CN115048464A - User operation behavior data detection method and device and electronic equipment - Google Patents

Abstract

The invention provides a method and a device for detecting user operation behavior data and electronic equipment, belonging to the technical field of computers, wherein the method comprises the following steps: collecting user operation behavior data; performing entity extraction on the user operation behavior data to obtain entity identification data; performing feature selection and feature dimension reduction on the entity identification data to obtain feature data subjected to dimension reduction; performing clustering analysis on the characteristic data to obtain classified data of various operation behaviors; and performing data analysis on the classified data by adopting an anomaly detection algorithm to obtain normal data of normal operation behaviors of the user and abnormal data of abnormal operation behaviors of the user. The invention can effectively detect the abnormal data of the abnormal operation behaviors of the user by performing entity extraction, feature selection, feature dimension reduction, cluster analysis and abnormal detection algorithm analysis on the data of the user operation behaviors.

Description

User operation behavior data detection method, device and electronic device

technical field

The present invention relates to the field of computer technology, and in particular, to a method, device and electronic device for detecting user operation behavior data.

Background technique

In the prior art, anomaly detection systems play an important role in discovering irregularities in the network. Since it is difficult to directly extract abnormal traffic from massive data, the method adopted by the existing abnormality detection equipment is to randomly sample all traffic data and further analyze the extracted abnormal traffic. However, due to the normal behavior of users in the network There are far more traffic data than abnormal traffic data, so the sampling method of random sampling will miss a lot of abnormal traffic. The use of traditional machine learning, deep learning algorithms or random sampling in the prior art for anomaly detection mainly has the following problems in the actual operation process: difficult parameter setting, too many assumptions, and many restrictions on data content.

SUMMARY OF THE INVENTION

The present invention provides a method, device and electronic device for detecting user operation behavior data, which are used to solve the problem that a large amount of abnormal traffic is missed in the abnormal detection of user behavior in the prior art, and the parameter setting of the existing algorithm for abnormal detection by adopting relevant algorithms Problems such as difficulty, too many assumptions, and more data content restrictions, realize real-time monitoring and prediction of possible illegal operations based on user operation behavior.

The present invention provides a method for detecting user operation behavior data, comprising:

collecting user operation behavior data, where the user operation behavior data is used to analyze whether the user's operation behavior is abnormal;

Perform entity extraction on the user operation behavior data to obtain entity identification data, and the entity identification data is used to extract data related to the abnormal operation behavior of the user;

Perform feature selection and feature dimensionality reduction on the entity recognition data to obtain dimensionality-reduced feature data, where the feature data is data obtained by feature selection and feature dimensionality reduction to achieve feature extraction and data compression;

Perform cluster analysis on the feature data to obtain classification data of various operation behaviors, and the classification data is used to classify various operation behaviors of the user;

An anomaly detection algorithm is used to perform data analysis on the classified data to obtain normal data of the user's normal operation behavior and abnormal data of the user's abnormal operation behavior.

According to a method for detecting user operation behavior data provided by the present invention, the collection of user operation behavior data includes:

Collect user operation behavior data based on a first database, where relational data and log data recording various user operation behaviors are stored in the first database;

The user operation behavior data includes data of one or more combinations of the start/end time of various operations of the user, the specific steps of the operation, the sequence of operations, and the final result of the operation.

According to a method for detecting user operation behavior data provided by the present invention, performing entity extraction on the user operation behavior data to obtain entity identification data, including:

Marking part of the data of the user operation behavior data as training data, and using a neural network to train an entity extraction model;

Based on the entity extraction model, entity extraction is performed on the user operation behavior data to obtain entity identification data; wherein,

The first layer of the entity extraction model is a word embedding layer, which is used to train the input word sequence into a word vector output;

The second layer of the entity extraction model is used to input the word vector output from the first layer to the BiLSTM layer for training to learn the relationship between words and output labels, and the BiLSTM layer includes a forward LSTM network and a reverse LSTM network, The forward LSTM network and the reverse LSTM network are connected through an output layer;

The third layer of the entity extraction model is provided with an attention model on the output sequence of the BiLSTM layer, which is used to deal with the label problem so that the entity extraction model can better focus on local features and highlight the important role of keywords;

The fourth layer of the entity extraction model is the CRF layer used after the attention mechanism, which is used to output the transition score between labels through the transition matrix, and based on the conversion rule of each label and the rationality of the label syntax, Get the best tag sequence.

According to a method for detecting user operation behavior data provided by the present invention, the feature selection and feature dimension reduction are performed on the entity identification data to obtain dimension-reduced feature data, including:

summarizing the entity identification data and data stored in a second database, where the second database stores data for handling user services;

Handling outliers/duplicates in the data;

Perform feature selection on the processed data, and store the selected filtered feature selection data;

Calculate a covariance matrix representing data correlation based on the feature selection data, and perform eigendecomposition on it to obtain a set of eigenvalues and eigenvectors;

Projecting the set of eigenvalues and eigenvectors to a feature matrix to obtain dimensionality-reduced feature data, and storing the feature data.

According to a method for detecting user operation behavior data provided by the present invention, the cluster analysis is performed on the feature data to obtain classification information of various operation behaviors, including:

Based on the K-means density clustering algorithm, the set of feature data is divided into objects belonging to different clusters according to the feature similarity, including distributing the data with similar features in the same cluster, and distributing the data with dissimilar features outside the cluster;

Perform data analysis based on the density of the characteristic data distribution to obtain classification data of various operational behaviors;

The K-means density clustering algorithm is to pre-set a threshold before clustering, calculate the weight based on the density of the feature data, the average distance within the cluster and the distance between the clusters, and use the weighted Euclidean distance to calculate the weight. The distance of the characteristic data, and the initial cluster center is selected by calculating the density, weight and distance of the characteristic data, and the initial input parameters of the K-means density clustering algorithm are obtained.

According to a method for detecting user operation behavior data provided by the present invention, the data analysis is performed on the classified data based on an anomaly detection algorithm to obtain normal data of the user's normal operation behavior and abnormal data of the user's illegal operation behavior, including:

Using three anomaly detection algorithms, isolated forest, One Class SVM and local anomaly factor, respectively, to score anomaly on the classified data, and obtain the corresponding anomaly score value;

Weighting and normalizing the anomaly scoring values output by the three anomaly detection algorithms to obtain the ranking of the abnormal scoring values for all users;

According to the ranking of the abnormal score values, the normal data of the user's normal operation behavior and the abnormal data of the user's illegal operation behavior are determined.

According to a method for detecting user operation behavior data provided by the present invention, the data analysis is performed on the classified data based on an anomaly detection algorithm, and after obtaining the normal data of the user's normal operation behavior and the abnormal data of the user's illegal operation behavior, further include:

If it is determined to be abnormal data of the user's illegal operation, the system administrator and related technical personnel will be notified by email and text message, and a disaster recovery mechanism will be activated for some abnormal data to solve the abnormal problem.

The present invention also provides a detection device for user operation behavior data, comprising:

a data collection module for collecting user operation behavior data, where the user operation behavior data is data describing various user operation behaviors;

an entity extraction module, configured to perform entity extraction on the user operation behavior data to obtain entity identification data, where the entity identification data is data related to abnormal data extracted from the user operation behavior data;

A feature selection module, configured to perform feature selection and feature dimensionality reduction on the entity identification data, to obtain feature data after dimensionality reduction, and the feature data is data obtained by feature selection and feature dimensionality reduction to realize feature extraction and data compression;

a cluster analysis module, configured to perform cluster analysis on the feature data to obtain classification data of various operation behaviors, and the classification data is used to classify various operation behaviors of the user;

The anomaly detection module is used for performing data analysis on the classified data by using an anomaly detection algorithm to obtain normal data of the user's normal operation behavior and abnormal data of the user's illegal operation behavior.

The present invention also provides an electronic device, comprising a memory, a processor, and a computer program stored in the memory and running on the processor, when the processor executes the program, the processor implements any of the above-mentioned user operation behaviors The steps of the data detection method.

The present invention also provides a non-transitory computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, implements the steps of any of the above-mentioned methods for detecting user operation behavior data.

The user operation behavior data detection method, device and electronic device provided by the present invention can effectively detect user anomalies by performing entity extraction, feature selection, feature dimension reduction, cluster analysis and anomaly detection algorithm analysis on the user operation behavior data. Exception data for operational behavior.

Description of drawings

In order to explain the present invention or the technical solutions in the prior art more clearly, the following will briefly introduce the accompanying drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description are the For some embodiments of the invention, for those of ordinary skill in the art, other drawings can also be obtained according to these drawings without any creative effort.

1 is a schematic flowchart of a method for detecting user operation behavior data provided by the present invention;

2 is a schematic flowchart of an entity extraction step provided by the present invention;

Fig. 3 is the structural representation of the entity extraction model provided by the present invention;

4 is a schematic flowchart of a feature processing step provided by the present invention;

5 is a schematic flowchart of a cluster analysis step provided by the present invention;

6 is a schematic flowchart of an abnormal scoring step provided by the present invention;

7 is a schematic structural diagram of a device for detecting user operation behavior data provided by the present invention;

FIG. 8 is a schematic structural diagram of an electronic device provided by the present invention.

Detailed ways

In order to make the objectives, technical solutions and advantages of the present invention clearer, the technical solutions in the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are part of the embodiments of the present invention. , not all examples. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.

The terms "first", "second" and the like in the description and claims of the present invention and the above-mentioned drawings are used to distinguish similar objects, and are not necessarily used to describe a specific order or sequence. It is to be understood that data so used may be interchanged under appropriate circumstances so that the embodiments described herein can be practiced in sequences other than those illustrated or described herein.

With the advent of the era of big data, the number of Internet users has increased sharply, the amount of data in the network has shown a trend of massive growth, and the problem of cheating and violations in network system security has shown an increasing trend year by year. Behavior has risen sharply, and it has become increasingly important to spot possible threats in the network. By researching and analyzing user operations, users who violate the regulations can be discovered as soon as possible, thereby ensuring network security and normal system operation. Therefore, finding illegal operations in user behavior through anomaly detection has become an urgent problem to be solved.

Because the network prevention mechanism still needs to be improved, it is more and more important to conduct security monitoring and detect cheating behavior. Anomaly detection is to detect whether there is a violation by collecting information during user operations and analyzing the collected information. In the prior art, commonly used anomaly detection methods mainly include machine learning, deep learning, etc., such as decision tree (Decision Tree), random forest (Random Forest), support vector machine (SVM), AdaBoost, GBDT (gradient boosting decision tree), neural network. network, etc.

In the prior art, the use of traditional machine learning, deep learning algorithms or random sampling for anomaly detection mainly has the following problems in the actual operation process:

First, parameter setting is difficult.

Traditional anomaly detection algorithms are more difficult to find optimal parameters, especially proximity-based methods. These algorithms quantify the degree of anomaly through the concept of outlier strength. The time consumption and complexity increase with the dimension, and parameter search is difficult. In the modeling process, it takes a lot of time to determine the model-related parameters.

Second, feature engineering may not be accurate enough, and individual algorithms assume too many conditions.

So far, there are many methods for abnormal behavior analysis using user operation logs. However, in terms of feature engineering, there is no systematic detailed description, and the statistical features of the relevant categories cannot be used in the single-layer classification model, which makes the detection efficiency limited. Traditional classification algorithms include logistic regression algorithm (LR), support vector machine algorithm (SVM), naive Bayes algorithm (NB), K-nearest neighbor algorithm (KNN) and so on. For logistic regression models, when the feature space is large, the performance of the model is not very good, and it is prone to overfitting. When there are many observation variables, the classification efficiency of SVM is not very high, and it is difficult to find a suitable kernel function. For the naive Bayesian model, the model is sensitive to the expression form of the input data and needs to calculate the prior probability. The time and space complexity of the K-nearest neighbor model is relatively high, it takes a long time to run, and the efficiency is low. . Besides, these algorithms cannot satisfy both low variance and low bias. For example, Naive Bayes is a high-bias, low-variance classifier, and conversely, the K-Nearest Neighbors model is a low-bias, high-variance classifier. Therefore, abnormal behavior anomaly detection systems based on these traditional machine learning algorithms generally have the characteristics that they cannot achieve a balance between the detection rate and the false alarm rate.

Third, the cost of manual maintenance is large.

Whether the user's operation is compliant or not sometimes needs to be judged by professionals with experience in this field. In manual operation and maintenance, the cost of labor is high. The more complex the system, the more manpower needs to be invested, and the cost will naturally be higher, and manual operation and maintenance cannot achieve 24-hour uninterrupted abnormal monitoring work.

Fourth, there are many restrictions on data content.

The data items required by traditional anomaly detection algorithms during training are already counted numerical data, but in some systems, the user log files stored may be mostly unstructured text data, which contain a large number of important data. Information, if not extracted, will have a greater impact on the results, but traditional anomaly detection methods lack such information extraction steps and cannot process these text data.

Therefore, based on the problems existing in the above-mentioned prior art, the present invention provides a method, device and electronic device for detecting user operation behavior data. Real-time monitoring of behaviors and prediction of possible illegal operations can effectively detect abnormal data of abnormal user behaviors.

The technical terms involved in the present invention are described below:

(1) Information extraction

Information extraction (Information Extraction, IE) is to structure the information contained in the text and turn it into a table-like organizational form. The input information extraction system is the original text, and the output is the information point in a fixed format. Information points are extracted from various documents and then integrated together in a unified form. This is the main task of information extraction. The benefit of having information integrated in a unified form is that it is easy to inspect and compare. Information extraction techniques do not attempt to fully understand the entire document, but only analyze the portion of the document that contains relevant information. As for what information is relevant, that will be determined by the scope of the domain that the system was designed for.

Information extraction tasks mainly include entity extraction, relation extraction and so on. Entity extraction, also known as Named Entity Recognition (NER), refers to identifying entity naming referents with specific meanings from unstructured text, and indicating their categories (such as person names, place names, institutions, etc.) organization name, amount, etc.). For specific sub-categories, the task of entity recognition is to identify three categories (entity category, time category and number category) and seven subcategories (person name, institution name, place name, time, date, currency and percentage) in the text to be processed. named entity.

Entity recognition usually needs to complete two aspects of work, specifically identifying entity word boundaries and identifying entity word categories. Chinese and English have different emphasis in recognition tasks. The characteristics of entity information in English are more obvious, usually the first letter of the word is capitalized. Therefore, the difficulty of the NER task in the original text is relatively simple, and the focus is more on identifying entity word categories. However, the task of entity recognition in Chinese is more difficult, not only to focus on entity categories, but also to find entity boundaries.

(2) Cluster analysis

Cluster analysis refers to the analytical process of grouping a collection of physical or abstract objects into classes of similar objects. It is an important human behavior.

The goal of cluster analysis is to collect data to classify on the basis of similarity. Clustering has its origins in many fields, including mathematics, computer science, statistics, biology, and economics. In different application fields, many clustering techniques have been developed. These techniques are used to describe data and measure the similarity between different data sources, as well as classify data sources into different clusters.

(3) Anomaly detection

In data mining, anomaly detection is the identification of items, events, or observations that do not match expected patterns or other items in a dataset. Often anomalous items turn into bank frauds, structural flaws, medical problems, text errors, and more. Anomalies are also known as outliers, novelties, noise, biases, and exceptions.

There are three broad categories of anomaly detection methods. Unsupervised anomaly detection methods can detect anomalies in unlabeled test data by finding the instances that are most mismatched with other data, assuming that most instances in the dataset are normal. Supervised anomaly detection methods require a dataset that has been labeled "normal" and "abnormal" and involve training a classifier (the key difference from many other statistical classification problems is the inherent imbalance of anomaly detection). Semi-supervised anomaly detection methods create a model representing normal behavior given a normal training dataset, and then detect the likelihood of test instances generated by the learned model.

The following describes a method, device and electronic device for detecting user operation behavior data according to the present invention with reference to FIGS. 1 to 8 .

FIG. 1 is a schematic flowchart of a method for detecting user operation behavior data provided by the present invention, as shown in the figure. A detection method for user operation behavior data, comprising:

Step 101: Collect user operation behavior data, where the user operation behavior data is used to analyze whether the user's operation behavior is abnormal.

Optionally, all user operation behavior data including the front-end system level can be collected based on a first database (system database), where relational data and log data recording various user operation behaviors are stored in the first database.

The user operation behavior data includes, but is not limited to, data of one or more combinations of the start/end time of various operations of the user, the specific steps of the operation, the sequence of operations, and the final result of the operation.

Step 102: Perform entity extraction on the user operation behavior data to obtain entity identification data, where the entity identification data is used to extract data related to the user's abnormal operation behavior.

Optionally, the entity extraction algorithm of the improved LSTM-CRF of the present invention can be used to perform entity extraction on the collected user operation behavior data, and data related to abnormal operation behaviors can be extracted from a large amount of unstructured text data, such as user operation. behavior name, etc.

Due to special circumstances such as a large amount of user front-end operation log data, a large amount of historical data, and the existence of a small amount of abnormal data in the system, it is necessary to do certain entity extraction work for the operation behavior in the log data. Recognition technology is combined with deep learning algorithm to extract entity information. BiLSTM bidirectional recurrent neural network and attention mechanism are added during extraction, which is separated from the traditional manual labeling method of logs, saves a lot of labor costs, and has a high accuracy rate.

Step 103: Perform feature selection and feature dimension reduction on the entity identification data to obtain dimension-reduced feature data, where the feature data is data obtained by feature selection and feature dimension reduction to achieve feature extraction and data compression.

Optionally, for the problem of excessively high dimensionality in the entity recognition data, feature dimensionality reduction processing based on PCA (principal components analysis, principal component analysis) can be used, which can reduce the complexity of the prediction model and reduce those that are more important to the model. Low feature weights eliminate missing data and improve the accuracy of subsequent modeling.

The data collected in the system has many characteristics, and there may be a problem of "curse of dimensionality". The "dimension disaster" causes key factors and data to be submerged and cannot be mined, which in turn causes the prediction accuracy to fall into a bottleneck, making it difficult to continue to improve, and the high-dimensional and huge amount of data causes the prediction model to become more and more complex, and the calculation speed increases accordingly. decline. Based on the above problems, the present invention adopts the method based on Principal Component Analysis (PCA) to perform dimension reduction processing on high-dimensional data, improves the prediction accuracy, reduces the complexity of the prediction model, and realizes feature extraction and data compression.

Step 104: Perform cluster analysis on the feature data to obtain classification data of various operation behaviors, where the classification data is used to classify various operation behaviors of the user.

Optionally, the K-means (K-means clustering) density clustering algorithm can be used to divide the user operation data set into objects belonging to different clusters, so that the operation behavior characteristics distributed in the same cluster are highly similar, while the objects in different clusters are highly similar. There is a large gap between the features until all the points are aggregated. By using clustering analysis techniques, not only can real-time and rapid delineation and identification of sparse and dense areas of operational data, but also the existence of independent clusters, independent points, etc. can be found in time, so as to mine And analyze the relevant mathematical relationship hidden behind each data.

The present invention performs cluster analysis on the user operation data based on the improved K-Means algorithm on the basis of the data after feature dimension reduction in the above step 103, and the improved algorithm also considers the sample density, the average distance within the cluster and the distance between the clusters , to find and discover various related mathematical relationship laws inherent in dynamic data, and mine the intelligence value of dynamic operational data, so as to provide prediction and decision-making services for user operation compliance. The introduction of operational data research based on clustering algorithm can not only reduce the cost of manual random sampling of users, but also further improve the efficiency of user data mining and optimize the accuracy of anomaly analysis, thereby changing the dispersion and locality of traditional anomaly analysis. It will become an inevitable trend of the internal development of user behavior analysis.

Step 105 , using an abnormality detection algorithm to perform data analysis on the classified data, to obtain normal data of the user's normal operation behavior and abnormal data of the user's abnormal operation behavior.

Optionally, the user operation behavior can be predicted and calculated based on the score values of the weighted fusion of three anomaly detection algorithms (isolated forest, One Class SVM and local anomaly factor), and the clustering results in the previous step 104 are updated. In-depth analysis, comprehensive identification and evaluation of various abnormal user actions that are most likely to affect the system.

The main task of anomaly detection and analysis is to extract a small probability of abnormal data points in the normal user data set. The present invention adopts the integration of the three algorithms of isolated forest, One-Class SVM and local abnormal factor to comprehensively identify and evaluate the most likely impact. For various abnormal user operations of the system, these three algorithms are used to complete the abnormality detection in a weighted fusion method, and the abnormal scores of all operation behaviors can be obtained separately, instead of relying only on a certain abnormality detection algorithm to make predictions and judgments, which can extremely The prediction accuracy and efficiency are greatly improved.

To sum up, in order to more accurately analyze the compliance of the user's operation behavior and predict and warn the problems that may occur in the future, the present invention collects various data of the user's foreground operation and combines the entity recognition technology. , feature selection, feature dimensionality reduction, text clustering analysis and anomaly detection algorithms to model all user operation behavior data that needs attention, so as to effectively detect abnormal data of user abnormal operation behavior.

The above steps 101 to 105 will be described below through specific embodiments.

FIG. 2 is a schematic flowchart of an entity extraction step provided by the present invention, and FIG. 3 is a schematic structural diagram of an entity extraction model provided by the present invention, as shown in FIGS. 2 and 3 . In the above-mentioned step 102, the entity extraction is performed on the user operation behavior data to obtain entity identification data, including:

Step 201: Mark part of the user operation behavior data as training data, and use a neural network to train an entity extraction model.

Since the system database not only saves relational data, but also retains a large number of log files, which record various operation information of users, so it is necessary to extract relevant operation behavior entity information from these log files. However, if the data is extracted by manual screening or labeling, it will consume a lot of labor costs, and the accuracy cannot be guaranteed.

Therefore, the present invention extracts entity information from the log files stored in the system database by using the entity recognition method in the natural language processing technology combined with the deep learning algorithm. The specific method is to first mark part of the training data and use the neural network to train the entity extraction model, so that the neural network can learn the syntactic and lexical features in the log file, and finally use the model to make predictions on more data.

Step 202: Based on the entity extraction model, entity extraction is performed on the user operation behavior data to obtain entity identification data.

Because the text data in the user operation log is often faced with the situation that the length of the text to be processed varies, and the text contains many irrelevant network words, the traditional entity extraction model has a great impact on the recognition effect of this special situation. The NER (Name Entity Recognition, Named Entity Recognition) model is optimized and adjusted as follows:

(1) The first layer of the entity extraction model

The first layer of the entity extraction model is a word embedding layer, which is used to train the input word sequence into a word vector output.

Specifically, the present invention uses the CBOW (continuous vocabulary) model in Word2Vec (word to vector, a related model for generating word vectors) to perform word vector training. The CBOW model determines the position of each word by analyzing the context, and outputs each word. The word vector of the word is used as the input to the next layer of neural network at various time steps.

