A user account abnormity detection method and device based on time sequence characteristics

Abstract

The embodiment of the invention provides a user account abnormity detection method based on time sequence characteristics, and the method comprises the steps: building a time sequence abnormity detection algorithm model with a plurality of characteristic dimensions according to the historical record data of a user account; Obtaining current data of a user account, and according to the plurality ofanomaly detection algorithm models, respectively carrying out anomaly detection on the current data from the plurality of feature dimensions to obtain scores of the current data in the plurality of feature dimensions; Taking the average value of the scores of the plurality of feature dimensions as a comprehensive abnormal score of the current data; And when the comprehensive abnormal score is greater than a preset score threshold, judging that the user account is an abnormal user account. According to the technical scheme, dynamic behavior changes of a user are captured through user account evaluation based on a time sequence model and abnormal feature set matching based on association rule analysis, and the accuracy and interpretability of abnormal account detection in practical application are improved.

Description

technical field [0001] The invention relates to the field of network security, in particular to a method and device for abnormal detection of user accounts based on time series features. Background technique [0002] Commonly used network accounts and host accounts are stolen, which may cause information leakage, financial loss, or affect the trust relationship between users. Therefore, abnormal account detection has always been one of the key issues in the field of security research. Aiming at the threats posed by abnormal accounts, both academia and industry have proposed a large number of detection schemes, which can be divided into four categories according to the core algorithms used in these schemes: [0003] The first is a detection method based on empirical knowledge. The scoring method based on empirical knowledge relies too much on expert knowledge and is not universal. Abnormal hacking behaviors usually change dynamically to avoid anomaly detection. The current...

AI Technical Summary

Problems solved by technology

[0008] The above detection methods only consider the user's static behavior characteristics, such as the user's personal information, friend relationship, etc., without considering the timing characteristics, and cannot capture the user's dynamic behavior

Since the behavior of abnormal hacking is always changing dynamically, the detection model needs to be updated frequently, and the calculation cost is high, especially the algorithm based on graph mining has no practical value

The detection accuracy of both classification-based and cluster-based methods depends on the specific machine learning algorithm, and the detection results are not interpretable. It is not easy to understand the specific reasons why the user is judged as abnormal, which is not conducive to analyzing the abnormal behavior of the user.

Images