CN112491602A - Behavior data monitoring method and device, computer equipment and medium - Google Patents


Publication number
CN112491602A
Authority
CN
China
Prior art keywords
log
behavior
user identifier
target
data
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011286429.3A
Other languages
Chinese (zh)
Other versions
CN112491602B (en)
Inventor
邱贵昌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Property and Casualty Insurance Company of China Ltd
Original Assignee
Ping An Property and Casualty Insurance Company of China Ltd
Application filed by Ping An Property and Casualty Insurance Company of China Ltd
Priority to CN202011286429.3A
Publication of CN112491602A
Application granted
Publication of CN112491602B
Active


Abstract

The invention relates to the field of artificial intelligence and discloses a behavior data monitoring method, a behavior data monitoring device, computer equipment and a storage medium. The method comprises: each time an access request is detected, acquiring a user identifier from the access request and generating a random character string based on the user identifier; adding the random character string into a request message and a response message, generating log data according to the request message and the response message, and storing the log data into a log cloud platform; when a query request aimed at user operation behavior is received, acquiring the user identifier contained in the query request as a target user identifier, and acquiring the log data corresponding to the target user identifier from the log cloud platform as a target log; analyzing the behavior trajectory of the target log to obtain a visual behavior trajectory corresponding to the target user identifier; and judging whether the operation behavior corresponding to the target user identifier is abnormal based on the visual behavior trajectory.

