CN118869264A - A method, device, medium and product for identifying abnormalities in user operation log data - Google Patents

Info

Publication number
CN118869264A
CN118869264A CN202410857621.5A CN202410857621A CN118869264A CN 118869264 A CN118869264 A CN 118869264A CN 202410857621 A CN202410857621 A CN 202410857621A CN 118869264 A CN118869264 A CN 118869264A
Authority
CN
China
Prior art keywords
fitness
group
individuals
node
individual
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410857621.5A
Other languages
Chinese (zh)
Inventor
刘佳
谢懿
杜雪涛
吕明
陈敏时
苏昭玉
张晨
徐世权
陈东
武星宇
王郁含
薛姗
许勇
常玲
闫鑫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Design Institute Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Design Institute Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and China Mobile Group Design Institute Co Ltd
Priority to CN202410857621.5A
Publication of CN118869264A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application discloses a method, a device, a medium and a product for identifying abnormalities in user operation log data. Different logs in the obtained user operation log data are taken as network nodes, and the mutual information among different nodes is calculated; undirected edges are determined according to the magnitude of the mutual information between different nodes, an undirected minimum support tree is constructed, and the nodes in the undirected minimum support tree are oriented to determine a preliminary minimum support tree structure; a node sequence search is performed in the minimum support tree structure to obtain a node sequence group, different node sequences are taken as different individuals in an initial population, and the fitness of the different individuals in the initial population is calculated; the initial population is updated according to the fitness of the different individuals and a preset population optimizing strategy; and the node sequence of the individual with the greatest fitness in the updated population is taken as the user operation abnormal log. The scheme of the application can improve optimization efficiency and optimization precision.

Description

User operation log data anomaly identification method, device, medium and product
Technical Field
The invention relates to the technical field of communication security, in particular to a method, a device, a medium and a product for identifying abnormal data of a user operation log.
Background
The volume of service data in communication enterprises is huge, and data security risks are hidden within this mass of data. To find potential and accumulated data security problems, abnormal operation data needs to be identified through data mining and analysis, so that security management can be realized. The Bayesian network is an important method in the field of data mining that can handle uncertainty, and abnormal operation logs generated under uncertain user behavior can be analyzed using a Bayesian network structure learning algorithm.
However, existing methods for detecting abnormal operation logs of communication services mainly either improve a text classification algorithm or classify on the basis of statistical data analysis, selecting some key fields of the user logs for analysis according to established rules. Such methods cannot adequately mine and analyze logs generated under uncertain user behavior, rely excessively on existing data, learn poorly on small data sets, and have low optimization precision and efficiency.
Disclosure of Invention
In view of the prior art, the invention provides a method, a device, a medium and a product for identifying abnormalities in user operation log data, which can improve optimization efficiency and optimization precision.
The embodiment of the invention provides a method for identifying abnormal data of a user operation log, which comprises the following steps:
taking different logs in the obtained user operation log data as network nodes, and calculating mutual information among different nodes;
determining undirected edges according to the magnitude of the mutual information between different nodes, constructing an undirected minimum support tree, orienting the nodes in the undirected minimum support tree, and determining a preliminary minimum support tree structure;
performing node sequence search in the minimum support tree structure to obtain a node sequence group, taking different node sequences as different individuals in an initial population, and calculating the fitness of the different individuals in the initial population;
updating the initial population according to the fitness of different individuals and a preset population optimizing strategy;
and taking the node sequence of the individual with the greatest fitness in the updated population as a user operation abnormal log.
Preferably, updating the initial population according to the fitness of different individuals and a preset population optimizing strategy includes:
selecting, in descending order of fitness, a preset first number of individuals from the initial population as a hunting group, and selecting a preset second number of individuals outside the hunting group as a wandering group;
calculating the fitness of the individuals in the hunting group and the fitness of the individuals in the wandering group;
Updating the individuals in the initial population according to the fitness of the individuals in the hunting group and the fitness of the individuals in the wandering group;
When the preset updating termination condition is not met, selecting a hunting group and a wandering group from the updated initial population, and updating the individuals in the initial population according to the fitness of the individuals in the hunting group and the fitness of the individuals in the wandering group until the updating termination condition is met;
And stopping the initial population updating when the updating termination condition is met.
Further, the updating the individuals in the initial population according to the fitness of the individuals in the hunting group and the fitness of the individuals in the wandering group comprises the following steps:
updating a first individual in the wandering group into the hunting group when the fitness of the first individual is greater than the fitness of a second individual in the hunting group;
And when the fitness of all individuals in the hunting group is not less than the fitness of a third individual in the wandering group, updating the third individual.
Preferably, the updating the individuals in the initial population according to the fitness of the individuals in the hunting group and the fitness of the individuals in the wandering group further includes:
selecting a preset third number of individuals from the initial population, other than the hunting group and the wandering group, as an intake group;
calculating the fitness of the individuals in the intake group;
and when the fitness of a fourth individual in the intake group is greater than the fitness of the second individual in the hunting group, recalculating the fitness of the individuals in the initial population, and reselecting the first number of individuals from the initial population into the hunting group according to the fitness.
Preferably, the updating the individuals in the initial population according to the fitness of the individuals in the hunting group and the fitness of the individuals in the wandering group further includes:
calculating the absolute value of the difference between the fitness of a fourth individual in the intake group and the fitness of a second individual in the hunting group;
and when the calculated absolute value is within a range interval determined according to the fitness of the fourth individual and the fitness of the second individual, selecting a partial node segment of the second individual, replacing the mapped node segment at the same position in the fourth individual, and updating the fourth individual.
Preferably, the updating the individuals in the initial population according to the fitness of the individuals in the hunting group and the fitness of the individuals in the wandering group further includes:
when a node outside the mapped node segment in the fourth individual duplicates a node at a first position in the partial node segment, retaining on the fourth individual the node corresponding to the first position.
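The segment replacement and duplicate handling described above can be sketched in Python as follows. This is only one possible reading: the duplicate rule is interpreted here in the style of a partially mapped crossover, which is an assumption and is not named in the application. The function name `segment_replace`, the `start` and `end` arguments, and the requirement that both individuals order the same set of nodes are likewise hypothetical. The fitness-difference check that gates the replacement is omitted because the range interval is not specified.

```python
def segment_replace(second, fourth, start, end):
    """Copy second[start:end] into the same positions of fourth.

    Assumption (not from the source): both individuals are orderings of
    the same node set, and duplicates created outside the copied segment
    are repaired by following the position-wise mapping back to the node
    that the fourth individual originally held there.
    """
    if sorted(second) != sorted(fourth):
        raise ValueError("both individuals must order the same nodes")
    segment = second[start:end]
    # Map each copied node to the node it displaced in the fourth individual.
    mapping = dict(zip(segment, fourth[start:end]))
    child = list(fourth)
    child[start:end] = segment
    outside = list(range(start)) + list(range(end, len(child)))
    for i in outside:
        node = child[i]
        # Follow the mapping until the node no longer clashes with the segment.
        while node in mapping:
            node = mapping[node]
        child[i] = node
    return child


updated_fourth = segment_replace([1, 2, 3, 4, 5], [3, 5, 1, 2, 4], 1, 3)
print(updated_fourth)
```

With these inputs the segment `[2, 3]` is copied into positions 1 and 2, and the two clashing nodes outside the segment are replaced by the displaced nodes, so the result is still an ordering of all five nodes.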
Preferably, the individual updating of the third individual comprises:
calculating a dynamic mutation probability according to a preset dynamic self-mutation strategy;
determining a mutation node segment length corresponding to the dynamic mutation probability;
determining all mutation positions in the third individual according to the mutation node segment length;
determining the mutation node segment through node positioning;
traversing and replacing each mutation position in the third individual according to the mutation node segment to obtain a plurality of new mutated individuals;
and calculating the fitness of the new mutated individuals in the wandering group, and determining the new mutated individual with the greatest fitness as the updated third individual.
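A rough Python sketch of this update is given below. The application does not specify the dynamic self-mutation strategy, how the segment length follows from the probability, or what the replacement segment contains. The sketch therefore makes three labeled assumptions that are not from the source: the probability `p_mut` is passed in directly, the segment length is `round(p_mut * n)` clamped to at least 2, and reversing the segment in place stands in for the unspecified replacement. The function name `mutate_best` is hypothetical.

```python
def mutate_best(individual, p_mut, fit):
    """Try a segment mutation at every position and keep the fittest variant.

    Assumptions (not from the source): segment length = round(p_mut * n),
    clamped to [2, n]; the mutation reverses the segment in place.
    """
    n = len(individual)
    if n < 2:
        return list(individual)
    length = max(2, min(n, round(p_mut * n)))
    candidates = []
    for pos in range(0, n - length + 1):
        variant = list(individual)
        # Stand-in mutation: reverse the segment starting at this position.
        variant[pos:pos + length] = reversed(variant[pos:pos + length])
        candidates.append(variant)
    # The fittest new individual becomes the updated third individual.
    return max(candidates, key=fit)


# Toy fitness (hypothetical): the value of the first node in the sequence.
updated_third = mutate_best([1, 2, 3, 4], 0.5, fit=lambda seq: seq[0])
print(updated_third)
```

Because every candidate is evaluated, the cost of one update grows with the number of mutation positions, which is why the segment length matters in practice.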
Preferably, orienting nodes in the undirected minimum support tree to determine a preliminary minimum support tree structure includes:
taking each element in the potential parent node set of each node of the undirected minimum support tree as the parent node of that node in turn, and constructing different substructures; calculating matching scores between the different substructures and a preset standard training data set; taking the node with the highest matching score among the substructures of the node as the parent node of the node;
and connecting each node of the undirected minimum support tree with its corresponding parent node to obtain the minimum support tree structure.
The embodiment of the invention also provides a device for identifying the abnormality of the user operation log data, comprising:
a mutual information calculation module, configured to take different logs in the acquired user operation log data as network nodes and calculate mutual information among different nodes;
a support tree determining module, configured to determine undirected edges according to the magnitude of the mutual information among different nodes, construct an undirected minimum support tree, orient the nodes in the undirected minimum support tree, and determine a preliminary minimum support tree structure;
a population determining module, configured to perform a node sequence search in the minimum support tree structure to obtain a node sequence group, take different node sequences as different individuals in the initial population, and calculate the fitness of the different individuals in the initial population;
a population updating module, configured to update the initial population according to the fitness of different individuals and a preset population optimizing strategy;
and a result output module, configured to take the node sequence of the individual with the greatest fitness in the updated population as a user operation abnormal log.
Preferably, the population updating module is specifically configured to:
selecting, in descending order of fitness, a preset first number of individuals from the initial population as a hunting group, and selecting a preset second number of individuals outside the hunting group as a wandering group;
calculating the fitness of the individuals in the hunting group and the fitness of the individuals in the wandering group;
Updating the individuals in the initial population according to the fitness of the individuals in the hunting group and the fitness of the individuals in the wandering group;
When the preset updating termination condition is not met, selecting a hunting group and a wandering group from the updated initial population, and updating the individuals in the initial population according to the fitness of the individuals in the hunting group and the fitness of the individuals in the wandering group until the updating termination condition is met;
And stopping the initial population updating when the updating termination condition is met.
Preferably, the population updating module is specifically configured to:
updating a first individual in the wandering group into the hunting group when the fitness of the first individual is greater than the fitness of a second individual in the hunting group;
And when the fitness of all individuals in the hunting group is not less than the fitness of a third individual in the wandering group, updating the third individual.
Preferably, the population updating module is specifically configured to:
selecting a preset third number of individuals from the initial population, other than the hunting group and the wandering group, as an intake group;
calculating the fitness of the individuals in the intake group;
and when the fitness of a fourth individual in the intake group is greater than the fitness of the second individual in the hunting group, recalculating the fitness of the individuals in the initial population, and reselecting the first number of individuals from the initial population into the hunting group according to the fitness.
Preferably, the population updating module is specifically configured to:
calculating the absolute value of the difference between the fitness of a fourth individual in the intake group and the fitness of a second individual in the hunting group;
and when the calculated absolute value is within a range interval determined according to the fitness of the fourth individual and the fitness of the second individual, selecting a partial node segment of the second individual, replacing the mapped node segment at the same position in the fourth individual, and updating the fourth individual.
Preferably, the population updating module is specifically configured to:
when a node outside the mapped node segment in the fourth individual duplicates a node at a first position in the partial node segment, retaining on the fourth individual the node corresponding to the first position.
Preferably, the population updating module is specifically configured to:
calculating a dynamic mutation probability according to a preset dynamic self-mutation strategy;
determining a mutation node segment length corresponding to the dynamic mutation probability;
determining all mutation positions in the third individual according to the mutation node segment length;
determining the mutation node segment through node positioning;
traversing and replacing each mutation position in the third individual according to the mutation node segment to obtain a plurality of new mutated individuals;
and calculating the fitness of the new mutated individuals in the wandering group, and determining the new mutated individual with the greatest fitness as the updated third individual.
Preferably, orienting nodes in the undirected minimum support tree to determine a preliminary minimum support tree structure includes:
taking each element in the potential parent node set of each node of the undirected minimum support tree as the parent node of that node in turn, and constructing different substructures; calculating matching scores between the different substructures and a preset standard training data set; taking the node with the highest matching score among the substructures of the node as the parent node of the node;
and connecting each node of the undirected minimum support tree with its corresponding parent node to obtain the minimum support tree structure.
The embodiment of the invention also provides a device for identifying the abnormality of the user operation log data, which comprises a processor, a memory and a computer program stored in the memory and configured to be executed by the processor, wherein the processor realizes the method for identifying the abnormality of the user operation log data according to any one of the embodiments when executing the computer program.
The embodiment of the invention also provides a computer readable storage medium, which comprises a stored computer program, wherein when the computer program runs, equipment where the computer readable storage medium is located is controlled to execute the method for identifying the abnormality of the user operation log data according to any one of the embodiments.
Embodiments of the present invention also provide a computer program product comprising a computer program/instruction which, when executed by a processor, implements the steps of the method of any of the embodiments described above.
Compared with the prior art, the application provides a method, a device, a medium and a product for identifying the abnormality of user operation log data, in which different logs in the obtained user operation log data are taken as network nodes, and the mutual information among different nodes is calculated; undirected edges are determined according to the magnitude of the mutual information between different nodes, an undirected minimum support tree is constructed, and the nodes in the undirected minimum support tree are oriented to determine a preliminary minimum support tree structure; a node sequence search is performed in the minimum support tree structure to obtain a node sequence group, different node sequences are taken as different individuals in an initial population, and the fitness of the different individuals in the initial population is calculated; the initial population is updated according to the fitness of the different individuals and a preset population optimizing strategy; and the node sequence of the individual with the greatest fitness in the updated population is taken as the user operation abnormal log. The scheme of the application can improve optimization efficiency and optimization precision.
Drawings
FIG. 1 is a schematic flow chart of a method for identifying anomalies in user operation log data according to an embodiment of the present invention;
FIG. 2 is another flow chart of a method for identifying anomalies in user operation log data according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the principle of eliminating abnormal nodes in individual variation update provided by the embodiment of the invention;
FIG. 4 is a schematic structural diagram of a device for identifying abnormality of user operation log data according to an embodiment of the present invention;
FIG. 5 is another schematic structural diagram of a user operation log data anomaly identification device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the prior art, abnormal operation log classification methods based on improved text classification algorithms mostly suffer from low classification efficiency and inaccurate classification results. They also ignore the relevance among the individual logs of a user's operations, instead treating each piece of data as an isolated individual for feature calculation. For example, when log classification analysis is performed with the DBSCAN algorithm, all data must be re-clustered each time new log data arrives, which consumes a large amount of time and makes analysis inefficient. The clustering result of the traditional K-means algorithm is random: because the initial cluster centers are selected at random, the result differs from run to run. The algorithm must also repeatedly reassign objects and recompute the cluster centers after each adjustment, so when the data volume is very large its time overhead is very high and it cannot meet the processing requirements of massive communication service log data.
Referring to FIG. 1, which is a schematic flow chart of a method for identifying anomalies in user operation log data according to an embodiment of the present invention, the method includes steps S1 to S5:
S1, taking different logs in the acquired user operation log data as network nodes, and calculating mutual information among different nodes;
S2, determining undirected edges according to the magnitude of the mutual information among different nodes, constructing an undirected minimum support tree, orienting the nodes in the undirected minimum support tree, and determining a preliminary minimum support tree structure;
S3, performing a node sequence search in the minimum support tree structure to obtain a node sequence group, taking different node sequences as different individuals in an initial population, and calculating the fitness of the different individuals in the initial population;
S4, updating the initial population according to the fitness of different individuals and a preset population optimizing strategy;
S5, taking the node sequence of the individual with the greatest fitness in the updated population as a user operation abnormal log.
In the implementation of this embodiment, the log data of user operations in a communication service is continuous and has no fixed rule or feature. As the user operates continuously or intermittently, the size of the log data set constructed from the log data generated by the user's operations is updated over time.
When identifying abnormalities in user operation log data, the log formats generated by the different types of accessed resources and equipment of the various services within an operator enterprise differ, which makes unified analysis difficult. Therefore, the user operation log data is first normalized. The normalized log data comprises fields such as organization attribution, user name, operation time, operation content and data sensitivity level, where the data sensitivity level represents the importance of the user operation: the higher the level, the more important the log.
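The normalization step can be illustrated with a minimal Python sketch. The class name `NormalizedLog`, the function `normalize_log`, the `field_map` argument and the raw field keys are all hypothetical and do not come from the application; the sketch only assumes that each source system exposes the five fields listed above under its own key names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NormalizedLog:
    """Common schema holding the five fields named in the description."""
    organization: str
    user_name: str
    operation_time: str
    operation_content: str
    sensitivity_level: int


def normalize_log(raw, field_map):
    """Map one source-specific record onto the common schema.

    field_map (hypothetical) maps each common field name to the key
    used by the source system that produced the raw record.
    """
    return NormalizedLog(
        organization=str(raw[field_map["organization"]]),
        user_name=str(raw[field_map["user_name"]]),
        operation_time=str(raw[field_map["operation_time"]]),
        operation_content=str(raw[field_map["operation_content"]]),
        sensitivity_level=int(raw[field_map["sensitivity_level"]]),
    )


# Example record from an imaginary source system with its own key names.
raw_record = {"dept": "billing", "uid": "alice", "ts": "2024-01-01T00:00:00",
              "cmd": "export customer table", "lvl": "3"}
billing_map = {"organization": "dept", "user_name": "uid",
               "operation_time": "ts", "operation_content": "cmd",
               "sensitivity_level": "lvl"}
log = normalize_log(raw_record, billing_map)
print(log)
```

Keeping one mapping per source system means that a new log format only requires a new `field_map`, not a change to the downstream analysis.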
For a log data set $C(X) = \{l_1, l_2, \ldots, l_n\}$ generated by the operations of a user X of a certain service, each log is regarded as a network node, so that the log data set is a Bayesian network node set, and the mutual information value between each pair of logs in C(X) is calculated according to the mutual information formula.
Bayesian networks, also known as belief networks, are extensions of Bayes' methods, and are one of the most effective theoretical models in the field of uncertain knowledge expression and reasoning at present. The Bayesian network is a directed acyclic graph, which is composed of representative variable nodes and directed edges connecting the nodes, expressing and analyzing uncertainty and probabilistic events. Common applications are decisions that are conditionally dependent on a variety of control factors, where inferences can be made from incomplete, inaccurate, or uncertain knowledge or information.
Mutual information is a useful information measure in information theory, which can be seen as the amount of information contained in one random variable about another random variable, or as the uncertainty that one random variable has been reduced by knowing another random variable.
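As an illustration of this measure, the following Python sketch estimates the mutual information of two discrete sequences from their empirical joint distribution, using I(X;Y) = Σ p(x,y) log( p(x,y) / (p(x) p(y)) ). The application does not state how a log is turned into a random variable, so the assumption here (not from the source) is that each log has already been encoded as an equal-length sequence of discrete symbols. The function name is hypothetical.

```python
import math
from collections import Counter


def mutual_information(xs, ys):
    """Empirical mutual information (in nats) of two paired discrete sequences."""
    if len(xs) != len(ys) or not xs:
        raise ValueError("sequences must be non-empty and of equal length")
    n = len(xs)
    count_x = Counter(xs)
    count_y = Counter(ys)
    count_xy = Counter(zip(xs, ys))
    mi = 0.0
    for (x, y), c in count_xy.items():
        # p(x,y) / (p(x) p(y)) simplifies to c * n / (count_x * count_y).
        mi += (c / n) * math.log((c * n) / (count_x[x] * count_y[y]))
    return mi


identical = mutual_information([0, 0, 1, 1], [0, 0, 1, 1])
independent = mutual_information([0, 0, 1, 1], [0, 1, 0, 1])
print(identical, independent)
```

Two identical binary sequences share log 2 nats of information, while two sequences whose symbols co-occur exactly as often as chance predicts share none.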
An abnormal log generally differs from ordinary operation logs, so the smaller the mutual information value, the more pronounced the abnormal features of the log. Each node in the log data set C(X) is traversed and the undirected edge with the minimum mutual information is retained, so as to construct the undirected minimum support tree.
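The tree construction can be sketched in Python as follows. The application does not name a construction algorithm; Kruskal's algorithm is swapped in here as one standard way to keep the lowest-weight edges without forming a cycle, on the assumption that the minimum support tree corresponds to what is usually called a minimum spanning tree. The function name and the edge-weight dictionary format are hypothetical.

```python
def minimum_support_tree(n_nodes, weights):
    """Build a minimum-weight tree over nodes 0..n_nodes-1 with Kruskal's algorithm.

    weights: dict mapping an undirected edge (i, j) to its mutual information.
    Returns the retained edges as (i, j, weight) tuples, lightest first.
    """
    parent = list(range(n_nodes))

    def find(u):
        # Union-find lookup with path halving.
        while parent[u] != u:
            parent[u] = parent[parent[u]]
            u = parent[u]
        return u

    tree = []
    for (i, j), w in sorted(weights.items(), key=lambda kv: kv[1]):
        root_i, root_j = find(i), find(j)
        if root_i != root_j:
            # The edge joins two separate components, so it cannot close a cycle.
            parent[root_i] = root_j
            tree.append((i, j, w))
    return tree


# Toy pairwise mutual information values between four logs (made up).
pairwise = {(0, 1): 0.1, (1, 2): 0.5, (0, 2): 0.2, (2, 3): 0.3}
tree = minimum_support_tree(4, pairwise)
print(tree)
```

In this toy input the edge between nodes 1 and 2 is dropped because both endpoints are already connected through node 0 by lighter edges.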
At this point the edges between nodes in the minimum support tree structure are undirected, and the order among the nodes needs to be determined; that is, the nodes are oriented to obtain the directed minimum support tree structure, from which the node sequence group is obtained and used as the input of population optimization.
To search for a node order in the minimum support tree structure $t_1$, a starting vertex a in $t_1$ is selected at random, a directed edge b connected to that vertex is obtained, and the edge is followed to the next node $a_1$. All nodes connected to the starting vertex by a path are visited in this way; when no further directed edge can be obtained, the path search is complete and a node order is obtained.
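A minimal Python sketch of this path search is shown below. It assumes, beyond what the source states, that the directed tree is stored as a dictionary from each node to the list of nodes its outgoing edges lead to, and that the visit proceeds depth first. The function name and the optional `start` and `rng` arguments are hypothetical conveniences for reproducibility.

```python
import random


def search_node_order(children, rng=None, start=None):
    """Visit every node reachable from a start vertex along directed edges.

    children: dict mapping a node to the list of nodes its outgoing edges reach.
    The start vertex is drawn at random unless one is supplied.
    """
    if rng is None:
        rng = random.Random()
    nodes = sorted(set(children) | {c for cs in children.values() for c in cs})
    if start is None:
        start = rng.choice(nodes)
    order, seen, stack = [], set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        order.append(node)
        # Push successors in reverse so the first listed edge is followed first.
        stack.extend(reversed(children.get(node, [])))
    return order


directed_tree = {"a": ["b", "c"], "b": ["d"]}
order_from_a = search_node_order(directed_tree, start="a")
order_from_b = search_node_order(directed_tree, start="b")
print(order_from_a, order_from_b)
```

Different starting vertices reach different parts of the tree, which is how repeated searches can yield a group of distinct node sequences.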
The directed minimum support tree structure $t_1$ is searched to obtain the node sequence group; different node sequences are taken as different individuals in the initial population, and the fitness of the different individuals in the initial population is calculated.
As a preferred embodiment, the fitness of all the node sequences in G(l) is calculated by a node sequence scoring function FIT (the formula is not reproduced in this text), where i, j ∈ (1, n) and T is the weight matrix.
It should be noted that the node sequence scoring function FIT is one way of calculating the fitness; in other embodiments, the fitness may be calculated in other ways.
An initial population is constructed from the node sequences, individuals are updated through the population optimizing strategy, and the initial population is thereby updated.
The node sequence of the individual with the greatest fitness in the updated population is taken as the final optimal node sequence; all nodes in this sequence are abnormal logs, which finally realizes the classification of the abnormal logs in the log group.
According to the scheme, each log generated by a user is used as a node in a Bayesian network structure, an initial population is constructed by constructing a node sequence, and an optimal solution can be quickly found with larger probability based on population algorithm learning, so that a global optimal solution is found, an abnormal operation log is determined, and the method has better global convergence and higher efficiency in a larger data structure.
In still another embodiment of the present invention, referring to fig. 2, another flow chart of the method for identifying anomalies in user operation log data provided in the embodiment of the present invention is shown. When the operation log abnormal data identification is carried out, the following steps are executed:
The logs are normalized. Because the log formats provided by different operators differ, unified analysis is difficult, so the user operation log data is first normalized.
A log data set is constructed from the normalized logs.
Mutual information of different logs in the log data set is calculated.
The support tree structure and its orientation are determined: undirected edges are determined according to the mutual information among different nodes, an undirected minimum support tree is constructed, and the nodes in the undirected minimum support tree are oriented to determine a preliminary minimum support tree structure.
An initial population G (l) is generated.
When the initial population is updated according to the fitness of different individuals and a preset population optimizing strategy, a hunting group and a wandering group are divided from the initial population. The first n/2 node sequences are selected from the initial population G(l) as the hunting group, where n is the size of the initial population, and m node sequences outside the hunting group are randomly selected as the wandering group.
The fitness of the individuals in the hunting group and the fitness of the individuals in the wandering group are calculated.
One individual is selected from each of the hunting group and the wandering group, denoted $l_h$ and $l_w$ respectively.
Updating the individuals in the initial population according to the fitness of the individuals in the hunting group and the fitness of the individuals in the wandering group.
The updated population G(l)' is output, and the FIT values of all individuals in the population are calculated.
When the preset updating termination condition is not met, selecting a hunting group and a wandering group from the updated initial population, and updating the individuals in the initial population according to the fitness of the individuals in the hunting group and the fitness of the individuals in the wandering group until the updating termination condition is met;
It should be noted that, as a preferred embodiment, the update termination condition may be set as the user operation no longer being updated. In other embodiments, the update termination condition may also be set as a number of update iterations.
The individuals obtained through the strategy update form a new population G(l)', and the fitness values of all individuals are then calculated. When the user operation is no longer updated, the iteration of the algorithm has reached its maximum and the algorithm ends. The node sequence $L_{max} = L_1, L_2, \ldots, L_n$ with the maximum fitness value in the updated population G(l)' is output, and each node in the node sequence corresponds to a user operation abnormal log.
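The group division and the final selection in the flow above can be sketched in Python as follows. The function names, the `fit` callable and the toy fitness are hypothetical. Ranking the population by fitness before taking the first n/2 sequences is an assumption drawn from the summary of the method, and the update step in between is left out of this sketch.

```python
import random


def split_groups(population, fit, m, rng):
    """Split a population into a hunting group and a wandering group.

    The fittest half becomes the hunting group; m individuals are drawn
    at random from the remainder to form the wandering group.
    """
    ranked = sorted(population, key=fit, reverse=True)
    half = len(ranked) // 2
    hunting = ranked[:half]
    rest = ranked[half:]
    wandering = rng.sample(rest, min(m, len(rest)))
    return hunting, wandering


def best_individual(population, fit):
    """Return the node sequence with the greatest fitness."""
    return max(population, key=fit)


# Toy population of node sequences; the fitness is the first node's value.
population = [[1], [4], [2], [3]]
toy_fit = lambda seq: seq[0]
hunting, wandering = split_groups(population, toy_fit, 1, random.Random(0))
print(hunting, wandering, best_individual(population, toy_fit))
```

Passing a seeded `random.Random` instance keeps the wandering group reproducible between runs, which helps when comparing update strategies.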
Based on the log data generated by user operations, the scheme designs and constructs a minimum support tree structure model, and also provides a method for orienting nodes by substructure scoring. Each log in the user operation data set is mapped to a Bayesian network structure, with one log regarded as one node; a minimum support tree structure is constructed through mutual information calculation and oriented using substructure matching scores. In this way, operation logs with abnormal features can be effectively detected under uncertain user behavior, and classification accuracy is improved.
In yet another embodiment of the present invention, updating the individuals in the initial population specifically includes:
The fitness of the individuals in the wandering group is compared with the fitness of the individuals in the hunting group; that is, individuals are updated by comparing the FIT values of individuals in the other groups with the FIT values of individuals in the hunting group.
When the fitness of a first individual in the wandering group is greater than the fitness of a second individual in the hunting group, i.e., $FIT(l_w)$ is better than $FIT(l_h)$, the wandering group contains an individual better than one in the hunting group, and the first individual $l_w$ is updated into the hunting group.
When the fitness of every individual in the hunting group is not less than that of a third individual in the wandering group, the hunting group is the better one, and the third individual is updated according to the population strategy.
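The two comparison rules above can be illustrated with a short sketch. Several details are assumptions, because the text does not fix them: the "second individual" is taken to be the weakest member of the hunting group, the displaced hunter is moved into the wandering group, and `mutate` is a hypothetical placeholder for the individual update applied to the third individual.

```python
def compare_groups(hunting, wandering, fit, mutate):
    """Return the updated (hunting, wandering) groups as two lists."""
    hunting = list(hunting)
    new_wandering = []
    for l_w in wandering:
        weakest = min(hunting, key=fit)  # assumed choice of the "second individual"
        if fit(l_w) > fit(weakest):
            # The wanderer is better than a hunter: move it into the hunting group.
            hunting[hunting.index(weakest)] = l_w
            new_wandering.append(weakest)  # assumption: displaced hunter wanders
        else:
            # Every hunter is at least as fit: update the wanderer individually.
            new_wandering.append(mutate(l_w))
    return hunting, new_wandering
```

Comparing against the weakest hunter means the second branch is reached exactly when all hunters have fitness not less than that of the wandering individual, which matches the condition stated in the text.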
It should be noted that the population individuals may also be updated by other population updating strategies or optimization algorithms in the prior art. This embodiment only provides a preferred implementation, and the invention is not limited to the individual updating scheme provided in this embodiment.
The final result is obtained by optimizing according to the evolutionary strategy of the population algorithm. This realizes mining and analysis of the log data generated by users under uncertain behavior, and the classification efficiency is not affected by the size of the data set.
In yet another embodiment of the present invention, where the population is updated by dividing it into a hunting group and a wandering group, individuals are further updated by adding an intake group, specifically:
K individuals are selected from the initial population $G(l)$, excluding the hunting group and the wandering group, as the intake group, and the fitness of the individuals in the intake group is calculated.
Any individual $l_d$ (the fourth individual) is selected from the intake group, and its fitness value $FIT(l_d)$ is compared with the fitness $FIT(l_h)$ of the second individual $l_h$ in the hunting group.
When the fitness of the fourth individual is greater than that of the second individual, i.e., $l_d$ is better than $l_h$, the hunting group is updated: the fitness of the individuals in the initial population is recalculated, and the first number of individuals are reselected from the initial population in descending order of fitness as the hunting group. Otherwise, the hunting group is not updated.
Updating the population by adding the intake group improves the optimization efficiency of the population update.
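A minimal sketch of the intake-group step follows, assuming individuals are hashable tuples. The function name `intake_step`, the use of `random.Random` for sampling, and the choice of the weakest hunter as $l_h$ are illustrative assumptions rather than details taken from the text.

```python
import random


def intake_step(population, hunting, wandering, fit, k, rng):
    """Return the hunting group after one intake-group comparison."""
    taken = set(hunting) | set(wandering)
    rest = [ind for ind in population if ind not in taken]
    intake = rng.sample(rest, min(k, len(rest)))  # K individuals outside both groups
    if not intake:
        return list(hunting)
    l_d = rng.choice(intake)         # "any individual" from the intake group
    l_h = min(hunting, key=fit)      # assumed choice of the second individual
    if fit(l_d) > fit(l_h):
        # Re-rank the whole population and reselect the same number of hunters.
        ranked = sorted(population, key=fit, reverse=True)
        return ranked[:len(hunting)]
    return list(hunting)             # otherwise the hunting group is unchanged
```

Passing the random generator in as `rng` keeps the step reproducible in tests, for example with `random.Random(0)`.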
In another embodiment of the present invention, considering that updating only the hunting group may lead to a local optimum, a node-segment mutation method for individuals is provided to increase the global search capability, specifically:
The absolute value $f_d$ of the difference between the fitness of the fourth individual $l_d$ in the intake group and the fitness of the second individual $l_h$ in the hunting group is calculated: $f_d = |FIT(l_h) - FIT(l_d)|$.
When the calculated absolute value $f_d$ lies within the range interval determined by the fitness $FIT(l_d)$ of the fourth individual and the fitness $FIT(l_h)$ of the second individual, i.e., $f_d$ is between $FIT(l_h)$ and $FIT(l_d)$, the fourth individual $l_d$ is updated by preferential mutation between part of the gene segment of the second individual $l_h$ and the fourth individual $l_d$.
A mapping node segment in the fourth individual $l_d$ is randomly selected as the mutation region, the partial node segment at the same position in the second individual $l_h$ is selected, and it replaces the mutation region of $l_d$ to obtain the updated fourth individual $l_d'$.
Namely, $l_d' = d_1, d_2, h_3, h_4, h_5$ is obtained.
Mutating individuals through this mutation strategy prevents the hunting group from being updated into a local optimum and improves the global search capability.
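The segment replacement can be sketched as below. The function names are hypothetical, and the gating test reads "within the range interval" literally as "between the two fitness values", which is an interpretation of the text. The text selects the mutation region at random; here the region is passed in explicitly so that the example is deterministic.

```python
def should_mutate(fit_h, fit_d):
    """True when f_d = |FIT(l_h) - FIT(l_d)| lies between the two fitness values."""
    f_d = abs(fit_h - fit_d)
    low, high = sorted((fit_h, fit_d))
    return low <= f_d <= high


def segment_mutation(l_d, l_h, start, length):
    """Copy l_h[start:start+length] over the same positions of l_d."""
    end = start + length
    return l_d[:start] + l_h[start:end] + l_d[end:]


l_d = ("d1", "d2", "d3", "d4", "d5")
l_h = ("h1", "h2", "h3", "h4", "h5")
mutated = segment_mutation(l_d, l_h, start=2, length=3)
```

With the mutation region covering the last three positions, `mutated` reproduces the sequence $d_1, d_2, h_3, h_4, h_5$ given in the text.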
In still another embodiment of the present invention, the mutation update must ensure that the updated node sequence of the individual contains no repeated nodes; that is, the nodes in the mutated node segment must not repeat the nodes outside the replaced region, so that the updated $l_d'$ is a correct node sequence.
Repeated nodes may occur when an individual is updated by mutation, so they need to be removed through illegal node mapping detection in the preferential mutation.
The nodes in the fourth individual outside the mapping node segment are compared with the node at a first position in the partial node segment; see fig. 3, which is a schematic diagram of the principle of eliminating abnormal nodes in the individual mutation update provided by the embodiment of the invention.
The remaining nodes in the fourth individual $l_d$ outside the mapping node segment, i.e., $d_1$ and $d_2$, are compared one by one with the nodes $h_3$, $h_4$ and $h_5$ of the partial node segment in the second individual $l_h$ to check whether duplicates exist.
If node $h_3$ is found to duplicate node $d_1$, that node is rejected from the partial node segment and the node $d_3$ at the corresponding position in the fourth individual is retained, giving the updated $l_d' = d_1, d_2, d_3, h_4, h_5$.
Removing repeated nodes through illegal node mapping detection in the preferential mutation prevents an incorrect node sequence from affecting the accuracy of the final result.
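The duplicate check can be sketched as follows, using integer node identifiers. The names `repair_duplicates` and `has_duplicates` are hypothetical. The sketch applies only the rule stated above (keep the original node of $l_d$ wherever the incoming node already occurs outside the mutation region); that rule alone does not guarantee a duplicate-free sequence in every case, so a separate validity check is included.

```python
def repair_duplicates(l_d, l_h, start, length):
    """Segment mutation that rejects incoming nodes already present outside the region."""
    end = start + length
    outside = set(l_d[:start]) | set(l_d[end:])
    child = list(l_d)
    for pos in range(start, end):
        if l_h[pos] not in outside:
            child[pos] = l_h[pos]  # legal node: take it from l_h
        # otherwise keep l_d[pos], the node already at this position
    return tuple(child)


def has_duplicates(sequence):
    """True if any node occurs more than once in the sequence."""
    return len(set(sequence)) != len(sequence)
```

For `l_d = (1, 2, 3, 4, 5)` and `l_h = (6, 7, 1, 8, 9)` with the region covering the last three positions, the incoming node 1 duplicates the first node of `l_d`, so node 3 is retained and the result is `(1, 2, 3, 8, 9)`, mirroring $d_1, d_2, d_3, h_4, h_5$.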
In another embodiment of the present invention, a dynamic self-mutation strategy is provided for individual updating, which specifically includes the following steps:
The dynamic mutation probability P is calculated according to the dynamic self-mutation strategy.
The mutation node segment length corresponding to the dynamic mutation probability is determined.
When determining the mutation node segment length, the corresponding length is looked up from the dynamic mutation probability in a preset correspondence table.
The mutation node segment is determined by node positioning according to the mutation node segment length.
Each mutation position in the third individual is traversed and replaced with the mutation node segment, and traversing all mutation positions of the third individual yields a plurality of new mutated individuals $l_w^1 \sim l_w^n$.
The fitness of the new mutated individuals in the wandering group is calculated, and the individual with the largest fitness value is taken as the final updated individual, giving the updated individual $l_w'$, namely:
$l_w' = \{\, l_w \mid FIT(l_w) = \max\{FIT(l_w^1), FIT(l_w^2), \ldots, FIT(l_w^n)\} \,\}$
The dynamic self-mutation strategy is provided to optimize the population individuals and obtain an optimal result. Detection and classification of abnormal logs are realized by the population optimization method, and the proposed individual optimization strategy improves global convergence and search efficiency.
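The traversal and selection steps can be sketched as below. The formula for the dynamic mutation probability P and the contents of the correspondence table are not given in this section, so P is taken as an input and `LENGTH_TABLE` is a purely hypothetical table; the mutation node segment is likewise supplied by the caller rather than derived by node positioning.

```python
from bisect import bisect_right

# Hypothetical correspondence table: (lower bound of P, segment length).
LENGTH_TABLE = [(0.0, 1), (0.3, 2), (0.6, 3)]


def segment_length(p, table=LENGTH_TABLE):
    """Look up the segment length whose probability band contains p."""
    bounds = [bound for bound, _ in table]
    index = max(bisect_right(bounds, p) - 1, 0)
    return table[index][1]


def self_mutate(l_w, segment, fit):
    """Place the segment at every position of l_w and keep the fittest variant."""
    n = len(segment)
    variants = [
        l_w[:i] + tuple(segment) + l_w[i + n:]
        for i in range(len(l_w) - n + 1)
    ]
    return max(variants, key=fit)
```

`self_mutate` corresponds to taking the maximum of $FIT(l_w^1), \ldots, FIT(l_w^n)$ over the variants; it does not check for repeated nodes, which would need a separate step.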
In yet another embodiment provided by the present invention, the following steps are performed when determining the preliminary minimum support tree structure by node orientation:
For each node of the undirected minimum support tree, let the potential parent node set of a node $l_i$ in the minimum support tree structure t be M. A substructure $S_i$ is constructed with each element of M in turn as the parent node of $l_i$, and the matching degree r between the substructure and the standard training data set D is calculated. The calculation formula is as follows:
where N is the number of nodes in the training data set D, and $m_j$ is the j-th node in the training data set D.
The node in the highest-scoring substructure is taken as the parent node of the node, and all nodes in the support tree structure t are updated to obtain an updated parent node set.
Each node of the undirected minimum support tree is connected with its corresponding parent node to obtain the minimum support tree structure.
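The parent selection can be sketched as follows. The scoring formula is not reproduced in this text, so `score` is a hypothetical caller-supplied function standing in for the matching degree r, and the potential parent set M of each node is assumed to be its neighbours in the undirected tree.

```python
def orient_tree(neighbours, score):
    """Pick, for every node, the candidate parent whose substructure scores highest.

    neighbours: dict mapping each node to its candidate parents (assumed: tree neighbours)
    score:      hypothetical function score(child, parent) returning the matching degree
    """
    parents = {}
    for node, candidates in neighbours.items():
        parents[node] = max(candidates, key=lambda parent: score(node, parent))
    return parents


def directed_edges(parents):
    """List the (parent, child) edges implied by the parent assignment."""
    return [(parent, child) for child, parent in parents.items()]
```

Applied literally, per-node selection can make two adjacent nodes choose each other as parent; a practical implementation would need an additional rule, such as fixing a root, to keep the result acyclic. That rule is not described in this section.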
In yet another embodiment of the present invention, mutual information is a statistic that measures the correlation between two random variables. Since the logs generated by user operations are random variables, mutual information can be used to calculate the degree of correlation between nodes. The mutual information calculation formula is as follows:
where $I(l_i, l_j)$ is the mutual information between the i-th node and the j-th node, $P(l_i, l_j)$ is the joint probability of the i-th and j-th nodes, $P(l_i)$ and $P(l_j)$ are the marginal probabilities of the i-th and j-th nodes respectively, $i, j = 1, 2, \ldots, n$, and n is the number of nodes.
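For reference, the standard definition of mutual information for discrete variables, which uses exactly the quantities named above, is $I(l_i, l_j) = \sum P(l_i, l_j) \log \frac{P(l_i, l_j)}{P(l_i) P(l_j)}$, summed over the joint values of the two nodes. The sketch below assumes this standard form and assumes each node is represented by a sequence of discrete observations; both are assumptions, since the formula and the encoding of logs are not reproduced in this text.

```python
import math
from collections import Counter


def mutual_information(xs, ys):
    """Empirical mutual information (in nats) of two equally long discrete sequences."""
    n = len(xs)
    joint = Counter(zip(xs, ys))   # counts for P(l_i, l_j)
    count_x = Counter(xs)          # counts for P(l_i)
    count_y = Counter(ys)          # counts for P(l_j)
    total = 0.0
    for (x, y), count in joint.items():
        p_xy = count / n
        p_x = count_x[x] / n
        p_y = count_y[y] / n
        total += p_xy * math.log(p_xy / (p_x * p_y))
    return total
```

Two identical binary sequences with balanced values give $\log 2$, and two independent ones give 0, so larger values indicate a stronger correlation between the corresponding log nodes.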
According to the scheme, the correlation among the logs generated by the user is taken into account. Each log is used as a node in a Bayesian network structure, an initial population is built from node sequences, the individuals are updated through the population optimization strategy, and an optimal node sequence is finally obtained. All nodes in that sequence are abnormal logs, so the abnormal logs in the log group are classified. Operation logs with abnormal characteristics can thus be effectively detected under uncertain user behavior, and classification accuracy is improved.
Detection and classification of abnormal logs are realized by the population optimization method, and the proposed individual optimization strategy improves global convergence and search efficiency. The proposal can also be used subsequently for diagnosis tasks such as system fault node detection.
Referring to fig. 4, a schematic structural diagram of a device for identifying abnormality of user operation log data according to an embodiment of the present invention is provided, where the device includes:
a mutual information calculation module, used for taking different logs in the acquired user operation log data as network nodes and calculating mutual information between different nodes;
a support tree determining module, used for determining undirected edges according to the magnitude of the mutual information between different nodes, constructing an undirected minimum support tree, orienting the nodes in the undirected minimum support tree, and determining a preliminary minimum support tree structure;
a population determining module, used for searching node sequences in the minimum support tree structure to obtain a node sequence group, taking different node sequences as different individuals in the initial population, and calculating the fitness of the different individuals in the initial population;
a population updating module, used for updating the initial population according to the fitness of the different individuals and a preset population optimization strategy;
a result output module, used for taking the node sequence of the individual with the greatest fitness in the updated population as the user operation abnormality log.
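The way the five modules hand data to one another can be sketched as a simple pipeline. This is an architectural illustration only: the class name `AnomalyPipeline`, its field names and the signatures of the callables are hypothetical, and each stage is supplied by the caller.

```python
from dataclasses import dataclass
from typing import Any, Callable


@dataclass
class AnomalyPipeline:
    mutual_info: Callable[[Any], Any]             # mutual information calculation module
    build_tree: Callable[[Any], Any]              # support tree determining module
    init_population: Callable[[Any], list]        # population determining module
    update_population: Callable[[list, Callable], list]  # population updating module
    fit: Callable[[Any], float]                   # fitness used by the last two stages

    def run(self, logs):
        mi = self.mutual_info(logs)
        tree = self.build_tree(mi)
        population = self.init_population(tree)
        population = self.update_population(population, self.fit)
        # Result output module: the fittest node sequence is reported as anomalous.
        return max(population, key=self.fit)
```

Keeping each module as an injected callable makes it possible to exchange, for example, the population updating strategy without touching the other stages.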
It should be noted that, the device for identifying abnormal user operation log data provided in this embodiment can execute all the steps and functions of the method for identifying abnormal user operation log data provided in any one of the above embodiments, and specific functions of the device are not described herein.
Referring to fig. 5, another schematic structural diagram of a device for identifying abnormality of user operation log data according to an embodiment of the present invention is shown. The user operation log data anomaly identification device comprises: a processor, a memory, and a computer program stored in the memory and executable on the processor, such as a user operation log data anomaly identification program. The processor executes the computer program to implement the steps in the above embodiments of the method for identifying abnormal user operation log data, for example, steps S1 to S5 shown in fig. 1. Or the processor, when executing the computer program, performs the functions of the modules in the above apparatus embodiments.
Illustratively, the computer program may be divided into one or more modules, which are stored in the memory and executed by the processor to carry out the present invention. The one or more modules may be a series of computer program instruction segments capable of performing specific functions, the instruction segments describing the execution of the computer program in the user operation log data abnormality identification device. For example, the computer program may be divided into several modules; the specific functions of each module are described in detail in the method for identifying abnormal user operation log data provided in any of the foregoing embodiments and are not repeated here.
The device for identifying the abnormal data of the user operation log can be a desktop computer, a notebook computer, a palm computer, a cloud server and other computing equipment. The user operation log data abnormality identification device may include, but is not limited to, a processor, a memory. It will be appreciated by those skilled in the art that the schematic diagram is merely an example of a user operation log data anomaly identification device, and does not constitute a limitation of the user operation log data anomaly identification device, and may include more or less components than those illustrated, or may combine some components, or different components, for example, the user operation log data anomaly identification device may further include an input/output device, a network access device, a bus, and the like.
The processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor or any conventional processor. The processor is the control center of the user operation log data abnormality identification device and connects the parts of the entire device using various interfaces and lines.
The memory may be used to store the computer program and/or the modules, and the processor implements the various functions of the device by running or executing the computer program and/or the modules stored in the memory and invoking data stored in the memory. The memory may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function (such as a sound playing function, an image playing function, etc.), and the like; the data storage area may store data (such as audio data, a phonebook, etc.) created according to the use of the handset, and the like. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as a hard disk, an internal memory, a plug-in hard disk, a smart media card (SMC), a secure digital (SD) card, a flash card, at least one disk storage device, a flash memory device, or other volatile solid-state storage device.
The modules integrated in the user operation log data abnormality identification device may be stored in a computer-readable storage medium if they are implemented in the form of software functional units and sold or used as separate products. Based on this understanding, all or part of the flow of the methods of the above embodiments may be implemented by a computer program instructing related hardware. The computer program may be stored in a computer-readable storage medium, and when executed by a processor, the computer program implements the steps of each of the method embodiments described above. The computer program comprises computer program code, which may be in source code form, object code form, an executable file, some intermediate form, or the like. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth.
Embodiments of the present invention also provide a computer program product comprising a computer program/instruction which, when executed by a processor, implements the steps of the method of any of the embodiments described above.
It should be noted that, the computer program product provided in this embodiment can execute all the steps and functions of the method for identifying abnormal user operation log data provided in any one of the above embodiments, and specific functions of the apparatus are not described herein.
It should be noted that modifications and adaptations to the invention may occur to one skilled in the art without departing from the principles of the present invention and are intended to be within the scope of the present invention.

Claims (10)

1. A method for identifying abnormalities in user operation log data, characterized in that the method comprises:
taking different logs in the acquired user operation log data as network nodes, and calculating mutual information between different nodes;
determining undirected edges according to the magnitude of the mutual information between different nodes, constructing an undirected minimum support tree, orienting the nodes in the undirected minimum support tree, and determining a preliminary minimum support tree structure;
performing a node sequence search in the minimum support tree structure to obtain a node sequence group, taking different node sequences as different individuals in an initial population, and calculating the fitness of the different individuals in the initial population;
updating the initial population according to the fitness of the different individuals and a preset population optimization strategy;
taking the node sequence of the individual with the greatest fitness in the updated population as the user operation abnormality log.

2. The method for identifying abnormalities in user operation log data according to claim 1, characterized in that updating the initial population according to the fitness of the different individuals and the preset population optimization strategy comprises:
selecting a preset first number of individuals from the initial population in descending order of fitness as a hunting group, and selecting a preset second number of individuals outside the hunting group as a wandering group;
calculating the fitness of the individuals in the hunting group within the hunting group and the fitness of the individuals in the wandering group within the wandering group;
updating the individuals in the initial population according to the fitness of the individuals in the hunting group and the fitness of the individuals in the wandering group;
when a preset update termination condition is not met, selecting a hunting group and a wandering group from the updated initial population, and updating the individuals in the initial population according to the fitness of the individuals in the hunting group and the fitness of the individuals in the wandering group, until the update termination condition is met;
when the update termination condition is met, stopping the update of the initial population;
wherein updating the individuals in the initial population according to the fitness of the individuals in the hunting group and the fitness of the individuals in the wandering group comprises:
when the fitness of a first individual in the wandering group is greater than the fitness of a second individual in the hunting group, updating the first individual into the hunting group;
when the fitness of all individuals in the hunting group is not less than the fitness of a third individual in the wandering group, performing an individual update on the third individual.

3. The method for identifying abnormalities in user operation log data according to claim 2, characterized in that updating the individuals in the initial population according to the fitness of the individuals in the hunting group and the fitness of the individuals in the wandering group further comprises:
selecting a preset third number of individuals, from the individuals in the initial population other than the hunting group and the wandering group, as an intake group;
calculating the fitness of the individuals in the intake group within the intake group;
when the fitness of a fourth individual in the intake group is greater than the fitness of the second individual in the hunting group, recalculating the fitness of the individuals in the initial population, and reselecting the first number of individuals from the initial population in descending order of fitness as the hunting group.

4. The method for identifying abnormalities in user operation log data according to claim 3, characterized in that updating the individuals in the initial population according to the fitness of the individuals in the hunting group and the fitness of the individuals in the wandering group further comprises:
calculating the absolute value of the difference between the fitness of the fourth individual in the intake group and the fitness of the second individual in the hunting group;
when the calculated absolute value is within a range interval determined according to the fitness of the fourth individual and the fitness of the second individual, selecting a partial node segment of the second individual, replacing the mapping node segment at the same position in the fourth individual, and updating the fourth individual;
when a node in the fourth individual other than the mapping node segment duplicates the node at a first position in the partial node segment, retaining the node corresponding to the first position on the fourth individual.

5. The method for identifying abnormalities in user operation log data according to claim 2, characterized in that performing an individual update on the third individual comprises:
calculating a dynamic mutation probability according to a preset dynamic self-mutation strategy;
determining the corresponding mutation node segment length according to the dynamic mutation probability;
determining all mutation positions in the third individual according to the mutation node segment length;
determining a mutation node segment through node positioning;
traversing and replacing each mutation position in the third individual according to the mutation node segment to obtain a plurality of new mutated individuals;
calculating the fitness of the new mutated individuals in the wandering group, and determining the new mutated individual with the greatest fitness as the updated third individual.

6. The method for identifying abnormalities in user operation log data according to claim 1, characterized in that orienting the nodes in the undirected minimum support tree and determining a preliminary minimum support tree structure comprises:
taking each element in the potential parent node set of each node of the undirected minimum support tree in turn as the parent node of that node, and constructing different substructures; calculating matching scores between the different substructures and a preset standard training data set; taking the node with the highest matching score among the substructures of that node as the parent node of that node;
connecting each node of the undirected minimum support tree with its corresponding parent node to obtain the minimum support tree structure.

7. A device for identifying abnormalities in user operation log data, characterized in that the device comprises:
a mutual information calculation module, used for taking different logs in the acquired user operation log data as network nodes and calculating mutual information between different nodes;
a support tree determining module, used for determining undirected edges according to the magnitude of the mutual information between different nodes, constructing an undirected minimum support tree, orienting the nodes in the undirected minimum support tree, and determining a preliminary minimum support tree structure;
a population determining module, used for performing a node sequence search in the minimum support tree structure to obtain a node sequence group, taking different node sequences as different individuals in an initial population, and calculating the fitness of the different individuals in the initial population;
a population updating module, used for updating the initial population according to the fitness of the different individuals and a preset population optimization strategy;
a result output module, used for taking the node sequence of the individual with the greatest fitness in the updated population as the user operation abnormality log.

8. A device for identifying abnormalities in user operation log data, characterized in that it comprises a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, wherein the processor, when executing the computer program, implements the method for identifying abnormalities in user operation log data according to any one of claims 1 to 6.

9. A computer-readable storage medium, characterized in that the computer-readable storage medium comprises a stored computer program, wherein, when the computer program runs, the device in which the computer-readable storage medium is located is controlled to execute the method for identifying abnormalities in user operation log data according to any one of claims 1 to 6.

10. A computer program product, comprising a computer program/instruction, characterized in that the computer program/instruction, when executed by a processor, implements the steps of the method according to any one of claims 1 to 6.
CN202410857621.5A 2024-06-28 2024-06-28 A method, device, medium and product for identifying abnormalities in user operation log data Pending CN118869264A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410857621.5A CN118869264A (en) 2024-06-28 2024-06-28 A method, device, medium and product for identifying abnormalities in user operation log data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410857621.5A CN118869264A (en) 2024-06-28 2024-06-28 A method, device, medium and product for identifying abnormalities in user operation log data

Publications (1)

Publication Number Publication Date
CN118869264A true CN118869264A (en) 2024-10-29

Family

ID=93172757

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410857621.5A Pending CN118869264A (en) 2024-06-28 2024-06-28 A method, device, medium and product for identifying abnormalities in user operation log data

Country Status (1)

Country Link
CN (1) CN118869264A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119728313A (en) * 2025-03-03 2025-03-28 深圳市悦道科技有限公司 A network security management method based on communication data processing

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150106324A1 (en) * 2013-10-11 2015-04-16 Accenture Global Services Limited Contextual graph matching based anomaly detection
CN117391204A (en) * 2023-10-24 2024-01-12 江南大学 A hybrid Bayesian network structure learning method based on mutual information guidance
CN118152962A (en) * 2024-03-28 2024-06-07 国电南瑞南京控制系统有限公司 A method and system for detecting abnormality in power monitoring operation data
CN118171129A (en) * 2024-05-11 2024-06-11 中移(苏州)软件技术有限公司 User data acquisition method, system, electronic device, chip and medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
苏昭玉: "改进贝叶斯网络算法及篦冷机故障诊断的研究", 《中国优秀硕士学位论文全文数据库工程科I辑》, 15 March 2022 (2022-03-15), pages 7 - 11 *

Similar Documents

Publication Publication Date Title
Chen et al. Entity embedding-based anomaly detection for heterogeneous categorical events
US8280915B2 (en) Binning predictors using per-predictor trees and MDL pruning
Messaoudi et al. A multi-objective bat algorithm for community detection on dynamic social networks
CN113821657B (en) Image processing model training method and image processing method based on artificial intelligence
CN104573130B (en) Entity resolution method and device based on crowd computing
Meeus et al. Achilles’ heels: vulnerable record identification in synthetic data publishing
CN112437053B (en) Intrusion detection method and device
CN116737727B (en) Stock transaction data column type storage method and server based on tree structure
Boytsov et al. Learning to prune in metric and non-metric spaces
Singh et al. Probabilistic data structure-based community detection and storage scheme in online social networks
CN118869264A (en) A method, device, medium and product for identifying abnormalities in user operation log data
Chen et al. Predicting user retweeting behavior in social networks with a novel ensemble learning approach
CN119150158A (en) O2O platform user portrait construction method based on deep learning
Epasto et al. Massively parallel and dynamic algorithms for minimum size clustering
Gias et al. Samplehst: Efficient on-the-fly selection of distributed traces
WO2025147767A1 (en) Apparatus and method for generating a path containing a user engagement target
US20160292300A1 (en) System and method for fast network queries
CN114036345B (en) A method, device and storage medium for processing trajectory data
Feng et al. Web service QoS classification based on optimized convolutional neural network
US20220391734A1 (en) Machine learning based dataset detection
CN116361677A (en) Particle swarm fuzzy C-means clustering method based on differential privacy protection mechanism
Snir On the number of genomic pacemakers: a geometric approach
Ranjan et al. Automatic Data Clustering using Dynamic Crow Search Algorithm
Gayathri et al. A Novel Cuckoo Search with Levy Distribution-Optimized Density-Based Clustering Model on MapReduce for Big Data Environment
Xu et al. Unsupervised entity resolution method based on random forest

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination