CN115473718A - Business data anomaly identification method and device based on behavior association mining - Google Patents

Abstract

The invention discloses a method and a device for identifying abnormal business data based on behavior association mining, which relate to the field of data security processing, and comprise the following steps: determining internet behavior information of a user from the business data, and extracting user characteristics and behavior characteristics from the internet behavior information; the user characteristics are used for representing the operation environment information of the user internet surfing operation, and the behavior characteristics are used for representing the time sequence information of the user internet surfing operation; inputting the user characteristics and the behavior characteristics into a business data recognition model to obtain abnormal behavior information output by the business data recognition model; the business data recognition model is obtained by training based on a sample behavior flow graph of a user; the sample behavior flow graph is constructed based on sample user characteristics and sample behavior characteristics of the user. The invention can rapidly make judgment and response to the abnormal behavior by performing the abnormal recognition through the service data recognition model, thereby accurately realizing the management limitation of the user behavior and the like and meeting the development requirement of the big data era.

Description

A method and device for abnormal identification of business data based on behavior association mining

technology neighborhood

The invention relates to the field of data security processing, in particular to a method and device for identifying business data exceptions based on behavior association mining.

Background technique

In order to ensure the security and stability of the network environment, the supervision of network traffic data in the era of big data becomes very important. Due to the large amount of data and strong randomness of network traffic, the current abnormal user behavior detection method can neither quickly make a ruling and respond to the constantly updated abnormal behavior of business data, nor can it accurately implement user behavior management restrictions, etc. , cannot meet the requirements of efficient and accurate detection of massive data, and has been unable to meet the development needs of the big data era.

Therefore, being able to identify abnormal user behavior in business data more efficiently and accurately plays a key role in network security management.

Contents of the invention

In view of this, the embodiments of the present invention provide a business data anomaly identification method and device based on behavior association mining, so as to solve the problem that the current business data-related abnormal user behavior detection cannot quickly make a judgment and response.

According to the first aspect, an embodiment of the present invention provides a business data anomaly identification method based on behavior association mining, the method comprising:

Determine the user's online behavior information, extract user characteristics and behavior characteristics from the online behavior information; user characteristics are used to represent the operating environment information of the user's online operation, and the behavioral characteristics are used to represent the time sequence information of the user's online operation;

Input user characteristics and behavior characteristics into the business data recognition model to obtain abnormal behavior information output by the business data recognition model; the business data recognition model is trained based on the user's sample behavior flow graph; the sample behavior flow graph is based on the user's Constructed from sample user characteristics and sample behavior characteristics;

The business data identification model is used to construct a behavior flow graph based on user characteristics and behavior characteristics, determine the fusion neighborhood characteristics corresponding to each node in the behavior flow diagram, and determine the embedded representation characteristics corresponding to nodes based on the fusion field characteristics of nodes, and based on the embedded representation The classification result determined in the feature is used to predict the abnormal behavior of the business data; the nodes contain user characteristics and behavior characteristics, and the nodes are connected based on the behavior characteristics, and the connection is used to represent the timing relationship between the nodes.

With reference to the first aspect, in the first implementation manner of the first aspect, the business data identification model includes a flow graph construction layer, a homogeneous user relationship network layer, and a heterogeneous user message network layer;

The flow graph construction layer is used to build a user's behavior flow graph based on user characteristics and behavioral characteristics;

The homogeneous user relationship network layer is used to perform attention operations on each node in the behavior flow graph based on the node and its neighbor nodes, and determine the fusion neighborhood characteristics of the node; the neighbor node is a node that has a connection with the current node;

The heterogeneous user message network layer is used for the fusion neighborhood feature of the node and the fusion neighborhood feature of the neighbor node to perform attention operation and semantic attention understanding, and determine the embedding representation feature of the node and the distance between the node and the corresponding embedding representation feature , and determine the abnormal behavior information based on the distance.

In combination with the first implementation mode of the first aspect, in the second implementation mode of the first aspect, the input of user characteristics and behavior characteristics into the business data identification model to obtain abnormal behavior information output by the business data identification model specifically includes:

Input user characteristics and behavior characteristics into the flow graph construction layer to obtain the behavior flow graph output by the flow graph construction layer;

Input the behavior flow graph into the homogeneous user relationship network layer, and obtain the fusion neighborhood features corresponding to the nodes output by the homogeneous user relationship network layer;

The fusion neighborhood feature is input into the heterogeneous user information network layer, and the abnormal behavior information output by the heterogeneous user information network layer is obtained; the abnormal behavior information includes the node and the state feature corresponding to the node.

With reference to the second implementation of the first aspect, in the third implementation of the first aspect, the homogeneous user relationship network layer includes a neighborhood convolution layer, a similarity determination layer, a normalization processing layer, and a first attention operation Floor;

The neighborhood convolution layer is used to perform convolution operations on nodes, neighbor nodes of nodes, and convolution weights corresponding to nodes to determine the state characteristics of nodes; the state characteristics are used to represent the labels of nodes;

The similarity determination layer is used to determine the similarity coefficient between the state feature corresponding to the neighbor node and the state feature corresponding to the node;

The normalization processing layer is used to perform normalization processing on the similarity coefficient, and determine the attention coefficient between domain nodes and nodes;

The first attention operation layer is used to perform weighting processing based on the state characteristics, splicing weights and attention coefficients corresponding to the neighbor nodes, and determine the fusion neighborhood characteristics corresponding to the nodes.

With reference to the second embodiment of the first aspect, in the fourth embodiment of the first aspect, the heterogeneous user message network layer includes a weight learning layer, a second attention operation layer, a semantic attention understanding layer, and a prediction output layer;

The second attention operation layer is used to perform weighted processing based on the fusion neighborhood features and attention weights corresponding to the neighbor nodes to determine the timing characteristics of the nodes; the timing characteristics are used to represent the semantics of the nodes;

The semantic attention understanding layer is used to map the temporal features corresponding to the nodes, determine the semantic attention weight of the node under the meta-path, and perform weighted processing based on the temporal features and semantic attention weights corresponding to the nodes to determine the embedding representation features of the nodes ;

The prediction output module is used to determine the classification result of the embedded representation feature, and output abnormal behavior information based on the classification result.

With reference to the third embodiment of the first aspect, in the fifth embodiment of the first aspect, the behavior flow graph is input into the homogeneous user relationship network layer, and the fusion neighborhood corresponding to the node output by the homogeneous user relationship network layer is obtained features, including:

Input the behavior flow graph into the neighborhood convolution layer to obtain the state characteristics corresponding to the nodes output by the neighborhood convolution layer;

The node features are input into the similarity determination layer to obtain the similarity coefficient between the nodes output by the similarity determination layer;

Input the similarity coefficient into the normalization processing layer to obtain the attention coefficient between the nodes output by the normalization processing layer;

The state features, splicing weights, and attention coefficients corresponding to the neighbor nodes of the node are input into the first attention operation layer, and the fusion neighborhood features corresponding to the nodes output by the first attention operation layer are obtained.

