CN114640499A - Method and device for carrying out abnormity identification on user behavior - Google Patents

Abstract

The embodiment of the invention discloses a method and a device for identifying user behaviors abnormally. The method comprises the steps of collecting and storing big data, extracting an SQL template and business data, analyzing the SQL template by using a K-Means clustering algorithm, constructing an incidence relation between the SQL template and the business data, extracting characteristics of the SQL template and establishing a characteristic model, and identifying abnormal behaviors according to a clustering algorithm analysis result, the incidence relation and the characteristic model. By the mode, the method and the system can refine the SQL template and the SQL data, perform machine learning and learn and mine the knowledge map, and finally identify unknown risks and deep attack behaviors without configuring other rules.

Description

A method and device for abnormal identification of user behavior

technical field

Embodiments of the present invention relate to the field of machine learning, and in particular, to a method and device for abnormal identification of user behavior.

Background technique

In the current big data environment, data security is a feature that is easily overlooked. Due to the neglect of data security management, the phenomenon of data leakage and exposure has become very common. Because database technology is widely used in various information management systems, transactions system, as well as various social software, social networking sites, online forums and other social systems. In these databases, a large number of personal privacy data such as names, ID numbers, personal passwords, etc. of customers are stored, and some financial privacy data such as bank card numbers and expiration dates of customers are also stored. As long as any personal data of anyone is stored in the database, whether it is a user or a company employee, the security of the database becomes very important. If effective protection measures are not taken, once the confidential information is stolen by criminals, it will not only lead to customers The leakage of private information may even lead to economic losses for customers. With the increase in the demand for data in the black market and the increase in profits from data leakage, illegal users of the intranet take the risk of illegally dragging and brushing the database to steal data and sell data. , Illegal modification and destruction of data have occurred from time to time.

It is difficult to identify such risky behaviors through preset security policies and rules. How to identify such abnormal behaviors among a large number of behaviors has become a difficult problem for the industry. The prior art retrieves and analyzes abnormal behaviors and users from a large number of database access behavior logs by presetting known abnormal behavior rules and policies. However, this method can only preset known risk behavior characteristics and rules, and still lack the ability to identify unknown risks.

SUMMARY OF THE INVENTION

The main technical problem solved by the embodiments of the present invention is to provide a method and device for abnormal identification of user behavior, which can extract SQL templates, SQL data, and perform machine learning, knowledge graph learning and mining, and ultimately do not need to configure other rules, Identify deep-seated aggressive behavior.

In order to solve the above technical problem, a technical solution adopted by the embodiments of the present invention is to provide a method for abnormal identification of user behavior, the method comprising: collecting and storing big data on database access logs; SQL template and business data are extracted from the SQL statement contained in it; K-Means clustering algorithm is used to analyze the extracted SQL template; knowledge graph is constructed for the extracted business data, and the SQL template and all the business data are constructed. Describe the association relationship of the business data, and save the association relationship in the analysis database; carry out habit feature extraction analysis on the extracted SQL template, and establish a user feature model; through the habit feature of the SQL template, the SQL template The association relationship between the template and the business data or the cluster analysis result of the SQL template is compared with the application user to identify abnormal behavior.

In the embodiment of the present invention, the collecting and storing the big data of the database access log of the application user further includes: collecting and storing the big data of the database access log of the application user; Logs are collected and stored for big data.

In the embodiment of the present invention, the habit features include blank lines, carriage return and line feed, table writing habit, capitalization habit, and data amount of each access

In an embodiment of the present invention, identifying abnormal behaviors by comparing the cluster analysis result of the SQL template with the application user includes:

For the application user, compare the analysis result obtained by the SQL template through the K-Means clustering algorithm with the department where the application account is located, identify user behaviors with obvious deviations in the department, and obtain the application user's Abnormal access behavior.

In an embodiment of the present invention, the identifying abnormal behavior by comparing the cluster analysis result of the SQL template with the application user further includes:

The database access log is limited to the SQL template of the application system itself, and once a new SQL template appears, it is considered that there is an SQL attack.

In an embodiment of the present invention, identifying the abnormal behavior through the association relationship between the SQL template and the business data includes:

The abnormal behavior is identified through the association relationship between the SQL template and the business data, and a profile analysis is performed on the operation behavior of the application user, so as to identify the abnormal access behavior of the application user.

