CN116822606A - Training method, device, equipment and storage medium of anomaly detection model - Google Patents
- Publication number
- CN116822606A
- Authority
- CN
- China
- Prior art keywords
- sequence
- detection model
- anomaly detection
- training
- sample
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/214—Generating training patterns; Bootstrap methods, e.g. bagging or boosting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/0464—Convolutional networks [CNN, ConvNet]
Abstract
The application discloses a training method, device, equipment and storage medium for an anomaly detection model. The historical behavior sequence of a sample account is determined and split into a plurality of subsequences; for each subsequence, the sequence feature of the subsequence is determined according to the frequency with which each type of operation contained in the subsequence occurs in the historical behavior sequence; an anomaly detection result for the subsequence is then obtained from the anomaly detection model to be trained; and finally the anomaly detection model is trained according to the anomaly detection result of each subsequence and the anomaly type of the sample account. With this method, a plurality of sequence features corresponding to an account can be determined from the historical behavior sequence of the account, so that the anomaly detection model can be trained on each sequence feature and the anomaly type of the account. The trained anomaly detection model can accurately detect the anomaly type of an account based on the sequence features of the account, which guarantees the efficiency of anomaly detection.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to a training method, apparatus, device, and storage medium for an anomaly detection model.
Background
With the development of computer technology and people's growing attention to their own privacy, one of the more common ways of executing a service today is to perform anomaly detection on the account a user uses to execute the service and then execute the service according to the detection result. How to accurately detect anomalies in the account used by the user is therefore one of the problems to be solved.
Based on the above, the application provides a training method of an abnormality detection model.
Disclosure of Invention
The application provides a training method, device, equipment and storage medium of an anomaly detection model, which are used for partially solving the problems existing in the prior art.
The application adopts the following technical scheme:
The application provides a training method of an anomaly detection model, which comprises the following steps:
determining a historical behavior sequence of a sample account, splitting the historical behavior sequence, and determining a plurality of subsequences each containing a specified number of continuous operations;
determining each type of operation contained in each subsequence according to each subsequence, counting the occurrence frequency of each type of operation in the historical behavior sequence, and determining the sequence characteristics of the subsequence according to the frequency corresponding to each type of operation;
inputting the sequence characteristics into an anomaly detection model to be trained to obtain an anomaly detection result output by the anomaly detection model;
and training the anomaly detection model according to the anomaly detection result and the anomaly type of the sample account.
The application provides a training device of an abnormality detection model, comprising:
the acquisition module is used for determining a historical behavior sequence of the sample account, splitting the historical behavior sequence and determining a plurality of subsequences which all contain a specified number of continuous operations;
the first determining module is used for determining each type of operation contained in each sub-sequence, counting the occurrence frequency of each type of operation in the historical behavior sequence, and determining the sequence characteristics of the sub-sequence according to the frequency corresponding to each type of operation;
the second determining module is used for inputting the sequence characteristics into an anomaly detection model to be trained to obtain an anomaly detection result output by the anomaly detection model;
and the training module is used for training the abnormality detection model according to the abnormality detection result and the abnormality type of the sample account.
The present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the training method of the anomaly detection model described above.
The application provides an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the training method of the abnormality detection model when executing the program.
The at least one technical scheme adopted by the application can achieve the following beneficial effects:
determining a historical behavior sequence of a sample account, splitting the historical behavior sequence, determining a plurality of subsequences, further determining sequence characteristics of the subsequences according to the frequency of each type of operation contained in the subsequences in the historical behavior sequence for each subsequence, obtaining an anomaly detection result of the subsequences through an anomaly detection model to be trained, and finally training the anomaly detection model according to the anomaly detection result of each subsequence and the anomaly type of the sample account.
According to the method and the system, the plurality of sequence features corresponding to the account can be determined based on the historical behavior sequence of the account, so that the anomaly detection model can be trained according to each sequence feature and the anomaly type of the account, the anomaly detection model obtained through training can accurately detect the anomaly type of the account based on the sequence features of the account, and the anomaly detection efficiency is guaranteed.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a flow chart of a training method of an anomaly detection model in the present application;
FIG. 2 is a schematic diagram of a training device for an anomaly detection model according to the present application;
FIG. 3 is a schematic diagram of an electronic device corresponding to FIG. 1 provided in the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be clearly and completely described below with reference to specific embodiments of the present application and corresponding drawings. It will be apparent that the described embodiments are only some, but not all, embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
In addition, it should be noted that, in the present application, all actions of acquiring signals, information or data are performed under the condition of conforming to the corresponding data protection rule policy of the location and obtaining the authorization given by the owner of the corresponding device.
The following describes in detail the technical solutions provided by the embodiments of the present application with reference to the accompanying drawings.
Fig. 1 is a flow chart of a training method of an anomaly detection model provided by the application.
S100: Determine a historical behavior sequence of the sample account, split the historical behavior sequence, and determine a plurality of subsequences each containing a specified number of consecutive operations.
The embodiment of the application provides a training method of an abnormality detection model, and the execution process of the training method of the abnormality detection model can be executed by electronic equipment such as a server for executing an abnormality detection service or a server for carrying out model training. For convenience of description, the training method of the anomaly detection model provided by the application is described in detail below with only the server as the execution subject.
In the embodiment of the application, the server can determine a plurality of subsequences by determining the historical behavior sequence of the sample account and splitting the historical behavior sequence, further determine the sequence characteristics of each subsequence according to the frequency of each type of operation in the historical behavior sequence contained in the subsequence, further take the sequence characteristics of each subsequence as a training sample, take the abnormal type of the sample account as a label, and train the abnormal detection model. The training process of the anomaly detection model can be divided into three stages: a sample determination phase, a sample processing phase, and a training phase. Thus, in the sample determination phase, the server may determine training samples for training the anomaly detection model, i.e., determine sequence features for each of the subsequences, respectively.
Based on this, the server may determine each subsequence corresponding to the sample account.
Specifically, the server may store the accounts that users used when they historically executed services, together with the historical behavior sequence corresponding to each account. The server may take an account that a user used when historically executing a service as a sample account, and take the historical behavior sequence corresponding to that account as the historical behavior sequence of the sample account. The historical behavior sequence corresponding to the sample account may consist of the user operations monitored after the user initiated a specified service, where the specified service may be the most recently executed service or a service of a specified type, such as a payment service. The monitored user operations may include: operations on a control such as clicking and long pressing, the track along which the user slides on the screen, the position at which the user clicks the screen, and the like.
Of course, the historical behavior sequence may also be the operation of the user monitored within a preset period, and may also be all the user operations monitored within a period from the operation performed by the user for the first time to the operation performed by the user last time. How the historical behavior sequence is specifically determined and the specific content contained in the historical behavior sequence can be set according to the needs, and the specification does not limit the historical behavior sequence.
Then, the server can split the historical behavior sequence corresponding to the sample account into a plurality of subsequences that each contain the specified number of consecutive operations. That is, every subsequence obtained by splitting contains the same specified number of consecutive operations.
It should be noted that the number of sample accounts may be plural, and each sample account may correspond to a user that is not identical, that is, the anomaly detection model may be trained based on a historical behavior sequence of a plurality of sample accounts that are historically used by a plurality of users.
S102: For each subsequence, determine each type of operation contained in the subsequence, count the frequency with which each type of operation occurs in the historical behavior sequence, and determine the sequence feature of the subsequence according to the frequency corresponding to each type of operation.
In one or more embodiments of the present application, as described above, the training method of the anomaly detection model uses frequency encoding: for each subsequence, the operations contained in the subsequence are encoded by frequency, and the sequence feature corresponding to the subsequence is determined from those codes. To do this, the server first determines each type of operation contained in the subsequence, so that frequency encoding can be performed on each type of operation determined.
Specifically, the server may determine, for each subsequence, each type of operation contained in the subsequence. The historical behavior sequence of the sample account comprises the various types of operations executed by the user, which may include: operations on a control such as clicking and long pressing, the track along which the user slides on the screen, the position at which the user clicks the screen, and operations in which the user accesses device A and device B through a network. Device A and device B are merely examples of other devices.
The server may then count, for each type of operation that the subsequence contains, how frequently that type of operation occurs in the historical sequence of actions.
Finally, the server can directly take the frequency as the code corresponding to the operation of the type, and the server can determine the sequence characteristic of the subsequence according to the codes corresponding to the operations.
Take the subsequence ABBACDD as an example, where A indicates that the user performed operation A, B that the user performed operation B, C that the user performed operation C, and D that the user performed operation D, and operations A, B, C and D are different types of operations. Assuming that the frequency of operation A in the historical behavior sequence is 5, that of operation B is 3, that of operation C is 7, and that of operation D is 9, the sequence feature corresponding to the subsequence may be 5335799. Of course, the sequence feature corresponding to the subsequence may also be 05030305070909. How the sequence feature is determined from the codes corresponding to each type of operation can be set as needed, and the application does not limit this.
Further, the anomaly detection model learns information about the changes between different operations. When the sequence features of the subsequences are determined, two types of operations may happen to have the same frequency in the historical behavior sequence of the sample account. In that case the model cannot distinguish the two types of operations, and detection accuracy may suffer. To avoid this, the server may add a disturbance to the operations.
Specifically, when determining the codes corresponding to the types of operations, the server may determine, for each type of operation, the frequency with which that type of operation occurs, and judge whether that frequency is the same as the frequency of any other type of operation, that is, whether some other type of operation has the same frequency as this type.
If so, another type of operation exists whose frequency is the same as that of this type. The server can then treat this type of operation, together with the operations whose frequency is the same as its frequency, as operations to be distinguished.
Then, the server can determine the disturbance parameter corresponding to each operation to be distinguished. The disturbance parameter is used to disturb the frequency of the operation to be distinguished, and the result of the disturbance is used as the code of that operation. For each operation to be distinguished, the corresponding disturbance parameter may be preset, or the server may assign it randomly. How the disturbance parameters are determined can be set as needed, and the application does not limit this.
Finally, after determining the disturbance parameters, the server can determine, for each operation to be distinguished, the code corresponding to that operation from its frequency and its disturbance parameter. The disturbance parameters may be +0.1, +0.2, -0.1, -0.2, and so on. That is, after the frequency corresponding to the operation to be distinguished is determined, the sum of that frequency and the disturbance parameter is used as the code corresponding to the operation.
Of course, the server may also determine the codes corresponding to the operations to be distinguished by determining the product, difference, quotient, etc. of the frequency and the disturbance parameters. In particular, how to determine the codes corresponding to the operation according to the disturbance parameters and the frequency can be set according to the needs, and the application is not limited to the above.
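The frequency encoding and disturbance steps of S100 and S102 can be sketched as follows; this is an added example, not code from the patent. It assumes non-overlapping windows with the trailing remainder dropped, and a fixed assignment of the quoted disturbance values to tied operations in sorted order; the function names and the sample history are constructed for illustration.

```python
from collections import Counter, defaultdict

# Disturbance values quoted in the description. Which tied operation receives
# which value is an assumption of this example (sorted order, fixed mapping).
DISTURBANCES = (0.1, 0.2, -0.1, -0.2)

# Constructed sample history: A occurs 5 times, B 3, C 7, D 9, and the first
# window is the ABBACDD subsequence used in the description.
HISTORY = "ABBACDD" + "AAAB" + "CCCCCC" + "DDDDDDD"


def split_history(history, size):
    """Split a behavior sequence into consecutive windows of `size` operations.

    Assumption: windows do not overlap and a short trailing remainder is dropped,
    so every subsequence contains exactly the specified number of operations.
    """
    if size <= 0:
        raise ValueError("size must be positive")
    return [history[i:i + size] for i in range(0, len(history) - size + 1, size)]


def operation_codes(history, disturb=True):
    """Return {operation type: code}.

    The code is the operation's frequency in the whole history. When several
    types share one frequency they become "operations to be distinguished" and
    each gets frequency + disturbance so the model can tell them apart.
    """
    freq = Counter(history)
    by_freq = defaultdict(list)
    for op, n in freq.items():
        by_freq[n].append(op)

    codes = {}
    for n, ops in by_freq.items():
        if len(ops) == 1 or not disturb:
            for op in ops:
                codes[op] = n
            continue
        if len(ops) > len(DISTURBANCES):
            # Edge case: more tied types than preset disturbance values.
            raise ValueError(f"{len(ops)} operation types share frequency {n}")
        for op, delta in zip(sorted(ops), DISTURBANCES):
            # |delta| < 0.5, so a disturbed code never collides with the
            # code of an operation that has a different integer frequency.
            codes[op] = round(n + delta, 1)
    return codes


def sequence_features(history, size, disturb=True):
    """Encode every subsequence as the list of codes of its operations."""
    codes = operation_codes(history, disturb)
    return [[codes[op] for op in window] for window in split_history(history, size)]


if __name__ == "__main__":
    for window, feature in zip(split_history(HISTORY, 7), sequence_features(HISTORY, 7)):
        print(window, feature)
    # Tie between A and B (both occur twice): with and without disturbance.
    print(sequence_features("AABBC", 5, disturb=False))
    print(sequence_features("AABBC", 5))
```
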
S104: Input the sequence feature into an anomaly detection model to be trained, and obtain an anomaly detection result output by the anomaly detection model.
In one or more embodiments of the present application, after determining the training sample, the training method of the anomaly detection model may process the training sample, and then train the anomaly detection model based on the processing result of the training sample.
Specifically, the server may input the determined sequence feature as an input to an anomaly detection model to be trained.
Then, the server can obtain the abnormality detection result of the sample account corresponding to the sequence feature output by the abnormality detection model.
The anomaly detection result comprises at least the anomaly type corresponding to the sample account. That is, in addition to the anomaly type corresponding to the sample account, the anomaly detection result may further include the anomaly handling policy to be executed on the sample account, the reason the sample account belongs to the anomaly type given in the anomaly detection result, and the like. The content included in the anomaly detection result may be set as needed, and the application does not limit this.
S106: Train the anomaly detection model according to the anomaly detection result and the anomaly type of the sample account.
In one or more embodiments of the present application, the server may train the anomaly detection model after processing training samples.
Specifically, the server may determine, for each subsequence, the gap between the anomaly detection result corresponding to the subsequence and the anomaly type of the sample account corresponding to the subsequence, as the first gap.
The server then determines a loss from the first gaps corresponding to the subsequences and trains the anomaly detection model with minimization of the loss as the training target.
Thus, the trained abnormality detection model can accurately detect the abnormality of the account based on the historical behavior sequence of the account.
Further, after training is completed, the server may also receive a detection request and process the detection request.
Specifically, the server may determine, in response to the detection request, a target account included in the detection request and a target behavior sequence corresponding to the target account. The detection request can be sent by the target account when the user needs to execute the service, or can be generated according to the target account sending the service execution request when the server receives the service execution request sent by the user. The number of consecutive operations contained in the target behavior sequence is the specified number.
Second, the server may determine the types of target operations contained in the target behavior sequence and count how frequently each type of target operation occurs in the target behavior sequence. Wherein the target operation is an operation in the target behavior sequence.
Then, the server can determine the target sequence characteristics according to the frequency corresponding to each type of target operation.
And finally, the server can input the determined target sequence characteristics into the trained abnormality detection model to obtain an abnormality detection result output by the abnormality detection model. The server may return the anomaly detection result according to the detection request.
According to the training method of the anomaly detection model shown in fig. 1, a plurality of subsequences are determined by splitting a historical behavior sequence of a determined sample account, then for each subsequence, sequence characteristics of the subsequence are determined according to the occurrence frequency of various types of operations contained in the subsequence in the historical behavior sequence, an anomaly detection result of the subsequence is obtained through the anomaly detection model to be trained, and finally the anomaly detection model is trained according to the anomaly detection result of each subsequence and the anomaly type of the sample account. According to the method and the system, the plurality of sequence features corresponding to the account can be determined based on the historical behavior sequence of the account, so that the anomaly detection model can be trained according to each sequence feature and the anomaly type of the account, the anomaly detection model obtained through training can accurately detect the anomaly type of the account based on the sequence features of the account, and the anomaly detection efficiency is guaranteed.
In addition, during anomaly detection of an account, an account transaction graph containing at least the account node corresponding to the account may be constructed based on other accounts that have historically transacted with the account. The account transaction graph is used as the representation of the account node and input into a pre-trained anomaly detection model to obtain the anomaly detection result output by the model, so that a service is executed according to that result. However, when an account has never transacted with other nodes, anomaly detection obviously cannot be performed on it in this way. With the anomaly detection model of the present application, anomaly detection can be performed on the account based on the historical behavior sequence corresponding to the account, which ensures the accuracy of anomaly detection.
Further, the abnormality detection model used in the present application includes a feature extraction layer and a detection layer. After determining the sequence feature, the server can input the sequence feature as input into a feature extraction layer of the anomaly detection model to obtain a sample feature output by the feature extraction layer. And then inputting the sample characteristics into a detection layer of the abnormality detection model to obtain an abnormality detection result output by the detection layer.
Furthermore, compared with an ordinary convolution kernel, a hole (dilated) convolution kernel has a larger receptive field and higher convolution efficiency. Thus, the server may also use hole convolution to determine the sample features.
Specifically, the server may input the sequence feature as an input to a feature extraction layer of the anomaly detection model to be trained.
The feature extraction layer is provided in advance with a hole convolution kernel for extracting features from the input data. In the feature extraction layer, the server can perform hole convolution on the sequence feature according to the hole convolution kernel preset in the feature extraction layer, and obtain the sample feature output by the feature extraction layer from the convolution result.
Because hole convolution is already a mature technology, the application does not describe in detail how to perform it.
In addition, hole convolution kernels of different sizes perform different convolutions, so the information they can learn is not exactly the same. For example, the information learned by a large-sized hole convolution kernel is biased toward the whole, while the information learned by a small-sized hole convolution kernel is biased toward detail. Thus, hole convolution kernels of different sizes may also be provided in the feature extraction layer.
Specifically, the server may input the sequence feature into the feature extraction layer of the anomaly detection model to be trained.
Then, in the feature extraction layer, the server may perform hole convolutions of different sizes on the sequence feature according to the different-sized hole convolution kernels preset in the feature extraction layer.
Finally, the server can obtain the sample feature output by the feature extraction layer from the convolution results. The server can determine the sample feature by performing hole convolutions of different sizes on the sequence feature simultaneously and fusing the convolution results. Alternatively, it can perform a small-size hole convolution on the sequence feature to obtain a first convolution result, a medium-size hole convolution on the first convolution result to obtain a second convolution result, and then a large-size hole convolution on the second convolution result to obtain a third convolution result, which is used as the sample feature. The specific manner of determining the sample feature may be set as needed; the application does not limit it.
It should be noted that the above description takes three hole convolution kernels of different sizes preset in the feature extraction layer as an example. The number of different-sized hole convolution kernels preset in the feature extraction layer may be set as needed, and so may the number of convolution results finally determined; the application does not limit either.
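The two ways of combining different-sized hole convolutions described above (simultaneous with fusion, and small to medium to large in sequence) are sketched below as an added example that is not code from the patent. It assumes that "size" means the dilation rate of a 3-tap kernel, that fusion is an element-wise mean, and that the weights are fixed rather than learned; the input is a constructed single-spike sequence feature.

```python
"""Added example: 1-D hole (dilated) convolution over a sequence feature."""

KERNEL = [1.0, 1.0, 1.0]   # fixed weights so the demo is reproducible; learned in practice
DILATIONS = (1, 2, 4)      # assumed "small", "medium", "large" hole sizes


def hole_conv1d(x, kernel, dilation):
    """Zero-padded, same-length 1-D convolution whose taps sit `dilation` apart."""
    if dilation < 1:
        raise ValueError("dilation must be >= 1")
    span = (len(kernel) - 1) * dilation      # distance between first and last tap
    left = span // 2
    padded = [0.0] * left + list(x) + [0.0] * (span - left)
    return [
        sum(w * padded[i + j * dilation] for j, w in enumerate(kernel))
        for i in range(len(x))
    ]


def parallel_features(x, kernel=KERNEL, dilations=DILATIONS):
    """Run every hole size on the same input and fuse by element-wise mean."""
    branches = [hole_conv1d(x, kernel, d) for d in dilations]
    return [sum(vals) / len(vals) for vals in zip(*branches)]


def cascaded_features(x, kernel=KERNEL, dilations=DILATIONS):
    """Feed the small-hole result into the medium one, then into the large one."""
    out = list(x)
    for d in dilations:
        out = hole_conv1d(out, kernel, d)
    return out


def receptive_field(kernel_size, dilations, cascaded):
    """Number of input positions that can influence one output value."""
    spans = [(kernel_size - 1) * d for d in dilations]
    return 1 + (sum(spans) if cascaded else max(spans))


def support(values):
    """Indices with a non-zero response."""
    return [i for i, v in enumerate(values) if v != 0]


if __name__ == "__main__":
    # Constructed input: one unusual operation code in the middle of a 21-step
    # sequence feature, so the output shows which positions each mode lets
    # that single operation influence.
    impulse = [0.0] * 10 + [1.0] + [0.0] * 10
    print("parallel support:", support(parallel_features(impulse)))
    print("cascaded support:", support(cascaded_features(impulse)))
    print("receptive fields:",
          receptive_field(3, DILATIONS, cascaded=False),
          receptive_field(3, DILATIONS, cascaded=True))
```

With these settings the fused parallel mode sees 9 input positions with gaps between them, while the cascaded mode covers 15 contiguous positions, which matters when the specified subsequence length is short.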
Furthermore, the server can train the anomaly detection model by contrastive learning.
Specifically, the number of sample accounts determined in step S100 may be plural. The server may then determine the subsequences corresponding to each sample account.
Secondly, the server can take the sequence feature corresponding to each subsequence as a training sample, and combine the determined training samples in pairs to obtain training sample pairs. For each training sample pair, the server may determine the similarity between the anomaly types of the sample accounts corresponding to the training samples in the pair, and use it as the label of the training sample pair.
Then, the server can input the training sample pair into the anomaly detection model to be trained to obtain the anomaly detection results, output by the anomaly detection model, that correspond to each training sample contained in the training sample pair.
Then, for each training sample pair, the server may determine the similarity between the anomaly detection results of the training samples contained in the pair, and determine the difference between this similarity and the label of the training sample pair as a first gap.
Meanwhile, the server can determine a second gap according to the difference between the anomaly detection result of each training sample contained in the training sample pair and the anomaly type of the corresponding sample account.
Finally, the server can determine the loss according to the first gaps and the second gaps corresponding to the training sample pairs, and train the anomaly detection model with minimizing the loss as the optimization target.
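The pairwise loss described above, as an added example that is not code from the patent. The patent does not fix the similarity measure, the form of the gaps or how they are combined, so this sketch assumes cosine similarity between predicted type distributions, a 0/1 label for different/identical anomaly types, cross-entropy for the second gap and a weighted sum averaged over pairs; the anomaly type names are hypothetical.

```python
"""Added example: pairwise (contrastive) loss with a first and a second gap."""
import math
from itertools import combinations

ANOMALY_TYPES = ("normal", "account_theft", "bulk_registration")  # hypothetical


def cosine(u, v):
    """Cosine similarity; 0.0 if either vector is all zeros."""
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0


def pair_label(type_a, type_b):
    """Assumed similarity between anomaly types: 1 if identical, else 0."""
    return 1.0 if type_a == type_b else 0.0


def first_gap(pred_a, pred_b, label):
    """How far the similarity of the two detection results is from the label."""
    return abs(cosine(pred_a, pred_b) - label)


def second_gap(pred, true_type):
    """Cross-entropy between one detection result and the account's true type."""
    p = pred[ANOMALY_TYPES.index(true_type)]
    return -math.log(max(p, 1e-12))   # clamp so a zero probability stays finite


def pairwise_loss(preds, types, alpha=1.0):
    """Mean over all sample pairs of first gap + alpha * second gaps.

    preds: one predicted distribution over ANOMALY_TYPES per training sample.
    types: the anomaly type of the sample account behind each training sample.
    """
    pairs = list(combinations(range(len(preds)), 2))
    if not pairs:
        raise ValueError("need at least two training samples")
    total = 0.0
    for i, j in pairs:
        g1 = first_gap(preds[i], preds[j], pair_label(types[i], types[j]))
        g2 = second_gap(preds[i], types[i]) + second_gap(preds[j], types[j])
        total += g1 + alpha * g2
    return total / len(pairs)


if __name__ == "__main__":
    # Constructed detection results for three sub-sequences.
    types = ["normal", "normal", "account_theft"]
    good = [[0.9, 0.05, 0.05], [0.8, 0.1, 0.1], [0.1, 0.8, 0.1]]
    collapsed = [[1 / 3, 1 / 3, 1 / 3]] * 3   # model that ignores its input
    print("good     :", round(pairwise_loss(good, types), 4))
    print("collapsed:", round(pairwise_loss(collapsed, types), 4))
```

A model that outputs the same distribution for every account is penalised twice: by the second gap for every sample, and by the first gap for every pair whose accounts have different anomaly types.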
Fig. 2 is a schematic diagram of a training device for an anomaly detection model according to the present application, wherein:
The obtaining module 200 is configured to determine a historical behavior sequence of the sample account, split the historical behavior sequence, and determine a plurality of subsequences each including a specified number of continuous operations.
The first determining module 202 is configured to determine, for each subsequence, each type of operation included in the subsequence, count the frequencies of the types of operations in the historical behavior sequence, and determine the sequence feature of the subsequence according to the frequencies respectively corresponding to the types of operations.
The second determining module 204 is configured to input the sequence feature into an anomaly detection model to be trained, and obtain an anomaly detection result output by the anomaly detection model.
The training module 206 is configured to train the anomaly detection model according to the anomaly detection result and the anomaly type of the sample account.
Optionally, the first determining module 202 is configured to determine, for each type of operation, whether the frequency of the type of operation is the same as the frequency of other types of operations; if not, take the frequency of the type of operation as the code of the type of operation; if so, take the type of operation and the operations with the same frequency as the type of operation as operations to be distinguished, determine a disturbance parameter corresponding to each operation to be distinguished, and determine, according to the disturbance parameter and the frequency of each operation to be distinguished, the code corresponding to each operation to be distinguished; and determine the sequence feature of the subsequence according to the codes corresponding to each type of operation in the subsequence.
Optionally, the second determining module 204 is configured to input the sequence feature into a feature extraction layer of an anomaly detection model to be trained, obtain a sample feature output by the feature extraction layer, input the sample feature into a detection layer of the anomaly detection model, and obtain an anomaly detection result output by the detection layer.
Optionally, the second determining module 204 is configured to input the sequence feature into a feature extraction layer of an anomaly detection model to be trained, perform hole convolution on the sequence feature according to a hole convolution kernel preset in the feature extraction layer, and obtain a sample feature output by the feature extraction layer according to a convolution result.
Optionally, different-sized hole convolution kernels are preset in the feature extraction layer, and the second determining module 204 is configured to input the sequence feature into a feature extraction layer of an anomaly detection model to be trained, and perform different-sized hole convolution on the input data according to the different-sized hole convolution kernels preset in the feature extraction layer, so as to obtain a sample feature output by the feature extraction layer.
Optionally, the number of sample accounts is plural. The second determining module 204 is configured to take the sequence feature corresponding to each subsequence as a training sample, combine the training samples in pairs to determine training sample pairs, determine the label of each training sample pair according to the similarity between the anomaly types of the sample accounts corresponding to the training samples in the pair, input each training sample pair into the anomaly detection model to be trained, and obtain the anomaly detection result, output by the anomaly detection model, of each training sample contained in each training sample pair. The training module 206 is configured to, for each training sample pair, determine a first gap according to the similarity between the anomaly detection results of the training samples contained in the pair and the label of the pair, determine a second gap according to the anomaly detection result of each training sample and the anomaly type of the corresponding sample account, determine a loss according to the first gap and the second gap, and train the anomaly detection model with minimizing the loss as the optimization target.
Optionally, the obtaining module 200 is configured to determine, in response to a detection request, a target account included in the detection request and a target behavior sequence corresponding to the target account, where the number of continuous operations included in the target behavior sequence is the specified number, determine various types of target operations included in the target behavior sequence, count the frequency of occurrence of the various types of target operations in the target behavior sequence, determine a target sequence feature according to the frequency corresponding to each type of target operation, input the target sequence feature into a trained anomaly detection model, obtain an anomaly detection result output by the anomaly detection model, and return the anomaly detection result according to the detection request.
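The feature path that the obtaining module 200 and the first determining module 202 describe, including the disturbance applied to operation types with equal frequency and the detection-time variant that counts within the target behavior sequence, as an added example that is not code from the patent. The disturbance rule (tied types sorted by name, the k-th one coded as frequency + k × 0.01), the non-overlapping split and the operation names are assumptions.

```python
"""Added example: frequency-coded sequence features with tie disturbance."""
from collections import Counter

STEP = 0.01  # assumed disturbance increment; must keep codes below the next integer


def split_history(history, n, stride=None):
    """Cut a behavior sequence into windows of exactly n continuous operations.

    Assumption: non-overlapping windows by default; an incomplete tail is dropped.
    """
    if n < 1:
        raise ValueError("n must be >= 1")
    stride = stride or n
    return [history[i:i + n] for i in range(0, len(history) - n + 1, stride)]


def encode_operations(counts, step=STEP):
    """Map each operation type to a code derived from its frequency.

    A type whose frequency is unique is coded as that frequency. Types sharing
    a frequency are "operations to be distinguished": each gets its own
    disturbance so that no two types end up with the same code.
    """
    by_freq = {}
    for op, freq in counts.items():
        by_freq.setdefault(freq, []).append(op)
    codes = {}
    for freq, ops in by_freq.items():
        if len(ops) == 1:
            codes[ops[0]] = float(freq)
            continue
        eps = min(step, 1.0 / (len(ops) + 1))      # never reach freq + 1
        for k, op in enumerate(sorted(ops), start=1):  # sorted: deterministic
            codes[op] = round(freq + k * eps, 6)
    return codes


def training_features(history, n):
    """Training: frequencies are counted over the whole historical sequence."""
    codes = encode_operations(Counter(history))
    return [[codes[op] for op in window] for window in split_history(history, n)]


def detection_feature(target_sequence, n):
    """Detection: the target sequence has exactly n operations and is counted alone."""
    if len(target_sequence) != n:
        raise ValueError("target behavior sequence must contain exactly n operations")
    codes = encode_operations(Counter(target_sequence))
    return [codes[op] for op in target_sequence]


if __name__ == "__main__":
    # Constructed behavior log for one sample account.
    history = ["login", "view", "view", "pay",
               "login", "view", "transfer", "logout"]
    for feature in training_features(history, 4):
        print("train :", feature)
    print("detect:", detection_feature(["login", "pay", "pay", "transfer"], 4))
```

In this run "pay" is coded 1.02 during training but 2.0 at detection time, because the counting scope differs between the historical sequence and the target sequence.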
The present application also provides a computer-readable storage medium storing a computer program operable to execute the training method of the abnormality detection model shown in fig. 1 described above.
The application also provides the schematic block diagram of an electronic device shown in fig. 3. At the hardware level, as shown in fig. 3, the electronic device includes a processor, an internal bus, a network interface, a memory, and a non-volatile storage, and may of course also include hardware required by other services. The processor reads the corresponding computer program from the non-volatile storage into the memory and then runs it to implement the training method of the anomaly detection model shown in fig. 1. Of course, besides a software implementation, the application does not exclude other implementations, such as logic devices or combinations of hardware and software; that is, the execution subject of the processing flows is not limited to logic units, but may also be hardware or logic devices.
In the 1990s, an improvement to a technology could be clearly distinguished as an improvement in hardware (e.g., an improvement to a circuit structure such as a diode, transistor or switch) or an improvement in software (an improvement to a method flow). However, with the development of technology, many improvements to today's method flows can be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. Therefore, it cannot be said that an improvement to a method flow cannot be realized by a hardware entity module. For example, a programmable logic device (Programmable Logic Device, PLD), such as a field programmable gate array (Field Programmable Gate Array, FPGA), is an integrated circuit whose logic function is determined by the user's programming of the device. A designer programs to "integrate" a digital system onto a PLD without asking a chip manufacturer to design and fabricate an application-specific integrated circuit chip. Moreover, nowadays, instead of manually making integrated circuit chips, such programming is mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development; the source code to be compiled must also be written in a specific programming language, called a hardware description language (Hardware Description Language, HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are currently the most commonly used.
It will also be apparent to those skilled in the art that a hardware circuit implementing the logical method flow can be readily obtained merely by doing a little logic programming of the method flow in one of the hardware description languages above and programming it into an integrated circuit.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller purely as computer-readable program code, it is entirely possible to logically program the method steps so that the controller achieves the same functionality in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers, and the like. Such a controller may thus be regarded as a hardware component, and the means included in it for performing various functions may also be regarded as structures within the hardware component. Or the means for performing the various functions may even be regarded both as software modules implementing the method and as structures within the hardware component.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. One typical implementation is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functions of each element may be implemented in the same piece or pieces of software and/or hardware when implementing the present application.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of computer-readable media such as volatile memory, random access memory (RAM) and/or nonvolatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer-readable media include both permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. Computer-readable media, as defined herein, do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments of the present application are described in a progressive manner; for the parts that are the same or similar across embodiments, the embodiments may be referred to one another, and each embodiment mainly describes its differences from the others. In particular, since the system embodiments are substantially similar to the method embodiments, they are described relatively briefly; for relevant details, see the corresponding part of the description of the method embodiments.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.
Claims (10)
1. A method of training an anomaly detection model, the method comprising:
determining a historical behavior sequence of a sample account, splitting the historical behavior sequence, and determining a plurality of subsequences each containing a specified number of continuous operations;
determining each type of operation contained in each subsequence according to each subsequence, counting the occurrence frequency of each type of operation in the historical behavior sequence, and determining the sequence characteristics of the subsequence according to the frequency corresponding to each type of operation;
inputting the sequence characteristics into an anomaly detection model to be trained to obtain an anomaly detection result output by the anomaly detection model;
and training the anomaly detection model according to the anomaly detection result and the anomaly type of the sample account.
2. The method of claim 1, wherein determining the sequence feature of the subsequence according to the frequency corresponding to each type of operation specifically comprises:
for each type of operation, judging whether the frequency of the operation of the type is the same as the frequency of the operation of other types;
if they are different, taking the frequency of the type of operation as the code of the type of operation;
if they are the same, taking the type of operation and the operations with the same frequency as the type of operation as operations to be distinguished, determining a disturbance parameter corresponding to each operation to be distinguished, and determining the code corresponding to each operation to be distinguished according to the disturbance parameter and the frequency of each operation to be distinguished;
and determining the sequence feature of the subsequence according to the codes respectively corresponding to the various types of operations in the subsequence.
3. The method of claim 1, wherein the sequence feature is input into an anomaly detection model to be trained to obtain an anomaly detection result output by the anomaly detection model, and specifically comprises:
inputting the sequence features into a feature extraction layer of an anomaly detection model to be trained, and obtaining sample features output by the feature extraction layer;
and inputting the sample features into a detection layer of the anomaly detection model to obtain an anomaly detection result output by the detection layer.
4. A method according to claim 3, wherein the sequence features are input into a feature extraction layer of an anomaly detection model to be trained, and sample features output by the feature extraction layer are obtained, specifically including:
inputting the sequence features into a feature extraction layer of an anomaly detection model to be trained, carrying out hole convolution on the sequence features according to a hole convolution kernel preset in the feature extraction layer, and obtaining sample features output by the feature extraction layer according to convolution results.
5. A method according to claim 3, wherein hole convolution kernels of different sizes are preset in the feature extraction layer;
inputting the sequence features into a feature extraction layer of an anomaly detection model to be trained to obtain sample features output by the feature extraction layer, wherein the method specifically comprises the following steps:
inputting the sequence features into a feature extraction layer of an anomaly detection model to be trained, and carrying out different-size hole convolution on the input data according to the different-size hole convolution kernels preset in the feature extraction layer to obtain sample features output by the feature extraction layer.
6. The method of claim 1, the number of sample accounts being a plurality;
inputting the input data into an anomaly detection model to be trained to obtain an anomaly detection result output by the anomaly detection model, wherein the anomaly detection result comprises the following specific steps:
taking sequence features corresponding to the subsequences as training samples, combining the training samples pairwise, determining training sample pairs, and determining labels of the training sample pairs according to the similarity between abnormal types of sample accounts corresponding to the training samples in the training sample pairs;
inputting the training sample pairs into an anomaly detection model to be trained to obtain anomaly detection results of the training samples contained in the training sample pairs output by the anomaly detection model;
training the anomaly detection model according to the anomaly detection result and the anomaly type of the sample account, specifically including:
for each training sample pair, determining a first gap according to the similarity between the anomaly detection results of each training sample contained in the training sample pair and the label of the training sample pair;
determining a second gap according to the anomaly detection result of each training sample and the anomaly type of the corresponding sample account;
and determining loss according to the first gap and the second gap, taking the loss minimization as an optimization target, and training the anomaly detection model.
7. The method of claim 1, the method further comprising:
responding to a detection request, and determining a target account contained in the detection request and a target behavior sequence corresponding to the target account, wherein the number of continuous operations contained in the target behavior sequence is the specified number;
determining various types of target operations contained in the target behavior sequence, counting the occurrence frequency of the various types of target operations in the target behavior sequence, and determining target sequence characteristics according to the respective corresponding frequency of the various types of target operations;
inputting the target sequence characteristics into the anomaly detection model after training is completed, and obtaining an anomaly detection result output by the anomaly detection model;
and returning the anomaly detection result according to the detection request.
8. A training apparatus for an anomaly detection model, the apparatus comprising:
the acquisition module is used for determining a historical behavior sequence of the sample account, splitting the historical behavior sequence and determining a plurality of subsequences which all contain a specified number of continuous operations;
the first determining module is used for determining each type of operation contained in each sub-sequence, counting the occurrence frequency of each type of operation in the historical behavior sequence, and determining the sequence characteristics of the sub-sequence according to the frequency corresponding to each type of operation;
the second determining module is used for inputting the sequence characteristics into an anomaly detection model to be trained to obtain an anomaly detection result output by the anomaly detection model;
and the training module is used for training the anomaly detection model according to the anomaly detection result and the anomaly type of the sample account.
9. A computer readable storage medium storing a computer program which, when executed by a processor, implements the method of any of the preceding claims 1-7.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method of any of the preceding claims 1-7 when the program is executed.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310654192.7A CN116822606A (en) | 2023-06-02 | 2023-06-02 | Training method, device, equipment and storage medium of anomaly detection model |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310654192.7A CN116822606A (en) | 2023-06-02 | 2023-06-02 | Training method, device, equipment and storage medium of anomaly detection model |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116822606A (en) | 2023-09-29 |
Family
ID=88142139
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310654192.7A Pending CN116822606A (en) | 2023-06-02 | 2023-06-02 | Training method, device, equipment and storage medium of anomaly detection model |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116822606A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117539739A (en) * | 2023-12-11 | 2024-02-09 | 国网河南省电力公司经济技术研究院 | User continuous behavior anomaly monitoring method based on double features |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3780541A1 (en) | Identity information identification method and device | |
CN110457578B (en) | Customer service demand identification method and device | |
CN107577697B (en) | Data processing method, device and equipment | |
CN110674188A (en) | Feature extraction method, device and equipment | |
CN115618748B (en) | Model optimization method, device, equipment and storage medium | |
CN114943307B (en) | Model training method and device, storage medium and electronic equipment | |
CN115618964B (en) | Model training method and device, storage medium and electronic equipment | |
CN111753328B (en) | Private data leakage risk detection method and system | |
CN116822606A (en) | Training method, device, equipment and storage medium of anomaly detection model | |
CN116049761A (en) | Data processing method, device and equipment | |
CN109376988B (en) | Service data processing method and device | |
CN110245136B (en) | Data retrieval method, device, equipment and storage equipment | |
CN110968483B (en) | Service data acquisition method and device and electronic equipment | |
CN115545353B (en) | Business wind control method, device, storage medium and electronic equipment | |
CN109039695B (en) | Service fault processing method, device and equipment | |
CN115563584B (en) | Model training method and device, storage medium and electronic equipment | |
CN117421214A (en) | Batch counting method, device, electronic equipment and computer readable storage medium | |
CN116757278A (en) | Training method and device of prediction model, storage medium and electronic equipment | |
CN111242195B (en) | Model, insurance wind control model training method and device and electronic equipment | |
CN109325127B (en) | Risk identification method and device | |
CN111026458B (en) | Application program exit time setting method and device | |
CN115567371A (en) | Abnormity detection method, device, equipment and readable storage medium | |
CN109903165B (en) | Model merging method and device | |
CN113344590A (en) | Method and device for model training and complaint rate estimation | |
CN111461352B (en) | Model training method, service node identification device and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||