With reference to the fourth embodiment of the first aspect, in the sixth embodiment of the first aspect, the input of the fused neighborhood features into the heterogeneous user message network layer to obtain the abnormal behavior information output by the heterogeneous user message network layer, specifically include:

Input the fusion neighborhood feature into the weight learning layer to obtain the attention weight corresponding to the node output by the weight learning layer;

Input the fusion neighborhood feature and attention weight of the node into the second attention operation layer, and obtain the timing characteristics of the nodes output by the second attention operation layer;

Input the timing features into the semantic attention understanding layer, and obtain the embedded representation features corresponding to the nodes output by the semantic attention understanding layer;

The embedded representation feature is input into the prediction output module, and the abnormal behavior information output by the prediction output module is obtained.

With reference to the first aspect, in the seventh implementation manner of the first aspect, the business data identification model is trained through the following steps:

Determine the sample state characteristics of the sample nodes from the sample behavior flow graph; each sample node in the sample behavior flow graph contains sample user characteristics and sample behavior characteristics, and connects the sample nodes based on the sample behavior characteristics, and the connection is used to represent the sample nodes the timing relationship between

The sample behavior flow graph is used as the input data for training, and the sample state characteristics corresponding to the sample nodes are used as the labels for training, and the deep learning method is used for training to obtain the business data used to generate the user's online behavior information and abnormal behavior information Identify the model.

According to the second aspect, an embodiment of the present invention also provides a device for identifying abnormalities in business data based on behavior association mining, the device comprising:

The feature extraction module is used to determine the user's online behavior information, and extract user characteristics and behavior characteristics from the online behavior information; user characteristics are used to represent the operating environment information of the user's online operations, and the behavioral characteristics are used to represent the chronological information of the user's online operations ;

The behavior recognition module is used to input user characteristics and behavior characteristics into the business data recognition model to obtain abnormal behavior information output by the business data recognition model; the business data recognition model is trained based on the user's sample behavior flow graph; the sample behavior The flow graph is constructed based on the user's sample user characteristics and sample behavior characteristics;

The business data identification model is used to construct a behavior flow graph based on user characteristics and behavior characteristics, determine the fusion neighborhood characteristics corresponding to each node in the behavior flow diagram, and determine the embedded representation characteristics corresponding to nodes based on the fusion field characteristics of nodes, and based on the embedded representation The classification result determined in the feature is used to predict the abnormal behavior of the business data; the nodes contain user characteristics and behavior characteristics, and the nodes are connected based on the behavior characteristics, and the connection is used to represent the timing relationship between the nodes.

With reference to the second aspect, in the first implementation manner of the second aspect, the behavior recognition module specifically includes:

The flow graph construction unit is used to input user characteristics and behavior characteristics into the flow graph construction layer to obtain the behavior flow graph output by the flow graph construction layer;

The relationship recognition unit is used to input the behavior flow graph into the homogeneous user relationship network layer, and obtain the fusion neighborhood features corresponding to the nodes output by the homogeneous user relationship network layer;

The message recognition unit is used to input the fusion neighborhood feature into the heterogeneous user message network layer to obtain the abnormal behavior information output by the heterogeneous user message network layer; the abnormal behavior information includes nodes and state features corresponding to the nodes.

With reference to the first implementation manner of the second aspect, in the second implementation manner of the second aspect, the relationship identification unit specifically includes:

The first identification unit is used to input the behavior flow graph into the neighborhood convolution layer, and obtain the state characteristics corresponding to the nodes output by the neighborhood convolution layer;

The second identification unit is used to input the node features into the similarity determination layer to obtain the similarity coefficient between the nodes output by the similarity determination layer;

The third identification unit is used to input the similarity coefficient into the normalization processing layer, and obtain the attention coefficient between the nodes output by the normalization processing layer;

The fourth identification unit is used to input the state features, splicing weights and attention coefficients corresponding to the neighbor nodes of the node into the first attention operation layer, and obtain the fused neighborhood features corresponding to the nodes output by the first attention operation layer.

With reference to the first implementation manner of the second aspect, in the third implementation manner of the second aspect, the message identification unit specifically includes:

The fifth identification unit is used to input the fusion neighborhood feature into the weight learning layer to obtain the attention weight corresponding to the node output by the weight learning layer;

The sixth identification unit is used in the weight learning layer to determine the attention weight of the node based on the self-attention mechanism;

The seventh identification unit is used to input the fusion neighborhood feature and attention weight of the node into the second attention operation layer to obtain the timing characteristics of the nodes output by the second attention operation layer;

The eighth recognition unit is used to input the time series feature into the semantic attention understanding layer, and obtain the embedded representation feature corresponding to the node output by the semantic attention understanding layer;

The ninth identification unit is configured to input the embedded representation feature into the predictive output module to obtain the abnormal behavior information output by the predictive output module.

According to the third aspect, an embodiment of the present invention also provides an electronic device, including a memory, a processor, and a computer program stored on the memory and operable on the processor. When the processor executes the program, the above-mentioned The steps of any one of the business data anomaly identification methods based on behavior association mining.

According to the fourth aspect, an embodiment of the present invention also provides a non-transitory computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, it implements behavior-based association mining as described in any of the above The steps of the business data exception identification method.

The business data anomaly identification method and device based on behavior association mining provided by the present invention determine the user's online behavior information from the business data, and then extract user characteristics and behavior characteristics from it, and the extracted information not only retains the user's online operation Environmental information also retains the chronological information of users’ online operations, and uses the trained business data recognition model to identify business data and identify abnormal behavior information. Since the business data recognition model is constructed based on user characteristics and behavior characteristics Behavior flow graph, determine the fusion neighborhood features corresponding to each node in the behavior flow graph and determine the embedded representation features corresponding to the nodes based on the fusion field features of the nodes, and based on the classification results determined from the embedded representation features, abnormalize the business data Behavior prediction, so the business data identification model integrates the characteristics of three aspects: user behavior, content generated by the behavior, and the temporal relationship between user behaviors to identify abnormal business data. The speed has been significantly improved. This application uses the business data identification model to identify business data abnormalities based on behavior association mining, and can quickly make judgments and respond to abnormal behaviors, so as to accurately realize user behavior management restrictions, etc., and can meet The development requirements of the big data era.

Description of drawings

The features and advantages of the present invention will be more clearly understood by referring to the accompanying drawings, which are schematic and should not be construed as limiting the invention in any way. In the accompanying drawings:

Fig. 1 shows a schematic flow diagram of a business data anomaly identification method based on behavior association mining provided by the present invention;

Fig. 2 shows one of the result schematic diagrams of the service data identification model provided by the present invention;

FIG. 3 shows a specific flow diagram of step S20 in the business data anomaly identification method based on behavior association mining provided by the present invention;

Fig. 4 shows the second schematic diagram of the result of the business data identification model provided by the present invention;

FIG. 5 shows a specific flow diagram of step S22 in the business data anomaly identification method based on behavior association mining provided by the present invention;

Fig. 6 shows the third schematic diagram of the result of the business data identification model provided by the present invention;

Fig. 7 shows a specific flowchart of step S23 in the business data anomaly identification method based on behavior association mining provided by the present invention;

Fig. 8 shows a schematic flow chart of the business data identification model training process provided by the present invention;

FIG. 9 shows a schematic structural diagram of a business data anomaly identification device based on behavior association mining provided by the present invention;

FIG. 10 shows a schematic structural diagram of an electronic device provided by the present invention.

detailed description

In order to make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below in conjunction with the drawings in the embodiments of the present invention. Obviously, the described embodiments It is a part of embodiments of the present invention, but not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without making creative efforts belong to the protection scope of the present invention.

Network traffic analysis plays an important role in user behavior and security maintenance of the network environment. In the prior art, methods such as port scanning, packet feature extraction, and field matching are used to identify user abnormal behaviors. However, as user business abnormal behaviors are constantly updated and changed, port scanning, packet feature The cost of the method is getting higher and higher, and there are still shortcomings such as the inability to quickly and accurately identify abnormal behaviors. User business anomaly detection combined with network traffic analysis mainly extracts and analyzes normal data through network traffic and formulates corresponding rules. With the help of the formulated rules, abnormal data can be quickly identified, but the above-mentioned user business anomaly detection combined with network traffic analysis There is a problem of insufficient detection accuracy.

At present, machine learning technology has been widely applied to the field of abnormal data processing, and can be used as a better solution for user abnormal behavior identification. The relevant machine learning model extracts the features of the traffic data at the network layer and the transport layer, and samples the detected abnormal types of data, so as to automatically evolve the detection rules to realize the identification of abnormal user business data. However, the currently adopted machine learning model lacks features closely related to users’ online behavior, and does not combine the needs of special network environments with user-defined business behavior types. This makes the user business anomaly data identification system not only expensive, but also affects the actual situation. The analysis and detection of data will affect the actual recognition effect.

This application provides a business data anomaly identification method based on behavior association mining, which can be used in electronic devices, such as computers, mobile phones, wearable smart devices, tablet computers, etc. Figure 1 is a behavior association-based The flow chart of the mining business data anomaly identification method, as shown in Figure 1, the method includes the following steps:

S10. Determine the user's online behavior information from the service data, and extract user characteristics and behavior characteristics from the online behavior information.

The service data may be stored in the electronic device in advance, or obtained by the electronic device from the outside. For example, it may be business data collected by electronic devices from various traffic monitoring devices, including but not limited to business data collected from traffic data at the network layer and transport layer. Here, there is no restriction on how the application obtains the user's online behavior information, it only needs to ensure that the user can obtain the service data.

In this embodiment, the user characteristics are used to represent the operating environment information of the user's online operation, the user characteristics include information such as user equipment, application programs, browsers used, and web pages, and the behavioral characteristics are used to represent the chronological information of the user's online operations. Behavior features include the chronological order of the user's various online operations, that is, the behavior features include the timing information of user characteristics, for example, a user is accustomed to clicking a certain function icon first and then clicking another function icon, and so on.

In this embodiment, the business data may contain at least one user's online behavior information, therefore, the user characteristics and behavior characteristics of a corresponding number of users will also be extracted from the online behavior information, for example, the business data includes user A , B and C three users’ online behavior information, then from the online behavior information, the user characteristics and behavior characteristics corresponding to user A, the user characteristics and behavior characteristics corresponding to user B, and the user characteristics and behavior corresponding to user C will be extracted respectively. feature.

S20. Input user characteristics and behavior characteristics into the trained business data recognition model to obtain abnormal behavior information output by the business data recognition model. In this application, the business data recognition model is obtained by training based on the user's sample behavior flow graph Yes, the sample behavior flow graph is constructed based on the user’s sample user characteristics and sample behavior characteristics. The business data identification model is used to construct a behavior flow graph based on user characteristics and behavior characteristics, and determine the fusion neighborhood features corresponding to each node in the behavior flow graph And based on the fused domain features of the nodes, the embedded representation features corresponding to the nodes are determined, and based on the classification results determined from the embedded representation features, the abnormal behavior of the business data is predicted. In this embodiment, each node in the behavior flow graph contains user characteristics and behavior characteristics. Since the behavior characteristics contain relevant timing information, the nodes will be connected based on the behavior characteristics, and the connections are used to represent the nodes. timing relationship between them.

The embedded representation feature is the representation of nodes in the embedding space (Embedding Space), that is, to encode each node in the behavior flow graph, so that the similarity of the nodes in the embedding space approximates the similarity of the nodes in the original graph. In this application, the user's behavior flow graph will be constructed first based on the extracted user characteristics and behavior characteristics, and then based on each user characteristic (each node in the behavior flow graph), the neighbor nodes of the node, and the weight of the neighbor nodes to obtain Based on the fused domain features corresponding to the node, the embedded representation features are determined based on the fused neighborhood features of the node, the neighbor nodes of the node, and the weights of the neighbor nodes, and based on the classification results determined from the embedded representation features, the abnormal behavior of the business data is predicted. Specifically, how to obtain the embedded representation features corresponding to the nodes will be described in detail below.

Among them, the behavior flow graph has several nodes, the nodes are related information of the user, including user characteristics and behavior characteristics, and are used to represent the static information of the user's behavior, and the nodes are connected based on the behavior characteristics, and the connection is used to represent the nodes The timing relationship between nodes, the node connected to node A is the neighbor node of node A. Similarly, the sample behavior flow graph has several sample nodes. The sample nodes are also user-related information, including user characteristics and user behavior characteristics, and are used to represent the static information of user behavior. The connection between sample nodes is based on the sample behavior characteristics. , and the connection line is used to represent the timing relationship between the sample nodes, and the node connected to the sample node C is the neighbor node of the sample node C.

It can be understood that the sample user characteristics and sample behavior characteristics are extracted from the user's sample online behavior information, and the sample online behavior information is extracted from historical service data. Here, there is no restriction on how the application obtains the user's historical service data, and it is only necessary to ensure that the user can obtain the historical service data.

More specifically, after obtaining the user's online behavior information, extract the user's user characteristics and behavior characteristics from the online behavior information, and then fill the user characteristics and behavior characteristics into each node and each edge of the behavior flow graph respectively In the process, the construction of the behavior flow graph is completed. Nodes are user information nodes, which carry relevant information such as user equipment, applications, browsers used, and web pages. The connection (edge) from node A to node B represents the user information. The timing relationship of behavior is the time sequence of online behavior.

The construction method of the sample behavior flow graph is the same as that of the behavior flow graph, and will not be repeated here.

The business data anomaly identification method based on behavior association mining of the present invention determines the user's online behavior information from the business data, and then extracts user characteristics and behavior characteristics therefrom, and the extracted information not only retains the operating environment information of the user's online operation, It also retains the chronological information of users’ online operations, and uses the trained business data recognition model to identify business data and identify abnormal behavior information in it. Since the business data recognition model is based on user characteristics and behavior characteristics, it constructs a behavior flow graph , determine the fused neighborhood features corresponding to each node in the behavior flow graph and determine the embedded representation features corresponding to the nodes based on the fused domain features of the nodes, and based on the classification results determined from the embedded representation features, predict the abnormal behavior of the business data, Therefore, the business data identification model integrates the characteristics of the three aspects of user behavior, content generated by the behavior, and the temporal relationship between user behaviors to identify abnormal business data. Correspondingly, abnormal behavior information has advantages in terms of accuracy and recognition speed. Significant improvement, this application uses the business data identification model to identify business data anomalies based on behavior association mining, and can quickly make judgments and respond to abnormal behaviors, so as to accurately realize user behavior management restrictions, etc., and can meet the requirements of the big data era development requirements.

The business data anomaly identification method based on behavior association mining of the present invention is described below in conjunction with FIG. 2 . In this embodiment, the business data identification model includes a flow graph construction layer, a homogeneous user relationship network layer and a heterogeneous user message network layer.

Among them, the flow graph construction layer is used to construct the user's behavior flow graph based on user characteristics and behavior characteristics; the homogeneous user relationship network layer is used to analyze each node in the behavior flow graph based on each node in the behavior flow graph and the neighbor nodes of the node. Perform attention calculations to determine the fusion neighborhood features of nodes; the heterogeneous user message network layer is used to perform attention calculations and semantic attention understanding on the fusion neighborhood features of nodes and neighbor nodes to determine the embedded representation of nodes The feature and the distance between the node and the corresponding embedding represent the feature, and the abnormal behavior information is determined based on the distance.

In this embodiment, the behavior flow graph G=(V,E), where V={u ₁ ,u ₁ ,…,u _n }, u _i represents the i-th user feature, i∈n, E={ ε ₁ ,ε ₁ ,…,ε _m }, ε _j represents the jth behavioral feature, j∈m.

In this embodiment, the homogeneous user relationship network layer is a graph neural network based on a homogeneous graph. More specifically, the homogeneous user relationship network layer uses a graph convolutional network and a graph attention network; the heterogeneous user message network layer is The isomer-based graph neural network, more specifically, the heterogeneous user message network layer uses a heterogeneous graph-based attention network.

The business data identification model of this application uses the graph structure to preserve the structure of the social network generated by user behavior to the greatest extent. The graph structure not only retains the operating environment information of the user's online operation, but also retains the time sequence information of the user's online operation. Therefore The business data identification model integrates the characteristics of user behavior, content generated by the behavior, and the temporal relationship between user behaviors in social networks to identify business data anomalies, and has obvious advantages in the accuracy and speed of business data anomaly identification. improvement.

Therefore, referring to FIG. 3, step S20 specifically includes:

S21. Input user characteristics and behavior characteristics into the flow graph construction layer, and obtain a behavior flow graph output by the flow graph construction layer.

S22. Input the behavior flow graph into the homogeneous user relationship network layer, and obtain the fusion neighborhood features corresponding to the nodes output by the homogeneous user relationship network layer.

S23. Input the fusion neighborhood feature into the heterogeneous user message network layer to obtain the abnormal behavior information output by the heterogeneous user message network layer. The abnormal behavior information includes the node and the state feature corresponding to the node, wherein the state feature is the node's Label, corresponding to the category of abnormal behavior.

The business data anomaly identification method based on behavior association mining of the present invention is described below in conjunction with FIG. 4 . The homogeneous user relationship network layer includes a neighborhood convolution layer, a similarity determination layer, a normalization processing layer, and a first attention operation layer.

Among them, the neighborhood convolution layer is used to perform convolution operations on the node, the neighbor nodes of the node, and the convolution weights corresponding to the node, and determine the state characteristics of the nodes. The state characteristics are used to represent the labels of the nodes. In this application, the state characteristics It will be output as a label for user abnormal behavior detection; the similarity determination layer is used to determine the similarity coefficient between the state characteristics corresponding to the neighbor node and the state characteristics corresponding to the node; the normalization processing layer is used to normalize the similarity coefficient The first attention operation layer is used to perform weighted processing based on the state characteristics, splicing weights and attention coefficients corresponding to the neighbor nodes, and determine the fusion neighborhood features corresponding to the nodes.

Therefore, referring to Fig. 5, step S22 specifically includes:

S221. Input the behavior flow graph into the neighborhood convolution layer, and obtain the state features corresponding to the nodes output by the neighborhood convolution layer.

The neighborhood convolution layer is a space-based graph convolution network, that is, the graph convolution is defined based on the spatial relationship of nodes. The convolution method is to accumulate the state of a node and all its neighbor nodes to update the state of the current node. , get the state characteristics of the node, specifically:

为第l层节点v的卷积权重，用于特征的增强，在本实施例中，任意一个节点i在第l层对应的卷积权重

是可以学习的参数矩阵，这个可学习的参数矩阵

用以聚合节点i在第l层的特征并实现特征向量维度的转换。Among them, h ^l (v) represents the state characteristics of node v in layer l, h ^l (v) represents the state characteristics of node v in layer l+1; N(v) represents the neighbor nodes of node v; σ represents the activation coefficient, That is, a nonlinear activation function σ will be added;

is the convolution weight of node v in layer l, which is used for feature enhancement. In this embodiment, the convolution weight corresponding to any node i in layer l

is a learnable parameter matrix, this learnable parameter matrix

It is used to aggregate the features of node i in layer l and realize the conversion of feature vector dimensions.

As an optional implementation of the present invention, the neighborhood convolutional layer is a one-layer convolutional layer and a local output function, and the domain convolutional layer takes the entire behavior flow graph as input, through which the convolutional layer All nodes and their corresponding neighbor nodes perform a convolution operation, and update the state of the node with the convolution result to obtain the state characteristics of the node, and finally convert the state characteristics of the node into a label output for user anomaly detection through a local output function .

As another optional implementation of the present invention, the neighborhood convolution layer is a multi-layer convolution layer and an output function, and the neighborhood convolution layer also takes the entire behavior flow graph as input, and in each layer In the convolutional layer, a convolution operation is performed on all nodes and the corresponding neighbor nodes of the node, and the node is updated with the convolution result, and then input to the next convolutional layer through the activation function, and the cycle is repeated, and finally through a local output The function converts the state of a node into a label output for anomalous user detection.

That is, the state of a node is updated according to the state of its neighbor nodes, and the distribution of the weight of node i mainly depends on the convolution weight W _i corresponding to node i, and W _i is continuously learned and optimized, specifically through forward propagation and Backpropagation optimizes the parameters.

S222. Input node features into the similarity determination layer, and obtain similarity coefficients between nodes output by the similarity determination layer.

The similarity determination layer, the subsequent normalization processing layer, and the first attention operation layer are the graph attention network with the attention mechanism. The attention operation in the graph attention network is only performed on the neighbor nodes of a certain node, for example, for the node i, calculate the similarity coefficient between its neighbor nodes and it one by one, specifically:

e _ij ＝a([V _i h _i ||V _i h _j ]),j∈N(i)

Among them, e _ij represents the similarity coefficient between the neighbor node j of node i and node i; [·||·] is a feature splicing function, which is used to splice the features after dimension enhancement; a is the mapping coefficient, in this implementation In the example, a is a function used to map the spliced high-dimensional features into real numbers, specifically through a single-layer feed-forward neural network; V _i is the splicing weight of node i, and N(i) represents Neighbor nodes of node i.

In this application, a graph attention network with an attention mechanism is used, which can not only assign different weights (ie splicing weights) to different nodes, but also only rely on paired neighbor nodes during training, rather than the specific overall network structure, so that The business data identification model has better generalization.

S223. Input the similarity coefficient into the normalization processing layer, and obtain the attention coefficient between nodes output by the normalization processing layer.

Normalize the similarity coefficient e _ij to obtain the attention coefficient a _ij between neighbor node j and node i, namely:

S224. Input the state features, splicing weights, and attention coefficients corresponding to the neighbor nodes of the node into the first attention operation layer, and obtain fusion neighborhood features corresponding to the nodes output by the first attention operation layer.

In the first attention operation layer, according to the state features, splicing weights and attention coefficients corresponding to the neighbor nodes of the node, the features are weighted and summed to obtain the fusion neighborhood features corresponding to the node, specifically:

Among them, h′ _i is the fusion neighborhood feature of node i, and the fusion domain feature is the new feature information after combining the feature information of the neighbor nodes of node i.

The business data anomaly identification method based on behavior association mining of the present invention is described below in conjunction with FIG. 6 . The heterogeneous user message network layer includes a weight learning layer, a second attention operation layer, a semantic attention understanding layer, and a prediction output layer.

Among them, the weight learning layer is used to determine the attention weight of nodes based on the self-attention mechanism; the second attention operation layer is used to perform weighted processing based on the fusion neighborhood features and attention weights corresponding to neighbor nodes to determine the timing characteristics of nodes ;The timing feature is used to represent the semantics of the node; the semantic attention understanding layer is used to map the timing feature corresponding to the node, determine the semantic attention weight of the node under the meta path, and based on the timing feature corresponding to the node and the semantic attention weight Perform weighting processing to determine the embedding representation characteristics of the nodes; the prediction output module is used to determine the classification results of the embedding representation characteristics, and output abnormal behavior information based on the classification results.

Therefore, referring to FIG. 7, step S23 specifically includes:

S231. Input the fusion neighborhood feature into the weight learning layer, and obtain the attention weights corresponding to the nodes output by the weight learning layer.

具体的为：In the weight learning layer, the weight of the neighbors is learned through the self-attention mechanism of the node. For the fusion neighborhood feature h′ i of the node i after fusion splicing and the fusion neighborhood feature h′ _j of its neighbor node _j , one can learn The node attention vector a _Φ to learn the attention weight of neighbor node j relative to node i

Specifically:

S232. Input the fused neighborhood features and attention weights of the nodes into the second attention operation layer, and obtain the time sequence features of the nodes output by the second attention operation layer.

After obtaining the attention weights corresponding to each neighbor node of a certain node i, use the attention network in the same figure to weight and sum the fusion neighborhood features according to the attention weights to obtain the timing characteristics of node i, specifically:

表示节点i的时序特征，时序特征是融合了节点在各条元路径也就是结合邻居节点的相关信息，例如节点A存在10个邻居节点，那么该节点A存在10条元路径。in,

Represents the timing feature of node i, which is the fusion of the node's information on each meta-path, that is, the combination of neighbor nodes. For example, if node A has 10 neighbor nodes, then node A has 10 meta-paths.

S233. Input the time series features into the semantic attention understanding layer, and obtain the embedded representation features corresponding to the nodes output by the semantic attention understanding layer.

The semantic attention understanding layer will first learn the weight of a node in different meta-paths and perform weighted fusion on the temporal features of the node to obtain the semantic attention weight of the node, specifically:

表示节点i的语义注意力权重；V为节点i的元路径总数也就是邻居节点的总数；q^T为语义映射系数，用于将每个元路径的每个节点的语义映射到实数上来，在本实施例中，q^T采用一个大小为1×3的向量参数；

为一单层的神经网络，W为该神经网络层可学习的参数矩阵，也为该神经网络层的层权重，b为该神经网络层的偏差向量。in,

Indicates the semantic attention weight of node i; V is the total number of meta-paths of node i, that is, the total number of neighbor nodes; q ^T is the semantic mapping coefficient, which is used to map the semantics of each node of each meta-path to a real number. In this embodiment, q ^T adopts a vector parameter whose size is 1×3;

is a single-layer neural network, W is the learnable parameter matrix of the neural network layer, and is also the layer weight of the neural network layer, and b is the bias vector of the neural network layer.

以及

对应的语义注意力权重也可以分为三类：

以及

In this application, after the processing in step S20, the node will be updated to the fusion neighborhood feature, and the neighbor node of the fusion neighborhood feature is also the fusion neighborhood feature corresponding to the neighbor node of the original node. The fusion neighborhood feature can be divided into four types: : User information of user A, behavior message information of user A, user information of non-user A (such as user B) and behavior message information of non-user A (such as user B), so according to the relationship between a node and its neighbor nodes, The timing features are divided into three categories: user information of user A - behavior information of the same user A, user information of user A - behavior information of non-user A, and user information of user A - information of non-user A User Info. That is, according to the relationship between a node and its neighbor nodes, the final timing features can be divided into three categories:

as well as

The corresponding semantic attention weights can also be divided into three categories:

as well as

Afterwards, the semantic attention understanding layer performs weighting processing based on the timing features corresponding to the nodes and the semantic attention weight, and determines the embedding representation features of the nodes. The embedding representation features can preserve the information in the original image in a low-dimensional vector. Specifically, for:

where Z represents the embedding representation features of all nodes.

S234. Input the embedded representation feature into the prediction output module, and obtain the abnormal behavior information output by the prediction output module.

The prediction output module will obtain multi-label classification results based on Z. According to the classification results and corresponding labels, whether there is abnormal behavior and what type of abnormal behavior it belongs to is obtained, and then the generated abnormal behavior information is transmitted and fed back to the user.

The business data anomaly identification method based on behavior association mining of the present invention is described below in conjunction with FIG. 8, and the business data identification model is obtained through the following steps of training:

A10. Determine the sample state characteristics of the sample nodes from the sample behavior flow graph. The steps for determining the sample state characteristics are similar to step S221, and will not be repeated here.

A20. Use the sample behavior flow graph as the input data for training, use the sample state features corresponding to the sample nodes as the label for training, and use deep learning to train to obtain the abnormal behavior information used to generate the user's online behavior information. Business data identification model.

In this embodiment, in step A20, a semi-supervised learning method is used to train the model, and various parameters in the business data identification model are adjusted. During training, the ratio of the training set, the verification set and the test set is 3:1:1, and Normal users and abnormal users are randomly selected according to the above ratio, and the precision rate (Precision) and recall rate (Recall) are selected as the evaluation criteria, and the corresponding parameters are continuously optimized by forward propagation and back propagation.

The business data anomaly identification device based on behavioral correlation mining provided by the present invention is described below. The business data anomaly identification device based on behavioral correlation mining described below and the business data anomaly identification method based on behavioral correlation mining described above can be referred to in correspondence. .

This application provides a business data anomaly identification device based on behavior association mining, which can be used in electronic devices, such as computers, mobile phones, wearable smart devices, tablet computers, etc. A schematic diagram of the structure of the mined business data anomaly identification device, as shown in Figure 9, the device includes:

The feature extraction module 10 is used to determine the user's online behavior information from the service data, and extract user features and behavior features from the online behavior information.

The service data may be stored in the electronic device in advance, or obtained by the electronic device from the outside. For example, it may be business data collected by electronic devices from various traffic monitoring devices, including but not limited to business data collected from traffic data at the network layer and transport layer. Here, there is no restriction on how the application obtains the user's online behavior information, it only needs to ensure that the user can obtain the service data.

In this embodiment, the user characteristics are used to represent the operating environment information of the user's online operation, the user characteristics include information such as user equipment, application programs, browsers used, and web pages, and the behavioral characteristics are used to represent the chronological information of the user's online operations. Behavior features include the chronological order of the user's various online operations, that is, the behavior features include the timing information of user characteristics, for example, a user is accustomed to clicking a certain function icon first and then clicking another function icon, and so on. In this embodiment, the business data may contain at least one user's online behavior information, therefore, the user characteristics and behavior characteristics of a corresponding number of users will also be extracted from the online behavior information, for example, the business data includes user A , B and C three users’ online behavior information, then from the online behavior information, the user characteristics and behavior characteristics corresponding to user A, the user characteristics and behavior characteristics corresponding to user B, and the user characteristics and behavior corresponding to user C will be extracted respectively. feature.

The behavior recognition module 20 is used to input user characteristics and behavior characteristics into the trained business data recognition model to obtain abnormal behavior information output by the business data recognition model. In this application, the business data recognition model is based on user samples Behavior flow diagram training, the sample behavior flow diagram is constructed based on the user's sample user characteristics and sample behavior characteristics, the business data recognition model is used to construct the behavior flow diagram based on user characteristics and behavior characteristics, and determine the corresponding nodes in the behavior flow diagram Based on the fused neighborhood features and node-based fused domain features, the embedded representation features corresponding to the nodes are determined, and based on the classification results determined from the embedded representation features, the abnormal behavior of the business data is predicted. In this embodiment, each node in the behavior flow graph contains user characteristics and behavior characteristics. Since the behavior characteristics contain relevant timing information, the nodes will be connected based on the behavior characteristics, and the connections are used to represent the nodes. timing relationship between them.

The embedding representation feature is the representation of nodes in the embedding space, that is, each node in the behavior flow graph is encoded, so that the similarity of the nodes in the embedding space is similar to the similarity of the nodes in the original graph. In this application, the user's behavior flow graph will be constructed first based on the extracted user characteristics and behavior characteristics, and then based on each user characteristic (each node in the behavior flow graph), the neighbor nodes of the node, and the weight of the neighbor nodes to obtain Based on the fused domain features corresponding to the node, the embedded representation features are determined based on the fused neighborhood features of the node, the neighbor nodes of the node, and the weights of the neighbor nodes, and based on the classification results determined from the embedded representation features, the abnormal behavior of the business data is predicted. Specifically, how to obtain the embedded representation features corresponding to the nodes will be described in detail below.

Among them, the behavior flow graph has several nodes, the nodes are related information of the user, including user characteristics and behavior characteristics, and are used to represent the static information of the user's behavior, and the nodes are connected based on the behavior characteristics, and the connection is used to represent the nodes The timing relationship between nodes, the node connected to node A is the neighbor node of node A. Similarly, the sample behavior flow graph has several sample nodes. The sample nodes are also user-related information, including user characteristics and user behavior characteristics, and are used to represent the static information of user behavior. The connection between sample nodes is based on the sample behavior characteristics. , and the connection line is used to represent the timing relationship between the sample nodes, and the node connected to the sample node C is the neighbor node of the sample node C.

It can be understood that the sample user characteristics and sample behavior characteristics are extracted from the user's sample online behavior information, and the sample online behavior information is extracted from historical service data. Here, there is no restriction on how the application obtains the user's historical service data, and it is only necessary to ensure that the user can obtain the historical service data.

The business data anomaly identification device based on behavior association mining of the present invention extracts user characteristics and behavior characteristics from the user's online behavior information, and the extracted information not only retains the operating environment information of the user's online operation, but also retains the user's online operation chronological information, and use the trained business data recognition model to identify user characteristics and behavior characteristics, and identify the abnormal behavior information, because the business data recognition model is used to weight Obtain the embedded representation features corresponding to the user features and predict the abnormal behavior of the user features based on the distance between the embedded representation features and the user features. Therefore, the business data recognition model integrates the user behavior, the content generated by the behavior, and the time sequence between user behaviors The characteristics of these three aspects of the relationship identify business data anomalies. Correspondingly, abnormal behavior information has significantly improved in terms of accuracy and recognition speed. This application uses this business data identification model to conduct business data anomalies based on behavior association mining. Identify and quickly make judgments and respond to abnormal behaviors, so as to accurately realize user behavior management restrictions, etc., and can meet the development requirements of the big data era.

FIG. 10 illustrates a schematic diagram of the physical structure of an electronic device. As shown in FIG. 10 , the electronic device may include: a processor (processor) 310, a communication interface (Communications Interface) 320, a memory (memory) 330 and a communication bus 340, Wherein, the processor 310 , the communication interface 320 , and the memory 330 communicate with each other through the communication bus 340 . The processor 310 can invoke logic commands in the memory 330 to execute a method for identifying business data anomalies based on behavior association mining, the method including:

Determine the user's online behavior information, extract user characteristics and behavior characteristics from the online behavior information; user characteristics are used to represent the operating environment information of the user's online operation, and the behavioral characteristics are used to represent the time sequence information of the user's online operation;

Input user characteristics and behavior characteristics into the business data recognition model to obtain abnormal behavior information output by the business data recognition model; the business data recognition model is trained based on the user's sample behavior flow graph; the sample behavior flow graph is based on the user's Constructed from sample user characteristics and sample behavior characteristics;

The business data identification model is used to construct a behavior flow graph based on user characteristics and behavior characteristics, determine the fusion neighborhood characteristics corresponding to each node in the behavior flow diagram, and determine the embedded representation characteristics corresponding to nodes based on the fusion field characteristics of nodes, and based on the embedded representation The classification result determined in the feature is used to predict the abnormal behavior of the business data; the nodes contain user characteristics and behavior characteristics, and the nodes are connected based on the behavior characteristics, and the connection is used to represent the timing relationship between the nodes.

In addition, the above-mentioned logic commands in the memory 330 can be implemented in the form of software function units and can be stored in a computer-readable storage medium when sold or used as an independent medium. Based on this understanding, the essence of the technical solution of the present invention or the part that contributes to the prior art or the part of the technical solution can be embodied in the form of a software medium, and the computer software medium is stored in a storage medium, including Several commands are used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods described in various embodiments of the present invention. The aforementioned storage medium includes: U disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), magnetic disk or optical disk and other media that can store program codes. .

On the other hand, the present invention also provides a computer program medium, the computer program medium includes a computer program, the computer program can be stored on a non-transitory computer-readable storage medium, and when the computer program is executed by a processor, the computer can Executing the business data anomaly identification method based on behavior association mining provided by the above methods, the method includes:

Determine the user's online behavior information, extract user characteristics and behavior characteristics from the online behavior information; user characteristics are used to represent the operating environment information of the user's online operation, and the behavioral characteristics are used to represent the time sequence information of the user's online operation;

Input user characteristics and behavior characteristics into the business data recognition model to obtain abnormal behavior information output by the business data recognition model; the business data recognition model is trained based on the user's sample behavior flow graph; the sample behavior flow graph is based on the user's Constructed from sample user characteristics and sample behavior characteristics;

The business data identification model is used to construct a behavior flow graph based on user characteristics and behavior characteristics, determine the fusion neighborhood characteristics corresponding to each node in the behavior flow diagram, and determine the embedded representation characteristics corresponding to nodes based on the fusion field characteristics of nodes, and based on the embedded representation The classification result determined in the feature is used to predict the abnormal behavior of the business data; the nodes contain user characteristics and behavior characteristics, and the nodes are connected based on the behavior characteristics, and the connection is used to represent the timing relationship between the nodes.

The device embodiments described above are only illustrative, and the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in One place, or it can be distributed to multiple network elements. Part or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment. It can be understood and implemented by those skilled in the art without any creative efforts.

Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus a necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the essence of the above technical solutions or the part that contributes to the prior art can be embodied in the form of software media, and the computer software media can be stored in computer-readable storage media, such as ROM/RAM, magnetic Disc, CD, etc., including several commands to make a computer device (which may be a personal computer, server, or network device, etc.) execute the methods described in various embodiments or some parts of the embodiments.

Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present invention, rather than to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in this area should understand that: it still The technical solutions recorded in the foregoing embodiments may be modified, or some of the technical features may be equivalently replaced; and these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the spirit and scope of the technical solutions of the various embodiments of the present invention. .

Claims (14)