(2) The second layer of the entity extraction model

The second layer of the entity extraction model is used to input the word vector output by the first layer into the BiLSTM (Bi-directional Long Short-Term Memory, abbreviated BiLSTM) layer for training to learn the relationship between words and output labels, the described The BiLSTM layer includes a forward LSTM (Long Short-Term Memory, abbreviated LSTM) network and a reverse LSTM network, and the forward LSTM network and the reverse LSTM network are connected through an output layer. The bidirectional LSTM network will obtain the corresponding implicit output sequence through the forward LSTM and the reverse LSTM, splicing it to form the complete implicit sequence at each moment, as the input of the next layer, and composed of the hidden state generated by the BiLSTM layer. The matrix is H={h ₁ , h ₂ , ..., h _j }.

The following describes the algorithm improvement of the BiLSTM layer (as shown in Figure 3):

The traditional NER model uses a one-way LSTM structure. The one-way LSTM structure can only record the input before the t time step, and cannot obtain the information of the future time step. When the text is short, the model needs to capture the only feature information more effectively, taking into account the context, in order to capture the features more effectively.

The bidirectional LSTM structure (BiLSTM) can effectively solve this problem. BiLSTM consists of two backward unidirectional LSTMs, and the two network structures are connected by an output layer in the middle. The forward LSTM enters the data into the neural network structure through the input layer, and obtains the training results in the output layer according to the normal calculation and transmission method. Inverse LSTM means that during the training process, the neural network passes the error layer by layer to the input layer, and updates the network parameters of each layer according to the error. The bidirectional LSTM model considers the sequence information of the past and future times at the same time, and achieves the goal of completely recording the future and past information of each time step. When the text is short, the predicted results can be relatively accurate.

(3) The third layer of the entity extraction model

The third layer of the entity extraction model is to add an attention mechanism (attention model) to the output sequence of the BiLSTM layer to deal with the labeling problem so that the entity extraction model can better focus on local features and highlight the importance of keywords. The function is to assign different weights to the output of the BiLSTM layer, and the new output vector is obtained by adding the product of each feature vector and the corresponding weight.

For the model output vector at time i, the model uses the attention weight distribution vector to calculate the weighted summation of the hidden layer output of the encoded source sequence, and obtains the encoding result of the source sequence for the current output. The formula is as follows:

Among them, c _i represents the use of the attention mechanism to output a new word feature vector, which is calculated by the sum of the products of each feature vector h _j output by the pre-order model and the corresponding weight a _ij . a _ij is calculated from the word feature vectors c _i-1 and h _j at the previous moment by the following two formulas. The attention layer multiplies the output at all times by the corresponding weights and adds them as the final output, as follows:

e _ij = v _a tanh(w _a c _i-1 +w _b h _j ).

Among them, v _a , w _a , and w _b are weights.

The above-mentioned attention coefficient a _ij is also called the perceptron. The value of the hidden layer h _j generated by BiLSTM is measured by the perceptron a _ij in relation to the position i of the output label. The hidden layer contains not only the global information of the text, but also the local keyword information of the text, and the output state of the current time step is obtained by weighted summation. Then a linear transformation is needed to make it correspond to the label dimension, and then the final output vector is obtained through the softmax (used to convert the output of the neural network into a probability expression) algorithm. In exchange for higher accuracy, the attention model used in this model is composed of an additive model.

The Attention Model introduced by the present invention can be widely used in different deep learning fields, and can help the NER model to better focus on local features and capture the key points of text in a very small space. And introducing an attention model, the model will focus on other words near the labeled word, while appropriately ignoring distant or irrelevant word information. The probability distribution value represents the attention value of each word given by the attention model, effectively showing the area where the attention model focuses.

Combined with BiLSTM, the transformation function of the middle semantics of the entire sentence is synthesized. The formula is:

The current state C _i of the attention model needs to be jointly determined by the length L _x of the input sentence, the attention coefficient a _ij and the state value h _j of the jth word. The update of the attention model is determined by the attention coefficient. The more attention the output item assigns to the input item, the larger the corresponding a _ij value.

(4) The fourth layer of the entity extraction model

The fourth layer of the entity extraction model is the CRF layer used after the attention mechanism, which is used to output the transition score between labels through the transition matrix, and based on the conversion rule of each label and the rationality of the label syntax, Get the best tag sequence.

Specifically, using CRF after the attention mechanism can use Viterbi decoding to obtain the best label sequence and output the best solution.

It can be seen that the prior art adopts the entity extraction algorithm of LSTM-CRF, and the present invention adopts the entity extraction algorithm of BiLSTM-CRF which improves LSTM-CRF, and BiLSTM is composed of a bidirectional LSTM network structure. CRF is a commonly used sequence tagging algorithm, which can be used for tasks such as part-of-speech tagging, word segmentation, and named entity recognition. The BiLSTM+CRF adopted in the present invention combines BiLSTM and CRF, so that the model can not only consider the correlation between the sequences before and after the sequence like CRF, but also have the feature extraction and fitting capabilities of LSTM.

To sum up, the present invention applies the entity extraction technology in the field of natural language processing to the collection of user operation data, and improves the named entity recognition model according to the particularity of the user log text. Based on the entity recognition model, the one-way LSTM is changed to a two-way LSTM, and an attention model is added. The improved named entity recognition model is applied to the user behavior analysis work in the data field, and the named entity recognition is performed on the text that the operation steps focus on, which helps the anomaly detection system to efficiently mine valuable information and capture the characteristics of massive log information. good effect.

FIG. 4 is a schematic flowchart of the feature processing steps provided by the present invention, as shown in the figure. In the above-mentioned step 103, the feature selection and feature dimension reduction are performed on the entity identification data to obtain dimension-reduced feature data, including:

After combining the entity identification data extracted in the above step 102 and the discrete data stored in the second database, these data may have the problem of "dimension disaster". On the one hand, the "dimension disaster" causes key factors and data to be submerged and cannot be mined, which in turn causes the prediction accuracy to fall into a bottleneck and it is difficult to continue to improve; Complex, the calculation speed is getting slower and slower, and the computing power has to be continuously expanded, resulting in a waste of computing power. Therefore, in order to continuously improve the prediction accuracy and reduce the complexity of the prediction model, the high-dimensional data is first constructed when constructing the feature vector set. Dimensionality reduction processing is necessary. The invention adopts feature dimension reduction and feature selection based on principal component analysis (PCA) to realize feature extraction and data compression. details as follows:

Step 401, according to the system database and actual business requirements, summarize the entity identification data and the data stored in the second database, and the second database stores the data for handling user services.

Specifically, the data stored in the system database (that is, the processed entity identification data) and the data stored in the second database (that is, the data for handling user services) are loaded and aggregated together.

Step 402: Process outliers/repeated values appearing in the data.

Specifically, some abnormal data in the data are processed. For example, if the performance data exceeds the normal range threshold, the abnormal value is removed by the method of direct deletion; the repeated phenomenon in the data is processed. It is caused by the repeated startup of the platform program or a problem during the storage phase. The merging method can be used to combine the equal records into one record by judging whether the attribute values between the records are equal.

Step 403 , perform feature selection on the processed data, and store the feature selection data that has been selected and filtered.

In machine learning, feature selection generally has two purposes: first, to reduce the number of features and improve training speed; second, to reduce noise features to improve the accuracy of the model on the test set. There are many commonly used feature selection algorithms, such as chi-square test and mutual information.

Specifically, for discrete data, the selection results are obtained by discrete calculation methods, including chi-square test and mutual information; for continuous data, selection results are obtained by continuous calculation methods, mainly including Pearson correlation coefficient. ) and Fisher's scoring method, and store selected filtered feature data to provide support for further data analysis.