In an embodiment of the present invention, the identifying abnormal behavior through the habitual feature of the SQL template includes:

For the client users who directly use the client to connect to the database account, by analyzing the SQL template for each client user, and analyzing the extracted features of the SQL template, abnormal behaviors are identified through the model.

The embodiment of the present invention also provides a device for abnormal identification of user behavior, the device includes: a data collection module: used to collect and store big data on database access logs; a data extraction module: used to access the database The SQL statement contained in the log extracts the SQL template and business data; the data analysis module is used to analyze the extracted SQL template using the K-Means clustering algorithm; the relationship construction module is used to analyze the extracted SQL template. The business data constructs a knowledge graph, constructs the association relationship between the SQL template and the business data, and saves the association relationship in the analysis library; feature extraction module: used to extract the habitual feature of the extracted SQL template Analysis to establish a user feature model; Behavior recognition module: used to compare with the application user through the habitual feature of the SQL template, the relationship between the SQL template and the business data or the cluster analysis result of the SQL template Identify abnormal behavior.

An embodiment of the present invention further provides an electronic device, comprising: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores a program executable by the at least one processor. Instructions executed by the at least one processor to enable the at least one processor to perform the method as described above.

An embodiment of the present invention further provides a non-volatile computer storage medium, characterized in that, the computer storage medium stores computer-executable instructions, and the computer-executable instructions are executed by one or more processors to cause all The one or more processors execute the above-mentioned method for abnormal identification of user behavior.

The beneficial effects of the embodiments of the present invention are: different from the situation in the prior art, the embodiments of the present invention provide a method and a device for abnormal identification of user behavior, the method includes collecting and storing big data, extracting SQL templates and Business data, use K-Means clustering algorithm to analyze SQL templates, build the relationship between SQL templates and business data, extract features from SQL templates and establish feature models, analyze results based on clustering algorithms, and identify association relationships and feature models Abnormal behavior. In the above manner, the embodiments of the present invention can extract SQL templates and SQL data, and perform machine learning and knowledge graph learning and mining. Finally, no other rules need to be configured, and unknown risks and deep-level attack behaviors can be identified.

Description of drawings

1 is a schematic flowchart of a method for abnormally identifying user behavior provided by an embodiment of the present invention;

2 is a schematic structural diagram of a device for abnormally identifying user behavior provided by an embodiment of the present invention;

FIG. 3 is a schematic diagram of a hardware structure of an electronic device provided by an embodiment of the present invention.

The following is a description of the drawings:

10: A device for abnormal identification of user behavior;

100: data acquisition module; 200: data extraction module; 300: data analysis module; 400: relation construction module; 500: feature extraction module; 600: behavior recognition module;

700: Electronic equipment;

701: processor; 702: memory.

Detailed ways

The present invention will be described in detail below with reference to specific embodiments. The following examples will help those skilled in the art to further understand the present invention, but do not limit the present invention in any form. It should be noted that, for those skilled in the art, several modifications and improvements can be made without departing from the concept of the present invention. These all belong to the protection scope of the present invention.

In order to make the purpose, technical solutions and advantages of the present application more clearly understood, the present application will be described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are only used to explain the present application, but not to limit the present application.

It should be noted that, if there is no conflict, various features in the embodiments of the present invention may be combined with each other, which are all within the protection scope of the present application. In addition, although the functional modules are divided in the schematic diagram of the device, and the logical sequence is shown in the flowchart, in some cases, the modules in the device may be divided differently, or the sequence shown in the flowchart may be performed. or the described steps. In addition, the words "first", "second" and "third" used herein do not limit the data and execution order, but only distinguish the same or similar items with substantially the same function and effect.

Unless otherwise defined, all technical and scientific terms used in this specification have the same meaning as commonly understood by one of ordinary skill in the technical field of the present invention. The terms used in the description of the present invention in this specification are only for the purpose of describing specific embodiments, and are not used to limit the present invention. As used in this specification, the term "and/or" includes any and all combinations of one or more of the associated listed items.

In addition, the technical features involved in the various embodiments of the present invention described below can be combined with each other as long as they do not conflict with each other.

Referring to FIG. 1, FIG. 1 is a schematic flowchart of a method for abnormally identifying user behavior according to an embodiment of the present invention, and the method includes:

Step S100: collecting and storing big data;

In a multi-transaction database system, each transaction that accesses the database has several operation steps, and the access log is used to record certain situations about a transaction that has been done, such as blank lines during the access operation, carriage return and line feed. situation and the amount of data accessed, etc.

In one embodiment of the present invention, the database access logs of application users are collected and stored in big data, and operation and maintenance personnel and data analysts are also included in the collection and storage of big data for logs that directly use database client tools to access the database.

In an embodiment of the present invention, big data collection is performed on the access data, and the collected SQL statement when the user accesses the database is stored, and the SQL statement includes an SQL template and business data.

Step S200: extracting SQL templates and business data;

In an enterprise, departments are usually divided according to functions, so different departments have different functions, so the purpose of accessing the database can be distinguished according to the department. Therefore, the SQL templates used by personnel in each department and the business data accessed can also be distinguished according to their departments. In addition, the amount of SQL template data is fixed within a certain amount, and the template form will not change. Therefore, new SQL templates do not appear in general.

For example, a company has functional departments such as the finance department, R&D department, and sales department. According to the functions of the application users, such as personnel in the finance department, their access to the database is mainly reflected in the daily accounting business, invoice management and tax system work. Most of the data is financial revenue and expenditure data; the access to the database by the R&D department personnel is mainly reflected in obtaining the company's product information and entering product data information, etc.; the sales department personnel's access to the database is mainly reflected in obtaining the company's sales plan and entering customer order information. Due to different functions, the SQL templates and business data contained in the SQL statements that the personnel of each department access to the database are related to their departments. In addition, it should be noted that the designated department personnel do not use other templates to access other data, but the frequency is relatively low or almost zero.

In one embodiment of the present invention, the SQL template and business data are extracted from the SQL statements contained in the database access log collected in step S100,

Step S300: use the K-Means clustering algorithm to analyze the SQL template;

K-Means clustering algorithm is an iterative clustering analysis algorithm. Clustering is a process of classifying and organizing data members that are similar in some aspects of the data set. Clustering is a discovery Techniques for this inherent structure, clustering techniques are often referred to as unsupervised learning.

It can be seen from the above that the SQL templates and business data contained in the SQL statements that the personnel of each department access the database are related to their departments, but this relationship is not embodied in the machine, so it is necessary to perform certain operations on the SQL templates. sort.

In an embodiment of the present invention, the SQL template extracted in step S200 is divided into several categories according to the number of departments. If there are three departments in total, the number of categories to be clustered is selected to be 3, and 3 center points are selected. The center point is the three SQL templates selected from many sample SQL templates, and then for each sample point, find the center point closest to it, and the point closest to the same center point is a class, thus completing a clustering . Before completing the clustering, it is also necessary to judge whether the categories of the sample points before and after the clustering are the same. If they are the same, the algorithm is terminated. If they are not the same, the center points of these sample points are calculated for the sample points in each category. , as the new center point of the class, continue to find the closest center point for each sample point.

After the above steps, the extracted SQL templates can be divided into three categories: A type SQL template, B type SQL template and C type SQL template, corresponding to the finance department, R&D department and sales department respectively. That is, the SQL templates used by the personnel of the finance department to access the database are mainly type A SQL templates, and may also use type B and C SQL templates, but the probability is low; the SQL templates used by the personnel of the R&D department to access the database are mainly type B SQL templates. A and C SQL templates may also be used, but the probability is low; the SQL templates used by sales staff to access the database are mainly C SQL templates, and A and B SQL templates may also be used, but the probability is low.

Step S400: build an association relationship between the SQL template and the business data;

Knowledge graph is called knowledge domain visualization or knowledge domain mapping map in the library and information industry. It is a series of different graphs showing the development process and structural relationship of knowledge. , map and display knowledge and the interconnections between them. The architecture of the knowledge graph mainly includes its own logical structure and architecture. The knowledge graph can be divided into two levels: the schema layer and the data layer in the logical structure. The data layer is mainly composed of a series of facts, and knowledge will be based on facts. to store. The schema layer is built on top of the data layer, mainly through the ontology library to standardize a series of fact expressions in the data layer. The architecture of the knowledge graph refers to the structure of its construction mode.

In an embodiment of the present invention, the business data extracted from step S200 is constructed as the data layer of the knowledge graph, the SQL template extracted from step S200 is constructed as the schema layer of the knowledge graph, and the data layer and the schema layer are established. The relationship between them, that is, the relationship between the SQL template and the business data.