1. A business data anomaly identification method based on behavior association mining, is characterized in that, described method comprises: Determine the user's online behavior information from the business data, extract user characteristics and behavior characteristics from the online behavior information; user characteristics are used to represent the operating environment information of the user's online operation, and the behavioral characteristics are used to represent the time sequence information of the user's online operation; Input user characteristics and behavior characteristics into the business data recognition model to obtain abnormal behavior information output by the business data recognition model; the business data recognition model is trained based on the user's sample behavior flow graph; the sample behavior flow graph is based on the user's Constructed from sample user characteristics and sample behavior characteristics; The business data identification model is used to construct a behavior flow graph based on user characteristics and behavior characteristics, determine the fusion neighborhood characteristics corresponding to each node in the behavior flow diagram, and determine the embedded representation characteristics corresponding to nodes based on the fusion field characteristics of nodes, and based on the embedded representation The classification result determined in the feature is used to predict the abnormal behavior of the business data; the nodes contain user characteristics and behavior characteristics, and the nodes are connected based on the behavior characteristics, and the connection is used to represent the timing relationship between the nodes. 2. The business data anomaly identification method based on behavior association mining according to claim 1, wherein the business data identification model comprises a flow graph construction layer, a homogeneous user relationship network layer and a heterogeneous user message network layer; The flow graph construction layer is used to build a user's behavior flow graph based on user characteristics and behavioral characteristics; The homogeneous user relationship network layer is used to perform attention operations on each node in the behavior flow graph based on the node and its neighbor nodes, and determine the fusion neighborhood characteristics of the node; the neighbor node is a node that has a connection with the current node; The heterogeneous user message network layer is used for the fusion neighborhood feature of the node and the fusion neighborhood feature of the neighbor node to perform attention operation and semantic attention understanding, determine the embedded representation feature of the node, obtain the classification result based on the embedded representation feature, and obtain the classification result based on the classification The results identify abnormal behavior information. 3. The business data anomaly identification method based on behavior association mining according to claim 2, wherein the user characteristics and behavior characteristics are input into the business data identification model to obtain the abnormal behavior output by the business data identification model information, including: Input user characteristics and behavior characteristics into the flow graph construction layer to obtain the behavior flow graph output by the flow graph construction layer; Input the behavior flow graph into the homogeneous user relationship network layer, and obtain the fusion neighborhood features corresponding to the nodes output by the homogeneous user relationship network layer; The fusion neighborhood feature is input into the heterogeneous user information network layer, and the abnormal behavior information output by the heterogeneous user information network layer is obtained; the abnormal behavior information includes the node and the state feature corresponding to the node. 4. The business data anomaly identification method based on behavior association mining according to claim 3, wherein the homogeneous user relationship network layer comprises a neighborhood convolution layer, a similarity determination layer, a normalization processing layer and The first attention operation layer; The neighborhood convolution layer is used to perform convolution operations on nodes, neighbor nodes of nodes, and convolution weights corresponding to nodes to determine the state characteristics of nodes; the state characteristics are used to represent the labels of nodes; The similarity determination layer is used to determine the similarity coefficient between the state feature corresponding to the neighbor node and the state feature corresponding to the node; The normalization processing layer is used to perform normalization processing on the similarity coefficient, and determine the attention coefficient between domain nodes and nodes; The first attention operation layer is used to perform weighting processing based on the state characteristics, splicing weights and attention coefficients corresponding to the neighbor nodes, and determine the fusion neighborhood characteristics corresponding to the nodes. 5. the business data anomaly identification method based on behavior association mining according to claim 3, is characterized in that, described heterogeneous user message network layer comprises weight learning layer, the second attention calculation layer, semantic attention understanding layer and predict output layer; The weight learning layer is used to determine the attention weight of the node based on the self-attention mechanism; The second attention operation layer is used to perform weighted processing based on the fusion neighborhood features and attention weights corresponding to the neighbor nodes to determine the timing characteristics of the nodes; the timing characteristics are used to represent the semantics of the nodes; The semantic attention understanding layer is used to map the timing features corresponding to the nodes, determine the semantic attention weight of the nodes, and perform weighting processing based on the timing features corresponding to the nodes and the semantic attention weights, and determine the embedding representation characteristics of the nodes; The prediction output module is used to determine the classification result of the embedded representation feature, and output abnormal behavior information based on the classification result. 6. The business data anomaly identification method based on behavior association mining according to claim 4, wherein the behavior flow graph is input into the homogeneous user relationship network layer to obtain the nodes output by the homogeneous user relationship network layer The corresponding fusion neighborhood features include: Input the behavior flow graph into the neighborhood convolution layer to obtain the state characteristics corresponding to the nodes output by the neighborhood convolution layer; The node features are input into the similarity determination layer to obtain the similarity coefficient between the nodes output by the similarity determination layer; Input the similarity coefficient into the normalization processing layer to obtain the attention coefficient between the nodes output by the normalization processing layer; The state features, splicing weights, and attention coefficients corresponding to the neighbor nodes of the node are input into the first attention operation layer, and the fusion neighborhood features corresponding to the nodes output by the first attention operation layer are obtained. 7. The business data anomaly identification method based on behavior association mining according to claim 5, wherein the fusion neighborhood feature is input into the heterogeneous user message network layer to obtain the output of the heterogeneous user message network layer Abnormal behavior information, including: Input the fusion neighborhood feature into the weight learning layer to obtain the attention weight corresponding to the node output by the weight learning layer; Input the fusion neighborhood feature and attention weight of the node into the second attention operation layer, and obtain the timing characteristics corresponding to the nodes output by the second attention operation layer; Input the timing features into the semantic attention understanding layer, and obtain the embedded representation features corresponding to the nodes output by the semantic attention understanding layer; The embedded representation feature is input into the prediction output module, and the abnormal behavior information output by the prediction output module is obtained. 8. The business data anomaly identification method based on behavior association mining according to claim 1, wherein the business data identification model is trained through the following steps: Determine the sample state characteristics of the sample nodes from the sample behavior flow graph; each sample node in the sample behavior flow graph contains sample user characteristics and sample behavior characteristics, and connects the sample nodes based on the sample behavior characteristics, and the connection is used to represent the sample Timing relationship between nodes; The sample behavior flow graph is used as the input data for training, and the sample state characteristics corresponding to the sample nodes are used as the labels for training, and the deep learning method is used for training to obtain the business data used to generate the user's online behavior information and abnormal behavior information Identify the model. 9. A business data anomaly identification device based on behavior association mining, characterized in that the device comprises: The feature extraction module is used to determine the user's online behavior information, and extract user characteristics and behavior characteristics from the online behavior information; user characteristics are used to represent the operating environment information of the user's online operations, and the behavioral characteristics are used to represent the chronological information of the user's online operations ; The behavior recognition module is used to input user characteristics and behavior characteristics into the business data recognition model to obtain abnormal behavior information output by the business data recognition model; the business data recognition model is trained based on the user's sample behavior flow graph; the sample behavior The flow graph is constructed based on the user's sample user characteristics and sample behavior characteristics; The business data identification model is used to construct a behavior flow graph based on user characteristics and behavior characteristics, determine the fusion neighborhood characteristics corresponding to each node in the behavior flow diagram, and determine the embedded representation characteristics corresponding to nodes based on the fusion field characteristics of nodes, and based on the embedded representation The classification result determined in the feature is used to predict the abnormal behavior of the business data; the nodes contain user characteristics and behavior characteristics, and the nodes are connected based on the behavior characteristics, and the connection is used to represent the timing relationship between the nodes. 10. The business data anomaly identification device based on behavior association mining according to claim 9, wherein the behavior identification module specifically includes: The flow graph construction unit is used to input user characteristics and behavior characteristics into the flow graph construction layer to obtain the behavior flow graph output by the flow graph construction layer; The relationship recognition unit is used to input the behavior flow graph into the homogeneous user relationship network layer, and obtain the fusion neighborhood features corresponding to the nodes output by the homogeneous user relationship network layer; The message recognition unit is used to input the fusion neighborhood feature into the heterogeneous user message network layer to obtain the abnormal behavior information output by the heterogeneous user message network layer; the abnormal behavior information includes nodes and state features corresponding to the nodes. 11. The business data anomaly identification device based on behavior association mining according to claim 10, wherein the relationship identification unit specifically comprises: The first identification unit is used to input the behavior flow graph into the neighborhood convolution layer, and obtain the state characteristics corresponding to the nodes output by the neighborhood convolution layer; The second identification unit is used to input the node features into the similarity determination layer to obtain the similarity coefficient between the nodes output by the similarity determination layer; The third identification unit is used to input the similarity coefficient into the normalization processing layer, and obtain the attention coefficient between the nodes output by the normalization processing layer; The fourth identification unit is used to input the state features, splicing weights and attention coefficients corresponding to the neighbor nodes of the node into the first attention operation layer, and obtain the fused neighborhood features corresponding to the nodes output by the first attention operation layer. 12. The business data anomaly identification device based on behavior association mining according to claim 10, wherein the message identification unit specifically comprises: The fifth identification unit is used to input the fusion neighborhood feature into the weight learning layer to obtain the attention weight corresponding to the node output by the weight learning layer; The sixth identification unit is used in the weight learning layer to determine the attention weight of the node based on the self-attention mechanism; The seventh identification unit is used to input the fusion neighborhood feature and attention weight of the node into the second attention operation layer, and obtain the timing characteristics of the nodes output by the second attention operation layer under the meta-path; The eighth recognition unit is used to input the time series feature into the semantic attention understanding layer, and obtain the embedded representation feature corresponding to the node output by the semantic attention understanding layer; The ninth identification unit is configured to input the embedded representation feature into the predictive output module to obtain the abnormal behavior information output by the predictive output module. 13. An electronic device comprising a memory, a processor, and a computer program stored on the memory and operable on the processor, wherein the processor according to claim 1 is implemented when executing the program. The steps of the business data anomaly identification method based on behavior association mining described in any one of 8 to 8. 14. A non-transitory computer-readable storage medium, on which a computer program is stored, characterized in that, when the computer program is executed by a processor, the behavior-based association mining as described in any one of claims 1 to 8 is implemented. The steps of the method for identifying abnormal business data.

Images