Step 404: Calculate a covariance matrix representing data correlation based on the feature selection data, and perform feature decomposition on the covariance matrix to obtain a set of eigenvalues and eigenvectors.

Step 405: Project the set of eigenvalues and eigenvectors to a feature matrix to obtain dimensionality-reduced feature data, and store the feature data.

Specifically, a principal component analysis (PCA) algorithm can be used to achieve data dimension reduction, and the stored dimension-reduced feature data can be used as a data basis for a deep learning prediction system and a big data analysis and processing system.

The principal component analysis (PCA) algorithm described above is as follows:

Principal component analysis is carried out on the operation behavior data of the user's foreground, and the principal component components with reduced dimensions are obtained. Organize all operation behavior data into a sample matrix, the size of the matrix is m×k dimension:

Centered sample matrix:

Compute the variance of the feature dataset:

Among them, X represents the set of feature data _xi .

Calculate the eigenvalues of the covariance matrix and take out the eigenvectors corresponding to the largest d eigenvalues, and output the projection matrix, assuming that the transformed coordinate system is {w ₁ ,w ₂ ,...,w _d }, where w is the standard Orthogonal basis vectors. If the dimension of the data is reduced, the projection of the feature data _xi to the low-dimensional coordinate system is _zi = (z _i1 , z _i2 ,..., z _id ), and _{xi is constructed from z i ,} the result is:

与原本的x_i的距离为：refactored

The distance from the original _xi is:

Among them, constμ is constant and can be ignored.

代表协方差矩阵，计算出最少的特征维度：In order to achieve the dimensionality reduction effect, the above formula should be minimized, because

Represents the covariance matrix, which computes the minimum feature dimension:

The above formula is a constraint function, and the principal component components after PCA dimensionality reduction are obtained.

To sum up, if the dimension of the collected user operation data set is too high to build an effective data model, at the data presentation layer, a large amount of high-dimensional data will lead to an exponential increase in the computational complexity of data processing algorithms, and even Dimension explosion occurs, which seriously affects the efficiency of system operation. PCA data dimensionality reduction is a feature processing and data compression method that can reduce the data dimension while retaining the main information of the original data as much as possible. PCA dimensionality reduction can retain enough information to distinguish different categories, effectively store data information, reduce data complexity, and help the data set to potentially expand.

Further, in the present invention, the above steps 101 to 103 can be implemented by a combination of modules with different functions. For example, a module with the following functions is set by the system:

The core database is used to store various data collected by the platform and provide a data basis for other modules. The data preprocessing module is used to fill in missing values, remove data redundancy, and encode non-numeric data for the original data, and perform normalization and centralization operations to unify the data structure to facilitate subsequent calculations. The data dimensionality reduction and compression module is used to reduce the dimensionality of the data by using principal component analysis (PCA), reduce the amount of data, and provide data support for the deep learning prediction model; the data feature extraction module uses corresponding standards to extract features according to the data type, Extract key data information and provide a data foundation for big data analysis and processing.

The above-mentioned functional modules are only examples of implementing the above-mentioned steps 101 to 103 in the present invention, and the present invention is not limited to the above-mentioned functional modules.

FIG. 5 is a schematic flowchart of a cluster analysis step provided by the present invention, as shown in the figure. In the above step 104, the cluster analysis is performed on the feature data to obtain classification information of various operation behaviors, including:

Step 501, based on the K-means density clustering algorithm, divide the set of feature data into objects belonging to different clusters according to the feature similarity, including distributing the data with similar features in the same cluster, and distributing the data with dissimilar features in the same cluster. outside the cluster.

Optionally, the K-means density clustering algorithm calculates the weight based on the density of the feature data, the average distance between clusters and the distance between clusters by presetting a threshold before clustering, and adopts the weighted Euclidean distance. Calculate the distance of the feature data, and select the initial cluster center by calculating the density, weight and distance of the feature data, and obtain the initial input parameters of the K-means density clustering algorithm.

Step 502: Perform data analysis based on the density of the characteristic data distribution to obtain classification data of various operation behaviors.

The present invention takes the feature data after feature selection as the research object, analyzes and mines user behavior operation data through K-means (k-means clustering algorithm) density clustering algorithm, and divides user operations into multiple clusters. Focusing on compliance with specifications, cluster analysis is to find clusters of these compliance operations. The data of illegal operations are often distributed outside these clusters, and these illegal operations can be automatically discovered through clustering.

The following is a detailed description of the K-means density clustering algorithm:

The basic idea of the classical K-means clustering algorithm is: after inputting the number of clusters k, first randomly select k sample points from the data set as the initial cluster centers, and then calculate the distances from each sample point to the k initial cluster centers. , classify the samples according to the principle of minimum distance, form k clusters, and then calculate the average value of each cluster to obtain a new cluster center, and repeat the above process until the cluster center no longer changes or the number of iterations reaches the set value After that, the algorithm ends.

The K-means algorithm can use the Euclidean distance when calculating the distance between samples, and the calculation formula of the distance between the samples is as follows:

Among them, x _i ={x _i1 ,x _i2 ,...,x _im } and x _j ={x _j1 ,x _j2 ,...,x _jm } in the above formula are sample points with any two dimensions equal to m; x _ip Indicates the specific value of the p-th dimension corresponding to sample i.

The present invention improves the above-mentioned classical K-means algorithm as follows:

The classical K-means clustering algorithm has certain limitations. Since the initial clustering center of the algorithm is randomly set, the clustering results are unstable and easy to fall into the local optimum, and the results are easily affected by noise points; The user presets the K value, and the algorithm has poor adaptability. In view of the above problems, the present invention proposes an improved K-means algorithm based on distance and weight. The calculation of the weight integrates the sample density, the average distance within the cluster and the distance between the clusters, and the calculation of the sample distance adopts the weighted Euclidean distance. , which increases the degree of distinction between data attributes and reduces the influence of outliers. Then, the initial clustering center is selected through the calculated sample density, sample weight and distance, and the initial input parameters of the K-means clustering algorithm are obtained. .

Specific steps are as follows:

Step 1: For a given data set D, calculate the density of all samples in the data set and the weight w of all sample elements in the data set D. The first initial cluster center selects the object c ₁ with the highest density in D, and adds it to the set C of cluster center points. At this time, C={c ₁ }, and then all distance points c ₁ in D are less than Point deletion for MeanDist(D).

The formula for calculating the density of the sample is:

The formula for calculating the weight w of all sample elements:

MeanDist(D) calculation formula:

Step 2: Select the point _xi with the maximum value of τ _i =ω _i ·d _ω ( _xi ,c ₁ ) as the second initial cluster center, denoted as c ₂ , add c ₂ to the set C, this When C={c ₁ , c ₂ }, similar to the first step, delete all points in D whose distance c ₂ is less than MeanDist(D).

Step 3: Select the point x _{i`</sub> with the maximum value of τ <sub>i</sub> =ω <sub>i`} ·d _ω (x _i` ,c ₂ ) as the third initial cluster center, denoted as c ₃ , and add c ₃ to the set In C, at this time C={c ₁ , c ₂ , c ₃ }, delete all points in D whose distance c ₃ is less than MeanDist(D), and similarly repeat the above process until the data set D becomes an empty set . At this time, C={c ₁ , c ₂ ,...,c _k }, thereby obtaining k initial cluster centers, that is, the sample points in the set C.

Step 4: Using the initial cluster center and the number of clusters obtained in the above steps as input, perform K-means clustering operation on the given data set D until the cluster center does not change.

Step 5: Output the final clustering result.

