A terminal data access anomaly discovery method
By constructing a robust random partitioning forest model and optimization strategy, anomalies in terminal data access are identified, solving the problem of anomaly identification in cross-domain access scenarios of user terminal data and improving the security of the power grid system.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- STATE GRID FUJIAN ELECTRIC POWER CO LTD
- Filing Date
- 2023-12-11
- Publication Date
- 2026-07-10
AI Technical Summary
Existing technologies struggle to effectively identify abnormal behavior in scenarios involving cross-domain access to user terminal data, especially when business activities are frequent and data volumes are large, making it difficult to effectively protect the security of the power grid system.
By collecting terminal access behavior data, a robust random segmentation forest training model is constructed after data preprocessing. The model parameters are set and trained to optimize the model to identify abnormal behavior. Combined with anomaly scoring and label management, anomaly detection is achieved.
In complex user terminal scenarios, it can effectively identify abnormal behavior, improve the anomaly detection rate, protect the safe operation of the power grid system, and at the same time, not affect normal operation.
Smart Images

Figure CN117708736B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to a method for detecting abnormal terminal data access, belonging to the field of data security. Background Technology
[0002] In the power system, the main function of the power grid is to distribute and transmit electrical energy. Power industry terminals play a crucial role in the process of power informatization. On the other hand, while data creates value through flow and sharing, it also faces significant risks of leakage. The demand for data flow, sharing, and collaborative analysis among multiple entities is increasing dramatically, further lengthening the data protection chain and highlighting the risks of leakage of critical power business data and user privacy data.
[0003] Currently, smart grid systems contain numerous complex terminal devices. The purpose of system control and grid data acquisition is primarily to monitor these terminal devices in real time, enabling professionals to understand the grid's operational status and take timely preventative or remedial measures when anomalies are detected. Power terminal devices include feeder terminal units (FTUs) and remote terminal units (RTUs). RTUs, embedded systems within the grid structure, refer to various remotely operated devices located around substations. They can communicate with the master station, respond to requests, and collect power parameters from electrical devices. By constructing a security assessment model for power terminal devices, including evaluation standards for terminal applications, systems, and networks, the accuracy and standardization of power terminal data can be further improved. Simultaneously, through security assessments and quantitative analysis of power terminals, the rationality and scientific nature of grid resource allocation can be enhanced, thereby protecting the safe operation of the grid system. As we know from information security knowledge, the more complex the system structure, the more severe the security protection problems it faces. Therefore, the state attaches great importance to grid security issues, conducting targeted research on attacks against the grid and designing targeted defense models. However, existing solutions and technologies are still insufficient to cope with unknown attacks. The terminal side faces significant data security risks.
[0004] To address the current problems, invention patent publication number "CN 111600880 A" discloses a method for detecting abnormal access behavior. The specific scheme is as follows: "Record a set of access relationships of terminal access behavior; input the access behavior features of the access relationship set into an access detection model; the access detection model is a model trained on access behavior features from the terminal's historical access data; determine whether the access behavior in the access relationship set is abnormal based on the output of the access detection model." This existing technology can significantly improve terminal security and enhance terminal security performance. However, the problem with this existing technology is that current cross-domain access scenarios for user terminal data are complex, and for scenarios with frequent terminal business activities and large amounts of terminal business data, there is a lack of effective identification of abnormal user terminal behavior risks.
[0005] Therefore, this invention proposes a method for detecting abnormal terminal data access, which considers and comprehensively utilizes information from multiple aspects such as data content, operation mode, and user behavior. This method can identify abnormal terminals without affecting their normal operation, thereby improving the effective identification rate of abnormal user terminal behavior risks and protecting the safe operation of the power grid system to a certain extent. Summary of the Invention
[0006] To address the problems existing in the prior art, this invention proposes a method for detecting abnormal terminal data access.
[0007] The technical solution of the present invention is as follows:
[0008] This invention provides a method for detecting abnormal terminal data access, comprising the following steps:
[0009] Collect terminal data access behavior data to obtain the raw dataset; perform data preprocessing on the raw dataset to establish time series samples of terminal data access behavior; calculate the anomaly score of each sample point in the entire time series sample; set a threshold and use the threshold to determine whether the sample points in the entire time series sample are abnormal; construct an abnormal behavior feature library based on the abnormal behavior characteristics of the abnormal time series samples; add abnormal behavior feature labels to form a time series sample set.
