CN107517203B - User behavior baseline establishing method and device - Google Patents

User behavior baseline establishing method and device

Info

Publication number
CN107517203B
Authority
CN
China
Prior art keywords
user
user behavior
time
session set
session
Prior art date
Legal status
Active
Application number
CN201710671859.9A
Other languages
Chinese (zh)
Other versions
CN107517203A (en)
Inventor
高浩浩
白敏�
Current Assignee
Qax Technology Group Inc
Original Assignee
Qax Technology Group Inc
Application filed by Qax Technology Group Inc
Priority to CN201710671859.9A
Publication of CN107517203A
Application granted
Publication of CN107517203B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Embodiments of the present invention disclose a method and device for establishing a user behavior baseline. The method includes: acquiring a user behavior log sample set; based on the user behavior log sample set, along the time axis, establishing session-set user behavior baselines of users and user groups with the session set as the minimum time statistical unit; and based on the session-set user behavior baselines of the users and user groups, along the time axis, establishing user behavior baselines of users and user groups with a preset time period as the time unit. With the embodiments of the present invention, session sets can subsequently be compared with session sets and preset time periods with preset time periods; compared with the prior art, which uses one session or a single log entry as the minimum time statistical unit, abnormal user behavior can be discovered more easily and reasonably, and the probability of identifying abnormal user behavior is raised.

Figure (abstract drawing)

Description

A method and device for establishing a user behavior baseline

Technical field

Embodiments of the present invention relate to the technical field of network security, and in particular to a method and device for establishing a user behavior baseline.

Background

The rapid development of computer networks and mobile Internet applications has brought great convenience to work and daily life, but the threats and losses caused by various network security problems are also growing. Moreover, as network application technology develops rapidly, users' network behavior becomes increasingly diverse, so identifying the behavior of network users, discovering abnormal behavior events and ensuring network security becomes all the more important.

At present, whether user behavior is abnormal is generally determined by analyzing user behavior logs.

In view of this, how to analyze user behavior logs so as to improve the probability of identifying abnormal user behavior has become a technical problem that needs to be solved.

Summary of the invention

Because the existing methods have the above problems, embodiments of the present invention provide a method and device for establishing a user behavior baseline.

In a first aspect, an embodiment of the present invention provides a method for establishing a user behavior baseline, including:

acquiring a user behavior log sample set;

based on the user behavior log sample set, along the time axis, establishing session-set user behavior baselines of users and user groups with the session set as the minimum time statistical unit;

based on the session-set user behavior baselines of the users and user groups, along the time axis, establishing user behavior baselines of users and user groups with a preset time period as the time unit.

Optionally, establishing session-set user behavior baselines of users and user groups based on the user behavior log sample set, along the time axis and with the session set as the minimum time statistical unit, includes:

based on the user behavior log sample set, along the time axis and with the session set as the minimum time statistical unit, establishing session-set user behavior baselines of users and user groups by acquiring the user behavior information of each user and each user group within one session set.

Optionally, the user behavior information within one session set includes: the number of actions of each type within one session set, the amount of data downloaded or uploaded, the access frequency and the duration.

Optionally, the preset time period includes: daily, weekly, monthly and quarterly;

correspondingly, establishing user behavior baselines of users and user groups with a preset time period as the time unit, based on the session-set user behavior baselines of the users and user groups and along the time axis, includes:

based on the session-set user behavior baselines of the users and user groups, along the time axis and with the day as the time unit, establishing daily user behavior baselines of users and user groups by acquiring the daily user behavior information of each user and each user group;

based on the session-set user behavior baselines of the users and user groups, along the time axis and with the week as the time unit, establishing weekly user behavior baselines of users and user groups by acquiring the weekly user behavior information of each user and each user group;

based on the session-set user behavior baselines of the users and user groups, along the time axis and with the month as the time unit, establishing monthly user behavior baselines of users and user groups by acquiring the monthly user behavior information of each user and each user group;

based on the session-set user behavior baselines of the users and user groups, along the time axis and with the quarter as the time unit, establishing quarterly user behavior baselines of users and user groups by acquiring the quarterly user behavior information of each user and each user group.

Optionally, the daily user behavior information includes: the number of session sets per day, the number of actions of each type, the data volume, the time periods of the session sets accessed, the overall access time, the source IP address and the source physical address;

the weekly user behavior information includes: the number of session sets per week, the number of actions of each type, the data volume, the time periods of the session sets accessed, the overall access time, the source IP address, the source physical address and the number of days accessed in the week;

the monthly user behavior information includes: the number of session sets per month, the number of actions of each type, the data volume, the time periods of the session sets accessed, the overall access time, the source IP address, the source physical address and the number of days accessed in the month;

the quarterly user behavior information includes: the number of session sets per quarter, the number of actions of each type, the data volume, the time periods of the session sets accessed, the overall access time, the source IP address, the source physical address and the number of days accessed in the quarter.

Optionally, the session sets are divided on the basis of the user behavior log sample set by judging whether the time interval between two adjacent operations is less than or equal to the session-set timeout interval; if so, the two adjacent operations are placed in the same session set, otherwise they are placed in different session sets.

Optionally, the session-set timeout interval is obtained on the basis of the user behavior log sample set by learning the lengths of the user's operation intervals and aggregating them;

or,

the session-set timeout interval is preset according to the actual situation.

In a second aspect, an embodiment of the present invention further provides an apparatus for establishing a user behavior baseline, including:

an acquisition module, configured to acquire a user behavior log sample set;

a first establishment module, configured to establish, based on the user behavior log sample set, along the time axis and with the session set as the minimum time statistical unit, session-set user behavior baselines of users and user groups;

a second establishment module, configured to establish, based on the session-set user behavior baselines of the users and user groups and along the time axis, user behavior baselines of users and user groups with a preset time period as the time unit.

Optionally, the first establishment module is specifically configured to

establish, based on the user behavior log sample set, along the time axis and with the session set as the minimum time statistical unit, session-set user behavior baselines of users and user groups by acquiring the user behavior information of each user and each user group within one session set.

Optionally, the user behavior information within one session set includes: the number of actions of each type within one session set, the amount of data downloaded or uploaded, the access frequency and the duration.

Optionally, the preset time period includes: daily, weekly, monthly and quarterly;

correspondingly, the second establishment module is specifically configured to

establish, based on the session-set user behavior baselines of the users and user groups, along the time axis and with the day as the time unit, daily user behavior baselines of users and user groups by acquiring the daily user behavior information of each user and each user group;

establish, based on the session-set user behavior baselines of the users and user groups, along the time axis and with the week as the time unit, weekly user behavior baselines of users and user groups by acquiring the weekly user behavior information of each user and each user group;

establish, based on the session-set user behavior baselines of the users and user groups, along the time axis and with the month as the time unit, monthly user behavior baselines of users and user groups by acquiring the monthly user behavior information of each user and each user group;

establish, based on the session-set user behavior baselines of the users and user groups, along the time axis and with the quarter as the time unit, quarterly user behavior baselines of users and user groups by acquiring the quarterly user behavior information of each user and each user group.

Optionally, the daily user behavior information includes: the number of session sets per day, the number of actions of each type, the data volume, the time periods of the session sets accessed, the overall access time, the source IP address and the source physical address;

the weekly user behavior information includes: the number of session sets per week, the number of actions of each type, the data volume, the time periods of the session sets accessed, the overall access time, the source IP address, the source physical address and the number of days accessed in the week;

the monthly user behavior information includes: the number of session sets per month, the number of actions of each type, the data volume, the time periods of the session sets accessed, the overall access time, the source IP address, the source physical address and the number of days accessed in the month;

the quarterly user behavior information includes: the number of session sets per quarter, the number of actions of each type, the data volume, the time periods of the session sets accessed, the overall access time, the source IP address, the source physical address and the number of days accessed in the quarter.

Optionally, the session sets are divided on the basis of the user behavior log sample set by judging whether the time interval between two adjacent operations is less than or equal to the session-set timeout interval; if so, the two adjacent operations are placed in the same session set, otherwise they are placed in different session sets.

Optionally, the session-set timeout interval is obtained on the basis of the user behavior log sample set by learning the lengths of the user's operation intervals and aggregating them;

or,

the session-set timeout interval is preset according to the actual situation.

In a third aspect, an embodiment of the present invention further provides an electronic device, including a processor, a memory, a bus, and a computer program stored in the memory and runnable on the processor;

wherein the processor and the memory communicate with each other through the bus;

and the processor implements the above method when executing the computer program.

In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium on which a computer program is stored, and the computer program implements the above method when executed by a processor.

It can be seen from the above technical solutions that the embodiments of the present invention acquire a user behavior log sample set; based on it, along the time axis and with the session set as the minimum time statistical unit, establish session-set user behavior baselines of users and user groups; and based on those baselines, along the time axis, establish user behavior baselines of users and user groups with a preset time period as the time unit. Subsequently, session sets can be compared with session sets and preset time periods with preset time periods; compared with the prior art, which uses one session or a single log entry as the minimum time statistical unit, abnormal user behavior is discovered more easily and reasonably, and the probability of identifying abnormal user behavior is raised.

Brief description of the drawings

To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a schematic flowchart of a method for establishing a user behavior baseline according to an embodiment of the present invention;

FIG. 2 is a schematic structural diagram of an apparatus for establishing a user behavior baseline according to an embodiment of the present invention;

FIG. 3 is a logical block diagram of an electronic device according to an embodiment of the present invention.

Detailed description of the embodiments

The specific embodiments of the present invention are further described below with reference to the drawings. The following embodiments are only used to illustrate the technical solutions of the present invention more clearly and are not to be taken as limiting the scope of protection of the present invention.

FIG. 1 shows a schematic flowchart of a method for establishing a user behavior baseline provided by an embodiment of the present invention. As shown in FIG. 1, the method for establishing a user behavior baseline in this embodiment includes:

S101. Acquire a user behavior log sample set.

It should be understood that the user behavior log sample set may include multiple user behavior log samples.

S102. Based on the user behavior log sample set, along the time axis, establish session-set user behavior baselines of users and user groups with the session set as the minimum time statistical unit (that is, the minimum analysis unit).

In a specific application, the session sets may be divided on the basis of the user behavior log sample set by judging whether the time interval between two adjacent operations is less than or equal to the session-set timeout interval; if the interval between two adjacent operations is less than or equal to the session-set timeout interval, the two adjacent operations are placed in the same session set, and if the interval between them is greater than the session-set timeout interval, they are placed in different session sets.

It should be understood that when a user actually accesses the cloud or an intranet, the activity is concentrated in a period of time. Even if the current visit ends, when the next visit follows very closely, for example 5 minutes later (less than the session-set timeout interval), the two visits are still treated as one session set, that is, as one analysis unit, rather than analyzed as two separate sessions.

In a specific application, the session-set timeout interval may be obtained with a machine learning algorithm, that is, on the basis of the user behavior log sample set, the lengths of the user's operation intervals are learned and aggregated, and a smaller aggregated interval is taken as the session-set timeout interval;

or,

the session-set timeout interval may also be preset according to the actual situation; for example, it may be set according to the specific cloud service, say to 1 hour.

S103. Based on the session-set user behavior baselines of the users and user groups, along the time axis, establish user behavior baselines of users and user groups with a preset time period as the time unit.

The preset time period may include daily, weekly, monthly, quarterly and so on; this embodiment does not limit it, and other preset time periods, such as yearly, may be used according to the actual situation.

It should be understood that in practice many of the user behavior logs obtained may contain no login and logout records, so establishing a user behavior baseline on the basis of a single existing session is not realistic. Therefore, in this embodiment, the behavior of a person or entity is analyzed by looking at the operations concentrated within a certain period of time, rather than simply distinguishing them by session login and logout. For example, a malicious user logs in to a cloud service at 2:00 in the morning and pulls data, logs out at 2:30, logs in again at 2:35 and logs out at 3:00. This embodiment analyzes the session set covering 2:00 to 3:00 as one unit, rather than analyzing 2:00 to 2:30 and 2:35 to 3:00 separately. This better reflects the user's actions within one piece of work, and a logout in the middle does not sever the link between the operations before and after it.
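The session-set division and timeout rules described above, as an added worked example that is not code from the patent or its assignee. The log rows are constructed; the first five "alice" rows reproduce the 2:00 / 2:30 / 2:35 / 3:00 pattern from the description, and the preset 1-hour timeout is the value the description gives. The patent does not specify how the learned operation intervals are aggregated, so `learn_timeout` uses an assumed rule (cut the sorted gaps at the largest relative jump and take the largest gap below the cut); the function and variable names are likewise this example's own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed user behavior log sample (not from the patent): (user, time, action).
SAMPLE_LOG = [
    ("alice", "2017-08-01 02:00", "login"),
    ("alice", "2017-08-01 02:10", "download"),
    ("alice", "2017-08-01 02:30", "logout"),
    ("alice", "2017-08-01 02:35", "login"),     # only 5 min after the logout
    ("alice", "2017-08-01 03:00", "logout"),
    ("alice", "2017-08-01 09:00", "login"),     # 6 h later: a separate session set
    ("alice", "2017-08-01 09:05", "download"),
    ("alice", "2017-08-01 09:20", "logout"),
    ("bob",   "2017-08-01 08:00", "login"),
    ("bob",   "2017-08-01 08:02", "logout"),
]

FMT = "%Y-%m-%d %H:%M"
PRESET_TIMEOUT = timedelta(hours=1)   # the preset value given in the description


def parse_log(log):
    """Turn raw (user, time string, action) rows into (user, datetime, action) events."""
    return [(u, datetime.strptime(t, FMT), a) for u, t, a in log]


def split_session_sets(events, timeout):
    """Divide one user's events, ordered along the time axis, into session sets:
    adjacent operations whose gap is <= timeout fall into the same session set,
    a larger gap starts a new one."""
    sets, current = [], []
    for ev in sorted(events, key=lambda e: e[1]):
        if current and ev[1] - current[-1][1] > timeout:
            sets.append(current)
            current = []
        current.append(ev)
    if current:
        sets.append(current)
    return sets


def learn_timeout(events):
    """Assumed aggregation rule (the patent leaves the exact rule open): sort the
    gaps between adjacent operations, cut at the largest relative jump, and use the
    largest gap below the cut as the timeout. Gaps above the cut are the long
    pauses that separate session sets."""
    times = sorted(e[1] for e in events)
    gaps = sorted(b - a for a, b in zip(times, times[1:]) if b > a)
    if len(gaps) < 2:
        return gaps[0] if gaps else timedelta(0)
    cut = max(range(len(gaps) - 1), key=lambda i: gaps[i + 1] / gaps[i])
    return gaps[cut]


def sessionize(log, timeout=None):
    """Group the log by user and split each user's events into session sets,
    returned as (start, end, number of events). With timeout=None the timeout is
    learned per user from that user's own operation gaps."""
    per_user = defaultdict(list)
    for ev in parse_log(log):
        per_user[ev[0]].append(ev)
    result = {}
    for user, events in per_user.items():
        t = timeout if timeout is not None else learn_timeout(events)
        result[user] = [(s[0][1], s[-1][1], len(s))
                        for s in split_session_sets(events, t)]
    return result


if __name__ == "__main__":
    for user, sets in sessionize(SAMPLE_LOG, PRESET_TIMEOUT).items():
        for start, end, n in sets:
            print(user, start.strftime(FMT), "->", end.strftime("%H:%M"), n, "events")
```

With the 1-hour preset timeout the 2:00 to 3:00 activity comes out as one session set of five events, exactly as the description wants, and the 9:00 activity as a second one; with the learned timeout (25 minutes for "alice" on this sample) the split is the same, which is the sanity check to run before trusting a learned value on real logs.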

The method for establishing a user behavior baseline of this embodiment can be implemented by a processor. A user behavior log sample set is acquired; based on it, along the time axis and with the session set as the minimum time statistical unit, session-set user behavior baselines of users and user groups are established; and based on those baselines, along the time axis, user behavior baselines of users and user groups with a preset time period as the time unit are established. Subsequently, session sets can be compared with session sets and preset time periods with preset time periods; compared with the prior art, which uses one session or a single log entry as the minimum time statistical unit, abnormal user behavior is discovered more easily and reasonably, the probability of identifying abnormal user behavior is raised, and the method is of more practical significance.

Further, on the basis of the above method embodiment, step S102 of this embodiment may include:

based on the user behavior log sample set, along the time axis and with the session set as the minimum time statistical unit, establishing session-set user behavior baselines of users and user groups by acquiring the user behavior information of each user and each user group within one session set.

The user behavior information within one session set may include: the number of actions of each type (that is, the number of operations of each type) within one session set, the amount of data downloaded or uploaded, the access frequency and the duration, etc. This embodiment does not limit it, and other user behavior information of each user and each user group within one session set may be included according to the actual situation.

By using the session set as the minimum time statistical unit, compared with the prior art, which uses one session or a single log entry as the minimum time statistical unit, this embodiment makes it easier to discover abnormal user behavior reasonably and raises the probability of identifying it, which is of more practical significance.

Further, on the basis of the above method embodiment, when the preset time period includes daily, weekly, monthly and quarterly, step S103 may correspondingly include steps A1 to A4, which are not shown in the figure:

A1. Based on the session-set user behavior baselines of the users and user groups, along the time axis and with the day as the time unit, establish daily user behavior baselines of users and user groups by acquiring the daily user behavior information of each user and each user group.

The daily user behavior information may include: the number of session sets per day, the number of actions of each type, the data volume, the time periods of the session sets accessed, the overall access time, the source IP (Internet Protocol) address and the source physical address, etc. This embodiment does not limit it, and other daily user behavior information of each user and each user group may be included according to the actual situation.

A2. Based on the session-set user behavior baselines of the users and user groups, along the time axis and with the week as the time unit, establish weekly user behavior baselines of users and user groups by acquiring the weekly user behavior information of each user and each user group.

The weekly user behavior information may include: the number of session sets per week, the number of actions of each type, the data volume, the time periods of the session sets accessed, the overall access time, the source IP address, the source physical address and the number of days accessed in the week, etc. This embodiment does not limit it, and other weekly user behavior information of each user and each user group may be included according to the actual situation.

A3. Based on the session-set user behavior baselines of the users and user groups, along the time axis and with the month as the time unit, establish monthly user behavior baselines of users and user groups by acquiring the monthly user behavior information of each user and each user group.

The monthly user behavior information may include: the number of session sets per month, the number of actions of each type, the data volume, the time periods of the session sets accessed, the overall access time, the source IP address, the source physical address and the number of days accessed in the month, etc. This embodiment does not limit it, and other monthly user behavior information of each user and each user group may be included according to the actual situation.

A4. Based on the session-set user behavior baselines of the users and user groups, along the time axis and with the quarter as the time unit, establish quarterly user behavior baselines of users and user groups by acquiring the quarterly user behavior information of each user and each user group.

The quarterly user behavior information may include: the number of session sets per quarter, the number of actions of each type, the data volume, the time periods of the session sets accessed, the overall access time, the source IP address, the source physical address and the number of days accessed in the quarter, etc. This embodiment does not limit it, and other quarterly user behavior information of each user and each user group may be included according to the actual situation.

本实施例的用户行为基线建立方法,后续可以将会话集与会话集作比较,天与天作比较,月与月作比较,季度与季度作比较等,与现有技术中以一个会话或单条日志作为最小时间统计单元相比,较易合理的发现用户异常行为,提高用户异常行为的识别概率,更具有实际意义。In the method for establishing a user behavior baseline in this embodiment, a session set can be compared with a session set, day with day, month with month, quarter with quarter, etc. Compared with the minimum time statistical unit, the log is easier to reasonably find the abnormal behavior of the user and improve the identification probability of the abnormal behavior of the user, which is more practical.

FIG. 2 shows a schematic structural diagram of a user behavior baseline establishing apparatus provided by an embodiment of the present invention. As shown in FIG. 2, the apparatus of this embodiment includes an acquisition module 21, a first establishing module 22 and a second establishing module 23, wherein:

the acquisition module 21 is configured to acquire a user behavior log sample set;

the first establishing module 22 is configured to establish session set user behavior baselines of users and user groups based on the user behavior log sample set, along the time axis and taking the session set as the minimum time statistical unit;

the second establishing module 23 is configured to establish user behavior baselines of the users and user groups that take a preset time period as the time unit, based on the session set user behavior baselines of the users and user groups and along the time axis.

Specifically, the acquisition module 21 acquires a user behavior log sample set; the first establishing module 22 establishes session set user behavior baselines of users and user groups based on that sample set, along the time axis and taking the session set as the minimum time statistical unit; and the second establishing module 23 establishes, based on those session set user behavior baselines and along the time axis, user behavior baselines of the users and user groups that take a preset time period as the time unit.

The preset time period may include every day, every week, every month, every quarter and the like. This embodiment does not limit it; other preset time periods, for example every year, may be used according to the actual situation.

In a specific application, the division of session sets may be based on the user behavior log sample set: judge whether the time interval between two adjacent operations is less than or equal to the timeout interval of the session set; if it is less than or equal to the timeout interval, the two adjacent operations are divided into the same session set, and if it is greater than the timeout interval, the two adjacent operations are divided into different session sets.

It can be understood that when a user actually accesses the cloud or the intranet, the access is concentrated within a period of time. Even if the current access is exited, if the next access follows very closely, for example 5 minutes later (less than the session set timeout interval), the two accesses are still regarded as one session set, that is, one analysis unit, rather than being analyzed as two separate sessions.

In a specific application, the timeout interval of the session set may be obtained by a machine learning method, that is, based on the user behavior log sample set, the lengths of the users' operation intervals are learned and aggregated, and a smaller aggregated interval obtained in this way is taken as the timeout interval of the session set;

or,

the timeout interval of the session set may also be preset according to the actual situation; for example, it may be set according to the specific cloud service.

It can be understood that, in practice, many of the acquired user behavior logs may contain no login or logout records, so establishing a user behavior baseline on the basis of a single existing session is unrealistic. Therefore, in this embodiment, the behavior of a person or entity is analyzed by looking at the operations concentrated within a certain period of time, rather than simply separating them by session login and logout. For example, a malicious user logs in to the cloud service at 2:00 a.m. and pulls data, logs out at 2:30, logs in again at 2:35 and logs out at 3:00. This embodiment analyzes the session set spanning 2:00 to 3:00 as one unit, rather than analyzing 2:00 to 2:30 and 2:35 to 3:00 separately. This better reflects the user's actions within one piece of activity, and a logout in the middle does not sever the connection between the operations before and after it.

With the user behavior baseline establishing apparatus of this embodiment, session sets can subsequently be compared with session sets and preset time periods with preset time periods. Compared with the prior art, which takes a single session or a single log entry as the minimum time statistical unit, abnormal user behavior is easier to discover in a well-founded way and the probability of identifying it is higher, which is of greater practical significance.

Further, on the basis of the above method embodiment, the first establishing module 22 of this embodiment may be specifically configured to:

establish session set user behavior baselines of users and user groups based on the user behavior log sample set, along the time axis and taking the session set as the minimum time statistical unit, by acquiring the user behavior information of each user and each user group within one session set.

The user behavior information within one session set may include the number of actions of each type within the session set, the amount of data downloaded or uploaded, the access frequency and the time length. This embodiment does not limit it; according to the actual situation it may also include other user behavior information of each user and each user group within one session set.

By taking the session set as the minimum time statistical unit, compared with the prior art, which takes a single session or a single log entry as the minimum time statistical unit, this embodiment makes abnormal user behavior easier to discover in a well-founded way and raises the probability of identifying it, which is of greater practical significance.

Further, on the basis of the above method embodiment, when the preset time period includes every day, every week, every month and every quarter, the second establishing module 23 of this embodiment may correspondingly be specifically configured to:

establish daily user behavior baselines of the users and user groups based on their session set user behavior baselines, along the time axis and taking the day as the time unit, by acquiring the daily user behavior information of each user and each user group;

establish weekly user behavior baselines of the users and user groups based on their session set user behavior baselines, along the time axis and taking the week as the time unit, by acquiring the weekly user behavior information of each user and each user group;

establish monthly user behavior baselines of the users and user groups based on their session set user behavior baselines, along the time axis and taking the month as the time unit, by acquiring the monthly user behavior information of each user and each user group;

establish quarterly user behavior baselines of the users and user groups based on their session set user behavior baselines, along the time axis and taking the quarter as the time unit, by acquiring the quarterly user behavior information of each user and each user group.

The daily user behavior information may include the number of session sets in the day, the number of actions of each type, the data volume, the time periods of the accessed session sets, the overall access time, the source IP address and the source physical address. This embodiment does not limit it; according to the actual situation it may also include other daily user behavior information of each user and each user group.

The weekly user behavior information may include the number of session sets in the week, the number of actions of each type, the data volume, the time periods of the accessed session sets, the overall access time, the source IP address, the source physical address and the number of days accessed in the week. This embodiment does not limit it; according to the actual situation it may also include other weekly user behavior information of each user and each user group.

The monthly user behavior information may include the number of session sets in the month, the number of actions of each type, the data volume, the time periods of the accessed session sets, the overall access time, the source IP address, the source physical address and the number of days accessed in the month. This embodiment does not limit it; according to the actual situation it may also include other monthly user behavior information of each user and each user group.

The quarterly user behavior information may include the number of session sets in the quarter, the number of actions of each type, the data volume, the time periods of the accessed session sets, the overall access time, the source IP address, the source physical address and the number of days accessed in the quarter. This embodiment does not limit it; according to the actual situation it may also include other quarterly user behavior information of each user and each user group.
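The following is an added worked example, not code from the patent or its assignee, covering both the session set division described earlier (adjacent operations no further apart than the timeout fall into one session set) and the roll-up of per-session-set information into daily, weekly, monthly and quarterly baselines for users and for user groups. The log records, the 15-minute timeout, the field names and the median rule used in learn_timeout are constructed assumptions; the patent gives no concrete learning rule.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

@dataclass(frozen=True)
class LogEvent:
    """One user-behavior log record; fields follow the information the patent lists."""
    user: str
    group: str
    ts: datetime
    action: str  # login / logout / download / upload
    nbytes: int  # data volume moved by this action
    src_ip: str

def _by_user(events):
    """Time-ordered events per user; a session set below is one user's list of events."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)
    return by_user

def learn_timeout(events, floor=timedelta(minutes=5)):
    """Learn the timeout from operation intervals. The patent gives no concrete rule;
    the median of all intra-user gaps (never below `floor`) is this example's assumption."""
    gaps = [(b.ts - a.ts).total_seconds()
            for evs in _by_user(events).values() for a, b in zip(evs, evs[1:])]
    return max(timedelta(seconds=median(gaps)), floor) if gaps else floor

def split_session_sets(events, timeout):
    """Adjacent operations of a user at most `timeout` apart go into the same session
    set; a larger gap starts a new one (the division rule of the patent)."""
    sets = []
    for evs in _by_user(events).values():
        current = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            if cur.ts - prev.ts <= timeout:
                current.append(cur)
            else:
                sets.append(current)
                current = [cur]
        sets.append(current)
    return sets

def session_set_features(s):
    """Per-session-set information: action counts, data down/up, length, frequency."""
    duration = (s[-1].ts - s[0].ts).total_seconds()
    return {
        "actions": Counter(e.action for e in s),
        "bytes_down": sum(e.nbytes for e in s if e.action == "download"),
        "bytes_up": sum(e.nbytes for e in s if e.action == "upload"),
        "duration_s": duration,
        "ops_per_min": len(s) / max(duration / 60, 1),
    }

PERIODS = {  # map a calendar date to the preset time period that contains it
    "day": lambda d: d.isoformat(),
    "week": lambda d: "%d-W%02d" % d.isocalendar()[:2],
    "month": lambda d: "%d-%02d" % (d.year, d.month),
    "quarter": lambda d: "%d-Q%d" % (d.year, (d.month - 1) // 3 + 1),
}

def period_baseline(session_sets, period="day", key=lambda s: s[0].user):
    """Baseline per (entity, period): session-set count, action counts, data volume,
    time periods, overall access time, source IPs, days accessed. key=lambda s: s[0].group
    yields the user-group baseline instead of the per-user one."""
    bucket, out = PERIODS[period], {}
    for s in session_sets:
        day = s[0].ts.date()
        b = out.setdefault((key(s), bucket(day)), {
            "session_sets": 0, "actions": Counter(), "bytes": 0, "periods": [],
            "access_seconds": 0.0, "src_ips": set(), "days": set()})
        f = session_set_features(s)
        b["session_sets"] += 1
        b["actions"] += f["actions"]
        b["bytes"] += f["bytes_down"] + f["bytes_up"]
        b["periods"].append((s[0].ts.strftime("%H:%M"), s[-1].ts.strftime("%H:%M")))
        b["access_seconds"] += f["duration_s"]
        b["src_ips"].update(e.src_ip for e in s)
        b["days"].add(day)
    for b in out.values():
        b["days"] = len(b["days"])  # number of days accessed within the period
    return out

# Constructed sample logs; the first seven replay the patent's 02:00-03:00 scenario.
SAMPLE_EVENTS = [
    LogEvent("alice", "ops", datetime(2024, 1, 8, 2, 0), "login", 0, "10.0.0.5"),
    LogEvent("alice", "ops", datetime(2024, 1, 8, 2, 10), "download", 50_000_000, "10.0.0.5"),
    LogEvent("alice", "ops", datetime(2024, 1, 8, 2, 20), "download", 70_000_000, "10.0.0.5"),
    LogEvent("alice", "ops", datetime(2024, 1, 8, 2, 30), "logout", 0, "10.0.0.5"),
    LogEvent("alice", "ops", datetime(2024, 1, 8, 2, 35), "login", 0, "10.0.0.5"),
    LogEvent("alice", "ops", datetime(2024, 1, 8, 2, 50), "download", 30_000_000, "10.0.0.5"),
    LogEvent("alice", "ops", datetime(2024, 1, 8, 3, 0), "logout", 0, "10.0.0.5"),
    LogEvent("alice", "ops", datetime(2024, 1, 8, 14, 0), "login", 0, "10.0.0.5"),
    LogEvent("alice", "ops", datetime(2024, 1, 8, 14, 5), "upload", 1_000_000, "10.0.0.5"),
    LogEvent("alice", "ops", datetime(2024, 1, 9, 9, 0), "login", 0, "10.0.0.5"),
    LogEvent("alice", "ops", datetime(2024, 1, 9, 9, 5), "logout", 0, "10.0.0.5"),
    LogEvent("bob", "ops", datetime(2024, 1, 8, 10, 0), "download", 2_000_000, "10.0.0.7"),
]
SAMPLE_TIMEOUT = timedelta(minutes=15)  # constructed; the 5-minute gap at 02:30 is below it
```

With the 15-minute timeout the 2:00 to 3:00 activity forms one session set despite the logout at 2:30; the timeout learned from this small sample (10 minutes) would instead split it at the 15-minute gap after 2:35, which shows how much the baseline depends on that single parameter.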

With the user behavior baseline establishing apparatus of this embodiment, session sets can subsequently be compared with session sets, days with days, months with months, quarters with quarters and so on. Compared with the prior art, which takes a single session or a single log entry as the minimum time statistical unit, abnormal user behavior is easier to discover in a well-founded way and the probability of identifying it is higher, which is of greater practical significance.

The user behavior baseline establishing apparatus of this embodiment can be used to execute the technical solutions of the foregoing method embodiments; its implementation principle and technical effect are similar and are not described again here.

FIG. 3 shows a schematic diagram of the physical structure of an electronic device provided by an embodiment of the present invention. As shown in FIG. 3, the electronic device may include a processor 11, a memory 12, a bus 13, and a computer program stored on the memory 12 and executable on the processor 11;

the processor 11 and the memory 12 communicate with each other through the bus 13;

when the processor 11 executes the computer program, the method provided by each of the above method embodiments is implemented, for example including: acquiring a user behavior log sample set; based on the user behavior log sample set, along the time axis and taking the session set as the minimum time statistical unit, establishing session set user behavior baselines of users and user groups; and based on the session set user behavior baselines of the users and user groups, along the time axis, establishing user behavior baselines of the users and user groups that take a preset time period as the time unit.

An embodiment of the present invention provides a non-transitory computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the method provided by each of the above method embodiments is implemented, for example including: acquiring a user behavior log sample set; based on the user behavior log sample set, along the time axis and taking the session set as the minimum time statistical unit, establishing session set user behavior baselines of users and user groups; and based on the session set user behavior baselines of the users and user groups, along the time axis, establishing user behavior baselines of the users and user groups that take a preset time period as the time unit.

Those skilled in the art should understand that the embodiments of the present application may be provided as a method, an apparatus or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage and the like) having computer-usable program code embodied therein.

The present application is described with reference to flowcharts and/or block diagrams of methods, apparatus and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus/system for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another and do not necessarily require or imply that any such actual relationship or order exists between these entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a list of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element qualified by the phrase "comprising a ..." does not preclude the presence of additional identical elements in the process, method, article or device that includes the element. The orientation or positional relationship indicated by terms such as "upper" and "lower" is based on the orientation or positional relationship shown in the drawings and is used only to facilitate and simplify the description of the present invention; it does not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation, and therefore must not be understood as limiting the present invention. Unless otherwise expressly specified and limited, the terms "mounted", "connected" and "coupled" should be understood in a broad sense: for example, a connection may be fixed, detachable or integral; it may be mechanical or electrical; it may be direct or indirect through an intermediate medium, or it may be an internal communication between two elements. Those of ordinary skill in the art can understand the specific meanings of the above terms in the present invention according to the specific situation.

In the description of the present invention, numerous specific details are set forth. It should be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description. Similarly, it should be understood that, in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention. It should be noted that the embodiments in the present application and the features of the embodiments may be combined with each other where they do not conflict. The invention is not limited to any single aspect, nor to any single embodiment, nor to any combination and/or permutation of these aspects and/or embodiments. Furthermore, each aspect and/or embodiment of the invention may be used alone or in combination with one or more other aspects and/or embodiments thereof.

Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention; all of them shall fall within the scope of the claims and the description of the present invention.

Claims (8)

1. A user behavior baseline establishing method is characterized by comprising the following steps:
acquiring a user behavior log sample set;
based on the user behavior log sample set, taking a session set as a minimum time statistical unit according to a time axis, and establishing a session set user behavior baseline of users and user groups by acquiring user behavior information of each user and each user group in one session set;
establishing user behavior baselines of the users and the user groups by taking a preset time period as a time unit according to a time axis based on the conversation set user behavior baselines of the users and the user groups;
the division of the session set is based on the user behavior log sample set: whether the time interval between two adjacent operations is less than or equal to the timeout interval of the session set is judged; if so, the two adjacent operations are divided into the same session set, otherwise the two adjacent operations are divided into different session sets; the timeout interval of the session set is obtained by learning the lengths of the users' operation intervals from the user behavior log sample set and aggregating them, or the timeout interval of the session set is preset according to a specific cloud service; and the user behavior information within one session set comprises the number of actions of each type within the session set, the amount of data downloaded or uploaded, the access frequency and the time length.
2. The method of claim 1, wherein the preset time period comprises: daily, weekly, monthly, and quarterly;
correspondingly, the establishing of the user behavior baseline of the user and the user group with the preset time period as the time unit according to the time axis based on the conversation set user behavior baseline of the user and the user group comprises:
establishing a daily user behavior baseline of the users and the user groups by acquiring daily user behavior information of each user and each user group according to a time axis and taking days as time units on the basis of the conversation set user behavior baselines of the users and the user groups;
based on the conversation set user behavior baselines of the users and the user groups, establishing weekly user behavior baselines of the users and the user groups by acquiring weekly user behavior information of each user and each user group according to a time axis and taking a week as a time unit;
establishing a monthly user behavior baseline of the users and the user groups by acquiring monthly user behavior information of each user and each user group according to a time axis and by taking months as time units on the basis of the conversation set user behavior baselines of the users and the user groups;
and based on the conversation set user behavior baselines of the users and the user groups, establishing the quarterly user behavior baselines of the users and the user groups by acquiring the quarterly user behavior information of each user and each user group according to a time axis.
3. The method of claim 2, wherein the daily user behavior information comprises the number of session sets in the day, the number of actions of each type, the data volume, the time periods of the accessed session sets, the overall access time, the source IP address and the source physical address;
the weekly user behavior information comprises the number of session sets in the week, the number of actions of each type, the data volume, the time periods of the accessed session sets, the overall access time, the source IP address, the source physical address and the number of days accessed in the week;
the monthly user behavior information comprises the number of session sets in the month, the number of actions of each type, the data volume, the time periods of the accessed session sets, the overall access time, the source IP address, the source physical address and the number of days accessed in the month;
the quarterly user behavior information comprises the number of session sets in the quarter, the number of actions of each type, the data volume, the time periods of the accessed session sets, the overall access time, the source IP address, the source physical address and the number of days accessed in the quarter.
4. A user behavior baseline establishing apparatus, comprising:
the acquisition module is used for acquiring a user behavior log sample set;
the first establishing module is used for establishing a session set user behavior baseline of the users and the user groups by taking the session set as a minimum time statistical unit according to a time axis and acquiring user behavior information of each user and each user group in one session set based on the user behavior log sample set;
the second establishing module is used for establishing user behavior baselines of the users and the user groups by taking a preset time period as a time unit according to a time axis based on the conversation set user behavior baselines of the users and the user groups;
the division of the session set is based on the user behavior log sample set: whether the time interval between two adjacent operations is less than or equal to the timeout interval of the session set is judged; if so, the two adjacent operations are divided into the same session set, otherwise the two adjacent operations are divided into different session sets; the timeout interval of the session set is obtained by learning the lengths of the users' operation intervals from the user behavior log sample set and aggregating them, or the timeout interval of the session set is preset according to a specific cloud service; and the user behavior information within one session set comprises the number of actions of each type within the session set, the amount of data downloaded or uploaded, the access frequency and the time length.
5. The apparatus of claim 4, wherein the preset time period comprises: daily, weekly, monthly, and quarterly;
accordingly, the second establishing module is specifically configured to:
establish a daily user behavior baseline of the users and the user groups by acquiring daily user behavior information of each user and each user group according to a time axis and taking days as time units on the basis of the conversation set user behavior baselines of the users and the user groups;
based on the conversation set user behavior baselines of the users and the user groups, establishing weekly user behavior baselines of the users and the user groups by acquiring weekly user behavior information of each user and each user group according to a time axis and taking a week as a time unit;
establishing a monthly user behavior baseline of the users and the user groups by acquiring monthly user behavior information of each user and each user group according to a time axis and by taking months as time units on the basis of the conversation set user behavior baselines of the users and the user groups;
and based on the conversation set user behavior baselines of the users and the user groups, establishing the quarterly user behavior baselines of the users and the user groups by acquiring the quarterly user behavior information of each user and each user group according to a time axis.
6. The apparatus of claim 5, wherein the daily user behavior information comprises: the number of session sets per day, the number of actions of each type, the data size, the time periods in which session sets are accessed, the overall access time, the source IP address and the source physical address;
the weekly user behavior information comprises: the number of session sets per week, the number of actions of each type, the data size, the time periods in which session sets are accessed, the overall access time, the source IP address, the source physical address and the number of days accessed in the week;
the monthly user behavior information comprises: the number of session sets per month, the number of actions of each type, the data size, the time periods in which session sets are accessed, the overall access time, the source IP address, the source physical address and the number of days accessed in the month;
the quarterly user behavior information comprises: the number of session sets per quarter, the number of actions of each type, the data size, the time periods in which session sets are accessed, the overall access time, the source IP address, the source physical address and the number of days accessed in the quarter.
7. An electronic device, comprising: a processor, a memory, a bus, and a computer program stored on the memory and executable on the processor;
the processor and the memory complete mutual communication through the bus;
the processor, when executing the computer program, implements the method of any of claims 1-3.
8. A non-transitory computer-readable storage medium, having stored thereon a computer program which, when executed by a processor, implements the method of any one of claims 1-3.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710671859.9A CN107517203B (en) 2017-08-08 2017-08-08 User behavior baseline establishing method and device

Publications (2)

Publication Number Publication Date
CN107517203A CN107517203A (en) 2017-12-26
CN107517203B true CN107517203B (en) 2020-07-14

Family

ID=60723012

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100088 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing

Applicant after: QAX Technology Group Inc.

Address before: 100015 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3

Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

GR01 Patent grant