To sum up, the user operation normative analysis of the present invention based on the density clustering algorithm can intelligently mine the user operation behavior rules, reduce the high cost disadvantage caused by manual review, and cannot guarantee the accuracy and real-time performance of manual prediction. The problem. The improved K-means algorithm eliminates the influence of outliers, effectively solves the shortcomings of the classical K-means algorithm's poor anti-noise and easy to fall into local optimum, and improves the stability of the algorithm.

FIG. 6 is a schematic flowchart of an abnormality scoring step provided by the present invention, as shown in the figure. In the above step 105, the data analysis is performed on the classified data based on the abnormality detection algorithm to obtain normal data of the user's normal operation behavior and abnormal data of the user's illegal operation behavior, including:

Step 601 , using three anomaly detection algorithms of isolation forest, One Class SVM and local anomaly factor to respectively perform anomaly scoring on the classified data to obtain a corresponding anomaly scoring value.

Specifically, through the cluster analysis in the above step 104, various operation behaviors of the user can be summarized, and the operation rules and logics therein can be mined. The present invention further analyzes the clustering results in the previous step 104, and detects whether the user operation is abnormal through these data. The main task of anomaly detection and analysis is to extract small-probability anomalous data points from normal user data sets. These anomaly points are not generated by random deviations, but by completely different mechanisms such as faults, threats, and intrusions. The frequency of these abnormal events is only a small fraction of the large number of normal events. There are many anomaly detection algorithms. Although they all aim to separate normal data from abnormal data as much as possible, their principles are different. The present invention uses three algorithms of isolation forest, One-Class SVM and local abnormal factor to complete the abnormal detection task.

The three algorithms of isolation forest, One-Class SVM and local anomaly factor are described in detail below.

(1) Lonely Forest

The Lonely Forest algorithm is an anomaly detection algorithm based on division and ensemble learning. The design of the algorithm takes advantage of two characteristics of abnormal data: one is that the number of abnormal data is small compared to normal data; the other is the attributes of abnormal data and normal data There are significant differences in values. The core of the lonely forest algorithm is to randomly sample and construct a certain number of isolation trees (ifree), and these isolation trees form a lonely forest (iForest). The main steps in constructing a lonely forest are as follows:

Step 1: randomly select m sample data points from a training set consisting of a set of continuous data as a sub-sampling set D={d ₁ , d ₂ ,..., d _m }, the dimension of the data point is n, as the root of the tree node.

Step 2: Randomly select a dimension A and a split point p from the current sub-sampling set, where p is between the maximum and minimum values of dimension A in the current sub-sampling set.

Step 3: Divide each data d _i of the sub-sampling set according to the value d _i (A) of its dimension A. If d _i (A)<p, divide it into the left subtree, otherwise, divide it into the right subtree .

Step 4: Repeat steps 2 and 3 to continuously construct new left and right subtrees until one of the following conditions is met: ① There is only one data point or multiple identical data points left in D, which cannot be further divided; ② The height reaches the limit height.

Step 5: Repeat the above steps until the number of isolation trees reaches the specified number N, and these isolation trees form an isolation forest.

(2)One-Class SVM

One-Class SVM equates the one-class problem as a special two-class problem, and transforms the problem of separating the hyperplane and the maximum classification interval in the classical SVM feature space into the problem of maximizing the interval between the hyperplane and the origin. The optimization problem turns into:

where ω is the hyperplane normal vector, i is the sample number, ξ _i is the slack variable, ρ is the hyperplane intercept, v∈(0,1] is the preset negative sample ratio, l is the total number of samples, and vl is the penalty coefficient , which controls the upper bound of the boundary support vector rate and the lower bound of the total support vector rate. The training process of One-Class SVM only requires the participation of positive samples, which can ensure a high abnormal recognition rate. Therefore, this algorithm is mainly used to estimate High-dimensional data distribution, suitable for solving machine learning problems such as training sample selection and anomaly detection when the number of positive and negative training samples is uneven.

(3) Local Outlier Factor (LOF)

The LOF algorithm judges whether the point is an abnormal point by the density of each point p and its neighboring points. If the density of the point p is lower, the possibility that the point p is an abnormal point is greater. Assuming that any point p is taken in the thresholded point cloud, the k-th distance d _k (p) is defined as:

_dk (p)=d(p,o);

where d(p, o) is the distance between point p and point o.

After given d _k (p), define the k-th distance neighborhood of p as all points whose distance from p is less than d _k (p), that is

N _k (p)={q∈D\{p}|d(p,q)≤d _k (p)};

In the formula: N _k (p) is the k-th distance neighborhood of point p; q is the neighborhood point of point p; D\{p} represents the point cloud set except for point p.

The kth reachable distance from point to point o is:

d _r (p,o)=max{ _dk (o),d(p,o)};

The above formula means that the h points closest to the point o, the reachable distances from o to them are equal and equal to d _k (o).

According to the above definition, the local reachability density of point p is expressed as:

By comparing the local reachable distance of point p and the local reachable distance of point o (the neighborhood point of point p), the following comparison factor is constructed, that is, the local outlier factor, and then abnormal points are detected:

The closer the ratio is to 1, it indicates that the density of point p is similar to that of its neighbors, and p may belong to the same cluster as its neighbors; the smaller the ratio is, it indicates that the density of p is higher than that of its neighbors, and p is Dense points; the larger the ratio is than 1, it indicates that the density of p is less than the density of its neighbors, and the more likely p is an abnormal point. Therefore, observe the LOF value and select an appropriate value, and keep the points within the value range, that is, the target point cloud after the outliers are removed.

Step 602 , weighting and normalizing the abnormal score values output by the three abnormality detection algorithms to obtain a ranking of the abnormal score values for all users.

Specifically, for different data sources, it is difficult to guarantee which type of anomaly detection algorithm can achieve the best results. Therefore, the integration of the three algorithms of isolation forest, One Class SVM and local anomaly factor is used to comprehensively identify and evaluate the most likely Affect various abnormal users of the system. The present invention uses these three algorithms for abnormality detection, and can obtain the abnormality scores of all users respectively. By weighting and normalizing the results of these three algorithms, the final abnormal score ranking for all users can be obtained.

Each algorithm computes an independent outlier score for user i. The three algorithms of isolation forest, One Class SVM, and local abnormal factor are denoted as S ₁ , S ₂ , and S ₃ respectively, and their corresponding weights are P ₁ , P ₂ , and P ₃ respectively. Then the final anomaly score Score for:

Step 603 , according to the ranking of the abnormal score values, determine the normal data of the user's normal operation behavior and the abnormal data of the user's illegal operation behavior.

It can be seen that, ranking according to the above-mentioned final abnormal score Score can comprehensively identify and evaluate various abnormal user operations that are most likely to affect the system.

To sum up, the user behavior analysis based on anomaly detection uses the weighted fusion of three anomaly detection algorithms to predict user operation compliance scores, and comprehensively identifies and evaluates various abnormal users that are most likely to affect the system in an integrated manner, so as to improve the performance of the system. The high accuracy rate separates normal data and abnormal data as much as possible to ensure the accuracy of abnormal detection.

Further, in the above step 105, after the data analysis is performed on the classified data based on the abnormality detection algorithm to obtain the normal data of the user's normal operation behavior and the abnormal data of the user's illegal operation behavior, the method further includes:

If it is determined to be abnormal data of the user's illegal operation, the system administrator and related technical personnel will be notified by email and text message, and a disaster recovery mechanism will be activated for some abnormal data to solve the abnormal problem.

Specifically, by judging the predicted result in the above step 603, if it is predicted that there is abnormal operation of the user, the system administrator and the corresponding technical personnel will be notified in the form of email and short message. At the same time, in order to reduce such illegal operation events that will occur in the future, the detailed information of each indicator of the alarm data will be analyzed. For example, if an operation occurs too many times or lasts too long, there may be too many defects in this operation. Case. In this regard, by analyzing the data of various indicators, the disaster recovery mechanism is activated for some abnormal situations, such as automatically starting some containerized services on the standby node of the platform.