[0010] A robust random segmentation forest training model was constructed and its parameters were set. The robust random segmentation forest training model was trained using a time series sample set to obtain a trained first terminal data access behavior anomaly detection model.
[0011] The abnormal data access behavior detection model of the first terminal is optimized. The optimization includes recommending candidate tags and optimizing the model based on the update strategy, resulting in the optimized abnormal data access behavior detection model of the second terminal.
[0012] The target terminal data access behavior data is acquired, and after data preprocessing, it is input into the second terminal data access behavior anomaly detection model to determine whether there is any behavior anomaly.
[0013] Preferably, the step of collecting terminal data access behavior data specifically includes:
[0014] By collecting access behaviors of different terminals to different data at different time points, a raw dataset of data access behaviors of different terminals is obtained. The access behaviors of different data include file access, network access, and memory access. The raw dataset includes the target user's access records, operation logs, and data content. The operation logs include system logs, application logs, network logs, user feedback, and survey data.
[0015] Preferably, the data preprocessing steps include data cleaning, data quantification, and data normalization;
[0016] The data cleaning method specifically involves: sorting the original dataset and deleting invalid operations from the original dataset; the data numeration method specifically involves: digitizing discontinuous numbers or text during the processing of the original dataset based on a single valid code; and the data normalization method specifically involves: normalizing the data in the original dataset based on the attribute values of the data.
[0017] Preferably, the step of determining whether sample points in the entire time series sample are abnormal is as follows:
[0018] The parameters of the robust random partitioning forest model are set, and outlier detection is performed on each sample point of the preprocessed time series sample to obtain the outlier score of each sample point in the entire time series sample. The outlier score of each sample point is subjected to threshold test to determine the outlier score threshold for abnormal values of terminal data access behavior. Based on this threshold, the information of abnormal time series samples is obtained by filtering.
[0019] Preferably, the step of recommending candidate tags is as follows:
[0020] The time series sample set is sorted according to anomaly scores, and consecutive sample points with anomaly scores greater than anomaly score thresholds are identified as anomaly segments. Anomaly segments at different locations are then selected based on an active learning strategy. Specifically, this includes:
[0021] Based on the overall anomaly score of the anomaly fragments, select the n1 anomaly fragments with the highest overall anomaly score and recommend them to the tag administrator;
[0022] And select n2 abnormal segments with overall abnormal scores near the threshold to recommend to the tag administrator;
[0023] And based on the overall anomaly score, the abnormal segments are divided into several groups, and n3 abnormal segments from each group are selected and recommended to the tag administrator;
[0024] Tag administrators add appropriate tags to abnormal segments recommended by the proactive learning strategy.
[0025] Preferably, the model optimization steps based on the update strategy are as follows:
[0026] The tree is selectively updated based on the degree of anomaly of the time series samples. There are two types of data points in the time series samples. The model covers extreme features by updating the two types of data points. The two types of data points include the first anomaly point in a continuous anomaly segment and points that are judged as normal points in a certain dimension but are actually anomalies. If the two types of data points have not appeared for a long time, normal points are used to update the tree at a low frequency.
[0027] On the other hand, the present invention also provides an electronic device having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the terminal data access anomaly detection technology method as described in any embodiment of the present invention.
[0028] In another aspect, the present invention also provides a computer-readable medium for storing one or more programs, which, when executed by one or more processors, cause the one or more processors to implement the terminal data access anomaly detection technology method as described in any embodiment of the present invention.
[0029] The present invention has the following beneficial effects:
[0030] 1. This invention can effectively identify abnormal user terminal behavior even in complex cross-domain data access scenarios. For scenarios with frequent terminal business behavior and large amounts of terminal business data, this solution considers and comprehensively utilizes multiple aspects of information such as data content, operation methods, and user behavior, which can not only identify abnormal terminals, but also not affect the normal operation of the terminals.
[0031] 2. The RRCF algorithm of this invention introduces several mechanisms to improve robustness to outliers, enabling the algorithm to better identify genuine anomalies even in the presence of a large number of outliers or noise. Mean correction is used to mitigate the impact of noise on anomaly detection. The interference of outliers on the overall algorithm is reduced by correcting the mean of tree nodes. Dynamic Gaussian scaling is introduced, allowing the algorithm to adaptively adjust the weights of outliers. This scaling mechanism helps to better distinguish between normal and outlier values. The scoring mechanism for outliers is improved, making the generated anomaly scores easier to interpret.
