CN118233180A - A method for identifying abnormal users based on behavior analysis and traffic detection - Google Patents

Abstract

The invention discloses an abnormal user identification method based on behavior analysis and flow detection. And secondly, in the operation process of the user, analyzing flow data and sensitive operation information generated when the user interacts with the server by utilizing an integrated learning model, and further intercepting abnormal operation performed by an illegal user after the illegal user logs in the system legally. The invention can rapidly complete detection without affecting the login experience of the user, continuously analyze abnormal behaviors in the use process of the user, and realize efficient abnormal user identification.

Description

A method for identifying abnormal users based on behavior analysis and traffic detection

Technical Field

The present invention relates to Internet user behavior recognition technology, and in particular to abnormal user recognition technology based on behavior analysis and traffic detection.

Background technique

With the popularization and widespread application of the Internet, users' activities on the Internet are increasing day by day. However, there are also various security threats and risks in the network environment, such as phishing, which can steal users' password information through deception and use users' legitimate accounts to commit illegal acts. Therefore, in order to ensure the security of the system, it is particularly important to detect abnormal behavior of users who legally access the system.

Traditional security protection methods are mainly based on rules and signatures to detect and defend known attack patterns. However, with the continuous evolution of network attack methods, the limitations of traditional methods have become more and more significant. Therefore, abnormal user identification methods based on behavior analysis and traffic detection have emerged.

Behavior analysis-based methods monitor and analyze user behaviors on the Internet to identify abnormal behavior patterns. These behaviors include login patterns, access patterns, data transmission patterns, etc. By establishing a normal behavior model for users, behaviors that do not conform to the normal behavior model can be identified and warned. For example, if a user logs in to an account in multiple locations within a short period of time or transmits a large amount of data in an unconventional time period, he or she may be judged as an abnormal user.

Traffic detection is another commonly used method for identifying abnormal users. It detects abnormal traffic behaviors, such as large-scale DDoS attacks and port scans, by monitoring the packet size, protocol type, transmission rate and other information in the network traffic and learning and comparing normal traffic patterns.

Summary of the invention

The technical problem to be solved by the present invention is to provide a method for judging abnormal users in the user login state and continuous use process by comprehensively using behavior analysis and flow detection.

The technical solution adopted by the present invention to solve the above technical problems is a method for identifying abnormal users based on behavior analysis and traffic detection, which is characterized by comprising:

Detection steps when a user logs into the system:

S1. In response to the user password verification during the user login process, feature extraction and data preprocessing are performed on the login information of this time; the login information includes the browser type used by the user, the user operating system type, the user's real address, the user's device MAC address, the user login time and the user input password time;

S2. Use the user's login history in the database to mine association rules and build a legal range for login; the history is the login information that meets the legal login rules before the user logs in this time;

S3. Determine whether the user login information is within the legal range. If yes, allow the user to log in; otherwise, intercept abnormal behavior;

Detection steps when users use the system:

S4. Regularly collect traffic data and sensitive interface access records within a set time, extract features from the collected traffic data to obtain traffic features of the corresponding IP within a period of time; the sensitive interface is a preset operation interface related to sensitive behavior;

S6: Input the traffic characteristics and sensitive interface access records into the trained anomaly detection model. The anomaly detection model determines whether there are abnormalities in the user behavior. If there are abnormalities in the user behavior, the abnormal behavior is intercepted.

The present invention aggregates multiple features to comprehensively analyze whether there is abnormal behavior during the user login process, and can ensure the stability and speed of the login process, and continuously determine whether there is anomaly by monitoring traffic data and sensitive interface access during user use. The comprehensive use of methods based on behavior analysis and traffic detection can improve the accuracy and timeliness of identifying abnormal users. By establishing and updating the user's normal behavior model, combined with real-time traffic analysis and monitoring technology, various new types of network attacks and abnormal behaviors can be discovered and responded to in a timely manner, protecting the security of the network and the interests of users.

Specifically, the anomaly detection model uses the known normal traffic data and abnormal traffic data collected in the past as training data sets to complete the construction of the detection model; the anomaly detection model is the integrated learning model EasyEnsemble.

Specifically, the data preprocessing in step S1 is as follows:

Convert the user login time into six time periods of the corresponding date: morning, noon, afternoon, evening, night, and early morning;

Convert the browser type used by the user to IE, SOGOU_EXPLORER, CHROME, SAFARI, EDGE, FIREFOX, ANDROID_BROWSER and other types;

Convert the operating system type used by the user to WINDOWS, MAC, ANDROID, IOS and other types;

Convert the time when the user inputs the password into a time range, where the time range is determined by the earliest and latest time of the timing;

The real address is the city name.

Specifically, in step S2, the historical records of the user's login in the database are used to mine association rules, and the specific method for constructing the legal range of the login request information is as follows:

The browser type, operating system type and user login time used by the user in the past login are queried from the database and symbolically represented as triples; according to the association analysis algorithm FP-Growth, an FP-Tree is constructed for each triple of historical information, and then frequent patterns are mined from the FP-Tree to obtain frequent item sets, thereby constituting the legal range of the user's login.

Step S3 determines whether the current user login is within the legal range, specifically:

Obtain the triplet of the browser type, operating system type, and user login time used by the user during this login; determine whether any combination of the triplet of this login exists in the legal range, if so, proceed to other user behavior mode determination, if not, intercept abnormal behavior;

Other user behavior pattern judgments: The user's real address, user device MAC address, user login time, and the length of time the user inputs the password during this login are compared and judged according to the set legal behavior pattern. If it meets the legal behavior pattern, the user is allowed to log in, otherwise abnormal behavior is intercepted.

Preferably, other user behavior pattern judgments are specifically as follows: judging whether the user's real address and the user device MAC address have both appeared in the historical records at the time of this login; whether the user's login time this time is within a preset number of days from the last login time; and whether the length of time the user has to input the password is within a limited range; if all of the conditions are met, the user is allowed to log in, otherwise abnormal behavior is intercepted.

The beneficial effects of the present invention are:

(1) Login status interception and online continuous detection are used to simultaneously detect whether users have abnormal behavior. Traditional data mining algorithms are used to quickly analyze login requests to ensure the smoothness of the user login process. Secondly, user traffic behavior is continuously detected during actual user use to prevent the system from performing malicious operations after unauthorized users log in normally.

(2) In the login request, the association rule mining method is used to perform a combined analysis of multiple features, avoiding the problem of abnormal interception that may be caused by using a single feature judgment. Furthermore, in the abnormal traffic behavior detection process, the ensemble learning EasyEnsemble is used to solve the problem of unbalanced training data volume between abnormal traffic and normal traffic, resulting in poor model training effect.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 is a flow chart of the invention.

Detailed ways

The technical solution adopted by the abnormal user identification method based on behavior analysis and traffic detection is shown in Figure 1 and includes the following steps:

S1. When the user logs in, the browser used by the user, the user's operating system, the user's real address, the device MAC address, the login time and the time when the user enters the password are extracted and the data is preprocessed;

S2. Use the past user login records in the database to mine association rules and construct legal rules for the login state;

S3. Determine whether the user login situation is within the legal scope of the rules. If it is legal, allow the user to enter the system; otherwise, intercept abnormal behavior;

S4. Monitor the traffic data and sensitive interface status of the server over a period of time, parse and extract features from the data, and obtain multi-dimensional features of the corresponding IP over a period of time;

S5. Process the normal traffic data and abnormal traffic data collected in the past using the same parsing and feature extraction methods in S3, and use the processed data to train a traffic analysis model based on ensemble learning;

S6: Use the trained model to continuously detect anomalies in the traffic data collected in the service, and intercept abnormal behaviors of corresponding users after anomalies are found.

The S1 comprises the following steps:

S1.1 When the user clicks to log in, the user's information will interact with the server in the form of HTTP, and the required information can be obtained by parsing HTTP;

S1.2 After parsing the HTTP request header, the browser and operating system information used by the user when sending the request can be extracted from the User-Agent field;

After S1.3 parses the HTTP request header, it can obtain the IP address of the user request and obtain the MAC address of the target device through the ARP command. On the server side, code can be used to simulate command line operations to obtain the MAC address. These two user behavior features will form the user address behavior vector. Using the IP address library, the user's IP address is mapped to the real user location;

S1.4 The time when the user enters the password is obtained through the front-end keyboard monitoring event of the WEB application system. The time when the user enters the password starts from the time the user enters the password and ends when the user clicks somewhere else to make the password box lose focus. When the user sends an HTTP request to the WEB application system, the time obtained at that time is recorded as the user's login time;

S1.5 After extracting the above feature vectors, the user's behavior is defined as a collection of six features: the browser used by the user, the operating system used by the user, the user's real address, the MAC address of the user's device, the user's login time, and the time when the user enters the password, and is represented in vector form.

