Entity behavior baseline analysis method, system and terminal equipment
1. A method for analyzing entity behavior baseline, which is characterized in that the method comprises the following steps:
step one: defining each feature set of entity behaviors;
step two: establishing a multi-dimensional feature matrix for the feature set in the period;
step three: mapping the multi-dimensional feature matrix into a plurality of two-dimensional feature matrices;
step four: constructing behavior baseline data for the data sets in a plurality of periods;
step five: constructing a behavior two-dimensional characteristic matrix to be detected;
step six: performing anomaly evaluation on the behavior feature data in the two-dimensional behavior feature matrix to be detected.
2. The entity behavior baseline analysis method of claim 1,
in step one, each dimension set comprises: the set G(T) = {t1, t2, t3, ..., tn} representing the feature set of an entity in the time dimension; the set G(S) = {s1, s2, s3, ..., sm} representing the feature set of an entity in the spatial dimension; and the set G(R) = {r1, r2, r3, ..., rk} representing the feature set of an entity in the relationship dimension.
3. The entity behavior baseline analysis method of claim 2,
in step two, the count of the data samples of the feature set within the period time D is taken as the feature value, and a multi-dimensional feature matrix is established in the four feature dimensions of time, space, relation and quantity, wherein Ui is entity i, the count feature value is the number of behaviors matching the dimension features t, s, r within the period time D, and v is the number of columns of the generated feature matrix data.
4. The entity behavior baseline analysis method of claim 3,
in step three, based on the multi-dimensional feature matrix, each dimension feature matrix is mapped respectively to generate a plurality of two-dimensional feature matrices;
these include Ui(T,S), a two-dimensional feature matrix of user or entity behavior in the time dimension and the space dimension, whose count C is the number of behaviors matching the dimension features t and s;
Ui(T,R), a two-dimensional feature matrix of user or entity behavior in the time dimension and the relationship dimension, whose count C is the number of behaviors matching the dimension features t and r;
and Ui(R,S), a two-dimensional feature matrix of user or entity behavior in the relationship dimension and the space dimension, whose count C is the number of behaviors matching the dimension features r and s.
5. The entity behavior baseline analysis method of claim 4,
in step four, for the two-dimensional matrix data Ui(T,S), Ui(T,R), Ui(R,S) of a plurality of periods D, the average value of C in each matrix is calculated respectively;
this yields an average feature matrix of user or entity behavior in the time dimension and the space dimension, whose entries are the average count of the behaviors matching the dimension features t and s;
an average feature matrix of user or entity behavior in the time dimension and the relationship dimension, whose entries are the average count of the behaviors matching the dimension features t and r;
and an average feature matrix of user or entity behavior in the relationship dimension and the space dimension, whose entries are the average count of the behaviors matching the dimension features r and s.
6. The entity behavior baseline analysis method of claim 5,
in step five, a feature matrix is established in the three dimensions of time, space and relation for the behaviors in the period Dx to be detected;
it is mapped in each dimension respectively to form a plurality of two-dimensional feature matrices, including
7. The entity behavior baseline analysis method of claim 6,
in step six, the c values corresponding to each feature matrix of step four are aligned with the c values corresponding to the feature baseline matrices of step three, and the matrix of the feature deviation p is calculated for each using a variance formula to obtain
For each matrix, the p values are summed using the formula P = Σ p(i, j) to obtain a one-dimensional deviation matrix
For SPi(T, S, R), a set of weights is preset to represent the weights of the offsets in the different dimensions, and a formula is applied to obtain the final entity behavior anomaly score Si; an entity whose Si is greater than or equal to ω is judged to have abnormal behavior, and the time, space and relation features of the corresponding abnormal point are located at the points with the larger p values.
8. An entity behavior baseline analysis system, comprising: the system comprises a definition module, a matrix configuration module, a mapping module, a construction behavior module and an evaluation module;
the definition module is used for defining each characteristic set of the entity behavior;
the matrix configuration module is used for establishing a multi-dimensional characteristic matrix for the characteristic set in the period;
the mapping module is used for mapping the multi-dimensional feature matrix into a plurality of two-dimensional feature matrices;
the behavior establishing module is used for establishing behavior baseline data for the data sets in multiple periods and establishing a two-dimensional characteristic matrix of the behavior to be detected;
the evaluation module is used for performing anomaly evaluation on the behavior feature data in the two-dimensional behavior feature matrix to be detected.
9. A terminal device for implementing an entity behavior baseline analysis method, characterized in that it comprises:
a memory for storing a computer program and the entity behavior baseline analysis method; and
a processor for executing the computer program and the entity behavior baseline analysis method to realize the steps of the entity behavior baseline analysis method according to any one of claims 1 to 7.
Background
With the rapid development of network security technology, entity behavior analysis systems aimed at various internal security risks have come into wide use. How to identify abnormal user or device behavior within a large volume of user behavior data has become the focus of research for behavior analysis systems.
At present, entity abnormal behavior analysis generally establishes a baseline of entity behavior and identifies abnormal entity behavior by calculating the deviation of the behavior data from the baseline data. The behavior baseline features of a single dimension often cannot truly reflect whether entity behavior is abnormal, and when the baseline of behavior scenario features is strictly matched, the data becomes too sensitive, so missed reports and false reports occur frequently.
Disclosure of Invention
The invention aims to provide a method for establishing a multi-dimensional entity behavior baseline and analyzing anomalies, which solves the problem that the traditional behavior baseline has low analysis accuracy. The method establishes a plurality of behavior feature baselines in the time, space, relation, quantity and other dimensions of entity behavior, and establishes a scoring strategy over the deviation rates of the plurality of baselines, so that abnormal entity behavior is detected more accurately.
The entity behavior baseline analysis method comprises the following steps:
step one: defining each feature set of entity behaviors;
step two: establishing a multi-dimensional feature matrix for the feature set in the period;
step three: mapping the multi-dimensional feature matrix into a plurality of two-dimensional feature matrices;
step four: constructing behavior baseline data for the data sets in a plurality of periods;
step five: constructing a behavior two-dimensional characteristic matrix to be detected;
step six: performing anomaly evaluation on the behavior feature data in the two-dimensional behavior feature matrix to be detected.
The invention also provides an entity behavior baseline analysis system, comprising: the system comprises a definition module, a matrix configuration module, a mapping module, a construction behavior module and an evaluation module;
the definition module is used for defining each characteristic set of the entity behavior;
the matrix configuration module is used for establishing a multi-dimensional characteristic matrix for the characteristic set in the period;
the mapping module is used for mapping the multi-dimensional feature matrix into a plurality of two-dimensional feature matrices;
the behavior establishing module is used for establishing behavior baseline data for the data sets in multiple periods and establishing a two-dimensional characteristic matrix of the behavior to be detected;
the evaluation module is used for performing anomaly evaluation on the behavior feature data in the two-dimensional behavior feature matrix to be detected.
The invention also provides a terminal device for realizing the entity behavior baseline analysis method, characterized in that it comprises:
a memory for storing a computer program and the entity behavior baseline analysis method; and
a processor for executing the computer program and the entity behavior baseline analysis method so as to realize the steps of the entity behavior baseline analysis method.
According to the technical scheme, the invention has the following advantages:
in the system provided by the invention, a plurality of two-dimensional characteristic matrixes are established based on different characteristic dimensions of the entity behaviors under a plurality of dimensional visual angles, and the abnormal conditions of the entity behaviors are measured in many aspects by taking the behavior counts with the same characteristics as measuring indexes.
In use, the feature matrices are constructed by combining features two dimensions at a time. This avoids the problem that fully combining all multi-dimensional features yields feature values that are too small, so that a large number of behavior features easily appear to deviate, and it also avoids the heavy computation caused by an excessive number of multi-dimensional feature combinations.
In the using process, different behavior offset evaluation weights can be set according to the static characteristics of roles, authorities and the like of the entities so as to adapt to the sensitivity of abnormal behaviors of different entities.
Drawings
In order to more clearly illustrate the technical solution of the present invention, the drawings used in the description will be briefly introduced, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained based on these drawings without creative efforts.
FIG. 1 is a flow chart of a multi-dimensional perspective-based entity behavior baseline analysis method.
FIG. 2 is a diagram of a multi-dimensional view-based entity behavior baseline analysis system.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to fig. 1 in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the multi-dimensional perspective-based entity behavior baseline analysis method provided by the present invention, those skilled in the art can appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination thereof, and in order to clearly illustrate the interchangeability of hardware and software, the components and steps of the examples have been described generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the entity behavior baseline analysis method based on multi-dimensional visual angle provided by the invention, the block diagrams shown in fig. 1 and 2 are only functional entities and do not necessarily correspond to physically independent entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
In the multi-dimensional perspective-based entity behavior baseline analysis method provided by the invention, it should be understood that the disclosed system, apparatus and method can be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may also be an electric, mechanical or other form of connection.
Furthermore, in the multi-dimensional perspective-based entity behavior baseline analysis methods provided by the present disclosure, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize, however, that the invention may be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, devices, implementations or operations have not been shown or described in detail to avoid obscuring aspects of the invention.
The entity behavior baseline analysis method based on the multi-dimensional visual angle provided by the invention comprises the following steps:
s101: defining each characteristic set of entity behaviors;
wherein each dimension set comprises: the set G(T) = {t1, t2, t3, ..., tn} representing the feature set of an entity in the time dimension; the set G(S) = {s1, s2, s3, ..., sm} representing the feature set of an entity in the spatial dimension; and the set G(R) = {r1, r2, r3, ..., rk} representing the feature set of an entity in the relationship dimension.
S102: establishing a multi-dimensional feature matrix for the feature set in the period;
in this embodiment, the count of the data samples of the feature set within the period time D is taken as the feature value, and a multi-dimensional feature matrix is established in the four feature dimensions of time, space, relationship and quantity, wherein Ui is entity i, the count feature value is the number of behaviors matching the dimension features t, s, r within the period time D, and v is the number of columns of the generated feature matrix data.
S103: mapping the multi-dimensional feature matrix into a plurality of two-dimensional feature matrices;
based on the multi-dimensional feature matrix, each dimension feature matrix is mapped respectively to generate a plurality of two-dimensional feature matrices;
these include Ui(T,S), a two-dimensional feature matrix of user or entity behavior in the time dimension and the space dimension, whose count C is the number of behaviors matching the dimension features t and s;
Ui(T,R), a two-dimensional feature matrix of user or entity behavior in the time dimension and the relationship dimension, whose count C is the number of behaviors matching the dimension features t and r;
and Ui(R,S), a two-dimensional feature matrix of user or entity behavior in the relationship dimension and the space dimension, whose count C is the number of behaviors matching the dimension features r and s.
S104: constructing behavior baseline data for the data sets in a plurality of periods;
for the two-dimensional matrix data Ui(T,S), Ui(T,R), Ui(R,S) of a plurality of periods D, the average value of C in each matrix is calculated respectively;
this yields an average feature matrix of user or entity behavior in the time dimension and the space dimension, whose entries are the average count of the behaviors matching the dimension features t and s;
an average feature matrix of user or entity behavior in the time dimension and the relationship dimension, whose entries are the average count of the behaviors matching the dimension features t and r;
and an average feature matrix of user or entity behavior in the relationship dimension and the space dimension, whose entries are the average count of the behaviors matching the dimension features r and s.
S105: constructing a behavior two-dimensional characteristic matrix to be detected;
a feature matrix is established in the three dimensions of time, space and relation for the behaviors in the period Dx to be detected;
it is mapped in each dimension respectively to form a plurality of two-dimensional feature matrices, including
S106: and performing abnormity evaluation on the behavior characteristic data in the behavior two-dimensional characteristic matrix to be detected.
In this embodiment, the c values corresponding to each feature matrix of step four are aligned with the c values corresponding to the feature baseline matrices of step three, and the matrix of the feature deviation p is calculated for each using a variance formula to obtain
For each matrix, the p values are summed using the formula P = Σ p(i, j) to obtain a one-dimensional deviation matrix
For SPi(T, S, R), a set of weights is preset to represent the weights of the offsets in the different dimensions, and a formula is applied to obtain the final entity behavior anomaly score Si; an entity whose Si is greater than or equal to ω is judged to have abnormal behavior, and the time, space and relation features of the corresponding abnormal point are located at the points with the larger p values.
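The pipeline of steps two to six, as an added illustration written for this page rather than code from the patent: the sample events, the choice of summing over the third dimension as the "mapping" to 2-D matrices, the squared difference as the "variance formula", and the weights and threshold ω are all assumptions, since the patent does not fix them.

```python
from collections import Counter

# Constructed sample data (not from the patent): each event of one entity is
# (time slot, location, peer), i.e. one (t, s, r) feature combination.
BASELINE_PERIODS = [  # three earlier periods D used to build the baseline
    [("night", "hq", "fileserver")] * 1 + [("day", "hq", "fileserver")] * 10 + [("day", "hq", "mail")] * 5,
    [("night", "hq", "fileserver")] * 1 + [("day", "hq", "fileserver")] * 12 + [("day", "hq", "mail")] * 4,
    [("night", "hq", "fileserver")] * 1 + [("day", "hq", "fileserver")] * 11 + [("day", "hq", "mail")] * 6,
]
NORMAL_PERIOD = [("night", "hq", "fileserver")] * 1 + [("day", "hq", "fileserver")] * 11 + [("day", "hq", "mail")] * 5
ANOMALOUS_PERIOD = [("night", "vpn", "fileserver")] * 9 + [("day", "hq", "mail")] * 5  # period Dx

# Which positions of (t, s, r) each 2-D projection keeps: U(T,S), U(T,R), U(R,S).
PAIRS = {"TS": (0, 1), "TR": (0, 2), "RS": (2, 1)}
WEIGHTS = {"TS": 0.5, "TR": 0.25, "RS": 0.25}  # assumed per-dimension weights (could vary by role)
OMEGA = 50.0                                   # assumed anomaly threshold


def feature_matrix(events):
    """Step two: count behaviours per (t, s, r) combination within one period."""
    return Counter(events)


def project(u, pair):
    """Step three: map the (t, s, r) counts onto one 2-D matrix by summing over the
    dimension not in the pair (assumed interpretation of the patent's 'mapping')."""
    a, b = PAIRS[pair]
    m = Counter()
    for key, c in u.items():
        m[(key[a], key[b])] += c
    return m


def baseline(period_matrices):
    """Step four: average count C per cell over the periods; a cell absent from a
    period contributes zero for that period."""
    cells = set().union(*period_matrices)
    n = len(period_matrices)
    return {cell: sum(m.get(cell, 0) for m in period_matrices) / n for cell in cells}


def deviation(test_m, base_m):
    """Step six, part one: deviation p per cell. The patent only says 'a variance
    formula', so the squared difference from the baseline mean is assumed."""
    cells = set(test_m) | set(base_m)
    return {cell: (test_m.get(cell, 0) - base_m.get(cell, 0)) ** 2 for cell in cells}


def score(baseline_periods, test_period, weights, omega):
    """Steps four to six end to end for one entity.
    Returns (S_i, abnormal flag, P per projection, cell with the largest p per projection)."""
    bases = {p: baseline([project(feature_matrix(ev), p) for ev in baseline_periods]) for p in PAIRS}
    test = {p: project(feature_matrix(test_period), p) for p in PAIRS}
    devs = {p: deviation(test[p], bases[p]) for p in PAIRS}
    big_p = {p: sum(devs[p].values()) for p in PAIRS}        # P = sum of p(i, j)
    s_i = sum(weights[p] * big_p[p] for p in PAIRS)          # weighted anomaly score S_i
    top = {p: max(devs[p], key=devs[p].get) for p in PAIRS}  # localise the largest p
    return s_i, s_i >= omega, big_p, top


if __name__ == "__main__":
    for name, period in (("normal", NORMAL_PERIOD), ("anomalous", ANOMALOUS_PERIOD)):
        s_i, abnormal, big_p, top = score(BASELINE_PERIODS, period, WEIGHTS, OMEGA)
        print(f"{name}: S_i={s_i} abnormal={abnormal} P={big_p} hot cells={top}")
```

The normal period scores 0 against the baseline, while the anomalous period is flagged and its largest deviations point at the vanished daytime file-server activity and the new night-time VPN access.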
Therefore, the method solves the problem that the traditional behavior baseline analysis is low in accuracy. The method comprises the steps of establishing a plurality of behavior characteristic baselines in time, space, relation, quantity and other dimensions of entity behaviors, and establishing a grading strategy for deviation rates of the plurality of baselines, so that the entity abnormal behaviors are detected more accurately.
Based on the method, the invention also provides an entity behavior baseline analysis system, which comprises: a definition module 1, a matrix configuration module 2, a mapping module 3, a behavior construction module 4 and an evaluation module 5;
the definition module 1 is used for defining each characteristic set of entity behaviors;
the matrix configuration module 2 is used for establishing a multi-dimensional feature matrix for the feature set in the period;
the mapping module 3 is used for mapping the multi-dimensional feature matrix into a plurality of two-dimensional feature matrices;
the behavior establishing module 4 is used for establishing behavior baseline data for the data sets in multiple periods and establishing a two-dimensional characteristic matrix of the behavior to be detected;
the evaluation module 5 is configured to perform anomaly evaluation on the behavior feature data in the two-dimensional behavior feature matrix to be detected.
In the system provided by the invention, a plurality of two-dimensional characteristic matrixes are established based on different characteristic dimensions of the entity behaviors under a plurality of dimensional visual angles, and the abnormal conditions of the entity behaviors are measured in many aspects by taking the behavior counts with the same characteristics as measuring indexes.
In use, the feature matrices are constructed by combining features two dimensions at a time. This avoids the problem that fully combining all multi-dimensional features yields feature values that are too small, so that a large number of behavior features easily appear to deviate, and it also avoids the heavy computation caused by an excessive number of multi-dimensional feature combinations.
In the using process, different behavior offset evaluation weights can be set according to the static characteristics of roles, authorities and the like of the entities so as to adapt to the sensitivity of abnormal behaviors of different entities.
The entity behavior baseline analysis system provided by the present invention is the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein, which can be implemented in electronic hardware, computer software, or combinations of both, the components and steps of the examples having been described generally in terms of their functionality in the foregoing description for clarity of explanation of the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The entity behavior baseline analysis system provided by the present invention may write program code for performing the operations of the present disclosure in any combination of one or more programming languages, including an object oriented programming language such as Java, C++, or the like, as well as conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.