[0032] 3. This invention optimizes the terminal data access behavior anomaly detection model based on manual labeling; such as... Figure 2 As shown in the flowchart of the anomaly detection process, candidate labels are recommended through active learning methods, and a selective tree update strategy is established to optimize the model. After the model training phase, anomaly scores are provided for each point, including historical points and incoming online data points. Intuitively, merging some labels into the unsupervised learning model can significantly improve performance. Labels can guide the model to accurately understand anomalies. Merging some labels into the training model can optimize and obtain better detection performance. 4. Description of the attached drawings
[0033] Figure 1 This is a framework diagram of the terminal data access anomaly detection method that integrates data content, operation, and behavior according to the present invention.
[0034] Figure 2 This is a flowchart of the terminal data access anomaly detection method that integrates data content, operation, and behavior according to the present invention.
[0035] Figure 3 This is a schematic diagram of the robust random partitioning tree of the present invention. Detailed Implementation
[0036] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0037] It should be understood that the step numbers used in the text are for ease of description only and are not intended to limit the order in which the steps are performed.
[0038] It should be understood that the terminology used in this specification is for the purpose of describing particular embodiments only and is not intended to limit the invention. As used in this specification and the appended claims, the singular forms “a,” “an,” and “the” are intended to include the plural forms unless the context clearly indicates otherwise.
[0039] The terms “comprising” and “including” indicate the presence of the described feature, whole, step, operation, element and / or component, but do not exclude the presence or addition of one or more other features, wholes, steps, operations, elements, components and / or collections thereof.
[0040] The term “and / or” refers to any combination of one or more of the associated listed items, as well as all possible combinations, and includes these combinations.
[0041] Example 1:
[0042] See Figure 1-3 This embodiment provides a method for detecting abnormal terminal data access;
[0043] The specific steps of this method are as follows:
[0044] S1. Collect terminal data access behavior data to obtain the raw dataset; perform data preprocessing on the raw dataset, establish time series samples of terminal data access behavior, calculate the abnormal score of each sample point in the entire time series sample, set a threshold and use the threshold to determine whether the sample points in the entire time series sample are abnormal, construct an abnormal behavior feature library based on the abnormal behavior characteristics of the abnormal time series samples; add abnormal behavior feature labels to form a time series sample set.
[0045] S2. Construct a robust random segmentation forest training model and set the model parameters. Use a time series sample set to train the robust random segmentation forest training model to obtain the trained first terminal data access behavior anomaly detection model.
[0046] S3. Optimize the abnormal data access behavior detection model of the first terminal. The optimization includes recommending candidate tags and optimizing the model based on the update strategy to obtain the optimized abnormal data access behavior detection model of the second terminal.
[0047] S4. Obtain target terminal data access behavior data, perform data preprocessing on the target terminal data access behavior data, and input it into the second terminal data access behavior anomaly detection model to determine whether there is any behavior anomaly.
[0048] In a preferred embodiment of this example, in steps S1 and S2, a pre-trained model for detecting anomalies in terminal data access behavior based on a robust random segmentation forest is established. A time-series sample of terminal data access behavior is created, an anomaly score for each time-series sample is calculated, and a threshold is used to determine whether a sample is abnormal. Figure 2 As shown in the flowchart of the training model, this step first collects terminal data access behavior data to obtain the raw dataset of different terminal data access behaviors. The terminal data access behavior data includes user access records, operation logs, and data content, etc.; then, the terminal data access behaviors are preprocessed; finally, based on the abnormal behavior characteristics of abnormal time series samples, an abnormal behavior feature library is constructed, and a robust random segmentation tree training model is established. The specific process of this step is as follows:
[0049] Collect terminal data access behavior data. Collect access behaviors of different terminals to different data at different time points, including file access, network access, memory access, etc., to obtain a raw dataset of different terminal data access behaviors. Specific data collection includes: System logs, which record the operation of the system and applications generated by the terminal devices; these logs contain user login information, file operation records, network activity, etc.; by analyzing system logs, basic user behavior on the terminal device can be obtained. Application logs, which record various user operations in the application, including opening, saving, and editing files, as well as other application-specific operations. Network logs, which collect network activity logs on the terminal devices, including user network access, data transmission, etc. User feedback and surveys, which collect user feedback and survey data to understand their evaluation, needs, and expectations of the terminal device usage experience, providing a more comprehensive perspective.
[0050] Preprocessing of terminal data access behavior data. Based on the data collected from the terminal devices mentioned above, the robust random segmentation tree accepts numerical values as input. Therefore, the anomaly detection data used for training needs to be preprocessed. The preprocessing process includes: data cleaning, data quantification, and data normalization, ultimately forming the input data. The specific preprocessing process is as follows: Data cleaning: This involves ensuring the consistency of the training data, detecting and removing duplicate records to avoid bias towards the model, detecting and handling missing values, identifying and handling outliers that are significantly different from other values in the dataset, and sorting the data to facilitate later training. This includes removing invalid user actions. Data quantification: "One-Hot Encoding" is used to digitize discontinuous numbers or text during data processing, converting categorical variables into a form easily used by machine learning algorithms. One-Hot Encoding is a method for converting categorical variables into numerical variables. It maps each category to a binary code, where each category is represented by a unique binary bit. For a categorical variable with N distinct categories, a single valid code will generate an N-bit binary code, where only one bit is 1 and the rest are 0. Data normalization is crucial in machine learning for classification problems. The categories of data records are typically determined by the "distance" between attribute values (probabilistic distance or norm distance). Larger attribute values have a greater impact on the distance calculation results. Therefore, to avoid the influence of differences in attribute metrics on classification, attribute values X need to be normalized. i Normalization is performed according to the standard deviation rule. The transformation formula is:
[0051]
[0052] This linear processing can unify the data of each dimension to the range of [0,1] without changing the probability distribution characteristics of the original data. After preprocessing, it forms training data that can be input and establishes a robust random split tree training model.
[0053] Establish a robust random split tree training model. Robust random split trees are anomaly detection models that can better handle high-dimensional and streaming data, showing significant advantages in anomaly detection for time series data. The robust random split tree algorithm details the specific steps and operations used to construct the robust random split tree model. Based on a set of robust random split trees (RRCTs), it constructs an effective binary tree to split time series samples, transforming the description of anomalies into quantifying the path length of leaf nodes within the tree.
[0054] RRCT is a sample set of terminal access data corresponding to all nodes of a tree, where each non-leaf node corresponds to one sample set. A diagram of RRCT is shown below. Figure 2 As shown. The RRCF algorithm creates a Robust Random Cut Tree (RRCT) from the point set S by iteratively partitioning it until each point is isolated within its own bounding box; a random dimension is chosen for each iteration of the tree construction process by selecting a dimension proportional to its minimum and maximum values. A random value is chosen between the minimum and the highest valid value of this dimension. A new leaf node is generated for x, and if the partition separates point x from the rest of the point set, the point is deleted from the point set. The process is performed recursively for each subset.
[0055] The specific steps for generating an RRCT tree include: selecting a... Proportional random dimension, where l i =max x∈ S x i -min x∈S x i Select X i ~Conforms to [min x∈S x i max x∈S x i Let S1 = {x | x ∈ S, x i ≤X i} and S2 = S\S1, and recursively apply the formulas to S1 and S2.
[0056] In RRCF (Recursive Response Code for Outliers), outliers are more likely to be found closer to the bottom of the tree. The concatenation shift of a point is used to determine if it is an outlier. If adding a new point increases the bit depth of the model, it is more likely to be an outlier. By setting the parameters of the RRCF outlier detection algorithm, outlier detection is performed on preprocessed time series samples, and an outlier score is obtained for each time series sample.
[0057] Subsequently, a threshold test was performed on the anomaly scores of the time series samples to determine the anomaly score threshold for abnormal values of terminal data access behavior. Information on anomaly time series samples was then filtered based on this threshold. Furthermore, certain optimization measures were implemented on the parameters during the model training phase. Specific measures are as follows:
[0058] Feature representation: The original RRCF uses the most recent historical points as features, making it difficult to obtain time-related features of the data (such as periodicity, trend changes, etc.). Common time series features were selected as the candidate set, such as median, standard deviation, difference from previous points, difference from the previous point, and third exponential mean. These features cover general time series characteristics and are easy to compute. Since different terminal data access behaviors typically have different statistical characteristics, these features may not be suitable or applicable to every terminal. Therefore, a set of statistical indicators was designed, and values were calculated for each terminal's data access behavior. Based on this set of indicators, it was then determined which features are suitable for the current terminal data access behavior.
