, P is 1.5;
And carrying out request risk assessment on the current request time and the request IP address according to the request risk calculation function.
In the embodiment of the present application, firstly, a user history request log is retrieved, and user history request data of the target request program is extracted according to the user history request log, where the user history request data includes a plurality of user history requests IP, a plurality of history request times, a history request frequency, and the like, where the history request frequency may be set based on a number of requests of a user in a preset time period, and the preset time period may be set based on actual conditions, for example: the number of times the user requests the program is 10 times within 1 month, and the history request frequency may be set to 10.
The user history request IPs are extracted from the user history request data, giving a plurality of user history request IPs, and the user history request IP with the highest occurrence frequency among them is set as the conventional request IP, where the conventional request IP represents the device the user commonly requests from. Access time feature analysis is performed based on the user history request data: first, a plurality of user history request times and a plurality of history request frequencies are extracted from the user history request data; the earliest time and the latest time among the plurality of user history request times are extracted to set the conventional request period; the plurality of history request frequencies are extracted, their average value is calculated, and the average is set as the conventional request frequency. For example: the history request frequencies within the last 3 months are obtained as 10, 12 and 8 respectively; the average of the three history request frequencies is calculated, giving a request frequency average of 10, which is set as the conventional request frequency.
Then, request risk assessment is carried out on the current request time and the request IP address according to the conventional request IP, the conventional request period and the conventional request frequency. First, the request risk calculation function is obtained, whose expression is as follows: In the request risk calculation function expression, R is the request risk index of the current access; v1, v2, v3 are the weight coefficients of the request period risk index, the request frequency risk index and the request IP risk index, where the values of v1, v2, v3 can be set according to the degree to which the request period risk index, the request frequency risk index and the request IP risk index influence the request risk index: the larger the influence, the larger the corresponding weight coefficient. The weight coefficients can be set using the existing coefficient of variation method, a weighting method commonly used by those skilled in the art, which is not expanded on here. T2 is the maximum value or the minimum value of the conventional request period: the deviation of the request time node from the maximum value and from the minimum value of the conventional request period is calculated, and the one with the smaller deviation is selected as T2. T1 is the current request time, and T3 is the adjacent last request time. T0 is the unit request duration, obtained by calculation from the conventional request frequency, for example: assuming that the conventional request frequency is 10, meaning that the user requests the target program 10 times within 1 month, and assuming that a month has 30 days, the unit request duration is 3 days. P is the request IP risk index: P is 0.8 when the request IP address is the conventional request IP, and P is 1.5 when the request IP address does not belong to the conventional request IP, where the value of P can be modified according to practical situations by a person skilled in the art.
And then carrying out request risk assessment on the current request time and the request IP address according to the request risk calculation function to obtain a request risk index, wherein the larger the request risk index is, the larger the risk of a program request by a user is represented. By constructing the request risk calculation function, the request risk of the user can be accurately evaluated, and the accuracy and efficiency of obtaining the request risk index are improved.
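As an added worked example (not code from the patent or its assignee), the following Python derives the conventional request IP, conventional request period, conventional request frequency and unit request duration T0 from a constructed history log, then scores a new request using P, T1, T2 and T3 as defined above. The patent's own expression for R is not present on this page, so the request period risk index, the request frequency risk index and their linear combination with weights v1, v2, v3 are assumed forms; the conventional request period is interpreted here as a time-of-day window; the history log, monthly counts, sample requests, fixed weights and the threshold are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed user history request log for one target request program
# (sample data, not from the patent): (request time, request IP).
HISTORY = [
    (datetime(2024, 1, 3, 9, 0), "10.0.0.5"),
    (datetime(2024, 1, 10, 10, 30), "10.0.0.5"),
    (datetime(2024, 1, 17, 8, 45), "10.0.0.5"),
    (datetime(2024, 1, 24, 11, 0), "203.0.113.7"),
    (datetime(2024, 1, 31, 9, 15), "10.0.0.5"),
]
# Historical request frequencies (requests per month) for the last three months,
# mirroring the patent's own numbers; their mean is the conventional request frequency.
MONTHLY_COUNTS = [10, 12, 8]

# Constructed sample requests: (current request time T1, request IP address).
SAMPLE_SUSPICIOUS = (datetime(2024, 2, 1, 3, 15), "198.51.100.9")
SAMPLE_NORMAL = (datetime(2024, 2, 7, 9, 30), "10.0.0.5")


def build_request_baseline(history, monthly_counts, days_per_month=30):
    """Derive the conventional request IP, period and frequency from the history log."""
    # Conventional request IP: the history request IP with the highest occurrence frequency.
    conventional_ip = Counter(ip for _, ip in history).most_common(1)[0][0]
    # Conventional request period: earliest and latest request time, interpreted here
    # (assumption) as a time-of-day window expressed in minutes since midnight.
    minutes = [t.hour * 60 + t.minute for t, _ in history]
    period = (min(minutes), max(minutes))
    # Conventional request frequency: mean of the monthly counts;
    # unit request duration T0 (in days) = days per month / frequency.
    frequency = sum(monthly_counts) / len(monthly_counts)
    return {
        "conventional_ip": conventional_ip,
        "period": period,
        "frequency": frequency,
        "t0_days": days_per_month / frequency,
        "history_times": sorted(t for t, _ in history),
    }


def request_risk_index(baseline, t1, request_ip, weights=(0.4, 0.3, 0.3)):
    """Score one request. The combination below is an ASSUMED form of R, not the patent's."""
    v1, v2, v3 = weights
    # P: request IP risk index, 0.8 for the conventional IP and 1.5 otherwise (patent values).
    p = 0.8 if request_ip == baseline["conventional_ip"] else 1.5
    # T2: whichever bound of the conventional period (min or max) deviates less from T1.
    tod = t1.hour * 60 + t1.minute
    lo, hi = baseline["period"]
    t2 = lo if abs(tod - lo) <= abs(tod - hi) else hi
    # Assumed period risk index: minutes outside the conventional window, as a fraction of a day.
    deviation_min = 0 if lo <= tod <= hi else abs(tod - t2)
    period_risk = deviation_min / 60 / 24
    # T3: the last adjacent request time before T1. Assumed frequency risk index: 1 when the
    # new request immediately follows the previous one, falling to 0 once the gap reaches T0.
    earlier = [t for t in baseline["history_times"] if t < t1]
    if earlier:
        gap_days = (t1 - earlier[-1]) / timedelta(days=1)
        frequency_risk = max(0.0, 1.0 - gap_days / baseline["t0_days"])
    else:
        frequency_risk = 0.0
    r = v1 * period_risk + v2 * frequency_risk + v3 * p
    return {"R": r, "period_risk": period_risk, "frequency_risk": frequency_risk, "P": p}


def needs_verification(baseline, t1, request_ip, threshold):
    """True when R reaches the preset request risk index threshold, i.e. the request is
    not answered directly and identity verification of the user is required first."""
    return request_risk_index(baseline, t1, request_ip)["R"] >= threshold


if __name__ == "__main__":
    base = build_request_baseline(HISTORY, MONTHLY_COUNTS)
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_NORMAL):
        print(sample, request_risk_index(base, *sample), needs_verification(base, *sample, 0.5))
```

The off-hours request from an unfamiliar IP that arrives well inside the unit request duration scores high on all three components, while the request from the conventional IP, inside the conventional window and after a gap longer than T0, is scored on P alone; as the text notes, the weights would in practice be set by the coefficient of variation method rather than fixed as here.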
When the request risk index meets a preset request risk index threshold, responding to request information of a user, and monitoring access behaviors of the user in real time to obtain behavior monitoring data;
In the embodiment of the application, the preset request risk index threshold is obtained; it can be set by a person skilled in the art according to the actual security requirement, where the higher the security requirement, the smaller the preset request risk index threshold. The request risk index is judged against the preset request risk index threshold: if the request risk index is smaller than the preset request risk index threshold, the request risk of the user is low and the request information of the user is responded to; when the request risk index is larger than or equal to the preset request risk index threshold, the request risk degree of the user is characterized as high, identity verification of the user is then required, and whether to respond to the user request information is judged according to the verification result.
And after responding to the request information of the user, monitoring the access behavior of the user in real time to obtain behavior monitoring data.
In one embodiment, the method further comprises:
Acquiring a preset monitoring time window, and monitoring the access behavior of a user in real time in the preset monitoring time window;
the behavior monitoring data comprises page content, page stay time and page operation steps, wherein the page content, the page stay time and the page operation steps have corresponding relations.
In the embodiment of the present application, first, a preset monitoring time window is obtained, where the preset monitoring time window may be set based on actual conditions, and the smaller the preset monitoring time window, the higher the behavior monitoring accuracy, for example: the method comprises the steps of setting a preset monitoring time window to be 10 seconds, then monitoring the access behaviors of a user in real time in the preset monitoring time window to obtain behavior monitoring data, wherein the behavior monitoring data comprise a plurality of page monitoring data sets, the page monitoring data comprise page contents, page stay time and page operation steps, the page contents, the page stay time and the page operation steps have corresponding relations, namely, each time a page changes, one page monitoring data set is obtained. By obtaining behavior monitoring data, data support is provided for the next step of user behavior analysis.
Calling a user historical access behavior log and performing data mining to construct a behavior feature recognition channel;
In the embodiment of the application, firstly, a user history access behavior log is called, access behavior feature mining is carried out based on the user history access behavior log, and a behavior feature recognition channel is constructed according to a data mining result.
As shown in fig. 2, in one embodiment, the method further comprises:
extracting user historical access behavior data based on the user historical access log, wherein the historical access behavior data comprises a plurality of historical access page contents, a plurality of historical page stay times and a plurality of historical page operation steps;
Performing cluster analysis on the historical access page contents to obtain a plurality of access content cluster sets;
In the embodiment of the application, firstly, the user historical access behavior data is extracted from the user historical access behavior log, where the historical access behavior data comprises a plurality of historical access page contents, a plurality of historical page stay times and a plurality of historical page operation steps; then cluster analysis is carried out on the historical access page contents to obtain a plurality of access content cluster sets.
In one embodiment, the method further comprises:
randomly selecting N clustering center points in the historical access page contents, wherein N is an integer greater than 5;
Sequentially calculating the distances between other historical access page contents in the plurality of historical access page contents and the N clustering center points, and adding the historical access page contents to clusters corresponding to the clustering center with the smallest distance to obtain N clustering clusters;
performing distance average calculation on the historical access page contents in the N clusters, and taking the historical access page contents with the smallest average distance as updated cluster centroids;
and continuously performing iterative clustering, stopping clustering when the updated clustering centroid tends to be stable, and outputting the current clustering result as a plurality of access content clustering sets.
In the embodiment of the present application, first, N cluster center points are randomly selected from the plurality of historical access page contents, where the value of N can be set by a person skilled in the art according to the actual data size, where the larger the data size is, the larger N is, and in general, N is an integer greater than 5. And then sequentially calculating the distances between other historical access page contents in the plurality of historical access page contents and the N clustering center points, and adding the other historical access page contents into the category corresponding to the clustering center with the smallest distance to obtain N clustering clusters. Then performing distance average calculation on the historical access page contents in the N clusters, and taking the historical access page contents with the smallest average distance in the N clusters as updated cluster centroids; and then taking the updated cluster centroid as a cluster center point, continuously performing iterative clustering, stopping clustering when the updated cluster centroid tends to be stable, namely no change occurs any more, and outputting the current clustering result as a plurality of access content clustering sets.
By using the K-means clustering algorithm to perform cluster analysis on the plurality of historical access page contents, clustering time can be saved and clustering efficiency improved, while the accuracy of the obtained access content cluster sets is also improved.
Sequentially carrying out content feature analysis on the plurality of access content clustering sets to obtain a plurality of content feature sets;
Establishing a mapping relation between the plurality of content feature sets and conventional historical residence time and conventional historical page operation steps, wherein the conventional historical residence time is a residence time average value of residence time of a plurality of historical pages corresponding to the content feature sets, and the conventional historical page operation steps are single steps with highest occurrence frequency in the plurality of historical page operation steps corresponding to the content feature sets;
And constructing a behavior feature comparison table based on the mapping relation, embedding the behavior feature comparison table into a behavior feature recognition channel, and generating the behavior feature recognition channel.
In the embodiment of the application, a plurality of historical page stay time sets and a plurality of historical page operation step sets corresponding to the plurality of content feature sets are obtained; the stay time average is calculated for each page stay time set in turn, and that average is taken as the conventional historical stay time of the corresponding page stay time set, giving a plurality of conventional historical stay times. The single step with the highest occurrence frequency is extracted from each of the plurality of historical page operation step sets in turn, where the historical page operation steps comprise a plurality of operation steps, for example: favoriting, adding, liking and the like; a conventional historical page operation step is formed from the plurality of single steps with the highest occurrence frequency, giving a plurality of conventional historical page operation steps.
And then establishing a mapping relation between the plurality of content feature sets and conventional historical residence time and conventional historical page operation steps. And based on the mapping relation, taking the content feature set as a child node, taking the corresponding conventional historical residence time and conventional historical page operation steps as leaf nodes of the child node, constructing a behavior feature comparison table, and embedding the behavior feature comparison table into a behavior feature recognition channel to generate the behavior feature recognition channel.
By constructing the behavior feature recognition channel based on the user history access behavior data, support is provided for user behavior feature recognition, and accuracy of user behavior feature recognition can be improved.
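As an added worked example (not code from the patent or its assignee), the Python below implements the clustering step as the text describes it (N randomly selected centre points, nearest-centre assignment, each cluster's centroid updated to the member with the smallest mean distance, iterated until the centroids stop changing) and then builds the behavior feature comparison table that maps each access content cluster to its conventional historical stay time and conventional operation steps. It assumes page contents have already been encoded as numeric feature vectors; with only six constructed records it uses N = 2 rather than the N > 5 the patent suggests for real data sizes; and composing the conventional operation steps from the most frequent single step at each position is an assumption about how the patent combines the highest-frequency steps.

```python
import random
from collections import Counter
from math import dist

# Constructed user historical access behavior data (sample data, not from the patent):
# (page-content feature vector, page stay time in seconds, page operation steps).
HISTORY = [
    ((0.10, 0.20), 30.0, ["view", "favorite"]),
    ((0.15, 0.25), 40.0, ["view", "favorite"]),
    ((0.20, 0.30), 50.0, ["view", "add"]),
    ((5.00, 5.50), 120.0, ["add", "checkout"]),
    ((5.10, 5.60), 100.0, ["add", "checkout"]),
    ((5.20, 5.70), 140.0, ["checkout", "add"]),
]


def cluster_page_contents(contents, n_clusters, seed=0, max_iter=100):
    """Cluster as the patent describes: N random centre points, assign every content to the
    nearest centre, then make each cluster's updated centroid the member with the smallest
    mean distance to the cluster, and repeat until the centroids no longer change.
    Returns the member indices of each cluster."""
    rng = random.Random(seed)
    centroids = rng.sample(range(len(contents)), n_clusters)
    clusters = {}
    for _ in range(max_iter):
        clusters = {c: [] for c in centroids}
        for i, x in enumerate(contents):
            nearest = min(centroids, key=lambda c: dist(x, contents[c]))
            clusters[nearest].append(i)
        updated = [
            min(members, key=lambda m: sum(dist(contents[m], contents[o]) for o in members) / len(members))
            for members in clusters.values()
        ]
        if sorted(updated) == sorted(centroids):
            break  # centroids are stable: stop clustering
        centroids = updated
    return [sorted(members) for members in clusters.values()]


def build_behavior_feature_table(history, n_clusters, seed=0):
    """Map every access content cluster to its conventional historical stay time (mean of the
    members' stay times) and conventional operation steps (most frequent single step at each
    position, up to the most common step-list length; an assumption about the patent's rule)."""
    contents = [content for content, _, _ in history]
    table = []
    for members in cluster_page_contents(contents, n_clusters, seed):
        stays = [history[m][1] for m in members]
        step_lists = [history[m][2] for m in members]
        typical_len = Counter(len(s) for s in step_lists).most_common(1)[0][0]
        conventional_steps = [
            Counter(s[i] for s in step_lists if len(s) > i).most_common(1)[0][0]
            for i in range(typical_len)
        ]
        table.append({
            "members": members,
            "conventional_stay": sum(stays) / len(stays),
            "conventional_steps": conventional_steps,
        })
    return table


if __name__ == "__main__":
    for entry in build_behavior_feature_table(HISTORY, n_clusters=2):
        print(entry)
```

Because the updated centroid is always an existing member (the one with the smallest mean distance), the procedure is a k-medoids variant rather than textbook K-means; on this well-separated sample it converges to the same two clusters from any random initial pair.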
Performing user access risk assessment on the behavior monitoring data based on the behavior feature recognition channel to obtain an access risk assessment index;
In the embodiment of the application, the behavior monitoring data is subjected to user behavior feature recognition according to the behavior feature recognition channel, and the user access risk assessment is performed according to the behavior feature recognition result to obtain an access risk assessment index.
In one embodiment, the method further comprises:
inputting page content of the behavior monitoring data into the behavior feature recognition channel for content matching to obtain a first conventional residence time and a first conventional operation step;
performing similarity analysis on the page residence time according to the first conventional residence time to generate a first similarity coefficient;
Performing similarity analysis on the page operation step according to the first conventional operation step to generate a second similarity coefficient;
and based on the access risk assessment function, carrying out user access risk assessment according to the first similarity coefficient and the second similarity coefficient, and generating an access risk assessment index.
In one embodiment, the method further comprises:
Wherein the access risk assessment function expression is:
F=w1·S1+w2·S2
wherein F is the access risk assessment index; w1, w2 are the weights of the first similarity coefficient and the second similarity coefficient; S1 is the first similarity coefficient; S2 is the second similarity coefficient; Td is the first conventional residence time, Tc is the page residence time, N is the total number of operation steps in the first conventional operation step, Zi is the i-th operation step in the first conventional operation step; zi is the i-th operation step of the page operation steps.
In the embodiment of the present application, firstly, page content of the behavior monitoring data is input into the behavior feature recognition channel to perform content matching, where content matching may be performed by performing similarity calculation on content features, for example: image similarity, text similarity, etc., and the similarity is highest as a content matching result. And then obtaining a first conventional stay time and a first conventional operation step according to the content matching result, wherein the first conventional stay time and the first conventional operation step are conventional historical stay time and conventional historical page operation steps corresponding to the content feature set in the behavior feature comparison table.
Constructing an access risk assessment function, wherein the expression of the access risk assessment function is as follows:
F=w1·S1+w2·S2
In the access risk assessment function expression, F is the access risk assessment index; w1, w2 are the weights of the first similarity coefficient and the second similarity coefficient respectively, where the values of w1, w2 can be set according to the degree to which the first similarity coefficient and the second similarity coefficient influence the access risk assessment index, the larger the influence, the larger the corresponding weight, and the weights can be set by the existing coefficient of variation method; S1 is the first similarity coefficient; S2 is the second similarity coefficient; Td is the first conventional dwell time, Tc is the page dwell time, N is the total number of operation steps in the first conventional operation steps, Zi is the i-th operation step in the first conventional operation steps, where the i-th operation step is any one of the N operation steps; zi is the i-th operation step of the page operation steps.
By constructing the access risk assessment function, the user's access risk can be assessed accurately, and the access risk assessment index is obtained with greater efficiency and accuracy.
Based on the access risk assessment function, similarity analysis of the page stay time against the first conventional stay time yields the first similarity coefficient; similarity analysis of the page operation steps against the first conventional operation steps yields the second similarity coefficient; and the user access risk is then calculated from the two coefficients to give the access risk assessment index. The index quantifies the user's degree of risk during the access and supports the next step, network risk early warning.
When the access risk assessment index meets the preset access risk index threshold, a network risk early warning signal is generated, and access optimization management is performed according to the network risk early warning signal.
In this embodiment the access risk assessment index is compared against a preset access risk index threshold. The threshold can be set according to the actual network security protection capability: the stronger the protection capability, the larger the threshold. When the access risk assessment index exceeds the threshold, the current user's access risk is beyond what the network's protection can absorb, the risk is judged to be high, and a network risk early warning signal is generated. Access optimization management is then performed according to the signal, for example re-authenticating the user or raising the protection level of the current network. This addresses the poor accuracy of existing network security risk prediction methods, which stems from insufficiently accurate analysis of user behavior: the accuracy of network security risk prediction is improved, potential threats are discovered and handled in time, the protection capability of network security is improved, and the loss caused by network security incidents is reduced or avoided.
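As a worked illustration of the access risk assessment and threshold decision described above, the following Python is example code added to this page; it is not part of the patent and not the applicant's implementation. The page gives F = w1·S1 + w2·S2 but does not reproduce the expressions for S1 and S2, so here S1 is the relative deviation of the page stay time Tc from the first conventional stay time Td and S2 is the share of page operation steps zi that differ from the conventional steps Zi, both scaled to [0, 1] so that F grows with risk. The comparison table contents, the weights w1 = w2 = 0.5, the threshold 0.5 and the rule that page content matching no content feature set scores maximal risk are all assumptions. The table stores the N conventional operation steps as a sequence; the single most frequent step the page describes for the comparison table is the N = 1 case.

```python
"""Access-stage risk assessment against a behavior feature comparison table.
Example code added to this page; it is not the patent's implementation.
The page gives F = w1*S1 + w2*S2 but not the expressions for S1 and S2:
here both are deviations scaled to [0, 1], so F grows with risk.  The
table contents, the weights, the threshold and the handling of unmatched
page content are assumptions."""

# Constructed behavior feature comparison table:
# content feature set -> (first conventional stay time Td in seconds,
#                         first conventional operation steps Z_1..Z_N)
COMPARISON_TABLE = {
    frozenset({"login", "password", "username"}):
        (10.0, ("type_username", "type_password", "submit")),
    frozenset({"product", "catalog", "price", "images"}):
        (40.0, ("scroll", "click")),
    frozenset({"admin", "settings", "users", "roles"}):
        (100.0, ("view", "edit", "save")),
}
WEIGHTS = (0.5, 0.5)          # w1, w2: assumed equal (the page suggests the coefficient of variation method)
ACCESS_RISK_THRESHOLD = 0.5   # preset access risk index threshold (assumed)


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def match_content(page_content, table=COMPARISON_TABLE):
    """Content matching: the entry whose feature set is most similar to the
    page's tokens; None when the page shares no feature with any set."""
    page_tokens = set(page_content.lower().split())
    best, best_score = None, 0.0
    for feature_set, entry in table.items():
        score = jaccard(page_tokens, feature_set)
        if score > best_score:
            best, best_score = entry, score
    return best


def dwell_deviation(t_c, t_d):
    """S1: relative deviation of the page stay time Tc from the conventional Td."""
    if t_d <= 0:
        return 0.0 if t_c <= 0 else 1.0
    return min(1.0, abs(t_c - t_d) / t_d)


def step_deviation(steps, conventional):
    """S2: share of positions where the page step z_i differs from Z_i;
    steps beyond the N conventional ones count as mismatches."""
    n = len(conventional)
    matches = sum(1 for i in range(min(n, len(steps))) if steps[i] == conventional[i])
    return 1.0 - matches / max(n, len(steps), 1)


def access_risk(page_content, t_c, steps, table=COMPARISON_TABLE):
    """Returns (F, early_warning); early_warning is True when F exceeds the threshold."""
    matched = match_content(page_content, table)
    if matched is None:
        return 1.0, True   # unknown page content: treated as maximal deviation (assumption)
    t_d, conventional = matched
    w1, w2 = WEIGHTS
    f = w1 * dwell_deviation(t_c, t_d) + w2 * step_deviation(tuple(steps), conventional)
    return f, f > ACCESS_RISK_THRESHOLD


if __name__ == "__main__":
    # Interactive login vs. a scripted client that fires four submits in half a second.
    print(access_risk("login form username password", 11.0, ["type_username", "type_password", "submit"]))
    print(access_risk("login form username password", 0.5, ["submit"] * 4))
```

The interactive login scores F = 0.05 (stay time 11 s against a conventional 10 s, identical steps), while the scripted client scores F = 0.85 (stay time a tenth of the conventional value and three of four steps deviating), so only the latter raises the early warning signal. Token overlap is a crude stand-in for the page's content feature similarity; with real page content a text or image embedding distance would replace `jaccard` without changing the rest.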
In one embodiment, a network security risk prediction system based on user behavior analysis is provided as shown in fig. 3, comprising: an access request information receiving module 01, a request risk index generating module 02, a user behavior monitoring module 03, a behavior characteristic identification channel constructing module 04, an access risk evaluating module 05, a network risk early warning signal generating module 06, wherein:
an access request information receiving module 01, wherein the access request information receiving module 01 is used for receiving access request information of a user, and the access request information comprises a target request program, a current request time and a request IP address;
A request risk index generation module 02, where the request risk index generation module 02 is configured to perform request risk assessment based on the target request program, the current request time, and the request IP address, and generate a request risk index;
The user behavior monitoring module 03 is configured to respond to request information of a user when the request risk index meets a preset request risk index threshold, and monitor access behaviors of the user in real time to obtain behavior monitoring data;
The behavior feature recognition channel construction module 04 is used for retrieving a user history access behavior log and performing data mining to construct a behavior feature recognition channel;
the access risk assessment module 05 is used for carrying out user access risk assessment on the behavior monitoring data based on the behavior feature identification channel to obtain an access risk assessment index;
The network risk early warning signal generating module 06, where the network risk early warning signal generating module 06 is configured to generate a network risk early warning signal when the access risk assessment index meets a preset access risk index threshold, and perform access optimization management according to the network risk early warning signal.
In one embodiment, the system further comprises:
The user history request data extraction module is used for retrieving a user history request log and extracting user history request data of the target request program;
The conventional request IP setting module is used for extracting a user history request IP based on the user history request data and setting the user history request IP with the highest occurrence frequency as the conventional request IP;
The access time characteristic analysis module is used for carrying out access time characteristic analysis based on the user history request data to obtain a conventional request period and a conventional request frequency;
The request risk assessment module is used for carrying out request risk assessment on the current request time and the request IP address according to the conventional request IP, the conventional request period and the conventional request frequency to obtain a request risk index;
The request risk assessment module carries out the request risk assessment as follows:
constructing a request risk calculation function:
where R is the request risk index of the current access; v1, v2 and v3 are the weight coefficients of the request period risk index, the request frequency risk index and the request IP risk index respectively; T2 is the maximum or minimum value of the conventional request period; T1 is the current request time; T3 is the time of the last adjacent request; T0 is the unit request duration, calculated from the conventional request frequency; and P is the request IP risk index, which is 0.8 when the request IP address is the conventional request IP and 1.5 when the request IP address is not the conventional request IP;
and the request risk assessment module performs the request risk assessment on the current request time and the request IP address according to the request risk calculation function.
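The request risk assessment above names its terms (conventional request IP, conventional request period, conventional request frequency, T0, T1, T2, T3 and P) but the page does not reproduce the calculation function itself. The following Python is example code added to this page, not the patent's implementation: it derives the profile terms from a constructed request log and combines them into R using assumed definitions of the request period risk index and request frequency risk index, assumed weights v1, v2, v3 = 0.4, 0.3, 0.3 and an assumed threshold of 0.6; the P values 0.8 and 1.5 are the ones stated on the page. The conventional request period is taken as the earliest and latest time of day seen in the history, the conventional request frequency as requests per active day, and T0 = 86400 / frequency; these are assumptions as well.

```python
"""Request-stage risk scoring over a constructed per-user request log.
Example code added to this page; it is not the patent's implementation.
The page names the terms of the request risk calculation function but does
not reproduce it, so the period and frequency risk indices, the weights
v1..v3 and the threshold below are assumptions; the P values are the page's."""
from collections import Counter
from datetime import datetime

DAY = 86400
WEIGHTS = (0.4, 0.3, 0.3)       # v1, v2, v3 (assumed)
REQUEST_RISK_THRESHOLD = 0.6    # preset request risk index threshold (assumed)

# Constructed user history request log: (target program, request time, request IP)
HISTORY = [
    ("payroll_app", "2024-01-08T09:00:00", "203.0.113.10"),
    ("payroll_app", "2024-01-08T10:00:00", "203.0.113.10"),
    ("payroll_app", "2024-01-08T11:00:00", "203.0.113.10"),
    ("payroll_app", "2024-01-08T14:00:00", "203.0.113.10"),
    ("payroll_app", "2024-01-08T16:00:00", "203.0.113.10"),
    ("payroll_app", "2024-01-09T09:30:00", "203.0.113.10"),
    ("payroll_app", "2024-01-09T10:30:00", "203.0.113.10"),
    ("payroll_app", "2024-01-09T13:00:00", "203.0.113.77"),
    ("payroll_app", "2024-01-09T15:00:00", "203.0.113.10"),
    ("payroll_app", "2024-01-09T17:00:00", "203.0.113.10"),
    ("mail_app",    "2024-01-09T03:00:00", "198.51.100.5"),   # other program: not part of the profile
]


def seconds_of_day(ts):
    return ts.hour * 3600 + ts.minute * 60 + ts.second


def build_request_profile(history, target_program):
    """Conventional request IP (most frequent), conventional request period
    (earliest and latest time of day seen) and unit request duration T0."""
    rows = [(datetime.fromisoformat(t), ip) for prog, t, ip in history if prog == target_program]
    if not rows:
        raise ValueError(f"no history for {target_program}")
    conventional_ip = Counter(ip for _, ip in rows).most_common(1)[0][0]
    times = [seconds_of_day(t) for t, _ in rows]
    active_days = len({t.date() for t, _ in rows})
    frequency = len(rows) / active_days          # conventional request frequency: requests per active day
    return {"ip": conventional_ip, "period": (min(times), max(times)), "t0": DAY / frequency}


def request_risk(profile, current_time, request_ip, last_request_time):
    """Returns (R, allowed); allowed is True when R is within the threshold."""
    t1 = datetime.fromisoformat(current_time)        # current request time
    t3 = datetime.fromisoformat(last_request_time)   # last adjacent request time
    lo, hi = profile["period"]
    s = seconds_of_day(t1)
    if lo <= s <= hi:
        period_risk = 0.0
    else:
        t2 = lo if abs(s - lo) <= abs(s - hi) else hi     # nearer bound of the conventional period
        period_risk = min(1.0, abs(s - t2) / (DAY / 2))  # distance scaled to half a day (assumption)
    gap = (t1 - t3).total_seconds()
    # Frequency risk: 0 once the gap reaches T0, 1 for a zero gap (assumption)
    freq_risk = max(0.0, 1.0 - gap / profile["t0"]) if gap > 0 else 1.0
    p = 0.8 if request_ip == profile["ip"] else 1.5   # request IP risk index, values as stated on the page
    v1, v2, v3 = WEIGHTS
    r = v1 * period_risk + v2 * freq_risk + v3 * p
    return r, r <= REQUEST_RISK_THRESHOLD


if __name__ == "__main__":
    profile = build_request_profile(HISTORY, "payroll_app")
    print(request_risk(profile, "2024-01-10T10:00:00", "203.0.113.10", "2024-01-09T17:00:00"))
    print(request_risk(profile, "2024-01-10T03:00:00", "198.51.100.23", "2024-01-10T02:59:30"))
```

A request from the conventional IP inside the 09:00 to 17:00 window with a normal gap scores R = 0.24; a 03:00 request from an unfamiliar IP thirty seconds after the previous one scores about 0.95 and is held back. Note that with these weights the IP term alone (0.3 × 1.5 = 0.45) never crosses the threshold, so an unfamiliar IP at a normal time and pace passes the request stage and is left to the access-stage behavior monitoring, which matches the page's two-stage design. The period check does not handle a conventional window that crosses midnight; a profile built for a night-shift user would need the time-of-day comparison done on a circular scale.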
In one embodiment, the system further comprises:
The preset monitoring time window acquisition module is used for acquiring a preset monitoring time window and monitoring the access behavior of the user in real time within the preset monitoring time window;
the behavior monitoring data comprise page content, page stay time and page operation steps, which correspond to one another.
In one embodiment, the system further comprises:
The user historical access behavior data extraction module is used for extracting user historical access behavior data from the user historical access behavior log, where the historical access behavior data comprise a plurality of historical access page contents, a plurality of historical page stay times and a plurality of historical page operation steps;
the access content clustering set obtaining module is used for carrying out clustering analysis on the historical access page contents to obtain a plurality of access content clustering sets;
the content feature set obtaining module is used for sequentially carrying out content feature analysis on the plurality of access content clustering sets to obtain a plurality of content feature sets;
The mapping relation establishing module is used for establishing a mapping relation between each content feature set and a conventional historical stay time and a conventional historical page operation step, where the conventional historical stay time is the mean of the historical page stay times corresponding to the content feature set, and the conventional historical page operation step is the single step with the highest occurrence frequency among the historical page operation steps corresponding to the content feature set;
The behavior feature recognition channel generation module is used for constructing a behavior feature comparison table based on the mapping relation, embedding the behavior feature comparison table into the behavior feature recognition channel and generating the behavior feature recognition channel.
In one embodiment, the system further comprises:
The cluster center point selection module is used for randomly selecting N cluster center points in the historical access page contents, wherein N is an integer greater than 5;
The cluster obtaining module is used for sequentially calculating the distances between other historical access page contents in the plurality of historical access page contents and the N clustering center points, and adding the historical access page contents to clusters corresponding to the clustering center with the minimum distance to obtain N clustering clusters;
the updated clustering centroid tripod module is used for calculating the distance average value of the historical access page contents in the N clustering clusters, and taking the historical access page contents with the smallest average value distance as updated clustering centroids;
And the visit content clustering set setting module is used for continuously performing iterative clustering, stopping clustering when the updated clustering centroid tends to be stable, and outputting the current clustering result as a plurality of visit content clustering sets.
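The clustering and mapping steps above, carried through end to end on a constructed history log, as example code added to this page (not the patent's implementation). The update rule is the page's: each cluster's new centroid is the member with the smallest mean distance to the rest of the cluster, and clustering stops when the centroids no longer change. Two departures are made for a reproducible run and are assumptions: initial centres are chosen farthest-first from the first record rather than at random, and three clusters are used where the page requires N > 5. The content feature set of a cluster is taken as the tokens present in at least half of its pages, and the distance between page contents is the Jaccard distance over their tokens; both are assumptions standing in for the page's unspecified content feature analysis.

```python
"""Builds the behavior feature comparison table from a constructed user
history access behavior log.  Example code added to this page; it is not
the patent's implementation.  Assumptions: farthest-first seeding instead
of the page's random centre selection (for a reproducible run), 3 clusters
instead of the page's N > 5, Jaccard token distance as the content distance,
and a content feature set defined as the tokens present in at least half
of a cluster's pages."""
from collections import Counter

# Constructed history log: (page content, page stay time in seconds, operation step)
HISTORY_LOG = [
    ("login form username password", 8.0, "submit"),
    ("login page password username field", 10.0, "submit"),
    ("account login password reset link", 12.0, "submit"),
    ("product catalog list price images", 40.0, "scroll"),
    ("product listing catalog images price", 35.0, "scroll"),
    ("catalog products images price filter", 45.0, "click"),
    ("admin settings panel users roles", 90.0, "edit"),
    ("admin panel roles permissions settings", 100.0, "edit"),
    ("settings admin users permissions", 110.0, "view"),
]


def tokens(text):
    return frozenset(text.lower().split())


def jaccard_distance(a, b):
    """Distance between two page contents: 1 - |a & b| / |a | b| over their tokens."""
    return (1.0 - len(a & b) / len(a | b)) if (a | b) else 0.0


def farthest_first(points, k):
    """Seed k centres: the first record, then repeatedly the point farthest from every centre."""
    centres = [0]
    while len(centres) < min(k, len(points)):
        centres.append(max(range(len(points)),
                           key=lambda i: min(jaccard_distance(points[i], points[c]) for c in centres)))
    return centres


def cluster(points, k, max_iter=20):
    """Assign each point to its nearest centre, then move each centre to the
    member with the smallest mean distance to its cluster (the page's update
    rule); stop once the centres no longer change."""
    centres = farthest_first(points, k)
    for _ in range(max_iter):
        members = {c: [] for c in centres}
        for i, p in enumerate(points):
            members[min(centres, key=lambda c: jaccard_distance(p, points[c]))].append(i)
        new_centres = [
            min(idx, key=lambda i: sum(jaccard_distance(points[i], points[j]) for j in idx) / len(idx))
            for idx in members.values() if idx
        ]
        if new_centres == centres:
            break
        centres = new_centres
    return list(members.values())


def feature_set(log, idx, min_share=0.5):
    """Content feature set: tokens present in at least min_share of the cluster's pages."""
    counts = Counter(t for i in idx for t in tokens(log[i][0]))
    return frozenset(t for t, c in counts.items() if c >= min_share * len(idx))


def build_comparison_table(log, k):
    """Content feature set -> (conventional historical stay time = mean stay time,
    conventional historical page operation step = most frequent step)."""
    points = [tokens(content) for content, _, _ in log]
    table = {}
    for idx in cluster(points, k):
        mean_stay = sum(log[i][1] for i in idx) / len(idx)
        mode_step = Counter(log[i][2] for i in idx).most_common(1)[0][0]
        table[feature_set(log, idx)] = (mean_stay, mode_step)
    return table


if __name__ == "__main__":
    for fs, entry in build_comparison_table(HISTORY_LOG, 3).items():
        print(sorted(fs), entry)
```

On this log the three groups (login pages, catalog pages, admin pages) share no tokens across groups, so the medoids settle after one pass and the table maps the login feature set to (10.0 s, "submit"), the catalog set to (40.0 s, "scroll") and the admin set to (100.0 s, "edit"). A mean stay time is sensitive to a few very long sessions left open in a tab; a median, or trimming the top percentile before averaging, is worth considering before the table is used for scoring.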
In one embodiment, the system further comprises:
The content matching module is used for inputting the page content of the behavior monitoring data into the behavior feature recognition channel for content matching, obtaining the first conventional stay time and the first conventional operation steps;
the first similarity coefficient generation module is used for performing similarity analysis on the page stay time against the first conventional stay time to generate the first similarity coefficient;
the second similarity coefficient generation module is used for performing similarity analysis on the page operation steps against the first conventional operation steps to generate the second similarity coefficient;
The access risk assessment index generation module is used for carrying out user access risk assessment according to the first similarity coefficient and the second similarity coefficient based on an access risk assessment function and generating an access risk assessment index.
In one embodiment, the system further comprises:
an access risk assessment function module, where the access risk assessment function is expressed as:
F = w1·S1 + w2·S2
where F is the access risk assessment index; w1 and w2 are the weights of the first and second similarity coefficients respectively; S1 is the first similarity coefficient; S2 is the second similarity coefficient; Td is the first conventional stay time; Tc is the page stay time; N is the total number of operation steps in the first conventional operation steps; Zi is the i-th operation step in the first conventional operation steps; and zi is the i-th operation step in the page operation steps.
In summary, compared with the prior art, the embodiments of the present disclosure have the following technical effects:
(1) By multi-index analysis of the user request information and the user access behavior characteristics, the accuracy of the user behavior analysis result can be improved, so that the accuracy of network security risk prediction can be improved, potential threats can be found and processed in time, the protection capability of network security is improved, and the loss caused by network security accidents is reduced or avoided.
(2) By constructing a request risk calculation function, the request risk of the user can be accurately evaluated, and the accuracy and efficiency of obtaining the request risk index are improved; by constructing the access risk assessment function, the access risk of the user can be accurately assessed, and the efficiency and accuracy of obtaining the access risk assessment index are improved, so that support is provided for improving the accuracy of predicting the network security risk.
The above examples merely represent a few embodiments of the present disclosure and are not to be construed as limiting the scope of the invention. Accordingly, various alterations, modifications and variations may be made by those having ordinary skill in the art without departing from the scope of the disclosed concept as defined by the following claims and all such alterations, modifications and variations are intended to be included within the scope of the present disclosure.

Claims (7)

1. A network security risk prediction method based on user behavior analysis, the method comprising:
Receiving access request information of a user, wherein the access request information comprises a target request program, current request time and a request IP address;
Performing request risk assessment based on the target request program, the current request time and the request IP address, and generating a request risk index;
when the request risk index meets a preset request risk index threshold, responding to request information of a user, and monitoring access behaviors of the user in real time to obtain behavior monitoring data;
Calling a user historical access behavior log and performing data mining to construct a behavior feature recognition channel;
Performing user access risk assessment on the behavior monitoring data based on the behavior feature recognition channel to obtain an access risk assessment index;
when the access risk assessment index meets a preset access risk index threshold, generating a network risk early warning signal, and performing access optimization management according to the network risk early warning signal;
Wherein the performing request risk assessment based on the target request program, the current request time and the request IP address, generating a request risk index, further includes:
retrieving a user history request log and extracting user history request data of the target request program;
Extracting a user history request IP based on the user history request data, and setting the user history request IP with highest occurrence frequency as a conventional request IP;
Performing access time feature analysis based on the user history request data to obtain a conventional request period and a conventional request frequency;
Performing request risk assessment on the current request time and the request IP address according to the conventional request IP, the conventional request period and the conventional request frequency to obtain a request risk index;
the method for carrying out request risk assessment comprises the following steps:
constructing a request risk calculation function:
where R is the request risk index of the current access; v1, v2 and v3 are the weight coefficients of the request period risk index, the request frequency risk index and the request IP risk index respectively; T2 is the maximum or minimum value of the conventional request period; T1 is the current request time; T3 is the time of the last adjacent request; T0 is the unit request duration, calculated from the conventional request frequency; and P is the request IP risk index, which is 0.8 when the request IP address is the conventional request IP and 1.5 when the request IP address is not the conventional request IP;
And carrying out request risk assessment on the current request time and the request IP address according to the request risk calculation function.
2. The method of claim 1, wherein the monitoring of the access behavior of the user in real time to obtain behavior monitoring data further comprises:
Acquiring a preset monitoring time window, and monitoring the access behavior of a user in real time in the preset monitoring time window;
the behavior monitoring data comprises page content, page stay time and page operation steps, wherein the page content, the page stay time and the page operation steps have corresponding relations.
3. The method of claim 1, wherein the retrieving of the user history access behavior log and the data mining to construct a behavior feature recognition channel further comprises:
Extracting user historical access behavior data based on the user historical access behavior log, wherein the historical access behavior data comprises a plurality of historical access page contents, a plurality of historical page stay times and a plurality of historical page operation steps;
Performing cluster analysis on the historical access page contents to obtain a plurality of access content cluster sets;
Sequentially carrying out content feature analysis on the plurality of access content clustering sets to obtain a plurality of content feature sets;
Establishing a mapping relation between each of the plurality of content feature sets and a conventional historical stay time and a conventional historical page operation step, wherein the conventional historical stay time is the mean of the historical page stay times corresponding to the content feature set, and the conventional historical page operation step is the single step with the highest occurrence frequency among the historical page operation steps corresponding to the content feature set;
And constructing a behavior feature comparison table based on the mapping relation, embedding the behavior feature comparison table into a behavior feature recognition channel, and generating the behavior feature recognition channel.
4. The method of claim 3, wherein performing cluster analysis on the plurality of historical access page content to obtain a plurality of access content cluster sets, further comprises:
randomly selecting N clustering center points in the historical access page contents, wherein N is an integer greater than 5;
Sequentially calculating the distances between other historical access page contents in the plurality of historical access page contents and the N clustering center points, and adding the historical access page contents to clusters corresponding to the clustering center with the smallest distance to obtain N clustering clusters;
calculating, within each of the N clusters, the mean distance of each historical access page content to the other contents in the cluster, and taking the historical access page content with the smallest mean distance as the updated cluster centroid;
and continuously performing iterative clustering, stopping clustering when the updated clustering centroid tends to be stable, and outputting the current clustering result as a plurality of access content clustering sets.
5. The method of claim 2, wherein the performing a user access risk assessment on the behavior monitoring data based on the behavior feature recognition channel to obtain an access risk assessment index further comprises:
inputting page content of the behavior monitoring data into the behavior feature recognition channel for content matching to obtain a first conventional stay time and first conventional operation steps;
performing similarity analysis on the page stay time according to the first conventional stay time to generate a first similarity coefficient;
Performing similarity analysis on the page operation step according to the first conventional operation step to generate a second similarity coefficient;
and based on the access risk assessment function, carrying out user access risk assessment according to the first similarity coefficient and the second similarity coefficient, and generating an access risk assessment index.
6. The method of claim 5, wherein the method further comprises:
Wherein the access risk assessment function expression is:
F=w1·S1+w2·S2
wherein F is the access risk assessment index, w1 and w2 are the weights of the first similarity coefficient and the second similarity coefficient respectively, S1 is the first similarity coefficient, S2 is the second similarity coefficient, Td is the first conventional stay time, Tc is the page stay time, N is the total number of operation steps in the first conventional operation steps, Zi is the i-th operation step in the first conventional operation steps, and zi is the i-th operation step in the page operation steps.
7. A network security risk prediction system based on user behavior analysis, characterized in that it performs the steps of the network security risk prediction method based on user behavior analysis of any one of claims 1 to 6, the system comprising:
The access request information receiving module is used for receiving access request information of a user, wherein the access request information comprises a target request program, current request time and a request IP address;
The request risk index generation module is used for carrying out request risk assessment based on the target request program, the current request time and the request IP address, and generating a request risk index;
The user behavior monitoring module is used for responding to the request information of the user when the request risk index meets a preset request risk index threshold value, and monitoring the access behavior of the user in real time to obtain behavior monitoring data;
The behavior feature recognition channel construction module is used for retrieving a user history access behavior log and carrying out data mining to construct a behavior feature recognition channel;
The access risk assessment module is used for carrying out user access risk assessment on the behavior monitoring data based on the behavior feature recognition channel to obtain an access risk assessment index;
The network risk early warning signal generation module is used for generating a network risk early warning signal when the access risk assessment index meets a preset access risk index threshold value, and performing access optimization management according to the network risk early warning signal.
CN202311704449.1A 2023-12-12 2023-12-12 Network security risk prediction method and system based on user behavior analysis Active CN117675387B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311704449.1A CN117675387B (en) 2023-12-12 2023-12-12 Network security risk prediction method and system based on user behavior analysis

Publications (2)

Publication Number Publication Date
CN117675387A CN117675387A (en) 2024-03-08
CN117675387B true CN117675387B (en) 2024-06-14

Family

ID=90067931

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118174960A (en) * 2024-05-10 2024-06-11 华能信息技术有限公司 User operation auditing method and system of micro-service architecture

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114598525A (en) * 2022-03-09 2022-06-07 中国医学科学院阜外医院 IP automatic blocking method and device for network attack
CN116938543A (en) * 2023-07-07 2023-10-24 中国大唐集团科学技术研究总院有限公司 Abnormal access behavior identification method and system of electric power facility management platform

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10754936B1 (en) * 2013-03-13 2020-08-25 United Services Automobile Associate (USAA) Behavioral profiling method and system to authenticate a user
US9798883B1 (en) * 2014-10-06 2017-10-24 Exabeam, Inc. System, method, and computer program product for detecting and assessing security risks in a network
CN109242740A (en) * 2018-07-18 2019-01-18 平安科技(深圳)有限公司 Identity information risk assessment method, apparatus, computer equipment and storage medium
CN112348310A (en) * 2020-09-21 2021-02-09 西安交大捷普网络科技有限公司 Risk assessment method and system for network behaviors
CN114553541B (en) * 2022-02-17 2024-02-06 苏州良医汇网络科技有限公司 Method, device, equipment and storage medium for checking anti-crawlers in grading mode
CN116633615A (en) * 2023-05-23 2023-08-22 之江实验室 Access control method based on blockchain and risk assessment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant