CN-122027374-A - Abnormal behavior prediction method and system based on user behavior portraits

Abstract

The invention belongs to the field of information security, and particularly relates to an abnormal behavior prediction method and system based on a user behavior portrait, wherein the abnormal behavior prediction method comprises the steps of obtaining behavior data of a user in an authorized target application after the user confirms authorization, wherein the behavior data comprise at least one of operation records, network access records and terminal equipment use records of the user in the target application, determining a behavior base line, user basic information and behavior characteristics of the user in the target application based on the behavior data, constructing the user behavior portrait, carrying out implicit mode recognition and abnormal prediction on the user according to the user behavior portrait to obtain prediction probability distribution of the abnormal behavior of the user in a preset category, and generating corresponding prompt information for a management platform based on the prediction probability distribution. The method can realize targeted implicit mode identification and improve the adaptability of the information management system to complex dynamic behavior modes.

Inventors

• NAN WEIBING
• HU ZONGNAN
• LI WEI

Assignees

• 四川西盾科技有限公司

Dates

Publication Date

20260512

Application Date

20260416

Claims (10)

1. 1. An abnormal behavior prediction method based on user behavior portraits is characterized by comprising the following steps: after the user confirms the authorization, acquiring behavior data of the user in the authorized target application; determining a behavior baseline, user basic information and behavior characteristics of a user in a target application based on the behavior data, and constructing a user behavior portrait; According to the user behavior portraits, carrying out implicit mode identification and anomaly prediction on the user to obtain prediction probability distribution of the user with preset type anomaly behaviors, wherein the preset type anomaly behaviors at least comprise off-job tendency behaviors; and generating corresponding prompt information for the management platform based on the prediction probability distribution.
2. 2. The abnormal behavior prediction method based on user behavior portrayal according to claim 1, wherein obtaining behavior data of a user in an authorized target application includes: Capturing an operation record of a user in a target application in real time; Based on a network flow analysis protocol, extracting a network access record when a user accesses a target application; collecting a terminal equipment use record through a terminal equipment management system; And performing de-identification and desensitization processing on the collected operation records, network access records and terminal equipment usage records, hiding sensitive information fields containing personal information of users, and generating an anonymized unique identifier by adopting a hash algorithm.
3. 3. The abnormal behavior prediction method based on user behavior portrayal of claim 1, wherein determining a behavior baseline, user basic information and behavior characteristics of the user in the target application based on the behavior data, constructing the user behavior portrayal comprises: Based on the behavior data, determining a behavior baseline of a user in a target application by adopting a mode of combining time sequence statistics with cluster analysis; extracting user basic information from the behavior data, wherein the user basic information is associated with a user unique identifier through anonymization; performing dimension splitting and quantization processing on the behavior data, and extracting user behavior characteristics; And constructing a correlation map by taking the behavior base line as a reference dimension, taking the user basic information as an attribute tag dimension and taking the user behavior characteristics as a core description dimension, carrying out multidimensional data fusion correlation on the correlation map through characteristic weight distribution to form a user behavior portrait, wherein the user behavior portrait corresponds to the unique identifier after anonymization of the user one by one.
4. 4. The abnormal behavior prediction method based on the user behavior portrayal of claim 3, wherein the method is characterized in that a correlation map is constructed by taking a behavior base line as a base reference dimension, taking user basic information as an attribute tag dimension and taking user behavior characteristics as a core description dimension, and the correlation map is subjected to multidimensional data fusion correlation through characteristic weight distribution to form the user behavior portrayal, and comprises the following steps: modeling the feature importance degree of each dimension data based on the behavior base line, the user basic information and the user behavior feature to obtain the weight value of each feature; According to the weight value, carrying out weighted normalization processing on a plurality of baseline indexes in the behavior baseline to obtain a first multidimensional feature vector after association; Embedding the user basic information into the user behavior feature vector as an attribute tag dimension, and constructing a second multidimensional feature vector after the attribute tag and the user behavior feature vector are fused; Establishing a correlation map between the first multidimensional feature vector and the second multidimensional feature vector, and weighting nodes and side relations in the correlation map according to weight values to obtain a structured map describing the correlation relationship of the behavior features of the user; And carrying out index management on the graph feature vectors after multi-dimensional fusion according to the unique identifiers after user anonymization based on the structured graph, and generating user behavior portraits corresponding to the unique identifiers one by one.
5. 5. The method for predicting abnormal behavior based on user behavior portraits of claim 4, wherein creating a correlation map between the first multidimensional feature vector and the second multidimensional feature vector, weighting nodes and side relations in the correlation map according to weight values, obtaining a structured map describing the correlation relationship of the user behavior features, comprises: Taking each baseline characteristic dimension in the first multidimensional characteristic vector as a first class node, taking attribute tag characteristics and behavior characteristic dimensions in the second multidimensional characteristic vector as a second class node, and constructing a heterogeneous node set based on characteristic correlation among different class nodes; calculating the association strength between the first class nodes and the second class nodes, and taking the association strength as the basic weight of the edge relationship between the nodes; and constructing a structured graph based on the basic weight of the edge relation, wherein the structured graph comprises an adjacency matrix, a node attribute matrix and an edge attribute matrix.
6. 6. The method for predicting abnormal behavior based on user behavior portraits of claim 5, wherein constructing a structured graph based on basic weights of edge relations comprises: according to the feature importance weights corresponding to the nodes, carrying out weighted adjustment on the initial features of the nodes to obtain a weighted node set; Combining the node characteristic weights to carry out secondary weighting on the basic weights of the edge relations, generating weighted edge relations reflecting the node importance and the characteristic coupling degree, and constructing an edge weight matrix with differential expression capability; and constructing the weighted node set and the side weight matrix into a structured graph, wherein the structured graph comprises an adjacent matrix, a node attribute matrix and a side attribute matrix.
7. 7. The abnormal behavior prediction method based on the user behavior portraits of claim 1, characterized in that the implicit mode recognition and the abnormal prediction are performed on the user according to the user behavior portraits to obtain the prediction probability distribution of the abnormal behavior of the user with a preset category, comprising: Organizing the graph structure feature vectors in the user behavior portraits into a time sequence graph data set according to time sequence, wherein the time sequence graph data set comprises graph node features and edge relation features of users on a plurality of time slices; based on a time sequence diagram data set, performing time sequence dependency modeling on diagram structural features of adjacent time segments, and extracting a change trend of a user behavior mode in a time dimension; carrying out joint modeling on the spatial features and the temporal features, and acquiring joint space-time representation vectors for reflecting the implicit behavior mode of the user through a space-time feature fusion layer; based on the joint space-time representation vector, carrying out multi-category prediction on the behavior state of the user by adopting a category prediction output layer to obtain a prediction probability distribution corresponding to the abnormal behavior of the preset category; And carrying out threshold screening and confidence evaluation on the prediction probability distribution to generate an abnormal behavior prediction result used for representing the current abnormal risk degree of the user.
8. 8. The method for predicting abnormal behavior based on user behavior portraits of claim 7, wherein the performing multi-class prediction on the user behavior state by using the class prediction output layer based on the joint space-time representation vector to obtain the prediction probability distribution corresponding to the preset class abnormal behavior comprises: inputting the combined space-time representation vector to a full-connection mapping layer, and carrying out linear mapping compression on the combined space-time representation vector with high dimensionality to generate a compact feature vector for classification and discrimination; Adopting a multi-layer attention feature weighting network, and carrying out self-adaptive weighting on the compact feature vector by combining the space-time feature contribution degrees of different dimensions; Performing discrete category approximate sampling on the self-adaptive weighted feature vector to generate a pseudo-discrete probability vector indicating the abnormal behavior of the preset category; and carrying out probability calibration on the pseudo-discrete probability vector to obtain the calibrated prediction probability distribution.
9. 9. The user behavior representation-based abnormal behavior prediction method according to claim 8, wherein performing discrete class approximation sampling on the adaptively weighted feature vector to generate a pseudo-discrete probability vector indicating a preset class of abnormal behavior, comprises: Respectively sampling Gumbel random noise which is independently and uniformly distributed for the characteristic components corresponding to each class in the weighted characteristic vectors; Element-wise adding Gumbel random noise to the corresponding feature components to form a perturbed intermediate representation; A first temperature scaling factor is fused into the disturbed intermediate representation, gumbel-Softmax probability distribution under temperature control is constructed through exponential mapping and normalization operation, and the first temperature scaling factor is used for adjusting discrete approximation degree; A continuously differentiable pseudo-discrete probability vector is obtained based on Gumbel-Softmax probability distribution.
10. 10. An abnormal behavior prediction system based on a representation of user behavior, the system comprising: The acquisition unit is configured to acquire behavior data of a user in an authorized target application after the user confirms the authorization; the construction unit is configured to determine a behavior baseline, user basic information and behavior characteristics of the user in the target application based on the behavior data, and construct a user behavior portrait; The prediction unit is configured to perform implicit mode recognition and anomaly prediction on the user according to the user behavior portraits to obtain prediction probability distribution of the user with preset category anomaly behaviors, wherein the preset category anomaly behaviors at least comprise off-job tendency behaviors; And the prompt unit is configured to generate corresponding prompt information for the management platform based on the prediction probability distribution.

Description

Abnormal behavior prediction method and system based on user behavior portraits Technical Field The invention relates to the field of information security, in particular to a method and a system for predicting abnormal behaviors based on user behavior portraits. Background With the rapid development of information technology, an information security management system has become an indispensable infrastructure for modern enterprises, and plays a key role in promoting internal information exchange and resource sharing. However, the prior art has obvious limitation in the field of abnormal behavior prediction, and is difficult to effectively early warn the behaviors which may cause significant losses, such as off-office, abnormal printing, and trade secret stealing. The abnormal behavior is often identified by preset fixed rules or thresholds in the related art, and the mode lacks adaptability to complex dynamic behavior modes. Taking the technical scheme of publication number CN119919101a (internet-based human resource information security management system) as an example, a risk threshold FXmax is used to mark high-risk objects and low-risk objects, and whether the human architecture risk meets the requirement is determined through an architecture threshold JGmax. For example, formulated calculations such as risk factor FX and architecture factor JG are dependent on preset scaling factors and thresholds. The judgment based on the threshold value is simple and easy, but cannot effectively cope with the real-time change or emergency of the employee behavior, and misjudgment or missed judgment can be caused. In another prior art, in the technical scheme with publication number CN108427758a (off-job trend analysis method, apparatus, device and storage medium), threshold thinking is also adopted, and risk classes (high risk, medium risk, low risk) are classified by judging whether the internet surfing behavior data contains a specific type (such as resume delivery behavior data). Although this method improves reliability, the threshold itself is static and is difficult to adjust to individual differences or environmental changes. Therefore, a new technical scheme needs to be provided, which aims to improve the adaptability of the information management system to the complex dynamic behavior mode. Disclosure of Invention The invention aims to provide a method and a system for predicting abnormal behaviors based on user behavior portraits, which are used for realizing targeted implicit pattern recognition and improving the adaptability of an information management system to complex dynamic behavior patterns. The invention provides an abnormal behavior prediction method based on a user behavior portrait, which comprises the steps of obtaining behavior data of a user in an authorized target application after the user confirms authorization, determining a behavior base line of the user in the target application, user basic information and behavior characteristics based on the behavior data, constructing the user behavior portrait, carrying out implicit mode recognition and abnormal prediction on the user according to the user behavior portrait to obtain prediction probability distribution of the abnormal behavior of the user in a preset category, wherein the preset category abnormal behavior at least comprises off-job tendency behaviors, and generating corresponding prompt information for a management platform based on the prediction probability distribution. The embodiment of the invention provides an abnormal behavior prediction system based on a user behavior portrait, which is applied to the abnormal behavior prediction method based on the user behavior portrait of the first aspect, and comprises an acquisition unit, a construction unit and a prediction unit, wherein the acquisition unit is configured to acquire behavior data of a user in an authorized target application after the user confirms authorization, the construction unit is configured to determine a behavior baseline, user basic information and behavior characteristics of the user in the target application based on the behavior data, the prediction unit is configured to perform implicit mode identification and abnormal prediction on the user according to the user behavior portrait to obtain a prediction probability distribution of the abnormal behavior of the user in a preset category, the preset category abnormal behavior at least comprises off-time tendency, and the prompting unit is configured to generate corresponding prompting information for a management platform based on the prediction probability distribution. Aiming at the technical scheme of the publication number CN119919101A (human resource information safety management system based on the Internet), the technical scheme provided by the embodiment of the invention uses the conventional behavior of an individual as a reference to replace a unified fixed threshold value, adapts the dynamic chan