Step S500: perform feature extraction on the SQL template to establish a feature model;

In an embodiment of the present invention, for the operation and maintenance personnel or data analysts who directly use the client to connect to the database account, the variability of the SQL template used for accessing the database is higher than that of the application user's SQL template. Even so, because everyone's writing habits are different, it is possible to analyze the blank lines, carriage return, line feed, table writing habits and size in the writing process of the SQL template by analyzing each client user. According to the writing habits and the amount of data accessed each time, feature extraction is performed on this, and a feature model is established through the extracted features.

Step S600: Identify abnormal behaviors according to clustering algorithm analysis results, association relationships and feature models.

In one embodiment of the present invention, the abnormal behavior can be identified by comparing the cluster analysis result of the SQL template with the application user. User behaviors with obvious deviations in the department can be identified. For example, the SQL template mainly used by the finance department is the A-type SQL template, while some users use the B-type SQL template, some do not use it, and some use it very frequently. Therefore, It can be analyzed that some users in this department have abnormal behaviors, which can be observed. At the same time, since the access database log is limited to the SQL template of the application system itself, the data volume of the SQL template is fixed at a certain amount. Therefore, once a new SQL template appears, it can be determined that there is an SQL attack.

Secondly, abnormal behaviors can also be identified through the relationship between SQL templates and business data. For example, the data accessed by the finance department personnel who use the A-type template is mainly financial revenue and expenditure data, that is, the B-type template and the financial revenue and expenditure data are established. Association relationship, when the personnel of the finance department use the B-type template to access the financial income and expenditure data, the behavior is normal. If a user in the finance department accesses the database by viewing research and development materials, etc., the user's abnormal behavior can be obtained by analyzing the user's operation behavior through the association relationship of the knowledge graph.

Finally, abnormal behaviors can also be identified through the habit characteristics of the SQL template. Since everyone has their own handwriting habits, through the analysis of the SQL template of each user's database access log, blank lines, carriage returns and line feeds can be extracted. According to the characteristics of the situation, table writing, capitalization, and the amount of data accessed each time, abnormal behaviors are identified through the model according to the extracted features.

Different from the prior art, the present invention provides a method for abnormal identification of SQL handwriting features. The method includes collecting and storing big data, extracting SQL templates and business data, and using K-Means clustering algorithm to analyze the SQL templates. , Construct the relationship between SQL templates and business data, extract features from SQL templates and establish feature models, and identify abnormal behaviors according to clustering algorithm analysis results, relationships and feature models. In the above manner, the embodiments of the present invention can extract SQL templates and SQL data, and perform machine learning and knowledge graph learning and mining. Finally, no other rules need to be configured, and unknown risks and deep-level attack behaviors can be identified.

Please refer to FIG. 2. FIG. 2 is a device for abnormally identifying SQL handwriting features provided by an embodiment of the present invention. The device includes: a data acquisition module 100, a data extraction module 200, a data analysis module 300, a relationship construction module 400, Feature extraction module 500 and behavior recognition module 600 .

Among them, the data collection module 100 is used to collect and store big data for database access logs of application users, and also includes operation and maintenance personnel and data analysts to collect and store big data for logs that directly use database client tools to access the database. Data collection and storage.

The data extraction module 200 is configured to extract SQL templates and business data from the SQL statements contained in the database access logs collected by the data collection module 100 .

The data analysis module 300 is used to divide the SQL template extracted by the data extraction module 200 into several categories. If there are three departments, the number of categories to be clustered is selected as 3, and 3 center points are selected, and the center points are Three SQL templates are selected from many sample SQL templates, and then for each sample point, the closest center point is found, and the closest point to the same center point is a class, thus completing a clustering. Before completing the clustering, it is also necessary to judge whether the categories of the sample points before and after the clustering are the same. If they are the same, the algorithm is terminated. If they are not the same, the center points of these sample points are calculated for the sample points in each category. , as the new center point of the class, continue to find the closest center point for each sample point.

The relationship construction module 400 is used to construct the business data extracted from the data extraction module 200 as a data layer of the knowledge graph, construct the SQL template extracted from the data extraction module 200 as a schema layer of the knowledge graph, and establish the data layer and the schema. The relationship between layers, that is, the relationship between the SQL template and the business data.

The feature extraction module 500 is used to analyze each client user, and analyzes the situation of blank lines in the writing process in its SQL template, the situation of carriage return and line feed, the writing habits of tables, capitalization habits, and the data volume of each access, Feature extraction is performed on this, and a feature model is established through the extracted features.

The behavior identification module 600 is configured to identify abnormal behaviors by comparing the cluster analysis result of the SQL template with the application user. User behaviors with obvious deviations in the department can be identified. For example, the SQL template mainly used by the finance department is the A-type SQL template, while some users use the B-type SQL template, some do not use it, and some use it very frequently. Therefore, It can be analyzed that some users in this department have abnormal behaviors, which can be observed. At the same time, since the access database log is limited to the SQL template of the application system itself, the data volume of the SQL template is fixed at a certain amount. Therefore, once a new SQL template appears, it can be determined that there is an SQL attack.

Secondly, it can also be used to identify abnormal behaviors through the relationship between SQL templates and business data. For example, the data accessed by the finance department personnel who use the A-type template is mainly financial revenue and expenditure data, that is, the B-type template is established with the financial revenue and expenditure data. The association relationship is established. When the personnel of the finance department use the B-type template to access the financial income and expenditure data, the behavior is normal. If a user in the finance department accesses the database by viewing research and development materials, etc., the user's abnormal behavior can be obtained by analyzing the user's operation behavior through the association relationship of the knowledge graph.

Finally, it can also be used to identify abnormal behaviors through the habit characteristics of SQL templates. Since everyone has their own handwriting habits, by analyzing the SQL template of each user's database access log, blank lines, carriage return and line feed can be extracted. The situation of the table, the writing situation of the table, the capitalization situation, the amount of data accessed each time and other characteristics, according to the extracted characteristics, the abnormal behavior is identified through the model.

FIG. 3 is a schematic diagram of a hardware structure of an electronic device provided by an embodiment of the present invention. As shown in FIG. 3 , the electronic device 700 includes:

One or more processors 701 and a memory 702, one processor 701 is taken as an example in FIG. 3 .

The processor 701 and the memory 702 may be connected through a bus or in other ways, and the connection through a bus is taken as an example in FIG. 3 .

As a non-volatile computer-readable storage medium, the memory 702 can be used to store non-volatile software programs, non-volatile computer-executable programs and modules. The processor 701 executes various functional applications and data processing of the electronic device by running the non-volatile software programs, instructions and units stored in the memory 702, that is, to realize the drawing of data maps based on the gallery and the sorting of the flow direction of the above method embodiments. Methods.

The memory 702 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the electronic device, and the like. Additionally, memory 702 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, memory 702 may optionally include memory located remotely from processor 701, which may be connected to the electronic device via a network. Examples of such networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.

The one or more units are stored in the memory 702, and when executed by the one or more processors 701, execute a method for abnormally identifying user behavior in any of the above method embodiments, for example, Steps S100 to S600 of the method in FIG. 1 described above are executed to realize the functions of the modules 100 - 600 in FIG. 2 .

The above electronic device can execute the method for abnormal identification of user behavior provided by the embodiment of the present invention, and has program modules and beneficial effects corresponding to the execution method. For technical details that are not described in detail in the embodiments of the electronic device, reference may be made to a method for abnormal identification of user behavior provided by the embodiments of the present invention.

Embodiments of the present invention also provide a non-volatile computer-readable storage medium, and the non-volatile computer-readable storage medium may be included in the device described in the foregoing embodiments; or may exist independently, and Not assembled into this device. The above-mentioned non-volatile computer-readable storage medium carries one or more programs, and when the above-mentioned one or more programs are executed, the methods of the embodiments of the present disclosure are implemented.

The electronic devices of the embodiments of the present application exist in various forms, including but not limited to:

(1) Mobile communication equipment: This type of equipment is characterized by having mobile communication functions, and its main goal is to provide voice and data communication. Such terminals include: smart phones (eg iPhone), multimedia phones, feature phones, and low-end phones.

(2) Ultra-mobile personal computer equipment: This type of equipment belongs to the category of personal computers, has computing and processing functions, and generally has the characteristics of mobile Internet access. Such terminals include: PDAs, MIDs, and UMPC devices, such as iPads.

(3) Portable entertainment equipment: This type of equipment can display and play multimedia content. Such devices include: audio and video players (eg iPod), handheld game consoles, e-books, as well as smart toys and portable car navigation devices.

(4) Server: A device that provides computing services. The composition of the server includes a processor, a hard disk, a memory, a system bus, etc. The server is similar to a general computer architecture, but due to the need to provide highly reliable services, the processing power, stability , reliability, security, scalability, manageability and other aspects of high requirements.

(5) Other electronic devices.

The device embodiments described above are only illustrative, wherein the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in One place, or it can be distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution in this embodiment.