The present invention can, on the one hand, alert possible abnormal situations, and on the other hand, for some abnormal scenarios, by enabling the disaster recovery mechanism, it is possible to try whether the abnormality can be solved, reduce the experience of the abnormality for users, or strive for the operation and maintenance personnel. More time to locate and solve problems.

The device for detecting user operation behavior data provided by the present invention is described below. The device for detecting user operation behavior data described below and the method for detecting user operation behavior data described above may refer to each other correspondingly.

FIG. 7 is a schematic structural diagram of an apparatus for detecting user operation behavior data provided by the present invention, as shown in the figure. An apparatus 700 for detecting user operation behavior data includes a data collection module 710 , an entity extraction module 720 , a feature selection module 730 , a cluster analysis module 740 and an abnormality detection module 750 . in,

A data collection module 710, configured to collect user operation behavior data, where the user operation behavior data is data describing various user operation behaviors;

an entity extraction module 720, configured to perform entity extraction on the user operation behavior data to obtain entity identification data, where the entity identification data is data related to abnormal data extracted from the user operation behavior data;

The feature selection module 730 is used to perform feature selection and feature dimensionality reduction on the entity identification data, and obtain feature data after dimensionality reduction, and the feature data is the data for realizing feature extraction and data compression through feature selection and feature dimensionality reduction ;

The cluster analysis module 740 is configured to perform cluster analysis on the feature data to obtain classification data of various operation behaviors, and the classification data is used to classify various operation behaviors of the user;

The anomaly detection module 750 is configured to perform data analysis on the classified data by using an anomaly detection algorithm to obtain normal data of the user's normal operation behavior and abnormal data of the user's illegal operation behavior.

Optionally, the data collection module 710 collects user operation behavior data based on a first database, where relational data and log data recording various user operation behaviors are stored in the first database; the user operation behavior data It includes data of one or more combinations of the start/end time of various operations of the user, the specific steps of the operation, the sequence of operations, and the final result of the operation.

Optionally, the entity extraction module 720 is further configured to perform the following steps:

Marking part of the data of the user operation behavior data as training data, and using a neural network to train an entity extraction model;

Based on the entity extraction model, entity extraction is performed on the user operation behavior data to obtain entity identification data; wherein,

The first layer of the entity extraction model is a word embedding layer, which is used to train the input word sequence into a word vector output;

The second layer of the entity extraction model is used to input the word vector output from the first layer to the BiLSTM layer for training to learn the relationship between words and output labels, and the BiLSTM layer includes a forward LSTM network and a reverse LSTM network, The forward LSTM network and the reverse LSTM network are connected through an output layer;

The third layer of the entity extraction model is provided with an attention model on the output sequence of the BiLSTM layer, which is used to deal with the label problem so that the entity extraction model can better focus on local features and highlight the important role of keywords;

The fourth layer of the entity extraction model is the CRF layer used after the attention mechanism, which is used to output the transition score between labels through the transition matrix, and based on the conversion rule of each label and the rationality of the label syntax, Get the best tag sequence.

Optionally, the feature selection module 730 is further configured to perform the following steps:

summarizing the entity identification data and data stored in a second database, where the second database stores data for handling user services;

Handling outliers/duplicates in the data;

Perform feature selection on the processed data, and store the selected filtered feature selection data;

Calculate a covariance matrix representing data correlation based on the feature selection data, and perform eigendecomposition on it to obtain a set of eigenvalues and eigenvectors;

Projecting the set of eigenvalues and eigenvectors to a feature matrix to obtain dimensionality-reduced feature data, and storing the feature data.

Optionally, the cluster analysis module 740 is further configured to perform the following steps:

Based on the K-means density clustering algorithm, the set of feature data is divided into objects belonging to different clusters according to the feature similarity, including distributing the data with similar features in the same cluster, and distributing the data with dissimilar features outside the cluster;

Perform data analysis based on the density of the characteristic data distribution to obtain classification data of various operational behaviors;

The K-means density clustering algorithm is to pre-set a threshold before clustering, calculate the weight based on the density of the feature data, the average distance within the cluster and the distance between the clusters, and use the weighted Euclidean distance to calculate the weight. The distance of the characteristic data, and the initial cluster center is selected by calculating the density, weight and distance of the characteristic data, and the initial input parameters of the K-means density clustering algorithm are obtained.

Optionally, the abnormality detection module 750 is further configured to perform the following steps:

Using three anomaly detection algorithms, isolated forest, One Class SVM and local anomaly factor, respectively, to score anomaly on the classified data, and obtain the corresponding anomaly score value;

Weighting and normalizing the anomaly scoring values output by the three anomaly detection algorithms to obtain the ranking of the abnormal scoring values for all users;

According to the ranking of the abnormal score values, the normal data of the user's normal operation behavior and the abnormal data of the user's illegal operation behavior are determined.

Further, the apparatus 700 for detecting user operation behavior data further includes a system alarm module (not marked in the figure).

The alarm module is used to notify the system administrator and related technical personnel by email and short message if it is determined to be abnormal data of the user's illegal operation behavior, and activate a disaster recovery mechanism for some abnormal data to solve the abnormal problem.

FIG. 8 illustrates a schematic diagram of the physical structure of an electronic device. As shown in FIG. 8 , the electronic device may include: a processor (processor) 810, a communication interface (Communications Interface) 820, a memory (memory) 830, and a communication bus 840, The processor 810 , the communication interface 820 , and the memory 830 communicate with each other through the communication bus 840 . The processor 810 may invoke the logic instructions in the memory 830 to execute the method for detecting the user operation behavior data, the method comprising:

collecting user operation behavior data, where the user operation behavior data is used to analyze whether the user's operation behavior is abnormal;

Perform entity extraction on the user operation behavior data to obtain entity identification data, and the entity identification data is used to extract data related to the abnormal operation behavior of the user;

Perform feature selection and feature dimensionality reduction on the entity recognition data to obtain dimensionality-reduced feature data, where the feature data is data obtained by feature selection and feature dimensionality reduction to achieve feature extraction and data compression;

Perform cluster analysis on the feature data to obtain classification data of various operation behaviors, and the classification data is used to classify various operation behaviors of the user;

An anomaly detection algorithm is used to perform data analysis on the classified data to obtain normal data of the user's normal operation behavior and abnormal data of the user's abnormal operation behavior.

In addition, the above-mentioned logic instructions in the memory 830 can be implemented in the form of software functional units and can be stored in a computer-readable storage medium when sold or used as an independent product. Based on this understanding, the technical solution of the present invention can be embodied in the form of a software product in essence, or the part that contributes to the prior art or the part of the technical solution. The computer software product is stored in a storage medium, including Several instructions are used to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes: U disk, mobile hard disk, Read-Only Memory (ROM, Read-Only Memory), Random Access Memory (RAM, Random Access Memory), magnetic disk or optical disk and other media that can store program codes .