[0059] In node splitting size selection, the original RRCF algorithm, after extracting multidimensional features from the training set, randomly selects dimensions and splits them to construct multiple decision trees. By selecting more discriminative features, fewer layers are needed to distinguish all samples. If less discriminative features are selected, the tree level is higher. This difference becomes more pronounced when the number of samples is large. The original RRCF algorithm tends to choose features with larger ranges as the splitting criteria; however, such selection does not accurately reflect the discriminative power of the features. Sequences exhibiting periodic features often have larger ranges than sequences with stable patterns. Some features may have large ranges, but normal data is uniformly distributed. Some features have smaller ranges, but outliers and normal points are clearly clustered separately; selecting these features can more directly distinguish outliers.
[0060] For node cutting threshold selection, the original RRCF randomly selects a value between the maximum and minimum feature values as the cutting threshold. For features with high discriminative power, their data often exhibits an aggregated distribution, thus sparse cutting yields significantly better results than dense cutting. Therefore, after selecting the cutting dimension, we specifically focus on the data distribution along that dimension and increase the cutting probability in sparse distributions.
[0061] In RRCF, each sample falls into a leaf node of the tree. The original RRCF forest calculates an anomaly score for each sample to characterize the degree of anomaly. The node depth is taken into account, which can reflect the probability of anomaly from another perspective.
[0062] In a preferred embodiment of this practice, step S3 involves optimizing the terminal data access behavior anomaly detection model based on manually labeled data. After the model training phase, an anomaly score is provided for each point, including historical points and incoming online data points. Intuitively, incorporating some labels into the unsupervised learning model can significantly improve performance, as labels can guide the model to accurately understand what constitutes an anomaly. Therefore, to enhance the method, some labels are incorporated into the training model to optimize for better detection performance. The optimization measures during the testing phase are as follows:
[0063] To collect user feedback and improve tagging efficiency, an active learning method is proposed for candidate tag recommendation. This method recommends anomalous segments that can improve model optimization efficiency to administrators. The training set is sorted based on anomaly scores, and anomalous segments at different positions are selected according to different strategies. Anomalies in time series samples usually appear in the form of consecutive time periods. Therefore, instead of asking administrators to report single points, consecutive anomalous points are recommended as anomalous segments. Currently, the main recommendation strategies used in the field of active learning are as follows:
[0064] Selecting the 30 most anomalous segments and obtaining such labels can further confirm obvious anomalies and eliminate false alarms.
[0065] Selecting 30 of the most uncertain anomalous segments, anomaly detection in time series analysis is essentially a binary classification problem. Obtaining such labels can further improve the boundaries of the classification results and increase the accuracy of identifying ambiguous anomalies.
[0066] The data was divided into 10 groups based on anomaly scores, with 3 anomalous segments selected from each group with moderate probability. Obtaining such labels captures the operator's preference for different levels of anomaly generated by the algorithm, thus helping to determine which group is more likely to be the boundary between anomalous and normal situations.
[0067] Model optimization based on update strategies involves the original RRCF maintaining a dynamic set of trees based on real-time data. When a new data point arrives, RRCF performs an insertion process and updates each tree in the model using that data point. This process generates additional computation, thus slowing down the detection process. Considering that the number of anomalies is relatively small in reality, trees can be selectively updated based on the degree of anomaly in the data. To ensure that the model can promptly cover changes in extreme features, two types of data points need to be updated: the first anomaly point in a continuous anomaly segment, and points that are judged as normal but extremely anomalous in a specific dimension. These two types of points are collectively referred to as extremes. In addition, to obtain the slow changing trends of some special curves, the model is also updated with normal points at a lower frequency when these two types of data points have not appeared for a long time.
[0068] Example 2:
[0069] This embodiment provides an electronic device that stores a computer program, which, when executed by a processor, implements a terminal data access anomaly detection method as described in any embodiment of the present invention.
[0070] Example 3:
[0071] This embodiment provides a computer-readable medium for storing one or more programs, which, when executed by one or more processors, cause the one or more processors to implement a terminal data access anomaly detection method as described in any embodiment of the present invention.
[0072] In this application embodiment, "at least one" refers to one or more, and "more than one" refers to two or more. "And / or" describes the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent the existence of A alone, A and B simultaneously, or B alone. A and B can be singular or plural. The character " / " generally indicates that the preceding and following related objects are in an "or" relationship. "At least one of the following" and similar expressions refer to any combination of these items, including any combination of singular or plural items. For example, at least one of a, b, and c can represent: a, b, c, a and b, a and c, b and c, or a and b and c, where a, b, and c can be single or multiple.
