
CN108076032A - A kind of abnormal behaviour user identification method and device - Google Patents

Publication number
CN108076032A
Authority
CN
China
Prior art keywords
user
rate
network
identified
current network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201611035558.9A
Other languages
Chinese (zh)
Other versions
CN108076032B (en
Inventor
罗骁茜
吴栩欣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Guangdong Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Guangdong Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Guangdong Co Ltd
Priority to CN201611035558.9A
Publication of CN108076032A
Application granted
Publication of CN108076032B
Legal status: Active
Anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/06: Generation of reports
    • H04L43/067: Generation of reports using time frame reporting
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/08: Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876: Network utilisation, e.g. volume of load or congestion level
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/08: Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876: Network utilisation, e.g. volume of load or congestion level
    • H04L43/0894: Packet rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present invention provide a method and device for identifying users with abnormal behavior. The method includes: obtaining status information of the current network, the status information including the network-wide rate, the network element rate and the service flow value; determining, according to the status information of the current network, a preset time interval t and an observation time i, whether there are users with abnormal behavior in the current network; if there are users with abnormal behavior in the current network, obtaining session record information of the users to be identified and terminal information of the users to be identified; and identifying the users with abnormal behavior according to the session record information and the user terminal information. The device performs the method described above. By determining whether there are users with abnormal behavior in the current network and identifying those users, the method and device provided by the embodiments of the present invention ensure the stability of the current network rate.

Description

Abnormal behavior user identification method and device

Technical field

Embodiments of the present invention relate to the technical field of mobile communications, and in particular to a method and device for identifying users with abnormal behavior.

Background

With the development of mobile communication technology, more and more people obtain information through the Internet to meet the needs of daily study and work.

At the same time, however, behaviors related to Internet information security have also emerged, such as sending advertisements from stolen accounts, publishing malicious links, and defrauding Internet users of money. Such behaviors are collectively referred to as "abnormal user behavior". They occupy limited network resources for long periods and in large volume, which greatly degrades the online experience of normal users and leaves them with slow Internet access or none at all. The existing approach to this problem relies mainly on user complaints: after a complaint, staff test on site and optimize the specific network environment according to the test results. This approach cannot identify the users with abnormal behavior, and so cannot solve the slow Internet access of normal users at the source.

Therefore, how to effectively identify users with abnormal behavior has become a problem that urgently needs to be solved.

Summary of the invention

To address the problems in the prior art, embodiments of the present invention provide a method and device for identifying users with abnormal behavior.

In one aspect, an embodiment of the present invention provides a method for identifying users with abnormal behavior, including:

obtaining status information of the current network, the status information including: the network-wide rate, the network element rate and the service flow value;

determining, according to the status information of the current network, a preset time interval t and an observation time i, whether there are users with abnormal behavior in the current network;

if there are users with abnormal behavior in the current network, obtaining session record information of the users to be identified and terminal information of the users to be identified;

identifying the users with abnormal behavior according to the session record information and the user terminal information.

In another aspect, an embodiment of the present invention provides a device for identifying users with abnormal behavior, including:

a network information acquisition unit, configured to obtain status information of the current network, the status information including: the network-wide rate, the network element rate and the service flow value;

a judging unit, configured to determine, according to the status information of the current network, the preset time interval t and the observation time i, whether there are users with abnormal behavior in the current network;

a user information acquisition unit, configured to obtain session record information of the users to be identified and terminal information of the users to be identified if there are users with abnormal behavior in the current network;

an identification unit, configured to identify the users with abnormal behavior according to the session record information and the user terminal information.

By determining whether there are users with abnormal behavior in the current network and identifying those users, the method and device provided by the embodiments of the present invention ensure the stability of the current network rate.

Description of drawings

To illustrate the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative work.

FIG. 1 is a schematic flowchart of a method for identifying users with abnormal behavior according to an embodiment of the present invention;

FIG. 2 is a schematic flowchart of a method for identifying users with abnormal behavior according to yet another embodiment of the present invention;

FIG. 3 is a schematic structural diagram of a device for identifying users with abnormal behavior according to an embodiment of the present invention;

FIG. 4 is a schematic diagram of the physical structure of the device provided by an embodiment of the present invention.

Detailed description

To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative work fall within the protection scope of the present invention.

FIG. 1 is a schematic flowchart of a method for identifying users with abnormal behavior according to an embodiment of the present invention. As shown in FIG. 1, the method provided in this embodiment includes the following steps:

S1: Obtain status information of the current network, the status information including: the network-wide rate, the network element rate and the service flow value.

Specifically, the device obtains the status information of the current network, which includes the network-wide rate, the network element rate and the service flow value. Note that the current network status information may include the network-wide rate, the network element rate and the service flow value, but is not limited to these.

S2: According to the status information of the current network, the preset time interval t and the observation time i, determine whether there are users with abnormal behavior in the current network.

Specifically, the device determines whether there are users with abnormal behavior in the current network according to the status information of the current network, the preset time interval t and the observation time i. Note that the preset time interval t and the observation time i can be set as the situation requires. For example, the preset time interval t can be set to 1 hour, meaning that the device performs the abnormal behavior user identification method once every hour and identifies the candidate user behavior. The smaller the value of t, the more frequently user behavior is identified; the larger the value of t, the less frequently. The observation time i can be set to one or more arbitrary times between the start time and the end time corresponding to the preset time interval t. For example, when t is set to 1 hour and the method is executed at 17:00, the start time is 17:00 and the end time is 18:00, and the observation time i can be any one or several times between 17:00 and 18:00 at which the network-wide rate, the network element rate or the service flow value is obtained.

S3: If there are users with abnormal behavior in the current network, obtain session record information of the users to be identified and terminal information of the users to be identified.

Specifically, if the device learns that there are users with abnormal behavior in the current network, it obtains the session record information of the users to be identified and the terminal information of the users to be identified. Note that user session record information may include, but is not limited to: access records for network domain names, session duration, source TCP/UDP port, destination TCP/UDP port, and so on. User terminal information may include, but is not limited to: the brand and model of the mobile phone terminal used by the user, and so on.

S4: Identify the users with abnormal behavior according to the session record information and the user terminal information.

Specifically, the device identifies the users with abnormal behavior according to the session record information and the user terminal information. Note that users with abnormal behavior can be identified based on the number of visits to a specific domain name in the session record information, together with the brand and model of the mobile phone terminal in the user terminal information, the mobile phone number used, and the location of the mobile phone terminal.

By determining whether there are users with abnormal behavior in the current network and identifying those users, the method provided by the embodiment of the present invention ensures the stability of the current network rate.

On the basis of the above embodiment, determining whether there are users with abnormal behavior in the current network according to the status information of the current network, the preset time interval t and the observation time i includes:

According to the network-wide rate of the current network, the preset time interval t and the observation time i, determine whether the network-wide rate of the current network has decreased.

Specifically, the device determines whether the network-wide rate of the current network has decreased according to the network-wide rate of the current network, the preset time interval t and the observation time i. Note that the decision can be based on the percentage decrease of the network-wide rate of the current network. Continuing the example above: when the preset time interval t is set to 1 hour and the method is executed at 17:00, the start time is 17:00 and the end time is 18:00. Assuming that the observation time i is 17:10, 17:25, and, the number of observations n is 3. According to the formula: the average value of the network-wide rate within the preset time interval of 1 hour is calculated, where V_Ai is the network-wide rate in the status information of the current network. Then, according to the formula: the percentage decrease P_A of the network-wide rate of the current network is calculated. Then, according to the formula: it is determined whether the network-wide rate of the current network is in a decreased state (that is, P_A ≥ 5% means the network-wide rate has decreased; P_A < 5% means it has not). The 5% is the preset network-wide rate percentage, which can be set as the situation requires; 5% here is one optional choice, and the embodiment of the present invention does not specifically limit it.

If the network-wide rate of the current network is determined to be in a decreased state, determine whether the network element rate of the current network has decreased.

Specifically, if the device determines that the network-wide rate of the current network is in a decreased state, it determines whether the network element rate of the current network has decreased. If the network-wide rate of the current network is determined not to have decreased, the current network can be considered to have no users with abnormal behavior. Note that the decision on whether the network element rate has decreased can be based on the percentage decrease of the network element rate of the current network. Continuing the example above: the number of observations n is 3. According to the formula: the average value of the network element rate within the preset time interval of 1 hour is calculated, where V_Bi is the network element rate in the status information of the current network. Then, according to the formula: the percentage decrease P_B of the network element rate of the current network is calculated. Then, according to the formula: it is determined whether the network element rate of the current network is in a decreased state. The 10% is the preset network element rate percentage, which can be set as the situation requires; 10% here is one optional choice, and the embodiment of the present invention does not specifically limit it.

If the network element rate of the current network is determined to be in a decreased state, select, according to the size of the service flow values, the first m service flow values as candidate service flow values.

Specifically, if the device determines that the network element rate of the current network is in a decreased state, it selects the first m service flow values, ordered by size, as candidate service flow values. If the device determines that the network element rate of the current network has not decreased, the current network can be considered to have no users with abnormal behavior. The value of m can be set as the situation requires and is not specifically limited here. This embodiment takes m = 10; the candidate service flow values obtained are shown in Table 1:

Table 1: The top 10 service flow values that can be used as candidate service flow values

Service                   Traffic (MB)   Proportion   Rate (kbps)
360 Security Guard        3687           14%          283
Fetion                    1090           4%           198
NetEase                   570            2%           108
ICBC                      553            2%           93
Qzone                     370            1%           479
Tencent.com               284            1%           591
UC Browser                151            1%           480
Sina                      148            1%           503
Baidu                     110            0%           397
Apple official website    77             0%           470
RNC as a whole            25598          100%         278

According to the preset time interval t and the candidate service flow values, calculate the candidate service rate corresponding to each candidate service.

Specifically, the device calculates the candidate service rate corresponding to each candidate service according to the preset time interval t and the candidate service flow value. For example, according to the formula: the candidate service rate V_ij is calculated, where i is the observation time, j is the j-th service, and M_ij is the candidate service flow value.

Determine whether the candidate service rate of the current network has decreased.

Specifically, the device determines whether the candidate service rate of the current network has decreased. According to the formula: the average value of the candidate service rate is calculated. Then, according to the formula: it is determined whether the candidate service rate of the current network is in a decreased state.

If the candidate service rate of the current network is determined to be in a decreased state, it is determined that there are users with abnormal behavior in the current network.

Specifically, if the device determines that the candidate service rate of the current network is in a decreased state, it determines that there are users with abnormal behavior in the current network. If the candidate service rate of the current network is determined not to have decreased, the current network can be considered to have no users with abnormal behavior.

By determining whether the network-wide rate, the network element rate and the candidate service rate of the current network have decreased, the method provided by the embodiment of the present invention can accurately identify whether there are users with abnormal behavior in the current network.

On the basis of the above embodiment, determining whether the network-wide rate of the current network has decreased according to the network-wide rate of the current network, the preset time interval t and the observation time i includes:

According to the preset time interval t and the observation time i, obtain the number of observations n within the preset time interval t, where the observation time i lies between the start time and the end time corresponding to the preset time interval t.

Specifically, the device obtains the number of observations n within the preset time interval t according to the preset time interval t and the observation time i, where the observation time i lies between the start time and the end time corresponding to the preset time interval t. This has been described in the above embodiments and is not repeated here.

According to the number of observations n and the network-wide rate of the current network, calculate the average value of the network-wide rate within the preset time interval t.

Specifically, the device calculates the average value of the network-wide rate within the preset time interval t according to the number of observations n and the network-wide rate of the current network. This has been described in the above embodiments and is not repeated here.

According to the average value of the network-wide rate and the network-wide rate of the current network, calculate the percentage decrease of the network-wide rate of the current network.

Specifically, the device calculates the percentage decrease of the network-wide rate of the current network according to the average value of the network-wide rate and the network-wide rate of the current network. This has been described in the above embodiments and is not repeated here.

If the percentage decrease of the network-wide rate of the current network is greater than or equal to the preset network-wide rate percentage, the network-wide rate of the current network is determined to be in a decreased state.

Specifically, if the device learns that the percentage decrease of the network-wide rate of the current network is greater than or equal to the preset network-wide rate percentage, it determines that the network-wide rate of the current network is in a decreased state. This has been described in the above embodiments and is not repeated here.

By calculating the percentage decrease of the network-wide rate of the current network, the method provided by the embodiment of the present invention ensures the accuracy of the decision on whether the network-wide rate has decreased.

On the basis of the above embodiment, determining whether the network element rate of the current network has decreased includes:

According to the number of observations n and the network element rate of the current network, calculate the average value of the network element rate within the preset time interval t.

Specifically, the device calculates the average value of the network element rate within the preset time interval t according to the number of observations n and the network element rate of the current network. This has been described in the above embodiments and is not repeated here.

According to the average value of the network element rate and the network element rate of the current network, calculate the percentage decrease of the network element rate of the current network.

Specifically, the device calculates the percentage decrease of the network element rate of the current network according to the average value of the network element rate and the network element rate of the current network. This has been described in the above embodiments and is not repeated here.

If the percentage decrease of the network element rate of the current network is greater than or equal to the preset network element rate percentage, the network element rate of the current network is determined to be in a decreased state.

Specifically, if the device learns that the percentage decrease of the network element rate of the current network is greater than or equal to the preset network element rate percentage, it determines that the network element rate of the current network is in a decreased state. This has been described in the above embodiments and is not repeated here.

By calculating the percentage decrease of the network element rate of the current network, the method provided by the embodiment of the present invention ensures the accuracy of the decision on whether the network element rate has decreased.

On the basis of the above embodiments, judging whether the candidate service rate of the current network has declined includes:

Calculating the average value of the candidate service rates according to the candidate service rates and the number m of candidate service traffic values.

Specifically, the device calculates the average value of the candidate service rates according to the candidate service rates and the number m of candidate service traffic values. This has been described in the above embodiments and is not repeated here.

According to the average value of the candidate service rate, the candidate service rate Vij and the average value of the network element rate, if the result calculated by the formula is 1, the candidate service rate of the current network is judged to be in a declining state.

Specifically, according to the average value of the candidate service rate, the candidate service rate Vij and the average value of the network element rate, if the result calculated by the formula is 1, the device judges that the candidate service rate of the current network is in a declining state. This has been described in the above embodiments and is not repeated here.

The abnormal behavior user identification method provided by the embodiment of the present invention ensures that the declining state of the candidate service rate is judged accurately, based on the calculated average values of the candidate service rate and the network element rate.

On the basis of the above embodiments, identifying the abnormal behavior user according to the session record information and the user terminal information includes:

According to the number of visits to a specific domain name in the session record information, identifying as abnormal users the users to be identified whose number of visits to the specific domain name is greater than a first visit-count threshold.

Specifically, Figure 2 is a schematic flowchart of an abnormal behavior user identification method according to another embodiment of the present invention. As shown in Figure 2, according to the number of visits to a specific domain name in the session record information, the device identifies as abnormal users the users to be identified whose number of visits to the specific domain name is greater than the first visit-count threshold. The first visit-count threshold can be set as the actual situation requires and is not limited here. For example: there are 1,000 users to be identified and the first visit-count threshold is 50; 40 of the users to be identified have visited the specific domain name more than the first visit-count threshold of 50 times, so these 40 users to be identified are identified as abnormal users.

Taking the users to be identified whose number of visits to the specific domain name is less than the first visit-count threshold as first users to be identified.

Specifically, the device takes the users to be identified whose number of visits to the specific domain name is less than the first visit-count threshold as first users to be identified. Continuing the above example: the remaining 960 (1000-40=960) users to be identified are taken as first users to be identified.

Extracting the mobile phone numbers of the first users to be identified; if the number of visits to the specific domain name by the same mobile phone number is greater than a second visit-count threshold, identifying the first user to be identified as an abnormal user, where the second visit-count threshold is less than the first visit-count threshold.

Specifically, the device extracts the mobile phone numbers of the first users to be identified; if the number of visits to the specific domain name by the same mobile phone number is greater than the second visit-count threshold, it identifies the first user to be identified as an abnormal user, where the second visit-count threshold is less than the first visit-count threshold. The second visit-count threshold can be set as the actual situation requires and is not limited here. Continuing the above example: there are 960 first users to be identified and the second visit-count threshold is 40; the 60 first users to be identified for whom the number of visits to the specific domain name by the same mobile phone number is greater than the second visit-count threshold of 40 are identified as abnormal users.

Taking the first users to be identified for whom the number of visits to the specific domain name by the same mobile phone number is less than the second visit-count threshold as second users to be identified.

Specifically, the device takes the first users to be identified for whom the number of visits to the specific domain name by the same mobile phone number is less than the second visit-count threshold as second users to be identified. For example: there are 960 first users to be identified, and 900 (960-60) of them are taken as second users to be identified.

Extracting the mobile phone terminal information of the second users to be identified, where the mobile phone terminal information includes the manufacturer and model of the mobile phone terminal.

Specifically, the device extracts the mobile phone terminal information of the second users to be identified; the mobile phone terminal information may include, but is not limited to, the manufacturer and model of the mobile phone terminal.

If the number of visits to the specific domain name by mobile phone terminals of the same manufacturer and model is greater than a third visit-count threshold, identifying the second user to be identified as an abnormal user, where the third visit-count threshold is less than the second visit-count threshold.

Specifically, if the device learns that the number of visits to the specific domain name by mobile phone terminals of the same manufacturer and model is greater than the third visit-count threshold, it identifies the second user to be identified as an abnormal user, where the third visit-count threshold is less than the second visit-count threshold. The third visit-count threshold can be set as the actual situation requires and is not limited here. Continuing the above example: there are 900 second users to be identified and the third visit-count threshold is 30; the 20 second users to be identified for whom the number of visits to the specific domain name by mobile phone terminals of the same manufacturer and model is greater than the third visit-count threshold of 30 are identified as abnormal users.

Taking the second users to be identified for whom the number of visits to the specific domain name by mobile phone terminals of the same manufacturer and model is less than the third visit-count threshold as third users to be identified.

Specifically, the device takes the second users to be identified for whom the number of visits to the specific domain name by mobile phone terminals of the same manufacturer and model is less than the third visit-count threshold as third users to be identified. For example: there are 900 second users to be identified, and 880 (900-20) of them are taken as third users to be identified.

Extracting the location information of the mobile phone terminals of the third users to be identified; if the change in position of the mobile phone terminal within the preset time interval t is less than a preset distance threshold, identifying the third user to be identified as an abnormal user.

Specifically, the device extracts the location information of the mobile phone terminals of the third users to be identified; if the change in position of the mobile phone terminal within the preset time interval t is less than the preset distance threshold, it identifies the third user to be identified as an abnormal user. The preset distance threshold can be set as the actual situation requires and is not limited here. Continuing the above example: there are 880 third users to be identified and the preset distance threshold is 200 meters; the 10 third users to be identified whose mobile phone terminal position changed by less than the preset distance threshold of 200 meters within the preset time interval t are identified as abnormal users. The 870 (880-10) third users to be identified whose mobile phone terminal position changed by 200 meters or more within the preset time interval t are identified as normal users.

The abnormal behavior user identification method provided by the embodiment of the present invention ensures accurate identification by identifying abnormal behavior users stage by stage.
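The staged filtering described above, written out as an added Python example that is not code from the patent. The record fields, the summing of visit counts per key (user, phone number, manufacturer and model), and the handling of a count exactly equal to a threshold (passed on to the next stage, since the text only covers "greater than" and "less than") are assumptions; the sample records and phone identifiers are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class UserRecord:
    user_id: str           # identity of the user to be identified (assumed field)
    phone: str             # mobile phone number (constructed placeholder values)
    vendor: str            # terminal manufacturer
    model: str             # terminal model
    visits: int            # visits to the specific domain in the session records
    displacement_m: float  # position change within the preset interval t, in meters


def flag_by_group(users, key, threshold):
    """Sum visits per key. Every user in a group whose total exceeds the
    threshold is flagged; the rest move on to the next stage."""
    totals = defaultdict(int)
    for u in users:
        totals[key(u)] += u.visits
    flagged = [u for u in users if totals[key(u)] > threshold]
    remaining = [u for u in users if totals[key(u)] <= threshold]
    return flagged, remaining


def identify(users, t1, t2, t3, distance_threshold_m):
    """Return {user_id: verdict} for the four-stage cascade."""
    # The text requires each later threshold to be smaller than the one before.
    if not t1 > t2 > t3:
        raise ValueError("thresholds must satisfy t1 > t2 > t3")
    stages = [
        ("user", lambda u: u.user_id, t1),               # stage 1: per user
        ("phone", lambda u: u.phone, t2),                # stage 2: per phone number
        ("terminal", lambda u: (u.vendor, u.model), t3), # stage 3: per vendor+model
    ]
    verdicts = {}
    remaining = list(users)
    for name, key, threshold in stages:
        flagged, remaining = flag_by_group(remaining, key, threshold)
        for u in flagged:
            verdicts[u.user_id] = "abnormal:" + name
    # Stage 4: a terminal that barely moves within interval t is abnormal;
    # displacement at or above the distance threshold means a normal user.
    for u in remaining:
        stationary = u.displacement_m < distance_threshold_m
        verdicts[u.user_id] = "abnormal:stationary" if stationary else "normal"
    return verdicts


# Constructed sample records; thresholds below follow the text's example
# (50, 40, 30 visits and 200 meters).
SAMPLE_USERS = [
    UserRecord("u1", "phone-A", "VendorA", "A1", 80, 900.0),   # over t1 alone
    UserRecord("u2", "phone-B", "VendorB", "B1", 25, 1500.0),  # shares phone-B
    UserRecord("u3", "phone-B", "VendorB", "B2", 20, 1500.0),  # 25 + 20 > t2
    UserRecord("u4", "phone-C", "VendorC", "C1", 18, 2400.0),  # same model as u5
    UserRecord("u5", "phone-D", "VendorC", "C1", 15, 3100.0),  # 18 + 15 > t3
    UserRecord("u6", "phone-E", "VendorD", "D1", 5, 12.0),     # moved only 12 m
    UserRecord("u7", "phone-F", "VendorE", "E1", 3, 3500.0),   # low count, mobile
    UserRecord("u8", "phone-G", "VendorF", "F1", 50, 800.0),   # exactly t1
]

if __name__ == "__main__":
    for uid, verdict in identify(SAMPLE_USERS, 50, 40, 30, 200.0).items():
        print(uid, verdict)
```

Under the per-key summing assumed here, stage 3 flags every remaining user who shares a terminal model whose combined count exceeds the threshold, so the third threshold has to be tuned against how common each model is in the population.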

The flowchart of the abnormal behavior user identification method shown in Figure 2 can be obtained through the following steps:

R1: From the session record information of the users to be identified, extract key features as sample library factors. An independent feature that does not affect other features is treated as one sample library factor, and multiple features that influence each other and act jointly are merged into one sample library factor. In this way, a sample library containing the online behavior sessions of normal users and abnormal users is established.

R2: Based on the sample library factors of step R1, randomly select a certain number of objects to construct a training data set, and generate the flowchart of the abnormal behavior user identification method shown in Figure 2 through training and pruning. The detailed structure and algorithm of the flowchart are as follows:

The decision tree algorithm is the CART (Classification and Regression Trees) algorithm.

The CART algorithm consists of two main steps: (1) building the tree by recursively partitioning the samples, and (2) pruning with validation data.

Step (1) builds a binary tree recursively. Let x1, x2, ..., xn denote the n attributes of a single sample, and let y denote the class it belongs to. The CART algorithm recursively partitions the n-dimensional space into non-overlapping rectangles. The partitioning steps are roughly as follows:

(1) Select an independent variable xi and a value vi of xi. vi divides the n-dimensional space into two parts: all samples in one part satisfy xi ≤ vi, and all samples in the other part satisfy xi > vi. For a discrete variable the attribute test has only two outcomes: equal to the value or not equal to it. Continuous variables must be discretized first; the abnormal-user online behavior features in this proposal are continuous variables.

(2) Recursive processing: for each of the two parts obtained above, select an attribute again as in step (1) and continue partitioning until the entire n-dimensional space has been partitioned.

During partitioning, the split point of a variable attribute is the midpoint of a pair of consecutive attribute values. If an attribute takes m consecutive values over a set of m samples, there are m-1 split points, each the mean of two adjacent values. The candidate splits of each attribute are ranked by the amount of impurity they remove, where the impurity reduction is defined as the impurity before the split minus the sum, over the nodes produced by the split, of each node's impurity weighted by its share of the split. The Gini index is the commonly used impurity measure: the Gini value measures the impurity of a data partition or of the training data set K. The Gini value is tested at each branch node; samples that meet a given purity go to the left subtree and the others go to the right subtree, and the result is a binary decision tree. The smaller the Gini value, the higher the "purity" of the samples. Assuming the samples fall into Z classes and the probability of belonging to class i is pi, the Gini impurity of a node K can be defined by the following formula:

When Gini(K)=0, all samples belong to the same class; when all classes appear in the node with equal probability, Gini(K) is maximized,

In the actual recursive partitioning process, if the samples of the current node do not all belong to the same class, or only one sample is left, the node is a non-leaf node. It is therefore necessary to try every attribute of the samples and every split point of each attribute in order to find the split with the largest change in impurity; the subtree produced by that attribute split is the optimal branch.
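Step (1) above, worked through as an added Python example that is not code from the patent: midpoint split candidates, ranking by impurity reduction, and recursive construction of the binary tree. It assumes the standard CART Gini impurity (one minus the sum of squared class proportions); the two features (visits to the specific domain, displacement in meters), the function names and the training rows are constructed for illustration.

```python
from collections import Counter


def gini(labels):
    """Standard Gini impurity: 0 when all labels agree (assumed definition)."""
    n = len(labels)
    if n == 0:
        return 0.0
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def candidate_splits(values):
    """Midpoints of adjacent distinct values: m values give m-1 split points."""
    distinct = sorted(set(values))
    return [(a + b) / 2 for a, b in zip(distinct, distinct[1:])]


def partition(rows, labels, feature, value):
    """Left part satisfies x_i <= v_i, right part satisfies x_i > v_i."""
    left = [(r, y) for r, y in zip(rows, labels) if r[feature] <= value]
    right = [(r, y) for r, y in zip(rows, labels) if r[feature] > value]
    return left, right


def best_split(rows, labels):
    """Try every attribute and split point; return (feature, value, reduction)
    with the largest impurity reduction, or None if no split exists."""
    parent, n, best = gini(labels), len(labels), None
    for feature in range(len(rows[0])):
        for value in candidate_splits([r[feature] for r in rows]):
            parts = partition(rows, labels, feature, value)
            weighted = sum(len(p) / n * gini([y for _, y in p]) for p in parts)
            reduction = parent - weighted
            if best is None or reduction > best[2]:
                best = (feature, value, reduction)
    return best


def build_tree(rows, labels):
    """Recursively partition until every node is pure (no pruning here)."""
    if len(set(labels)) == 1:
        return {"leaf": labels[0]}
    split = best_split(rows, labels)
    if split is None:  # identical feature vectors with mixed labels
        return {"leaf": Counter(labels).most_common(1)[0][0]}
    feature, value, _ = split
    left, right = partition(rows, labels, feature, value)
    return {
        "feature": feature,
        "value": value,
        "left": build_tree([r for r, _ in left], [y for _, y in left]),
        "right": build_tree([r for r, _ in right], [y for _, y in right]),
    }


def classify(tree, row):
    while "leaf" not in tree:
        branch = "left" if row[tree["feature"]] <= tree["value"] else "right"
        tree = tree[branch]
    return tree["leaf"]


# Constructed training rows: (visits to the specific domain, displacement in m).
ROWS = [(80, 2200), (65, 20), (55, 1500), (12, 40), (9, 15),
        (10, 2500), (4, 3000), (7, 1800), (6, 1200)]
LABELS = ["abnormal"] * 5 + ["normal"] * 4

if __name__ == "__main__":
    print(best_split(ROWS, LABELS))
    print(build_tree(ROWS, LABELS))
```

On this data the root splits on visit count at 11.0 and the low-count branch splits on displacement at 607.5, which mirrors the order of checks in the staged identification: a high visit count first, then lack of movement.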

Step (2): The CART algorithm uses post-pruning, and this proposal uses cost-complexity pruning for post-pruning. r(t) is the error rate of node t, and p(t) is the proportion of all data that falls on node t. If the node is pruned, R(t) is the error cost of node t, and

R(t) = r(t) × p(t)    (9)

If the node is not pruned, R(Tt) is the error cost of the subtree Tt, which equals the sum of the error costs of all leaf nodes of the subtree Tt; is the number of leaf nodes contained in the subtree. From formula (9), the apparent error rate gain α of each non-leaf node in the classification and regression tree is

Figure 3 is a schematic structural diagram of an abnormal behavior user identification device according to an embodiment of the present invention. As shown in Figure 3, this embodiment provides an abnormal behavior user identification device including a network information acquisition unit 1, a judgment unit 2, a user information acquisition unit 3 and an identification unit 4, where:

The network information acquisition unit 1 is used to acquire the state information of the current network, the state information including the whole-network rate, the network element rate and the service traffic value; the judgment unit 2 is used to judge, according to the state information of the current network, a preset time interval t and an observation time i, whether there is an abnormal behavior user in the current network; the user information acquisition unit 3 is used to acquire the session record information and the user terminal information of the users to be identified if there is an abnormal behavior user in the current network; the identification unit 4 is used to identify the abnormal behavior user according to the session record information and the user terminal information.

Specifically, the network information acquisition unit 1 is used to acquire the state information of the current network, the state information including the whole-network rate, the network element rate and the service traffic value, and sends the state information to the judgment unit 2. The judgment unit 2 is used to judge, according to the state information of the current network, the preset time interval t and the observation time i, whether there is an abnormal behavior user in the current network, and sends the judgment result to the user information acquisition unit 3. The user information acquisition unit 3 is used to acquire the session record information and the user terminal information of the users to be identified if there is an abnormal behavior user in the current network, and sends the session record information and the user terminal information to the identification unit 4. The identification unit 4 is used to identify the abnormal behavior user according to the session record information and the user terminal information.

The abnormal behavior user identification device provided by the embodiment of the present invention ensures the stability of the current network rate by judging whether there is an abnormal behavior user in the current network and identifying the abnormal behavior user.

On the basis of the above embodiments, the judgment unit 2 is used for:

Judging, according to the whole-network rate of the current network, the preset time interval t and the observation time i, whether the whole-network rate of the current network has declined; if the whole-network rate of the current network is judged to be in a declining state, judging whether the network element rate of the current network has declined; if the network element rate of the current network is judged to be in a declining state, selecting, by magnitude, the top m service traffic values as candidate service traffic values; calculating the candidate service rate corresponding to each candidate service according to the preset time interval t and the candidate service traffic values; judging whether the candidate service rate of the current network has declined; if the candidate service rate of the current network is judged to be in a declining state, judging that there is an abnormal behavior user in the current network.

Specifically, the judgment unit 2 is used to judge, according to the whole-network rate of the current network, the preset time interval t and the observation time i, whether the whole-network rate of the current network has declined; the judgment unit 2 is used to judge whether the network element rate of the current network has declined if the whole-network rate of the current network is judged to be in a declining state; the judgment unit 2 is used to select, by magnitude, the top m service traffic values as candidate service traffic values if the network element rate of the current network is judged to be in a declining state; the judgment unit 2 is used to calculate the candidate service rate corresponding to each candidate service according to the preset time interval t and the candidate service traffic values; the judgment unit 2 is used to judge whether the candidate service rate of the current network has declined; the judgment unit 2 is used to judge that there is an abnormal behavior user in the current network if the candidate service rate of the current network is judged to be in a declining state.

The abnormal behavior user identification device provided by the embodiment of the present invention can accurately identify whether there is an abnormal behavior user in the current network by judging whether the whole-network rate, the network element rate and the candidate service rate of the current network have declined.

On the basis of the above embodiments, the judgment unit 2 is also used for:

Calculating the average value of the candidate service rates according to the candidate service rates and the number m of candidate service traffic values; according to the average value of the candidate service rate, the candidate service rate Vij and the average value of the network element rate, if the result calculated by the formula is 1, judging that the candidate service rate of the current network is in a declining state.

Specifically, the judgment unit 2 is also used to calculate the average value of the candidate service rates according to the candidate service rates and the number m of candidate service traffic values; the judgment unit 2 is also used to judge, according to the average value of the candidate service rate, the candidate service rate Vij and the average value of the network element rate, that the candidate service rate of the current network is in a declining state if the result calculated by the formula is 1.

The abnormal behavior user identification device provided by the embodiment of the present invention ensures that the declining state of the candidate service rate is judged accurately, based on the calculated average values of the candidate service rate and the network element rate.

On the basis of the above embodiments, the identification unit 4 is used for:

According to the number of visits to a specific domain name in the session record information, identifying as abnormal users the users to be identified whose number of visits to the specific domain name is greater than a first visit-count threshold; taking the users to be identified whose number of visits to the specific domain name is less than the first visit-count threshold as first users to be identified; extracting the mobile phone numbers of the first users to be identified, and if the number of visits to the specific domain name by the same mobile phone number is greater than a second visit-count threshold, identifying the first user to be identified as an abnormal user, where the second visit-count threshold is less than the first visit-count threshold; taking the first users to be identified for whom the number of visits to the specific domain name by the same mobile phone number is less than the second visit-count threshold as second users to be identified; extracting the mobile phone terminal information of the second users to be identified, the mobile phone terminal information including the manufacturer and model of the mobile phone terminal; if the number of visits to the specific domain name by mobile phone terminals of the same manufacturer and model is greater than a third visit-count threshold, identifying the second user to be identified as an abnormal user, where the third visit-count threshold is less than the second visit-count threshold; taking the second users to be identified for whom the number of visits to the specific domain name by mobile phone terminals of the same manufacturer and model is less than the third visit-count threshold as third users to be identified; extracting the location information of the mobile phone terminals of the third users to be identified, and if the change in position of the mobile phone terminal within the preset time interval t is less than a preset distance threshold, identifying the third user to be identified as an abnormal user.

Specifically, the identification unit 4 is used to identify as abnormal users, according to the number of visits to a specific domain name in the session record information, the users to be identified whose number of visits to the specific domain name is greater than the first visit-count threshold; the identification unit 4 is used to take the users to be identified whose number of visits to the specific domain name is less than the first visit-count threshold as first users to be identified; the identification unit 4 is used to extract the mobile phone numbers of the first users to be identified and, if the number of visits to the specific domain name by the same mobile phone number is greater than the second visit-count threshold, to identify the first user to be identified as an abnormal user, where the second visit-count threshold is less than the first visit-count threshold; the identification unit 4 is used to take the first users to be identified for whom the number of visits to the specific domain name by the same mobile phone number is less than the second visit-count threshold as second users to be identified; the identification unit 4 is used to extract the mobile phone terminal information of the second users to be identified, the mobile phone terminal information including the manufacturer and model of the mobile phone terminal; the identification unit 4 is used to identify the second user to be identified as an abnormal user if the number of visits to the specific domain name by mobile phone terminals of the same manufacturer and model is greater than the third visit-count threshold, where the third visit-count threshold is less than the second visit-count threshold; the identification unit 4 is used to take the second users to be identified for whom the number of visits to the specific domain name by mobile phone terminals of the same manufacturer and model is less than the third visit-count threshold as third users to be identified; the identification unit 4 is used to extract the location information of the mobile phone terminals of the third users to be identified and, if the change in position of the mobile phone terminal within the preset time interval t is less than the preset distance threshold, to identify the third user to be identified as an abnormal user.

The abnormal behavior user identification device provided by the embodiment of the present invention ensures accurate identification by identifying abnormal behavior users stage by stage.

The abnormal behavior user identification device provided by this embodiment can be used to execute the processing flows of the above method embodiments. Its functions are not repeated here; refer to the detailed description of the above method embodiments.

图4为本发明实施例提供的装置实体结构示意图,如图4所示,所述邻区优化处理装置,包括:处理器(processor)401、存储器(memory)402和总线403;FIG. 4 is a schematic diagram of the physical structure of the device provided by the embodiment of the present invention. As shown in FIG. 4 , the neighboring cell optimization processing device includes: a processor (processor) 401, a memory (memory) 402, and a bus 403;

其中,所述处理器401、存储器402通过总线403完成相互间的通信;Wherein, the processor 401 and the memory 402 complete mutual communication through the bus 403;

所述处理器401用于调用所述存储器402中的程序指令,以执行上述各方法实施例所提供的方法,例如包括:全网速率、网元速率和业务流量值;根据所述当前网络的状态信息、预设时间间隔t和观察时间i,判断所述当前网络是否存在异常行为用户;若所述当前网络存在异常行为用户,则获取待识别用户会话记录信息和所述待识别用户终端信息;根据所述会话记录信息和所述用户终端信息,对所述异常行为用户进行识别。The processor 401 is used to call the program instructions in the memory 402 to execute the methods provided by the above method embodiments, for example, including: the overall network rate, network element rate and service flow value; according to the current network State information, preset time interval t and observation time i, to determine whether there are users with abnormal behaviors in the current network; if there are users with abnormal behaviors in the current network, then obtain the session record information of the user to be identified and the terminal information of the user to be identified ; Identifying the abnormal behavior user according to the session record information and the user terminal information.

This embodiment discloses a computer program product. The computer program product includes a computer program stored on a non-transitory computer-readable storage medium, and the computer program includes program instructions. When the program instructions are executed by a computer, the computer can execute the methods provided by the method embodiments above, for example including: the whole-network rate, the network element rate and the service traffic value; determining, according to the status information of the current network, a preset time interval t and an observation time i, whether abnormal-behavior users exist in the current network; if abnormal-behavior users exist in the current network, obtaining session record information of the users to be identified and terminal information of the users to be identified; and identifying the abnormal-behavior users according to the session record information and the user terminal information.

This embodiment provides a non-transitory computer-readable storage medium. The non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause the computer to execute the methods provided by the method embodiments above, for example including: the whole-network rate, the network element rate and the service traffic value; determining, according to the status information of the current network, a preset time interval t and an observation time i, whether abnormal-behavior users exist in the current network; if abnormal-behavior users exist in the current network, obtaining session record information of the users to be identified and terminal information of the users to be identified; and identifying the abnormal-behavior users according to the session record information and the user terminal information.

Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments above can be carried out by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments above. The storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.

The embodiments described above, such as the abnormal-behavior user identification device, are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.

From the description of the implementations above, those skilled in the art can clearly understand that each implementation can be realized by software plus a necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the essence of the technical solution above, or the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments or in some parts of the embodiments.

Finally, it should be noted that the embodiments above are only intended to illustrate the technical solutions of the embodiments of the present invention, not to limit them. Although the embodiments of the present invention have been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features can be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An abnormal-behavior user identification method, characterized by comprising:
obtaining status information of the current network, the status information including: a whole-network rate, a network element rate and service traffic values;
determining, according to the status information of the current network, a preset time interval t and an observation time i, whether abnormal-behavior users exist in the current network;
if abnormal-behavior users exist in the current network, obtaining session record information of the users to be identified and terminal information of the users to be identified;
identifying the abnormal-behavior users according to the session record information and the user terminal information.
2. The method according to claim 1, characterized in that determining, according to the status information of the current network, the preset time interval t and the observation time i, whether abnormal-behavior users exist in the current network comprises:
determining, according to the whole-network rate of the current network, the preset time interval t and the observation time i, whether the whole-network rate of the current network has declined;
if the whole-network rate of the current network is determined to be in a declining state, determining whether the network element rate of the current network has declined;
if the network element rate of the current network is determined to be in a declining state, selecting, according to the magnitude of the service traffic values, the top m service traffic values among the service traffic values as candidate service traffic values;
calculating, according to the preset time interval t and the candidate service traffic values, the candidate service rate corresponding to each candidate service;
determining whether the candidate service rate of the current network has declined;
if the candidate service rate of the current network is determined to be in a declining state, determining that abnormal-behavior users exist in the current network.
3. The method according to claim 2, characterized in that determining, according to the whole-network rate of the current network, the preset time interval t and the observation time i, whether the whole-network rate of the current network has declined comprises:
obtaining, according to the preset time interval t and the observation time i, the number of observations n within the preset time interval t, wherein the observation time i lies between the start time and the end time corresponding to the preset time interval t;
calculating, according to the number of observations n and the whole-network rate of the current network, the average value of the whole-network rate within the preset time interval t;
calculating, according to the average value of the whole-network rate and the whole-network rate of the current network, the whole-network rate decline percentage of the current network;
if the whole-network rate decline percentage of the current network is greater than or equal to a preset whole-network rate percentage, determining that the whole-network rate of the current network is in a declining state.
4. The method according to claim 2, characterized in that determining whether the network element rate of the current network has declined comprises:
calculating, according to the number of observations n and the network element rate of the current network, the average value of the network element rate within the preset time interval t;
calculating, according to the average value of the network element rate and the network element rate of the current network, the network element rate decline percentage of the current network;
if the network element rate decline percentage of the current network is greater than or equal to a preset network element rate percentage, determining that the network element rate of the current network is in a declining state.
5. The method according to claim 2, characterized in that determining whether the candidate service rate of the current network has declined comprises:
calculating, according to the candidate service rate and the number m of candidate service traffic values, the average value of the candidate service rate;
according to the average value of the candidate service rate, the candidate service rate V_ij and the average value of the network element rate, if the result calculated by the formula is 1, determining that the candidate service rate of the current network is in a declining state.
6. The method according to claim 1, characterized in that identifying the abnormal-behavior users according to the session record information and the user terminal information comprises:
according to the number of accesses to a specific domain name in the session record information, identifying as abnormal users the users to be identified whose number of accesses to the specific domain name is greater than a first access count threshold;
taking the users to be identified whose number of accesses to the specific domain name is less than the first access count threshold as first users to be identified;
extracting the mobile phone numbers of the first users to be identified, and if the number of accesses to the specific domain name by the same mobile phone number is greater than a second access count threshold, identifying the first users to be identified as abnormal users, wherein the second access count threshold is less than the first access count threshold;
taking the first users to be identified for whom the number of accesses to the specific domain name by the same mobile phone number is less than the second access count threshold as second users to be identified;
extracting the mobile phone terminal information of the second users to be identified, the mobile phone terminal information including: the mobile phone terminal manufacturer and model;
if the number of accesses to the specific domain name by mobile phone terminals of the same manufacturer and model is greater than a third access count threshold, identifying the second users to be identified as abnormal users, wherein the third access count threshold is less than the second access count threshold;
taking the second users to be identified for whom the number of accesses to the specific domain name by mobile phone terminals of the same manufacturer and model is less than the third access count threshold as third users to be identified;
extracting the location information of the mobile phone terminals of the third users to be identified, and if the displacement of the position of a mobile phone terminal within the preset time interval t is less than a preset distance threshold, identifying the third user to be identified as an abnormal user.
7. An abnormal-behavior user identification device, characterized by comprising:
a network information obtaining unit, configured to obtain status information of the current network, the status information including: a whole-network rate, a network element rate and service traffic values;
a judging unit, configured to determine, according to the status information of the current network, a preset time interval t and an observation time i, whether abnormal-behavior users exist in the current network;
a user information obtaining unit, configured to obtain session record information of the users to be identified and terminal information of the users to be identified if abnormal-behavior users exist in the current network;
an identification unit, configured to identify the abnormal-behavior users according to the session record information and the user terminal information.
8. The device according to claim 7, characterized in that the judging unit is configured to:
determine, according to the whole-network rate of the current network, the preset time interval t and the observation time i, whether the whole-network rate of the current network has declined;
if the whole-network rate of the current network is determined to be in a declining state, determine whether the network element rate of the current network has declined;
if the network element rate of the current network is determined to be in a declining state, select, according to the magnitude of the service traffic values, the top m service traffic values among the service traffic values as candidate service traffic values;
calculate, according to the preset time interval t and the candidate service traffic values, the candidate service rate corresponding to each candidate service;
determine whether the candidate service rate of the current network has declined;
if the candidate service rate of the current network is determined to be in a declining state, determine that abnormal-behavior users exist in the current network.
9. The device according to claim 8, characterized in that the judging unit is further configured to:
calculate, according to the candidate service rate and the number m of candidate service traffic values, the average value of the candidate service rate;
according to the average value of the candidate service rate, the candidate service rate V_ij and the average value of the network element rate, if the result calculated by the formula is 1, determine that the candidate service rate of the current network is in a declining state.
10. The device according to claim 7, characterized in that the identification unit is configured to:
according to the number of accesses to a specific domain name in the session record information, identify as abnormal users the users to be identified whose number of accesses to the specific domain name is greater than a first access count threshold;
take the users to be identified whose number of accesses to the specific domain name is less than the first access count threshold as first users to be identified;
extract the mobile phone numbers of the first users to be identified, and if the number of accesses to the specific domain name by the same mobile phone number is greater than a second access count threshold, identify the first users to be identified as abnormal users, wherein the second access count threshold is less than the first access count threshold;
take the first users to be identified for whom the number of accesses to the specific domain name by the same mobile phone number is less than the second access count threshold as second users to be identified;
extract the mobile phone terminal information of the second users to be identified, the mobile phone terminal information including: the mobile phone terminal manufacturer and model;
if the number of accesses to the specific domain name by mobile phone terminals of the same manufacturer and model is greater than a third access count threshold, identify the second users to be identified as abnormal users, wherein the third access count threshold is less than the second access count threshold;
take the second users to be identified for whom the number of accesses to the specific domain name by mobile phone terminals of the same manufacturer and model is less than the third access count threshold as third users to be identified;
extract the location information of the mobile phone terminals of the third users to be identified, and if the displacement of the position of a mobile phone terminal within the preset time interval t is less than a preset distance threshold, identify the third user to be identified as an abnormal user.
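The staged screening of claims 6 and 10, written out as an added Python example that is not part of the patent text. It assumes that access counts are summed per user, per phone number and per (manufacturer, model) at stages one to three, that a count equal to a threshold passes on to the next stage, and that displacement is the straight-line distance between the first and last position fix within interval t; all records, field names and threshold values are constructed.

```python
from collections import defaultdict
from math import hypot

# Constructed sample records (not real data), one per user to be identified.
# accesses: accesses to the specific domain name within the preset interval t
# track:    terminal position fixes within t, planar coordinates in metres
USERS = [
    {"user": "u1", "msisdn": "A", "terminal": ("VendorX", "M1"), "accesses": 120, "track": [(0, 0), (900, 0)]},
    {"user": "u2", "msisdn": "B", "terminal": ("VendorY", "M2"), "accesses": 35, "track": [(0, 0), (700, 0)]},
    {"user": "u3", "msisdn": "B", "terminal": ("VendorY", "M2"), "accesses": 30, "track": [(0, 0), (800, 0)]},
    {"user": "u4", "msisdn": "C", "terminal": ("VendorZ", "M9"), "accesses": 25, "track": [(0, 0), (600, 0)]},
    {"user": "u5", "msisdn": "D", "terminal": ("VendorZ", "M9"), "accesses": 20, "track": [(0, 0), (650, 0)]},
    {"user": "u6", "msisdn": "E", "terminal": ("VendorW", "M3"), "accesses": 10, "track": [(0, 0), (5, 3)]},
    {"user": "u7", "msisdn": "F", "terminal": ("VendorQ", "M4"), "accesses": 8, "track": [(0, 0), (400, 300)]},
]


def group_stage(users, key, threshold):
    """Sum accesses per value of `key`; return (flagged, remaining) users.

    Assumption: a total equal to the threshold is not flagged and moves on,
    because the claims only define "greater than" and "less than".
    """
    totals = defaultdict(int)
    for u in users:
        totals[u[key]] += u["accesses"]
    flagged = [u for u in users if totals[u[key]] > threshold]
    remaining = [u for u in users if totals[u[key]] <= threshold]
    return flagged, remaining


def displacement(track):
    """Distance between first and last fix, or None without two fixes."""
    if len(track) < 2:
        return None  # no movement evidence: do not flag on missing data
    (x0, y0), (x1, y1) = track[0], track[-1]
    return hypot(x1 - x0, y1 - y0)


def identify(users, t1, t2, t3, min_move):
    """Return {user: stage} for every user flagged as abnormal.

    Stage 1: per-user count > t1.  Stage 2: per-phone-number count > t2.
    Stage 3: per-(manufacturer, model) count > t3.  Stage 4: displacement
    within interval t below min_move (a terminal that does not move).
    """
    if not t1 > t2 > t3:
        raise ValueError("claims require t1 > t2 > t3")
    stage1, rest = group_stage(users, "user", t1)
    stage2, rest = group_stage(rest, "msisdn", t2)
    stage3, rest = group_stage(rest, "terminal", t3)
    stage4 = []
    for u in rest:
        d = displacement(u["track"])
        if d is not None and d < min_move:
            stage4.append(u)
    result = {}
    for stage, flagged in enumerate((stage1, stage2, stage3, stage4), start=1):
        for u in flagged:
            result[u["user"]] = stage
    return result


if __name__ == "__main__":
    for user, stage in sorted(identify(USERS, 100, 60, 40, 50.0).items()):
        print(f"{user}: flagged at stage {stage}")
```

Each stage only sees the users the previous stage did not flag, which is why the thresholds can shrink from stage to stage without re-flagging the same population.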

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611035558.9A CN108076032B (en) 2016-11-15 2016-11-15 Abnormal behavior user identification method and device

Publications (2)

Publication Number Publication Date
CN108076032A true CN108076032A (en) 2018-05-25
CN108076032B CN108076032B (en) 2020-11-06

Family

ID=62161671

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611035558.9A Active CN108076032B (en) 2016-11-15 2016-11-15 Abnormal behavior user identification method and device

Country Status (1)

Country Link
CN (1) CN108076032B (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102014031A (en) * 2010-12-31 2011-04-13 湖南神州祥网科技有限公司 Method and system for network flow anomaly detection
CN102368842A (en) * 2011-10-12 2012-03-07 中国联合网络通信集团有限公司 Detection method of abnormal behavior of mobile terminal and detection system thereof
US20150341380A1 (en) * 2014-05-20 2015-11-26 Electronics And Telecommunications Research Institute System and method for detecting abnormal behavior of control system
CN104320297A (en) * 2014-10-15 2015-01-28 中冶长天国际工程有限责任公司 Method and device for network anomaly detection and network communication control
CN105451257A (en) * 2015-12-04 2016-03-30 中国联合网络通信集团有限公司 Data business problem locating method and device
CN106027577A (en) * 2016-08-04 2016-10-12 四川无声信息技术有限公司 Exception access behavior detection method and device

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109409902A (en) * 2018-09-04 2019-03-01 平安普惠企业管理有限公司 Risk subscribers recognition methods, device, computer equipment and storage medium
CN111526381A (en) * 2020-04-20 2020-08-11 北京创世云科技有限公司 Method and device for optimizing live broadcast resources and electronic equipment
CN111526381B (en) * 2020-04-20 2021-07-09 北京创世云科技股份有限公司 Method and device for optimizing live broadcast resources and electronic equipment
CN113127881A (en) * 2021-04-20 2021-07-16 重庆电子工程职业学院 Data security processing method based on big data
CN113987206A (en) * 2021-10-29 2022-01-28 平安银行股份有限公司 Abnormal user identification method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN108076032B (en) 2020-11-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: Guangdong global building, No.11 Zhujiang West Road, Zhujiang New Town, Tianhe District, Guangzhou, Guangdong 510630

Patentee after: China Mobile Group Guangdong Co.,Ltd.

Patentee after: CHINA MOBILE COMMUNICATIONS GROUP Co.,Ltd.

Address before: 510623 Guangdong global building, 11 Zhujiang West Road, Zhujiang New Town, Guangzhou City, Guangdong Province

Patentee before: China Mobile Group Guangdong Co.,Ltd.

Patentee before: China Mobile Communications Corp.