In another aspect, the present invention also provides a computer program product, the computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions, when the program instructions are executed by a computer When executed, the computer can execute the method for detecting the user operation behavior data provided by the above methods, and the method includes:

collecting user operation behavior data, where the user operation behavior data is used to analyze whether the user's operation behavior is abnormal;

Perform entity extraction on the user operation behavior data to obtain entity identification data, and the entity identification data is used to extract data related to the abnormal operation behavior of the user;

Perform feature selection and feature dimensionality reduction on the entity recognition data to obtain dimensionality-reduced feature data, where the feature data is data obtained by feature selection and feature dimensionality reduction to achieve feature extraction and data compression;

Perform cluster analysis on the feature data to obtain classification data of various operation behaviors, and the classification data is used to classify various operation behaviors of the user;

An anomaly detection algorithm is used to perform data analysis on the classified data to obtain normal data of the user's normal operation behavior and abnormal data of the user's abnormal operation behavior. In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium on which a computer program is stored, and the computer program is implemented by a processor to execute the above-mentioned detection methods for the user operation behavior data provided. , the method includes:

collecting user operation behavior data, where the user operation behavior data is used to analyze whether the user's operation behavior is abnormal;

Perform entity extraction on the user operation behavior data to obtain entity identification data, and the entity identification data is used to extract data related to the abnormal operation behavior of the user;

Perform feature selection and feature dimensionality reduction on the entity recognition data to obtain dimensionality-reduced feature data, where the feature data is data obtained by feature selection and feature dimensionality reduction to achieve feature extraction and data compression;

Perform cluster analysis on the feature data to obtain classification data of various operation behaviors, and the classification data is used to classify various operation behaviors of the user;

An anomaly detection algorithm is used to perform data analysis on the classified data to obtain normal data of the user's normal operation behavior and abnormal data of the user's abnormal operation behavior.

The device embodiments described above are only illustrative, wherein the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in One place, or it can be distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution in this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.

From the description of the above embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus a necessary general hardware platform, and certainly can also be implemented by hardware. Based on this understanding, the above-mentioned technical solutions can be embodied in the form of software products in essence or the parts that make contributions to the prior art, and the computer software products can be stored in computer-readable storage media, such as ROM/RAM, magnetic A disc, an optical disc, etc., includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform the methods described in various embodiments or some parts of the embodiments.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, but not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that it can still be The technical solutions described in the foregoing embodiments are modified, or some technical features thereof are equivalently replaced; and these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. a detection method of user operation behavior data, is characterized in that, comprises: collecting user operation behavior data, where the user operation behavior data is used to analyze whether the user's operation behavior is abnormal; Perform entity extraction on the user operation behavior data to obtain entity identification data, and the entity identification data is used to extract data related to the abnormal operation behavior of the user; Perform feature selection and feature dimensionality reduction on the entity recognition data to obtain dimensionality-reduced feature data, where the feature data is data obtained by feature selection and feature dimensionality reduction to achieve feature extraction and data compression; Perform cluster analysis on the feature data to obtain classification data of various operation behaviors, and the classification data is used to classify various operation behaviors of the user; An anomaly detection algorithm is used to perform data analysis on the classified data to obtain normal data of the user's normal operation behavior and abnormal data of the user's abnormal operation behavior. 2. The method for detecting user operation behavior data according to claim 1, wherein the collecting user operation behavior data comprises: Collect user operation behavior data based on a first database, where relational data and log data recording various user operation behaviors are stored in the first database; The user operation behavior data includes data of one or more combinations of the start/end time of various operations of the user, the specific steps of the operation, the sequence of operations, and the final result of the operation. 3. The method for detecting user operation behavior data according to claim 1, wherein the entity extraction is performed on the user operation behavior data to obtain entity identification data, comprising: Marking part of the data of the user operation behavior data as training data, and using a neural network to train an entity extraction model; Based on the entity extraction model, entity extraction is performed on the user operation behavior data to obtain entity identification data; wherein, The first layer of the entity extraction model is a word embedding layer, which is used to train the input word sequence into a word vector output; The second layer of the entity extraction model is used to input the word vector output from the first layer to the BiLSTM layer for training to learn the relationship between words and output labels, and the BiLSTM layer includes a forward LSTM network and a reverse LSTM network, The forward LSTM network and the reverse LSTM network are connected through an output layer; The third layer of the entity extraction model is provided with an attention model on the output sequence of the BiLSTM layer, which is used to deal with the label problem so that the entity extraction model can better focus on local features and highlight the important role of keywords; The fourth layer of the entity extraction model is the CRF layer used after the attention mechanism, which is used to output the transition score between labels through the transition matrix, and based on the conversion rule of each label and the rationality of the label syntax, Get the best tag sequence. 4. the detection method of user operation behavior data according to claim 1, is characterized in that, described entity identification data is carried out feature selection and feature dimensionality reduction, obtains the feature data after dimensionality reduction, comprising: summarizing the entity identification data and data stored in a second database, where the second database stores data for handling user services; Handling outliers/duplicates in the data; Perform feature selection on the processed data, and store the selected filtered feature selection data; Calculate a covariance matrix representing data correlation based on the feature selection data, and perform eigendecomposition on it to obtain a set of eigenvalues and eigenvectors; Projecting the set of eigenvalues and eigenvectors to a feature matrix to obtain dimensionality-reduced feature data, and storing the feature data. 5. The method for detecting user operation behavior data according to claim 1, wherein the feature data is subjected to cluster analysis to obtain classification information of various operation behaviors, including: Based on the K-means density clustering algorithm, the set of feature data is divided into objects belonging to different clusters according to the feature similarity, including distributing the data with similar features in the same cluster, and distributing the data with dissimilar features outside the cluster; Perform data analysis based on the density of the characteristic data distribution to obtain classification data of various operational behaviors; The K-means density clustering algorithm is to pre-set a threshold before clustering, calculate the weight based on the density of the feature data, the average distance within the cluster and the distance between the clusters, and use the weighted Euclidean distance to calculate the weight. The distance of the characteristic data, and the initial cluster center is selected by calculating the density, weight and distance of the characteristic data, and the initial input parameters of the K-means density clustering algorithm are obtained. 6 . The method for detecting user operation behavior data according to claim 1 , wherein the data analysis is performed on the classified data based on an anomaly detection algorithm to obtain normal data of the user’s normal operation behavior and user’s illegal operation behavior. 7 . abnormal data, including: Using three anomaly detection algorithms, isolated forest, One Class SVM and local anomaly factor, respectively, to score anomaly on the classified data, and obtain the corresponding anomaly score value; Weighting and normalizing the anomaly scoring values output by the three anomaly detection algorithms to obtain the ranking of the abnormal scoring values for all users; According to the ranking of the abnormal score values, the normal data of the user's normal operation behavior and the abnormal data of the user's illegal operation behavior are determined. 7. The method for detecting user operation behavior data according to claim 1, wherein the data analysis is performed on the classified data based on an anomaly detection algorithm to obtain normal data of the user's normal operation behavior and user's illegal operation behavior After the abnormal data, it also includes: If it is determined to be abnormal data of the user's illegal operation, the system administrator and related technical personnel will be notified by email and text message, and a disaster recovery mechanism will be activated for some abnormal data to solve the abnormal problem. 8. A detection device for user operation behavior data, comprising: a data collection module for collecting user operation behavior data, where the user operation behavior data is data describing various user operation behaviors; an entity extraction module, configured to perform entity extraction on the user operation behavior data to obtain entity identification data, where the entity identification data is data related to abnormal data extracted from the user operation behavior data; A feature selection module, configured to perform feature selection and feature dimensionality reduction on the entity identification data, to obtain feature data after dimensionality reduction, and the feature data is data obtained by feature selection and feature dimensionality reduction to realize feature extraction and data compression; a cluster analysis module, configured to perform cluster analysis on the feature data to obtain classification data of various operation behaviors, and the classification data is used to classify various operation behaviors of the user; The anomaly detection module is used for performing data analysis on the classified data by using an anomaly detection algorithm to obtain normal data of the user's normal operation behavior and abnormal data of the user's illegal operation behavior. 9. An electronic device, comprising a memory, a processor and a computer program stored on the memory and running on the processor, wherein the processor implements the program as claimed in claim 1 when executing the program Steps of any one of to 7 of the method for detecting user operation behavior data. 10. A non-transitory computer-readable storage medium on which a computer program is stored, wherein when the computer program is executed by a processor, the user operation behavior data according to any one of claims 1 to 7 is implemented. The steps of the detection method.

Images