Abnormal behavior detection method, device and system and computer readable storage medium

Abstract

The invention discloses an abnormal behavior detection method, device and system and a computer readable storage medium. The method comprises the steps that expert experience knowledge is adopted, and intelligent selection operation behaviors of people correspond to multi-dimensional operation characteristic values; and selecting an optimal K value, normalizing an operation characteristic value, then carrying out K-means clustering, carrying out detection on a clustered result through an idea of integrating the clustering result into a peer group to obtain an abnormal behavior, and visualizing the abnormal behavior. According to the invention, sufficient and rapid feature selection is carried out; all the features are normalized, so that the detection sensitivity is improved; an optimal K-means clustering algorithm is adopted to obtain a clustering center and a clustering category so as to facilitate detection of abnormal behaviors; abnormal behavior judgment is carried out in a peer-to-peer group mode, and threshold parameters can be regulated and controlled, so that the detection speed and accuracy are improved; and the detection result is visualized after dimension reduction, so that the detection result is more common, intuitive and clear.

Description

technical field [0001] The present invention relates to the field of data security, in particular to an abnormal behavior detection method, device, system and computer-readable storage medium. Background technique [0002] In recent years, data security has gradually risen to the level of national security, and many industries such as mobile communications, telecommunications, power grids, real estate, big data centers, education and other institutions or departments have emerged urgent needs for big data security protection. However, the complexity of the Internet topology, the concealment of network attacks, the diversity of attack methods, the irregularity of hacker attacks, and the advancement of hacker technical capabilities have made the security environment increasingly tense. Therefore, targeted product technologies such as situational awareness and User Entity Behavior Analysis (UEBA) emerged as the times require. Looking at these emerging product technologies, the...

AI Technical Summary

Problems solved by technology

[0003] At this stage, abnormal user entity behavior detection is usually carried out using model training algorithms, and there are still deficiencies and areas to be improved, which are mainly reflected in the following aspects: 1) Failure to fully mine and extract features, and cannot make full use of multi-dimensional features; 2) Most abnormal behavior detection methods such as authentication (brute force cracking, abnormal time login, etc.), time series and other detection models use characteristics or rules are relatively simple; 3) more or less lack of consideration of data quality, even multi-dimensional The multi-rule anomaly detection model is not satisfactory and convincing in the processing of the original data input into the algorithm model; 4) the use is more complicated and the running speed is slow; 5) the accuracy of the detection results is not enough, or the results Accuracy regulation is not flexible enough

[0004] For the above-mentioned problems existing in the prior art, there is not yet an effective solution

Images