[0073] Those skilled in the art will recognize that the units and algorithm steps described in the embodiments disclosed herein can be implemented using electronic hardware, computer software, or a combination of electronic hardware and software. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.
[0074] Those skilled in the art will understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.
[0075] In the several embodiments provided in this application, any function, if implemented as a software functional unit and sold or used as an independent product, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, essentially, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0076] The above description is merely an embodiment of the present invention and does not limit the patent scope of the present invention. Any equivalent structural or procedural transformations made based on the content of the present invention's specification and drawings, or direct or indirect applications in other related technical fields, are similarly included within the patent protection scope of the present invention.
Claims
1. A method for detecting abnormal terminal data access, characterized in that, Includes the following steps: Collect terminal data access behavior data to obtain the raw dataset; perform data preprocessing on the raw dataset to establish time series samples of terminal data access behavior; calculate the anomaly score of each sample point in the entire time series sample; set a threshold and use the threshold to determine whether the sample points in the entire time series sample are abnormal; and construct an abnormal behavior feature library based on the abnormal behavior characteristics of the abnormal time series samples. Add abnormal behavior feature labels to form a time series sample set; A robust random segmentation forest training model was constructed and its parameters were set. The robust random segmentation forest training model was trained using a time series sample set to obtain a trained first terminal data access behavior anomaly detection model. The abnormal data access behavior detection model of the first terminal is optimized, including the recommendation of candidate tags and / or model optimization based on the update strategy, to obtain the optimized abnormal data access behavior detection model of the second terminal. The specific steps for recommending candidate tags are as follows: The time series sample set is sorted according to anomaly scores, and consecutive sample points with anomaly scores greater than anomaly score thresholds are identified as anomaly segments. Anomaly segments at different locations are then selected based on an active learning strategy. Specifically, this includes: Based on the overall anomaly score of the anomaly fragments, select the n1 anomaly fragments with the highest overall anomaly score and recommend them to the tag administrator; And select n2 abnormal segments with overall abnormal scores near the threshold to recommend to the tag administrator; And based on the overall anomaly score, the abnormal segments are divided into several groups, and n3 abnormal segments from each group are selected and recommended to the tag administrator; Tag administrators add appropriate tags to abnormal segments recommended by the proactive learning strategy; The specific steps of model optimization based on the update strategy are as follows: The tree is selectively updated based on the degree of anomaly of the time series samples. There are two types of data points in the time series samples. The model covers extreme features by updating the two types of data points. The two types of data points include the first anomaly point in a continuous anomaly segment and the point that is judged as normal in a certain dimension but is actually anomaly. If the two types of data points have not appeared for a long time, the normal points are used to update the tree at a low frequency. The target terminal data access behavior data is acquired, and after data preprocessing, it is input into the second terminal data access behavior anomaly detection model to determine whether there is any behavior anomaly.
2. The method for detecting abnormal terminal data access according to claim 1, characterized in that, The specific steps for collecting terminal data access behavior data are as follows: By collecting access behaviors of different terminals to different data at different time points, a raw dataset of data access behaviors of different terminals is obtained; the access behaviors of different data include file access, network access, or memory access; the raw dataset includes the target user's access records, operation logs, and data content; the operation logs include system logs, application logs, network logs, user feedback, and survey data.
3. The method for detecting abnormal terminal data access according to claim 1, characterized in that: The data preprocessing steps include data cleaning, data quantification, and data normalization; The data cleaning method specifically involves: sorting the original dataset and deleting invalid operations from the original dataset; the data numeration method specifically involves: digitizing discontinuous numbers or text during the processing of the original dataset based on a single valid code; and the data normalization method specifically involves: normalizing the data in the original dataset based on the attribute values of the data.
4. The method for detecting abnormal terminal data access according to claim 1, characterized in that, The specific steps for determining whether sample points in the entire time series sample are abnormal are as follows: The parameters of the robust random partitioning forest model are set, and outlier detection is performed on each sample point of the preprocessed time series sample to obtain the outlier score of each sample point in the entire time series sample. The outlier score of each sample point is subjected to threshold test to determine the outlier score threshold for abnormal values of terminal data access behavior. Based on this threshold, the information of abnormal time series samples is obtained by filtering.
5. A physical device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the program, it implements the terminal data access anomaly detection method as described in any one of claims 1 to 4.
6. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by the processor, it implements the terminal data access anomaly detection method as described in any one of claims 1 to 4.