S1.6 processes the above six features respectively, converting the user login time into six time periods: morning, noon, afternoon, evening, night and early morning; converting the browser type used by the user into IE, SOGOU_EXPLORER, CHROME, SAFARI, EDGE, FIREFOX, ANDROID_BROWSER and other types; converting the operating system type used by the user into WINDOWS, MAC, ANDROID, IOS and other types; converting the time when the user enters the password into a range, the longest time and the shortest time; converting the user's login IP into specific location information, such as Beijing and Shanghai.

The S2 comprises the following steps:

S2.1 retrieves the browser, operating system and user login time information used by the user in the past login from the database, and symbolizes and abstracts them into triples;

S2.2 According to the FP-Growth algorithm, a frequent itemset table is constructed for the data in the triples: the data set is traversed and the support of each item is calculated. According to the minimum support threshold, frequent itemsets are screened out and sorted in descending order of support; specifically, the minimum support is set to 3; the support of each item is the frequency of the item set appearing in the data set;

S2.3 According to the FP-Growth algorithm, construct an FP-Tree for each triple of historical information: construct an FP-Tree based on the frequent item set table and the data set. For each triple, construct a path according to the order of itemsets in the frequent item set table. If the node on the path already exists, increase the support count of the node, otherwise create a new node. Repeat the above steps for each triple until all transactions are processed;

S2.4 Mining frequent patterns from FP-Tree according to FP-Growth algorithm: Mining frequent patterns by recursively traversing FP-Tree. For each item set, starting from the leaf node, traverse the parent nodes of the node upwards in sequence to build the conditional pattern base (i.e. all nodes on the path from the node to the root node);

For each frequent itemset, generate its conditional pattern base;

For each conditional pattern base, construct a conditional FP-Tree and the corresponding frequent item set table;

If the conditional FP-Tree is not empty, recursively execute S2.4 until no more frequent itemsets can be generated;

Through the above process, all frequent patterns and their support can be obtained, wherein the generated frequent patterns are the legal rules of the user's login status.

The S3 comprises the following steps:

After the user password is successfully compared, it is determined whether the user behavior meets the legal login status rules mined in step S2 and whether the user behavior meets the user behavior identification conditions;

S3.1 obtains three user behavior features: the operating system used by the current logged-in user, the browser used by the user, and the current login time, and converts the data according to the methods in S1 and S2 to obtain a triple;

S3.2 determines in turn whether any combination of the triples exists in the legal rules;

S3.3 Whether the user's current login address has appeared in the user's behavior pattern;

S3.4 Whether the MAC address of the user's current device has appeared in the user's behavior pattern;

S3.5 Whether the user's current login time is within 30 days of the last login time;

S3.6 Whether the time when the user enters the password is within the specified range.

The S4 comprises the following steps:

S4.1 uses packet capture tools to collect traffic data in the server system over a period of time and parse the data packets to obtain specific protocol information.

S4.2 uses CICFlowMeter to extract features from captured data packets, including flow duration, total number of packets, data packet size and other characteristic information.

The S5 comprises the following steps:

S5.1 collects past system traffic data and open source traffic data information, and also uses the CICFlowMeter tool to parse traffic data packets, and marks the collected data as benign or malicious.

S5.2 inputs the data collected by S6.3 into the integrated learning model EasyEnsemble for training to obtain a malicious traffic classification model.

The S6 comprises the following steps:

By setting up scheduled tasks in the server system, traffic data is collected and features are extracted regularly, and the data is input into the malicious traffic detection model for classification. If it is marked as malicious traffic, the users involved in the traffic are obtained to check whether they are online. If they are online, abnormal user processing is performed. If they are not online, abnormal user processing is performed at the next login.