From the description of the above embodiments, those of ordinary skill in the art can clearly understand that each embodiment can be implemented by means of software plus a general hardware platform, and certainly can also be implemented by hardware. Those of ordinary skill in the art can understand that all or part of the processes in the methods of the above embodiments can be completed by instructing the relevant hardware through a computer program, and the program can be stored in a computer-readable storage medium, and the program is During execution, it may include the processes of the embodiments of the above-mentioned methods. The storage medium may be a magnetic disk, an optical disk, a read-only memory (Read-Only Memory, ROM), or a random access memory (Random Access Memory, RAM) or the like.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, but not to limit them; under the idea of the present invention, the technical features in the above embodiments or different embodiments can also be combined, The steps may be carried out in any order, and there are many other variations of the different aspects of the invention as described above, which are not provided in detail for the sake of brevity; although the invention has been The skilled person should understand that it is still possible to modify the technical solutions recorded in the foregoing embodiments, or to perform equivalent replacements on some of the technical features; and these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the implementation of the application. scope of technical solutions.

Claims (10)

1. a method for abnormal identification of user behavior is characterized in that, comprising: Big data collection and storage of database access logs; Extract the SQL template and business data from the SQL statement contained in the database access log; The extracted SQL template is analyzed using K-Means clustering algorithm; Constructing a knowledge graph for the extracted business data, constructing an association relationship between the SQL template and the business data, and saving the association relationship in an analysis library; Carry out habit feature extraction analysis on the extracted SQL template, and establish a user feature model; The abnormal behavior is identified by comparing the habitual feature of the SQL template, the association relationship between the SQL template and the business data, or the cluster analysis result of the SQL template and the application user. 2. The method according to claim 1, wherein the collecting and storing the big data on the database access log further comprises: collecting and storing the big data on the database access log of the application user; The tool accesses the logs of the database for big data collection and storage. 3 . The method according to claim 1 , wherein the habit characteristics include blank lines, carriage return and line feed, table writing habit, capitalization habit, and data volume of each access. 4 . 4. method according to claim 1, is characterized in that, described by the cluster analysis result of described SQL template and application user to compare and identify abnormal behavior comprising: For the application user, compare the analysis result obtained by the SQL template through the K-Means clustering algorithm with the department where the application account is located, identify user behaviors with obvious deviations in the department, and obtain the application user's Abnormal access behavior. 5. method according to claim 4, is characterized in that, described by the cluster analysis result of described SQL template and application user to compare and identify abnormal behavior and also comprise: The database access log is limited to the SQL template of the application system itself, and once a new SQL template appears, it is considered that there is an SQL attack. 6. The method according to claim 1, wherein identifying abnormal behavior through the association relationship between the SQL template and the business data comprises: The abnormal behavior is identified through the association relationship between the SQL template and the business data, and a profile analysis is performed on the operation behavior of the application user, so as to identify the abnormal access behavior of the application user. 7. The method according to claim 1, wherein the identifying abnormal behavior by the habitual feature of the SQL template comprises: For the client users who directly use the client to connect to the database account, by analyzing the SQL template for each client user, and analyzing the extracted features of the SQL template, abnormal behaviors are identified through the model. 8. A device for abnormal identification of user behavior, characterized in that, comprising: Data collection module: used for big data collection and storage of database access logs; Data extraction module: for extracting SQL templates and business data from the SQL statements contained in the database access log; Data analysis module: used to analyze the extracted SQL template using K-Means clustering algorithm; Relationship construction module: used to construct a knowledge graph for the extracted business data, construct an association relationship between the SQL template and the business data, and save the association relationship in an analysis library; Feature extraction module: used to extract and analyze the habitual feature of the extracted SQL template, and establish a user feature model; Behavior identification module: used to identify abnormal behaviors by comparing the habitual characteristics of the SQL template, the association relationship between the SQL template and the business data, or the cluster analysis result of the SQL template with the application user. 9. An electronic device, characterized in that, comprising: at least one processor; and, a memory communicatively coupled to the at least one processor; wherein, The memory stores instructions executable by the at least one processor, the instructions being executed by the at least one processor to enable the at least one processor to perform the execution of any of claims 1-7 Methods. 10. A non-volatile computer storage medium, wherein the computer storage medium stores computer-executable instructions that are executed by one or more processors to cause the one or more The processor executes the method for abnormal identification of user behavior according to any one of claims 1 to 7.

Images