CN104731914A - Method for detecting user abnormal behavior based on behavior similarity - Google Patents


Info

Publication number
CN104731914A
Authority
CN
China
Prior art keywords
similarity
behavior
user
url
user behavior
Prior art date
Legal status
Pending
Application number
CN201510130732.7A
Other languages
Chinese (zh)
Inventor
李清玉
颜斌
Current Assignee
Inspur Group Co Ltd
Original Assignee
Inspur Group Co Ltd
Priority date
2015-03-24
Filing date
2015-03-24
Publication date
2015-06-24

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/955Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9566URL specific, e.g. using aliases, detecting broken or misspelled links

Abstract

The invention discloses a method for detecting abnormal user behavior based on behavior similarity and belongs to the field of computer information security. From characteristic parameters that describe user behavior and are extracted from Web logs, the method computes the time similarity, place similarity and URL similarity of the behavior, combines them into a user behavior similarity, and compares user behavior similarities: a large change reflects a substantial change in user behavior, and abnormal user behavior is thereby detected. Compared with the prior art, the method detects abnormal user behavior by combining several factors and achieves higher detection efficiency and accuracy.

Description

A method for detecting abnormal user behavior based on behavior similarity
Technical field
The present invention relates to the field of computer information security, and specifically to a method for detecting abnormal user behavior based on behavior similarity.
Background technology
As the era of mobile Internet and BYOD (bring your own device) office work matures, information and network security faces new challenges. Abnormal behavior by network users has become one of the major threats that networks face. Abnormal behavior, as opposed to normal behavior, is behavior carried out by a network user or a malicious attacker that affects the normal operation of the network, for example spreading malicious code or launching DDoS attacks. Such behavior causes network service quality to drop sharply and network load to increase, even to the point of paralysis. With the rapid development of cloud computing and big data, new variants and new forms of abnormal user behavior emerge endlessly, and the threat they pose grows more serious by the day.
Therefore, whether the aim is to strengthen the management and control of user behavior or to guarantee the normal operation of the network, abnormal behavior by network users must be detected quickly and accurately. How to detect and block abnormal user behavior effectively has become a research hotspot in the industry.
The prior art usually obtains features of abnormal behavior through in-depth analysis using methods such as port scanning and matching of message characteristic fields, and detects abnormal network-user behavior on that basis. But as abnormal user behavior keeps changing, the cost of relying on manual analysis to obtain such features grows ever higher and eventually becomes infeasible. With the development of artificial intelligence, machine learning is increasingly used to compute abnormal behavior patterns automatically from network data, extract their features and generate detection rules automatically, which greatly reduces development cost.
Three similarity measure functions are commonly used in machine learning: cosine similarity, correlation similarity and adjusted cosine similarity. The cosine similarity function is widely used to measure the similarity of vectors, and can be used directly to measure the degree of similarity between the rating behaviors of nodes.
Summary of the invention
The technical task of the present invention is to address the above shortcomings of the prior art by providing a method for detecting abnormal user behavior based on behavior similarity.
In a network environment, user behavior generally exhibits similarity and can be characterized by a similarity measure. The similarity of abnormal behavior differs markedly from the similarity of normal behavior. The method of the invention detects abnormal user behavior on this basis.
The technical task of the present invention is achieved as follows. A method for detecting abnormal user behavior based on behavior similarity is characterized in that, from characteristic parameters describing user behavior obtained from Web logs, the method computes the time similarity, place similarity and URL similarity of the user behavior, combines them into a user behavior similarity, and compares user behavior similarities; a relatively large change reflects a substantial change in user behavior, and abnormal user behavior is thereby detected.
Preferably, the method comprises the following steps:
(1) Characteristic parameter extraction
Characteristic parameters describing user behavior are obtained by analyzing Web logs and are described by a tuple.
(2) Behavior similarity calculation: from the tuple of user behavior characteristic parameters, the parameters taking part in the similarity calculation are quantized, and similarity measure functions from machine learning are then used to compute the time similarity S_t, the place similarity S_i and the URL similarity S_u of the user behavior.
Then, according to the degree to which S_t, S_i and S_u each influence the user behavior similarity, the user behavior similarity along the user's access path is computed and used as the indicator for detecting abnormal user behavior.
(3) Abnormal behavior detection
The user behavior similarities along the user's access path obtained in step (2) are compared; if the magnitude of change exceeds a behavior similarity threshold, the corresponding user behavior is treated as abnormal.
Further, the characteristic parameters in step (1) are described by the tuple (ID, IP, R, t_r, t_d, M, P, Ref, UA), where ID uniquely identifies the user; IP is the client IP address from which the request was sent; R uniquely identifies a URL request; t_r is the request time of the current URL; t_d is the browsing duration; M is the request method; P is the page access path; Ref is the source of the request (the referrer); and UA is a set of (variable, value) pairs describing the state of the external environment and the effect of the current behavior on that environment (the parameter variables and values passed in P).
In step (2):
Time similarity S_t: a cosine similarity function is applied to a time vector formed from the main relevant parameters, including but not limited to t_r and t_d;
Place similarity S_i: a cosine similarity function is applied to a place vector formed from the main relevant parameters, including but not limited to ID, IP and the parameters in UA relating to the client address;
URL similarity S_u: an edit distance is applied to a URL vector formed from the main relevant parameters, including but not limited to R, M, P, Ref and the parameter variables and values passed along the access path in UA.
To reflect the different degrees to which time similarity, place similarity and URL similarity influence the user behavior similarity, different weight coefficients can be assigned to them when computing the user behavior similarity in step (2).
Compared with the prior art, the method of the present invention for detecting abnormal user behavior based on behavior similarity detects abnormal user behavior by combining several factors, and has higher detection efficiency and accuracy.
Description of the drawing
Figure 1 is a schematic diagram of the method of the present invention for detecting abnormal user behavior based on behavior similarity.
Embodiment
The method of the present invention for detecting abnormal user behavior based on behavior similarity is described in detail below with reference to the drawing and a specific embodiment.
Embodiment:
The detection method of the present invention computes, from characteristic parameters describing user behavior obtained from Web logs, the time similarity, place similarity and URL similarity of the user behavior, and combines them into a user behavior similarity; by comparing user behavior similarities, a relatively large change reflects a substantial change in user behavior, and abnormal user behavior is thereby detected. This method detects abnormal user behavior by combining several factors, and has higher detection efficiency and accuracy. Its principle is shown in Figure 1:
(1) Characteristic parameter extraction: characteristic parameters describing user behavior are obtained by analyzing Web logs and are described by the tuple (ID, IP, R, t_r, t_d, M, P, Ref, UA), where ID uniquely identifies the user; IP is the client IP address from which the request was sent; R uniquely identifies a URL request; t_r is the request time of the current URL; t_d is the browsing duration; M is the request method; P is the page access path; Ref is the source of the request (the referrer); and UA is a set of (variable, value) pairs describing the state of the external environment and the effect of the current behavior on that environment (the parameter variables and values passed in P).
(2) Behavior similarity calculation: from the tuple of user behavior characteristic parameters, the parameters taking part in the similarity calculation are quantized, and similarity measure functions from machine learning are then used to compute the time similarity S_t, the place similarity S_i and the URL similarity S_u of the user behavior:
(a) Time similarity S_t: a cosine similarity function is applied to a time vector formed from the main relevant parameters, including but not limited to t_r and t_d;
(b) Place similarity S_i: a cosine similarity function is applied to a place vector formed from the main relevant parameters, including but not limited to ID, IP and the parameters in UA relating to the client address;
(c) URL similarity S_u: an edit distance is applied to a URL vector formed from the main relevant parameters, including but not limited to R, M, P, Ref and the parameter variables and values passed along the access path in UA.
According to the degree to which time similarity, place similarity and URL similarity each influence the user behavior similarity, different weight coefficients are assigned, giving the formula for the user behavior similarity:
S = α*S_t + β*S_i + γ*S_u
Using this formula, the user behavior similarity along the user's access path P is computed and used as the indicator for detecting abnormal user behavior.
(3) Abnormal behavior detection: because the behavior similarity of abnormal behavior differs in magnitude from the behavior similarity of normal behavior, the user behavior similarities along the user's access path P are compared. If the magnitude of the difference exceeds a behavior similarity threshold δ, the corresponding user behavior is treated as abnormal. Formally:
|S_k - S_j| ≥ δ
For ease of exposition, the method is illustrated below with concrete Web requests.
1. Characteristic parameter extraction: obtain the Nginx Web log for a given time range, parse it according to the log format to obtain the user ID, IP address, request R, request time t_r, browsing duration t_d, request method M, page access path P, request source Ref, the (variable, value) set UA and other information, and represent each request as a tuple, so that a sequence of the user's web accesses is formed;
2. Similarity calculation: quantize the parameters taking part in the similarity calculation, and use the cosine similarity function from machine learning to compute the time similarity and place similarity; for the URL similarity, an edit distance can be used. According to the degree to which time similarity, place similarity and URL similarity each influence the user behavior similarity, choose different weight coefficients and use the behavior similarity formula to compute the user behavior similarity along the user's web access sequence;
3. Abnormal behavior detection: set a behavior similarity threshold and compare the user behavior similarities along the user's web access sequence. If the magnitude of the difference exceeds the behavior similarity threshold, the corresponding user behavior is treated as abnormal.
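The three steps above, carried through end to end as an added example that is not part of the patent and not code from its applicant: the block parses constructed Nginx combined-format log lines for one user, builds the (ID, IP, R, t_r, t_d, M, P, Ref, UA) tuple, computes S_t and S_i with cosine similarity and S_u with an edit distance, combines them as S = α*S_t + β*S_i + γ*S_u along the access path, and flags a request k when |S_k - S_{k-1}| ≥ δ. The log lines, the user name alice, the weights (0.3, 0.3, 0.4), δ = 0.5, the derivation of t_d as the gap to the user's next request, and the quantization of time (time of day on the unit circle) and place (IP prefixes plus user-agent tokens) are all assumptions of this example; the quantization matters because cosine similarity over raw epoch timestamps or raw IP octets is close to 1 for almost any pair and would discriminate nothing.

```python
import math
import re
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed Nginx "combined"-format log lines for one user (not real traffic).
# Assumption: $remote_user carries the user ID; the last two lines are the anomaly.
LOG_LINES = """\
10.0.0.5 - alice [24/Mar/2015:09:01:10 +0800] "GET /products?page=1 HTTP/1.1" 200 5120 "https://shop.example/" "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"
10.0.0.5 - alice [24/Mar/2015:09:02:40 +0800] "GET /products?page=2 HTTP/1.1" 200 5010 "https://shop.example/products?page=1" "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"
10.0.0.5 - alice [24/Mar/2015:09:04:05 +0800] "GET /products/item/42 HTTP/1.1" 200 7300 "https://shop.example/products?page=2" "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"
10.0.0.5 - alice [24/Mar/2015:09:05:30 +0800] "GET /products/item/43 HTTP/1.1" 200 7100 "https://shop.example/products?page=2" "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"
203.0.113.9 - alice [25/Mar/2015:03:14:02 +0800] "POST /admin/export?all=1&format=csv HTTP/1.1" 200 980001 "-" "curl/7.40.0"
203.0.113.9 - alice [25/Mar/2015:03:14:05 +0800] "POST /admin/export?all=1&format=sql HTTP/1.1" 200 1200000 "-" "curl/7.40.0"
""".splitlines()
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<id>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'\d+ \d+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

def parse_log(lines):
    """Step (1): one tuple (ID, IP, R, t_r, t_d, M, P, Ref, UA) per parseable line."""
    recs = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess its fields
        parts = urlsplit(m["url"])
        recs.append({"ID": m["id"], "IP": m["ip"], "R": m["url"], "M": m["method"],
                     "t_r": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
                     "t_d": 0.0, "P": parts.path, "Ref": m["ref"],
                     # UA: (variable, value) pairs passed in P, plus the user agent
                     "UA": {**dict(parse_qsl(parts.query)), "user_agent": m["ua"]}})
    # Assumption: t_d = seconds until the same user's next request (an access log
    # records no dwell time); a user's last request keeps t_d = 0.
    for cur, nxt in zip(recs, recs[1:]):
        if cur["ID"] == nxt["ID"]:
            cur["t_d"] = (nxt["t_r"] - cur["t_r"]).total_seconds()
    return recs

def cosine(a, b):
    """Cosine similarity of two sparse vectors held as dicts."""
    dot = sum(v * b.get(k, 0.0) for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def time_vector(rec):
    """Quantize t_r and t_d. Assumption: time of day on the unit circle (23:59 and 00:01
    are close, and epoch seconds cannot swamp the cosine) plus log-scaled t_d."""
    ang = 2 * math.pi * (rec["t_r"].hour + rec["t_r"].minute / 60) / 24
    dur = math.log1p(rec["t_d"]) / math.log1p(86400.0)
    return {"hcos": math.cos(ang), "hsin": math.sin(ang), "dur": dur}

def place_vector(rec):
    """Quantize the client address. Assumption: binary bag of the /8, /16, /24 and /32
    prefixes of IP plus user-agent tokens, so nearby addresses share tokens."""
    octets = rec["IP"].split(".")
    toks = {"ip:" + ".".join(octets[:n]) for n in range(1, 5)}
    toks |= {"ua:" + t.lower() for t in re.findall(r"[A-Za-z0-9]+", rec["UA"]["user_agent"])}
    return {t: 1.0 for t in toks}

def levenshtein(a, b):
    prev = list(range(len(b) + 1))  # edit distance with a single rolling row
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def url_string(rec):
    # canonical form of M, P and the (variable, value) pairs passed in P, sorted by name
    params = sorted((k, v) for k, v in rec["UA"].items() if k != "user_agent")
    return f'{rec["M"]} {rec["P"]}' + "".join(f" {k}={v}" for k, v in params)

def url_similarity(r1, r2):
    """S_u = 1 - edit distance / longer length, so identical URLs score 1.0."""
    s1, s2 = url_string(r1), url_string(r2)
    longest = max(len(s1), len(s2))
    return 1.0 if longest == 0 else 1.0 - levenshtein(s1, s2) / longest

def behavior_similarity(r1, r2, alpha=0.3, beta=0.3, gamma=0.4):
    """S = alpha*S_t + beta*S_i + gamma*S_u; the weights are this example's choice."""
    s_t = (1.0 + cosine(time_vector(r1), time_vector(r2))) / 2.0  # map [-1, 1] to [0, 1]
    s_i = cosine(place_vector(r1), place_vector(r2))  # binary bags: already in [0, 1]
    s_u = url_similarity(r1, r2)
    return alpha * s_t + beta * s_i + gamma * s_u

def detect(path, delta=0.5, **weights):
    """Step (3): S_k is the similarity of request k to request k-1 along the access path;
    request k is flagged when |S_k - S_{k-1}| >= delta. Returns (sims, flagged indices)."""
    sims = [behavior_similarity(a, b, **weights) for a, b in zip(path, path[1:])]
    flagged = [k + 1 for k in range(1, len(sims)) if abs(sims[k] - sims[k - 1]) >= delta]
    return sims, flagged

def run(lines=LOG_LINES, user="alice", delta=0.5):
    """Extract one user's access sequence from the log and run the detector over it."""
    path = [r for r in parse_log(lines) if r["ID"] == user]
    sims, flagged = detect(path, delta)
    return path, sims, flagged

if __name__ == "__main__":
    for k, s in enumerate(run()[1], 1):  # sims[k-1] is the transition into request k
        print(f"transition into request {k}: S={s:.3f}")
```

With these inputs the four Firefox requests from 10.0.0.5 score S ≈ 0.87 to 0.98 against their predecessors, the first curl POST from 203.0.113.9 at 03:14 scores S ≈ 0.29, and `run()` flags requests 4 and 5 (0-based). Request 5 is flagged only because the similarity rebounds: the absolute form |S_k - S_j| fires once when behavior breaks away and again when it settles into a new pattern, so a deployment should decide whether a rebound is an alert or only the drop is, and tune δ and the weights per user population. Nothing here stops an attacker who replays a victim's usual hours, addresses and URL patterns; the method only scores deviation from the user's own recent path.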

Claims (5)

1. A method for detecting abnormal user behavior based on behavior similarity, characterized in that: from characteristic parameters describing user behavior obtained from Web logs, the method computes the time similarity, place similarity and URL similarity of the user behavior and combines them into a user behavior similarity; by comparing user behavior similarities, a relatively large change reflects a substantial change in user behavior, and abnormal user behavior is thereby detected.
2. The method for detecting abnormal user behavior based on behavior similarity according to claim 1, characterized in that the method comprises the following steps:
(1) Characteristic parameter extraction
Characteristic parameters describing user behavior are obtained by analyzing Web logs and are described by a tuple.
(2) Behavior similarity calculation: from the tuple of user behavior characteristic parameters, the parameters taking part in the similarity calculation are quantized, and similarity measure functions from machine learning are then used to compute the time similarity S_t, the place similarity S_i and the URL similarity S_u of the user behavior.
Then, according to the degree to which S_t, S_i and S_u each influence the user behavior similarity, the user behavior similarity along the user's access path is computed and used as the indicator for detecting abnormal user behavior.
(3) Abnormal behavior detection
The user behavior similarities along the user's access path obtained in step (2) are compared; if the magnitude of change exceeds a behavior similarity threshold, the corresponding user behavior is treated as abnormal.
3. The method for detecting abnormal user behavior based on behavior similarity according to claim 2, characterized in that the characteristic parameters in step (1) are described by the tuple (ID, IP, R, t_r, t_d, M, P, Ref, UA), where ID uniquely identifies the user; IP is the client IP address from which the request was sent; R uniquely identifies a URL request; t_r is the request time of the current URL; t_d is the browsing duration; M is the request method; P is the page access path; Ref is the source of the request (the referrer); and UA is a set of (variable, value) pairs describing the state of the external environment and the effect of the current behavior on that environment.
4. The method for detecting abnormal user behavior based on behavior similarity according to claim 3, characterized in that, in step (2):
Time similarity S_t: a cosine similarity function is applied to a time vector formed from the main relevant parameters, including but not limited to t_r and t_d;
Place similarity S_i: a cosine similarity function is applied to a place vector formed from the main relevant parameters, including but not limited to ID, IP and the parameters in UA relating to the client address;
URL similarity S_u: an edit distance is applied to a URL vector formed from the main relevant parameters, including but not limited to R, M, P, Ref and the parameter variables and values passed along the access path in UA.
5. The method for detecting abnormal user behavior based on behavior similarity according to claim 3, characterized in that, when computing the user behavior similarity in step (2), different weight coefficients are assigned to the time similarity, place similarity and URL similarity according to the degree to which each influences the user behavior similarity.
CN201510130732.7A 2015-03-24 2015-03-24 Method for detecting user abnormal behavior based on behavior similarity Pending CN104731914A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510130732.7A CN104731914A (en) 2015-03-24 2015-03-24 Method for detecting user abnormal behavior based on behavior similarity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510130732.7A CN104731914A (en) 2015-03-24 2015-03-24 Method for detecting user abnormal behavior based on behavior similarity

Publications (1)

Publication Number Publication Date
CN104731914A true CN104731914A (en) 2015-06-24

Family

ID=53455801

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510130732.7A Pending CN104731914A (en) 2015-03-24 2015-03-24 Method for detecting user abnormal behavior based on behavior similarity

Country Status (1)

Country Link
CN (1) CN104731914A (en)

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105337987A (en) * 2015-11-20 2016-02-17 同济大学 Network user identity authentication method and system
CN106294881A (en) * 2016-08-30 2017-01-04 五八同城信息技术有限公司 information identifying method and device
CN106603296A (en) * 2016-12-20 2017-04-26 北京奇虎科技有限公司 Log processing method and device
CN106789885A (en) * 2016-11-17 2017-05-31 国家电网公司 User's unusual checking analysis method under a kind of big data environment
CN106936781A (en) * 2015-12-29 2017-07-07 亿阳安全技术有限公司 A kind of decision method and device of user's operation behavior
CN107104973A (en) * 2017-05-09 2017-08-29 北京潘达互娱科技有限公司 The method of calibration and device of user behavior
CN107579956A (en) * 2017-08-07 2018-01-12 北京奇安信科技有限公司 The detection method and device of a kind of user behavior
CN107707547A (en) * 2017-09-29 2018-02-16 北京神州绿盟信息安全科技股份有限公司 The detection method and equipment of a kind of ddos attack
CN107770129A (en) * 2016-08-17 2018-03-06 华为技术有限公司 Method and apparatus for detecting user behavior
CN108122116A (en) * 2016-11-29 2018-06-05 腾讯科技(深圳)有限公司 A kind of monitoring and managing method and system of product promotion channel
CN108388593A (en) * 2018-01-31 2018-08-10 北京奇艺世纪科技有限公司 A kind of anti-stealing link method, device and content server
CN109409189A (en) * 2018-08-20 2019-03-01 国政通科技有限公司 Dangerous person's recognition methods and device based on network trace
CN109583472A (en) * 2018-10-30 2019-04-05 中国科学院计算技术研究所 A kind of web log user identification method and system
CN110414212A (en) * 2019-08-05 2019-11-05 国网电子商务有限公司 A kind of multidimensional characteristic dynamic identity authentication method and system towards power business
CN110782342A (en) * 2019-10-29 2020-02-11 北京明略软件系统有限公司 Method and device for verifying correctness of new channel feature engineering based on binary classification model
CN112861891A (en) * 2019-11-27 2021-05-28 中国电信股份有限公司 User behavior abnormity detection method and device
CN113810338A (en) * 2020-06-12 2021-12-17 中国电信股份有限公司 Abnormal service address detection method and device, and computer readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050071741A1 (en) * 2003-09-30 2005-03-31 Anurag Acharya Information retrieval based on historical data
CN101166102A (en) * 2006-09-21 2008-04-23 索尼株式会社 Information processing device and method
CN101615186A (en) * 2009-07-28 2009-12-30 东北大学 A kind of BBS user's abnormal behaviour auditing method based on Hidden Markov theory

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
董富强: "Research on Network User Behavior Analysis and Its Application", China Master's Theses Full-text Database, Information Science and Technology series *
陈云芳 et al.: "Research on an Intrusion Detection Application Model Based on User Behavior Analysis", Microcomputer Development (微机发展) *

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105337987B (en) * 2015-11-20 2018-07-03 同济大学 A kind of method for authentication of identification of network user and system
CN105337987A (en) * 2015-11-20 2016-02-17 同济大学 Network user identity authentication method and system
CN106936781B (en) * 2015-12-29 2019-11-15 亿阳安全技术有限公司 A kind of determination method and device of user's operation behavior
CN106936781A (en) * 2015-12-29 2017-07-07 亿阳安全技术有限公司 A kind of decision method and device of user's operation behavior
CN107770129A (en) * 2016-08-17 2018-03-06 华为技术有限公司 Method and apparatus for detecting user behavior
CN106294881A (en) * 2016-08-30 2017-01-04 五八同城信息技术有限公司 information identifying method and device
CN106789885A (en) * 2016-11-17 2017-05-31 国家电网公司 User's unusual checking analysis method under a kind of big data environment
CN106789885B (en) * 2016-11-17 2021-11-16 国家电网公司 User abnormal behavior detection and analysis method under big data environment
CN108122116A (en) * 2016-11-29 2018-06-05 腾讯科技(深圳)有限公司 A kind of monitoring and managing method and system of product promotion channel
CN106603296A (en) * 2016-12-20 2017-04-26 北京奇虎科技有限公司 Log processing method and device
CN107104973A (en) * 2017-05-09 2017-08-29 北京潘达互娱科技有限公司 The method of calibration and device of user behavior
CN107579956A (en) * 2017-08-07 2018-01-12 北京奇安信科技有限公司 The detection method and device of a kind of user behavior
CN107579956B (en) * 2017-08-07 2021-05-11 奇安信科技集团股份有限公司 User behavior detection method and device
CN107707547A (en) * 2017-09-29 2018-02-16 北京神州绿盟信息安全科技股份有限公司 The detection method and equipment of a kind of ddos attack
CN108388593A (en) * 2018-01-31 2018-08-10 北京奇艺世纪科技有限公司 A kind of anti-stealing link method, device and content server
CN109409189A (en) * 2018-08-20 2019-03-01 国政通科技有限公司 Dangerous person's recognition methods and device based on network trace
CN109583472A (en) * 2018-10-30 2019-04-05 中国科学院计算技术研究所 A kind of web log user identification method and system
CN110414212A (en) * 2019-08-05 2019-11-05 国网电子商务有限公司 A kind of multidimensional characteristic dynamic identity authentication method and system towards power business
CN110782342A (en) * 2019-10-29 2020-02-11 北京明略软件系统有限公司 Method and device for verifying correctness of new channel feature engineering based on binary classification model
CN112861891A (en) * 2019-11-27 2021-05-28 中国电信股份有限公司 User behavior abnormity detection method and device
CN112861891B (en) * 2019-11-27 2023-11-28 中国电信股份有限公司 User behavior abnormality detection method and device
CN113810338A (en) * 2020-06-12 2021-12-17 中国电信股份有限公司 Abnormal service address detection method and device, and computer readable storage medium
CN113810338B (en) * 2020-06-12 2023-11-03 中国电信股份有限公司 Abnormal service address detection method and device, and computer readable storage medium

Similar Documents

Publication Publication Date Title
CN104731914A (en) Method for detecting user abnormal behavior based on behavior similarity
US9154516B1 (en) Detecting risky network communications based on evaluation using normal and abnormal behavior profiles
US9462009B1 (en) Detecting risky domains
CN105447113B (en) A kind of information analysis method based on big data
CN108920947A (en) A kind of method for detecting abnormality and device based on the modeling of log figure
CN103793650A (en) Static analysis method and static analysis device for Android application program
CN105072089A (en) WEB malicious scanning behavior abnormity detection method and system
Yao et al. Multi-source alert data understanding for security semantic discovery based on rough set theory
Chen et al. A mutual information based federated learning framework for edge computing networks
CN110162973B (en) Webshell file detection method and device
TWI656778B (en) Malicious domain detection method combining network information and network traffic
CN111787002A (en) Method and system for analyzing service data network security
CN110581856A (en) malicious code detection method and system
CN111885011B (en) Method and system for analyzing and mining safety of service data network
CN106850344B (en) Encryption method for recognizing flux based on stream gradient guiding
CN109962916B (en) Multi-attribute-based industrial internet security situation evaluation method
CN105516164B (en) Based on point shape and the P2P botnet detection method that adaptively merges
CN103701821B (en) File type identification method and device
JP4559462B2 (en) Anomaly detection method, apparatus, program, and recording medium due to communication related structure change
CN113919239B (en) Intelligent internal threat detection method and system based on space-time feature fusion
CN111565201B (en) Multi-attribute-based industrial internet security assessment method and system
CN114338233A (en) Network attack detection method and system based on flow analysis
CN106936650B (en) Network traffic safety processing method and device
CN109636575B (en) Terminal risk detection method, device, equipment and readable storage medium
US20170213038A1 (en) Misuseablity analysis for it infrastructure

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20150624