Example

S1: Collect data sets for traffic anomaly detection, including system historical traffic data and open source data sets. The open source data sets include benign traffic and malicious traffic. The historical traffic data generated by the system is regarded as benign traffic. Divide it into training set, validation set and test set in a ratio of 8:1:1;

S2: Use the CICFlowMeter tool to analyze the flow data, extract flow characteristics, including flow duration, total number of packets, data packet size, etc., and clean and normalize the data;

S2.1: Parse traffic data packets, including packet header parsing, packet data parsing, Ethernet header parsing, IP data packet header parsing, and related specific protocol parsing;

S2.2: Group according to source IP, destination IP, source port number, destination port number and protocol information. If the above five types of information are the same, they are recorded as one flow data, and features are extracted for each group of data;

S2.3: The data are expressed as numerical and discrete types and stored in CSV format for subsequent training;

S3: Use the ensemble learning model EasyEnsemble for model training. The baseline model uses AdaBoost to train a classification model that can detect abnormal traffic.

S4: Set the information to be monitored in the system login module, and perform data cleaning and standardization operations;

S4.1 reads the User-Agent attribute through the HTTP Header to obtain the user's operating system and browser information, and standardizes the information. The browser types are recorded as: IE, SOGOU_EXPLORER, CHROME, SAFARI, EDGE, FIREFOX, ANDROID_BROWSER and other types; the operating system types are recorded as WINDOWS, MAC, ANDROID, IOS and other types;

S4.2 obtains the user's IP information through the HTTP Header, and then obtains the MAC address of the target device through the ARP command. It is also necessary to convert the IP information into actual regional information, such as Beijing, Shanghai, etc.;

S4.3 monitors the input box through the front end to obtain the processing time of the user's password input and the user's actual login time, and processes the user's actual login time into six periods: morning, noon, afternoon, evening, night, and early morning;

S4.4 stores these data in a unified database for use in subsequent calculation of legal login rules;

S5: Monitor abnormal behavior during the user login process, including extracting legal login rules and detecting compliance logins;

S5.1: Query the historical login information of the current logged-in user, and use the FP-Growth data mining algorithm to analyze the relationship between the user's login time, the user's browser, and the user's operating system in the user's historical login, forming multiple frequent patterns;

S5.2: Detect whether any combination of user login time, user browser, and user operating system exists in the frequent paradigm at the same time when the user logs in. If not, trigger the user abnormal behavior processing mechanism;

S5.3: Continue to check whether the user's real address, device MAC address, and user password operation time are within the legal range of historical data. If any of them does not exist, the user abnormal behavior processing mechanism is triggered;

S5.4 If all detection mechanisms pass, the user logs into the system normally;

S6 continuously monitors traffic and sensitive interfaces while users are using the system, and uses the model trained in S3 to detect whether there is malicious behavior;

Set up a scheduled task in the S6.1 system to regularly collect the traffic data packets in the system and the number of download and query interface accesses of each user;

S6.2 parses and extracts features from the data packets using the method in S2, and inputs the data into the detection model for analysis. If abnormal traffic behavior is found, the source IP information of the traffic is obtained, and it is determined which user the IP is consistent with, and the user is forced to execute the user abnormal behavior processing mechanism;

S6.3 determines whether the number of times a user accesses a sensitive interface within a period of time exceeds the maximum limit. If so, the user is forced to execute the user abnormal behavior processing mechanism.

Finally, it should be noted that the above-described embodiments are only specific implementations of the present invention, which are used to illustrate the technical solutions of the present invention, rather than to limit them. The protection scope of the present invention is not limited thereto. Although the present invention is described in detail with reference to the above-described embodiments, those skilled in the art should understand that any person skilled in the art can still modify the technical solutions described in the above-described embodiments within the technical scope disclosed by the present invention, or can easily think of changes, or perform equivalent replacements on some of the technical features thereof; and these modifications, changes or replacements do not make the essence of the corresponding technical solutions deviate from the spirit and scope of the technical solutions of the embodiments of the present invention. They should all be covered within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. The abnormal user identification method based on behavior analysis and flow detection is characterized by comprising the following steps:

the detection step when the user logs in the system:

S1, after user password verification passes in a user login process, carrying out feature extraction and data preprocessing on login information of the time; the login information comprises a browser type used by a user, a user operating system type, a real address of the user, a user equipment MAC address, user login time and user password input time;

S2, utilizing a history record of the user login in a database to carry out association rule mining on the history record, and constructing a legal range during login; the history record is login information meeting legal login rules before the user logs in this time;

