Behavior sequence anomaly detection method and system based on unsupervised algorithm

An unsupervised anomaly detection technique, applied in the field of information security, that addresses problems such as a high false positive rate, a low accuracy rate, and missing labeled samples, and achieves strong adaptability.
CN112738088A · Active · Publication Date: 2021-04-30 · SHANGHAI GUAN AN INFORMATION TECH

Patent Information

Authority / Receiving Office: CN · China
Current Assignee / Owner: SHANGHAI GUAN AN INFORMATION TECH
Publication Date: 2021-04-30


Abstract

The invention provides a behavior sequence anomaly detection method based on an unsupervised algorithm. Working from the operation data of an enterprise web system, the method takes each user's operations in order and calculates the time interval between two operations. It segments the user behavior sequence according to whether that interval is greater than a preset threshold, then trains a probabilistic suffix tree model on the segmented sequences. The probabilistic suffix tree model outputs a probability value for each user behavior sequence. The probability value corresponding to the user is used as a feature, i.e. as the input of an isolation forest model, and the model's output determines whether the user's behavior is abnormal.
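The first two stages of the abstract (interval-based segmentation and sequence probability scoring), as an added example that is not code from the patent or its assignee. It uses an unpruned table of context counts with suffix back-off in place of a full probabilistic suffix tree and leaves out the isolation forest stage; the threshold, context length, operation names and sample events are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

GAP_SECONDS = 1800  # assumed threshold; the page does not give a value
MAX_ORDER = 2       # assumed longest context (suffix) length

def segment(events, gap=GAP_SECONDS):
    """Cut one user's (timestamp, operation) events into sequences wherever
    two consecutive operations are more than `gap` seconds apart."""
    sessions, last = [], None
    for ts, op in sorted(events):
        if last is None or ts - last > gap:
            sessions.append([])
        sessions[-1].append(op)
        last = ts
    return sessions

def train(sessions, max_order=MAX_ORDER):
    """Next-operation counts for every context of length 0..max_order."""
    counts = defaultdict(Counter)
    for s in sessions:
        for i, op in enumerate(s):
            for k in range(min(i, max_order) + 1):
                counts[tuple(s[i - k:i])][op] += 1
    return counts

def score(session, counts, alphabet_size, max_order=MAX_ORDER):
    """Mean log-probability per operation: longest trained suffix as
    context, add-one smoothing so unseen operations stay finite."""
    total = 0.0
    for i, op in enumerate(session):
        ctx = tuple(session[max(0, i - max_order):i])
        while ctx and ctx not in counts:
            ctx = ctx[1:]  # back off to a shorter suffix
        c = counts.get(ctx, Counter())
        total += math.log((c[op] + 1) / (sum(c.values()) + alphabet_size))
    return total / len(session)

# Constructed sample data (not from the page).
TRAINING = [["login", "search", "view", "logout"]] * 20 \
         + [["login", "view", "edit", "logout"]] * 10
ALPHABET = 6  # login, search, view, edit, logout, export
EVENTS = [(0, "login"), (40, "search"), (95, "view"), (130, "logout"),
          (9000, "login"), (9002, "export"), (9004, "export"), (9006, "export")]

if __name__ == "__main__":
    model = train(TRAINING)
    for s in segment(EVENTS):
        print(round(score(s, model, ALPHABET), 3), s)
```

The per-sequence scores are the values that would be passed on as the feature for the isolation forest stage the abstract describes.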

Description

Technical field

[0001] The invention relates to the technical field of information security, in particular to an unsupervised algorithm-based behavior sequence anomaly detection method and system.

Background technique

[0002] In recent years, with the continuous development of cloud computing technology and market demand, the business systems of various industries have grown rapidly, and the accompanying network attack methods have also shown a trend of diversification. Some conventional security protection measures can only provide traditional security protection, and these capabilities are gradually failing in the current complex network environment. Quickly and accurately uncovering attack threats, malicious users, and malicious behaviors has become more and more difficult. Malicious behaviors such as website attacks, "sweeping wool", and stealing internal data of enterprises are hidden in a large number of normal network behaviors through various camoufla...
