CN-114078008-B - Abnormal behavior detection method, device, equipment and computer readable storage medium

Abstract

The embodiment of the application provides an abnormal behavior detection method, device, equipment and computer readable storage medium, wherein the method comprises the steps of obtaining a first target sub-model corresponding to a first target object from a first preset object model, determining abnormal data quantity from the first target sub-model based on preset model parameters, comparing the target data quantity with the abnormal data quantity, determining a first detection result corresponding to behavior information to be detected, obtaining a second target sub-model corresponding to a second target object and having highest similarity with the first target sub-model from a second preset object model, obtaining a target maximum data quantity corresponding to the second target sub-model, comparing the target data quantity with the target maximum data quantity, determining a second detection result corresponding to the behavior information to be detected, and determining a target detection result of the behavior information to be detected by combining the first detection result and the second detection result. By the embodiment of the application, the accuracy of abnormal behavior detection can be improved.

Inventors

  • CHENG ZHEHAO
  • DONG JINGRAN
  • CHEN SHOUZHI

Assignees

  • 腾讯科技(深圳)有限公司

Dates

Publication Date
20260512
Application Date
20200820

Claims (20)

  1. An abnormal behavior detection method, comprising: acquiring behavior information to be detected, wherein the behavior information to be detected comprises a first target object, a second target object and a target data volume; acquiring a behavior information sample; aggregating the behavior information samples according to a first preset object type to obtain a data volume set corresponding to each first object, and constructing a first sub-model corresponding to each first object according to the data volume set to obtain a first preset object model corresponding to each first object; aggregating the behavior information samples according to the second preset object types to obtain a first object set and a maximum data volume corresponding to each second object; traversing the first object set, and constructing at least one second object sub-model based on a sub-model to be updated corresponding to a current first object in the first preset object model; combining the at least one second object sub-model and the maximum data volume into a second sub-model corresponding to each second object, thereby obtaining a second preset object model corresponding to each second object; acquiring a first target sub-model corresponding to the first target object from the first preset object model; determining an abnormal data amount from the first target sub-model based on preset model parameters, comparing the target data amount with the abnormal data amount, and determining a first detection result corresponding to the behavior information to be detected; acquiring a second target sub-model which corresponds to the second target object and has the highest similarity with the first target sub-model from the second preset object model; obtaining a target maximum data volume corresponding to the second target sub-model, comparing the target data volume with the target maximum data volume, and determining a second detection result corresponding to the behavior information to be detected; and combining the first detection result and the second detection result to determine a target detection result of the behavior information to be detected.
  2. The method of claim 1, wherein constructing a first sub-model corresponding to each first object from the set of data volumes comprises: acquiring a data volume range corresponding to each data volume in the data volume set; segmenting the data volume range to obtain a plurality of target segments; counting, from the data volume set, a target number of data volumes belonging to each of the plurality of target segments; determining the ratio of the target number to the number of set elements corresponding to the data volume set as a probability value corresponding to each target segment, thereby obtaining a plurality of probability values corresponding to the plurality of target segments; and determining the probability values corresponding to the target segments as the first sub-model.
  3. The method of claim 2, wherein the obtaining a data volume range corresponding to each data volume in the data volume set comprises: converting each data volume in the data volume set to obtain a converted data volume set; determining a range corresponding to each converted data amount in the converted data amount set as the data amount range; the counting of the target number of data amounts belonging to each of the plurality of target segments from the data amount set includes: counting the target number of converted data amounts belonging to the each of the plurality of target segments from the converted data amount set.
  4. A method according to any one of claims 1 to 3, wherein traversing the first object set and constructing at least one second object sub-model based on a sub-model to be updated corresponding to a current first object in the first preset object model comprises: traversing the first object set, and comparing the to-be-updated sub-model corresponding to the current first object in the first preset object model with each current sub-model in the current sub-model set corresponding to each second object to obtain a similar sub-model; when the similarity corresponding to the similar submodel is larger than the preset similarity, merging the submodel to be updated and the similar submodel, and replacing the similar submodel in the current submodel set by using the merged submodel to finish updating the current submodel set; when the similarity corresponding to the similar submodel is smaller than or equal to the preset similarity, inserting the submodel to be updated into the current submodel set to finish updating the current submodel set; and when the traversal of the first object set is completed, determining the current sub-model set after the traversal update as the constructed at least one second object sub-model.
  5. The method of claim 4, wherein comparing the sub-model to be updated corresponding to the current first object in the first preset object model with each current sub-model in the current sub-model set corresponding to each second object to obtain a similar sub-model includes: obtaining a plurality of first target probability values corresponding to a plurality of target segments from the sub-model to be updated corresponding to the current first object in the first preset object model; obtaining a plurality of second target probability values corresponding to the plurality of target segments from each current sub-model in the current sub-model set corresponding to each second object; comparing the first target probability values with the second target probability values in a one-to-one correspondence manner to obtain a plurality of minimum probability values, and determining the accumulated sum of the minimum probability values as the similarity between the sub-model to be updated and each current sub-model so as to obtain a plurality of similarities corresponding to the current sub-model set; and determining the current sub-model corresponding to the highest similarity in the plurality of similarities in the current sub-model set as the similarity sub-model.
  6. The method of claim 4, wherein the merging the sub-model to be updated and the similar sub-model comprises: acquiring a plurality of first target probability values corresponding to a plurality of target segments from the sub-model to be updated; obtaining a plurality of probability values to be combined corresponding to the target segments from the similar submodel; comparing the first target probability values with the probability values to be combined in a one-to-one correspondence manner to obtain a plurality of maximum probability values; and combining the target segments with the maximum probability values to finish the combination of the sub-model to be updated and the similar sub-model.
  7. A method according to any one of claims 1 to 3, wherein the obtaining, from the second preset object model, a second target sub-model corresponding to the second target object and having the highest similarity to the first target sub-model includes: acquiring at least one target second object sub-model corresponding to the second target object from the second preset object model; obtaining a plurality of target similarities of each target second object sub-model in the first target sub-model and the at least one target second object sub-model; obtaining highest target similarity from the plurality of target similarities; and selecting the second object sub-model corresponding to the highest object similarity from the at least one second object sub-model.
  8. The method of claim 7, wherein the obtaining the target maximum data amount corresponding to the second target sub-model comprises: when the highest target similarity is greater than a preset similarity, determining the maximum data amount corresponding to the second target object in the second preset object model as the target maximum data amount corresponding to the second target sub-model; and when the highest target similarity is smaller than or equal to the preset similarity, determining a preset data volume as the target maximum data volume corresponding to the second target sub-model.
  9. A method according to any one of claims 1 to 3, wherein said comparing said target data amount and said abnormal data amount, determining a first detection result corresponding to said behavior information to be detected, comprises: when the target data volume is larger than the abnormal data volume, determining the first detection result corresponding to the behavior information to be detected and comprising the behavior information to be detected about the first target object abnormality; and when the target data volume is smaller than or equal to the abnormal data volume, determining the first detection result which corresponds to the behavior information to be detected and comprises the behavior information to be detected and is normal with respect to the first target object.
  10. A method according to any one of claims 1 to 3, wherein said comparing said target data amount with said target maximum data amount, determining a second detection result corresponding to said behavior information to be detected, comprises: when the target data volume is larger than the target maximum data volume, determining the second detection result which corresponds to the behavior information to be detected and comprises the behavior information to be detected and is abnormal about the second target object; and when the target data volume is smaller than or equal to the target maximum data volume, determining the second detection result which corresponds to the behavior information to be detected and comprises the behavior information to be detected and is normal with respect to the second target object.
  11. A method according to any one of claims 1 to 3, wherein said determining a target detection result of the behavior information to be detected by combining the first detection result and the second detection result comprises: when the first detection result is that the behavior information to be detected is abnormal with respect to the first target object, and the second detection result is that the behavior information to be detected is abnormal with respect to the second target object, determining the target detection result comprising the behavior information to be detected; when the first detection result is that the behavior information to be detected is normal with respect to the first target object and the second detection result is that the behavior information to be detected is abnormal with respect to the second target object, determining the target detection result including the abnormality of the behavior information to be detected; when the first detection result is that the behavior information to be detected is normal with respect to the first target object, and the second detection result is that the behavior information to be detected is normal with respect to the second target object, determining the target detection result including the behavior information to be detected is normal; and when the first detection result is that the behavior information to be detected is abnormal with respect to the first target object and the second detection result is that the behavior information to be detected is normal with respect to the second target object, determining the target detection result including the normal behavior information to be detected.
  12. An abnormal behavior detection apparatus, comprising: the information acquisition module is used for acquiring behavior information to be detected, wherein the behavior information to be detected comprises a first target object, a second target object and a target data volume; the model acquisition module is used for acquiring a behavior information sample; aggregating the behavior information samples according to a first preset object type to obtain a data volume set corresponding to each first object, and constructing a first sub-model corresponding to each first object according to the data volume set to obtain a first preset object model corresponding to each first object; aggregating the behavior information samples according to the second preset object types to obtain a first object set and a maximum data volume corresponding to each second object; traversing the first object set, and constructing at least one second object sub-model based on a sub-model to be updated corresponding to a current first object in the first preset object model; combining the at least one second object sub-model and the maximum data volume into a second sub-model corresponding to each second object, thereby obtaining a second preset object model corresponding to each second object; the first detection module is used for acquiring a first target sub-model corresponding to the first target object from the first preset object model; the first detection module is further configured to determine an abnormal data amount from the first target sub-model based on a preset model parameter, compare the target data amount with the abnormal data amount, and determine a first detection result corresponding to the behavior information to be detected; the second detection module is used for acquiring a second target sub-model which corresponds to the second target object and has the highest similarity with the first target sub-model from the second preset object model; the second detection module is further configured to obtain a target maximum data size corresponding to the second target sub-model, compare the target data size with the target maximum data size, and determine a second detection result corresponding to the behavior information to be detected; and the result determining module is used for determining a target detection result of the behavior information to be detected by combining the first detection result and the second detection result.
  13. The apparatus of claim 12, wherein the device comprises a plurality of sensors, the model acquisition module is further used for acquiring a data volume range corresponding to each data volume in the data volume set; segmenting the data volume range to obtain a plurality of target segments; counting, from the data volume set, a target number of data volumes belonging to each of the plurality of target segments; determining the ratio of the target number to the number of set elements corresponding to the data volume set as a probability value corresponding to each target segment, thereby obtaining a plurality of probability values corresponding to the plurality of target segments; and determining the probability values corresponding to the target segments as the first sub-model.
  14. The apparatus of claim 13, wherein the device comprises a plurality of sensors, the model acquisition module is further used for converting each data volume in the data volume set to obtain a converted data volume set; determining a range corresponding to each converted data amount in the converted data amount set as the data amount range; the model acquisition module is further configured to count, from the converted data volume set, the target number of converted data volumes belonging to the each of the plurality of target segments.
  15. The device according to any one of claims 12 to 14, wherein, the model acquisition module is further configured to traverse the first object set, compare the sub-models to be updated corresponding to the current first object in the first preset object model with each current sub-model in the current sub-model set corresponding to each second object, and obtain similar sub-models; when the similarity corresponding to the similar submodel is larger than the preset similarity, merging the submodel to be updated and the similar submodel, and replacing the similar submodel in the current submodel set by using the merged submodel to finish updating the current submodel set; when the similarity corresponding to the similar submodel is smaller than or equal to the preset similarity, inserting the submodel to be updated into the current submodel set to finish updating the current submodel set; and when the traversal of the first object set is completed, determining the current sub-model set after the traversal update as the constructed at least one second object sub-model.
  16. The apparatus of claim 15, wherein the device comprises a plurality of sensors, the model obtaining module is further configured to obtain a plurality of first target probability values corresponding to a plurality of target segments from the sub-model to be updated corresponding to the current first object in the first preset object model; obtaining a plurality of second target probability values corresponding to the plurality of target segments from each current sub-model in the current sub-model set corresponding to each second object; comparing the first target probability values with the second target probability values in a one-to-one correspondence manner to obtain a plurality of minimum probability values, and determining the accumulated sum of the minimum probability values as the similarity between the sub-model to be updated and each current sub-model so as to obtain a plurality of similarities corresponding to the current sub-model set; and determining the current sub-model corresponding to the highest similarity in the plurality of similarities in the current sub-model set as the similarity sub-model.
  17. The apparatus of claim 15, wherein the device comprises a plurality of sensors, the model obtaining module is further configured to obtain a plurality of first target probability values corresponding to a plurality of target segments from the sub-model to be updated; obtaining a plurality of probability values to be combined corresponding to the target segments from the similar submodel; comparing the first target probability values with the probability values to be combined in a one-to-one correspondence manner to obtain a plurality of maximum probability values; and combining the target segments with the maximum probability values to finish the combination of the sub-model to be updated and the similar sub-model.
  18. The device according to any one of claims 12 to 14, wherein, the second detection module is further configured to obtain at least one target second object sub-model corresponding to the second target object from the second preset object model; obtaining a plurality of target similarities of each target second object sub-model in the first target sub-model and the at least one target second object sub-model; obtaining highest target similarity from the plurality of target similarities; and selecting the second object sub-model corresponding to the highest object similarity from the at least one second object sub-model.
  19. The apparatus of claim 18, wherein the device comprises a plurality of sensors, the second detection module is further configured to determine, when the highest target similarity is greater than a preset similarity, a maximum data amount corresponding to the second target object in the second preset object model as the target maximum data amount corresponding to the second target sub-model; and when the highest target similarity is smaller than or equal to the preset similarity, determining a preset data volume as the target maximum data volume corresponding to the second target sub-model.
  20. The device according to any one of claims 12 to 14, wherein, the first detection module is further configured to determine, when the target data amount is greater than the abnormal data amount, the first detection result corresponding to the behavior information to be detected, including that the behavior information to be detected is abnormal with respect to the first target object; and when the target data volume is smaller than or equal to the abnormal data volume, determining the first detection result which corresponds to the behavior information to be detected and comprises the behavior information to be detected and is normal with respect to the first target object.
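
The model construction and two-stage check of claims 1 to 11, as an added Python example that is not code from the patent. Assumptions: first objects are accounts and second objects are merchants, the conversion of claim 3 is log10 over eight shared segments, the "abnormal data amount" is the upper edge of the segment where cumulative probability reaches a preset parameter, the threshold values are arbitrary, and the abnormal/abnormal case of claim 11 yields abnormal.

```python
import math
from collections import defaultdict

# Assumed values, not from the patent: log10 conversion, 8 shared segments,
# 0.95 cumulative-probability parameter, 0.6 preset similarity, preset volume 1000.
SEGMENTS, QUANTILE, PRESET_SIM, PRESET_VOLUME = 8, 0.95, 0.6, 1000.0

# Constructed samples: (first object = account, second object = merchant, data volume).
SAMPLES = (
    [("alice", "shop_a", v) for v in (20, 35, 50, 80)]
    + [("bob", "shop_a", v) for v in (25, 60, 90, 40)]
    + [("carol", "shop_a", v) for v in (5000, 7000, 9000)]
    + [("dave", "shop_b", v) for v in (3, 5, 8)]
    + [("frank", "shop_b", 5), ("frank", "shop_b", 7), ("frank", "shop_a", 500)]
)

def segment_of(volume):
    """Index of the target segment holding a converted (log10) data volume."""
    return min(SEGMENTS - 1, max(0, int(math.log10(max(volume, 1.0)))))

def build_submodel(volumes):
    """Claim 2: per-segment count divided by the number of set elements."""
    counts = [0] * SEGMENTS
    for v in volumes:
        counts[segment_of(v)] += 1
    return [c / len(volumes) for c in counts]

def similarity(a, b):
    """Claim 5: accumulated sum of the pairwise minimum probability values."""
    return sum(min(x, y) for x, y in zip(a, b))

def merge(a, b):
    """Claim 6: keep the pairwise maximum per segment (no renormalisation is claimed)."""
    return [max(x, y) for x, y in zip(a, b)]

def abnormal_volume(submodel):
    """Assumed rule: upper edge of the segment where cumulative mass reaches QUANTILE."""
    total = 0.0
    for i, p in enumerate(submodel):
        total += p
        if total >= QUANTILE:
            return 10.0 ** (i + 1)
    return 10.0 ** SEGMENTS

def train(samples):
    """Build the first and second preset object models of claim 1."""
    by_first, firsts_of, max_of = defaultdict(list), defaultdict(list), defaultdict(float)
    for first, second, vol in samples:
        by_first[first].append(vol)
        if first not in firsts_of[second]:
            firsts_of[second].append(first)
        max_of[second] = max(max_of[second], vol)
    first_model = {f: build_submodel(v) for f, v in by_first.items()}
    second_model = {}
    for second, firsts in firsts_of.items():
        current = []                                   # claim 4 traversal
        for f in firsts:
            cand = first_model[f]
            best = max(range(len(current)), key=lambda i: similarity(cand, current[i]), default=None)
            if best is not None and similarity(cand, current[best]) > PRESET_SIM:
                current[best] = merge(cand, current[best])
            else:
                current.append(cand)
        second_model[second] = (current, max_of[second])
    return first_model, second_model

def detect(first_model, second_model, first, second, volume):
    """Return (first result, second result, target result); True means abnormal."""
    target = first_model[first]
    first_abnormal = volume > abnormal_volume(target)             # claim 9
    subs, max_vol = second_model[second]
    best = max(similarity(target, s) for s in subs)                # claim 7
    limit = max_vol if best > PRESET_SIM else PRESET_VOLUME        # claim 8
    second_abnormal = volume > limit                               # claim 10
    # Claim 11: the three fully stated cases follow the second result;
    # abnormal/abnormal is assumed abnormal here.
    return first_abnormal, second_abnormal, second_abnormal
```

With these constructed samples, a volume of 8000 for `alice` at `shop_a` exceeds her own abnormal data amount of 100 but is reported normal, because the merchant's maximum data volume is 9000 and claim 11 lets the second result decide.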

Description

Abnormal behavior detection method, device, equipment and computer readable storage medium

Technical Field

The present application relates to information processing technology in the field of computer applications, and in particular to a method, apparatus, device, and computer readable storage medium for detecting abnormal behavior.

Background

With the rapid development of computer application technology, network functions are applied more and more widely. In the course of their use, however, malicious operations such as fraudulent volume inflation or payment from stolen accounts are often carried out in abnormal ways, so abnormal behavior detection is increasingly important for improving network security.

Abnormal behavior is usually detected in an unsupervised manner: for example, historical behavior information is clustered to obtain a plurality of clusters, and once the behavior information to be detected is obtained, its relationship to those clusters is judged to determine whether it is abnormal. However, because the feature dimension of the behavior information to be detected is low, a detection result determined by clustering on such low-dimensional features has a high probability of error, so the accuracy of abnormal behavior detection is low.

Disclosure of Invention

The embodiment of the application provides a method, a device, equipment and a computer readable storage medium for detecting abnormal behaviors, which can improve the accuracy of detecting the abnormal behaviors.
The technical scheme of the embodiment of the application is realized as follows.

The embodiment of the application provides an abnormal behavior detection method, which comprises the following steps:

  • acquiring behavior information to be detected, wherein the behavior information to be detected comprises a first target object, a second target object and a target data volume;
  • acquiring a first target sub-model corresponding to the first target object from a first preset object model;
  • determining an abnormal data amount from the first target sub-model based on preset model parameters, comparing the target data amount with the abnormal data amount, and determining a first detection result corresponding to the behavior information to be detected;
  • obtaining a second target sub-model which corresponds to the second target object and has the highest similarity with the first target sub-model from a second preset object model;
  • obtaining a target maximum data volume corresponding to the second target sub-model, comparing the target data volume with the target maximum data volume, and determining a second detection result corresponding to the behavior information to be detected;
  • and combining the first detection result and the second detection result to determine a target detection result of the behavior information to be detected.
The embodiment of the application provides an abnormal behavior detection device, which comprises:

  • the information acquisition module is used for acquiring behavior information to be detected, wherein the behavior information to be detected comprises a first target object, a second target object and a target data volume;
  • the first detection module is used for acquiring a first target sub-model corresponding to the first target object from a first preset object model;
  • the first detection module is further configured to determine an abnormal data amount from the first target sub-model based on a preset model parameter, compare the target data amount with the abnormal data amount, and determine a first detection result corresponding to the behavior information to be detected;
  • the second detection module is used for acquiring a second target sub-model which corresponds to the second target object and has the highest similarity with the first target sub-model from a second preset object model;
  • the second detection module is further configured to obtain a target maximum data size corresponding to the second target sub-model, compare the target data size with the target maximum data size, and determine a second detection result corresponding to the behavior information to be detected;
  • and the result determining module is used for determining a target detection result of the behavior information to be detected by combining the first detection result and the second detection result.

The abnormal behavior detection device further comprises a model acquisition module, wherein the model acquisition module is used for acquiring a behavior information sample, aggregating the behavior information sample according to a first preset object type to obtain a data volume set corresponding to each first object, constructing a first sub-model corresponding to each f