S3, judging whether the login information of the user is in a legal range or not, if so, allowing the user to log in, otherwise, intercepting abnormal behaviors;

the detection steps in the process of using the system by a user are as follows:

S4, collecting flow data and sensitive interface access records in a set time at regular time, and extracting features of the collected flow data to obtain flow features in a period of time corresponding to the IP; the sensitive interface is an operation interface which is preset and related to sensitive behaviors;

S6: and inputting the flow characteristics and the sensitive interface access record into a trained abnormality detection model, judging whether the user behavior has an abnormality or not by the abnormality detection model, and intercepting the abnormal behavior when the user behavior has the abnormality.

2. The method of claim 1, wherein the anomaly detection model uses previously collected known normal flow data and anomaly flow data as a training data set to complete detection model construction;

The anomaly detection model is an ensemble learning model EasyEnsemble.

3. The method of claim 1, wherein in step S1, when the user clicks to log in and interacts with the server in the form of HTTP, the HTTP header information is parsed to obtain the current log-in information:

After the HTTP request header is analyzed, extracting the browser type and the User operating system type used by a User when sending a request from a User-Agent field;

After resolving the HTTP request header, acquiring a user IP address, and acquiring an equipment MAC address through an address resolution protocol ARP; mapping the IP address of the user into the real address of the user by using an IP address library;

acquiring user input password time information through a front-end keyboard monitoring event of a WEB application system: the time of inputting the password by the user starts timing from the time of inputting the password by the user, and ends when the user clicks other positions to enable the password frame to lose focus;

and when the user sends an HTTP request to the rear end of the WEB application system, acquiring the time at the time and recording the time as user login time.

4. The method according to claim 1, wherein the data preprocessing in step S1 is specifically:

the user login time is converted into six periods of morning, noon, afternoon, evening and early morning of corresponding dates;

converting the BROWSER type used by the user into IE, SOGOU_ EXPLORER, CHROME, SAFARI, EDGE, FIREFOX or ANDROID_BROWSER;

converting the type of the operating system used by the user into WINDOWS, MAC, ANDROID or IOS;

converting the time of inputting the password by the user into a time length range, wherein the time length range is determined by the earliest time and the latest time of timing;

The real address is the city name.

5. The method of claim 1, wherein in step S2, the history of the user login in the database is utilized to perform association rule mining, and the specific method for constructing the legal scope of the login request information is as follows:

Inquiring the browser type, the operating system type and the user login time used in the previous login of the user from a database, and symbolizing the browser type, the operating system type and the user login time to be expressed as triples; according to the correlation analysis algorithm FP-Growth, an FP-Tree Tree is constructed for each triplet of history information, and then frequent item sets are obtained by mining frequent patterns from the FP-Tree Tree, so that a legal range of the user during login is formed.

6. The method of claim 5, wherein step S3 is to determine whether the current user login is within a legal range, specifically:

Obtaining a triplet of browser type, operating system type and user login time symbolized representation used by a user during the login; judging whether any combination in the triples logged in at the time exists in a legal range, if yes, entering other user behavior modes, and if no, intercepting abnormal behaviors;

Judging other user behavior modes: and comparing and judging the real address of the user, the MAC address of the user equipment, the login time of the user and the time length of inputting the password by the user when logging in according to the set legal behavior mode, if the user is in line with the legal behavior mode, allowing the user to log in, otherwise, intercepting abnormal behaviors.

7. The method of claim 6, wherein the other user behavior pattern determination is specifically: judging whether the real address of the user and the MAC address of the user equipment appear in the history record when the login is satisfied; the login time of the user is within a preset number of days from the last login time; the time length of inputting the password by the user is within a limited range; if all the actions are satisfied, the user is allowed to log in, otherwise, abnormal behavior interception is carried out.

8. The method of claim 1, wherein the traffic characteristics include traffic duration, total number of packets, and packet size.

9. The method of claim 1, wherein the anomaly detection model in step S6 judges whether the user behavior is abnormal, if so, the abnormal behavior interception is performed and the user related to the abnormal access is obtained, whether the user is online is checked, if so, the abnormal user processing is performed, and if not, the abnormal user processing is performed at the next login of the user.

10. A computer program product comprising computer programs/instructions which, when executed by a processor, implement the steps of the method of claim 1.