Description

Behavior data monitoring method and device, computer equipment and medium
Technical Field
The invention relates to the field of artificial intelligence, in particular to a behavior data monitoring method, a behavior data monitoring device, computer equipment and a medium.
Background
With the rapid development of the social economy, the business scope of some enterprises is becoming more and more extensive. Most enterprises adopt a distributed log cloud platform to store the logs of different business sites or APPs, and the existing log cloud platform mainly comprises modules such as log acquisition, log analysis, log storage, log search and log analysis. Massive log data are collected, split by field and stored, so that developers can conveniently check logs and locate problems, and perform statistical analysis and data mining on the logs. An enterprise has many systems and a large number of hosts; without a unified log cloud platform, it is difficult to perform a complete correlation analysis when auditing a security incident or investigating abnormal business access. The unified log cloud platform is therefore an important platform for enterprise security monitoring and data mining.
The existing log cloud platform can only show one fixed record at a time and cannot connect records in series for analysis. It is difficult to see clearly where a given log comes from and goes to, which page and which system initiated the request, which system it jumped to, and what the whole flow was. When it is necessary to investigate whether a salesman's account is abnormal, the time sequence is disordered, so it is difficult to associate all the systems jumped to and to analyze whether a request was initiated by a client, and the monitoring efficiency of user behavior data is low.
Disclosure of Invention
The embodiment of the invention provides a behavior data monitoring method and device, computer equipment and a storage medium, and aims to improve the monitoring efficiency of behavior data.
In order to solve the foregoing technical problem, an embodiment of the present application provides a method for monitoring behavior data, including:
when an access request is detected each time, acquiring a user identifier from the access request, and generating a random character string based on the user identifier;
adding the random character string into a request message and a response message, generating log data according to the request message and the response message, and storing the log data to a log cloud platform;
if an inquiry request aiming at user operation behaviors is received, acquiring a user identifier contained in the inquiry request as a target user identifier, and acquiring log data corresponding to the target user identifier from the log cloud platform as a target log;
analyzing the behavior track of the target log to obtain a visual behavior track corresponding to the target user identifier;
and judging whether the operation behavior corresponding to the target user identification is abnormal or not based on the visual behavior track.
Optionally, the request packet and the response packet contain a log jump parameter field, and adding the random character string into the request packet and the response packet includes:
analyzing the request message, and adding the random character string into a log jump parameter field of the request message to obtain an updated request message;
and generating the response message based on the updated request message.
Optionally, the storing the log data to a log cloud platform includes:
collecting the log data according to a preset time interval by adopting a timing script, and compressing the collected log data to obtain compressed data;
uploading the compressed log data to a distributed file system for storage;
slicing the program running logs stored in the distributed file system to form a plurality of slicing tasks, and analyzing log files corresponding to each slicing task;
and storing the data classification statistical result into a log cloud platform according to the request interface path for the log file corresponding to each slice task after analysis.
Optionally, the query request includes a query time range and a query path range, and the obtaining, from the log cloud platform, log data corresponding to the target user identifier as a target log includes:
executing query processing in the log cloud platform based on the query time range and the query path range to obtain an initial query result;
and traversing the initial query result to obtain log data containing the target user identification as the target log.
Optionally, the analyzing the behavior trace of the target log to obtain a visual behavior trace corresponding to the target user identifier includes:
acquiring a random character string contained in each target log, and taking the target logs with the same random character string as a group of behavior logs;
for each group of behavior logs, sequencing according to log generation time points to obtain access sequences corresponding to the behavior logs;
and for each access sequence, extracting the behavior record of each log in the access sequence, and connecting the behavior records in series according to the sequence of the behavior logs in the access sequence to obtain a behavior track.
Optionally, after determining whether the operation behavior corresponding to the target user identifier is abnormal based on the visualized behavior trajectory, the method for monitoring behavior data further includes:
and if the judgment result shows that the operation behavior corresponding to the target user identification is abnormal, executing early warning processing according to a preset early warning mode.
In order to solve the foregoing technical problem, an embodiment of the present application further provides a monitoring device for behavior data, including:
the character string generating module is used for acquiring a user identifier from an access request every time the access request is detected, and generating a random character string based on the user identifier;
the log acquisition module is used for adding the random character string into a request message and a response message, generating log data according to the request message and the response message, and storing the log data into a log cloud platform;
the log query module is used for acquiring a user identifier contained in a query request as a target user identifier if the query request aiming at the user operation behavior is received, and acquiring log data corresponding to the target user identifier from the log cloud platform as a target log;
the behavior visualization module is used for analyzing the behavior track of the target log to obtain a visualization behavior track corresponding to the target user identifier;
and the abnormity judgment module is used for judging whether the operation behavior corresponding to the target user identifier is abnormal or not based on the visual behavior track.
Optionally, the log collection module includes:
a request message updating unit, configured to parse the request message, and add the random character string to a log skip parameter field of the request message, to obtain an updated request message;
and the response message generating unit is used for generating the response message based on the updated request message.
Optionally, the log collection module further includes:
the timing acquisition unit is used for collecting the log data according to a preset time interval by adopting a timing script and compressing the collected log data to obtain compressed data;
the distributed transmission unit is used for uploading the compressed log data to a distributed file system for storage;
the slicing analysis unit is used for slicing the program running logs stored in the distributed file system to form a plurality of slicing tasks and analyzing log files corresponding to the slicing tasks;
and the classification storage unit is used for storing the data classification statistical result into the log cloud platform according to the request interface path of the log file corresponding to each analyzed slicing task.
Optionally, the log query module includes:
the initial query unit is used for executing query processing in the log cloud platform based on the query time range and the query path range to obtain an initial query result;
and the traversal query unit is used for traversing the initial query result to acquire log data containing the target user identifier as the target log.
Optionally, the behavior visualization module comprises:
the grouping unit is used for acquiring the random character strings contained in each target log and taking the target logs with the same random character strings as a group of behavior logs;
the sorting unit is used for sorting each group of behavior logs according to the log generation time point to obtain an access sequence corresponding to the behavior logs;
and the log association unit is used for extracting the behavior record of each log in the access sequence aiming at each access sequence, and connecting the behavior records in series according to the sequence of the behavior logs in the access sequence to obtain a behavior track.
Optionally, the monitoring device for behavior data further includes:
and the early warning module is used for executing early warning processing according to a preset early warning mode if the judgment result shows that the operation behavior corresponding to the target user identification is abnormal.
In order to solve the above technical problem, an embodiment of the present application further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the monitoring method for behavior data when executing the computer program.
In order to solve the above technical problem, an embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored, and the computer program, when executed by a processor, implements the steps of the above behavior data monitoring method.
With the behavior data monitoring method, device, computer equipment and storage medium provided by the embodiments of the invention, each time an access request is detected, the user identifier is acquired from the access request, a random character string is generated based on the user identifier, the random character string is added into the request message and the response message, log data is generated according to the request message and the response message, and the log data is stored into the log cloud platform. Because each behavior generates a different random code, the log data of the same user's access behaviors at different times can be distinguished, which helps improve the accuracy of subsequent log queries. Meanwhile, when a query request aimed at user operation behavior is received, the user identifier contained in the query request is acquired as the target user identifier, the log data corresponding to the target user identifier is acquired from the log cloud platform as the target log, behavior trajectory analysis is performed on the target log to obtain the visual behavior trajectory corresponding to the target user identifier, and whether the operation behavior corresponding to the target user identifier is abnormal is judged based on the visual behavior trajectory. This realizes visual analysis and judgment of the behavior trajectory and improves the monitoring efficiency of behavior data.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without inventive labor.
FIG. 1 is an exemplary system architecture diagram in which the present application may be applied;
FIG. 2 is a flow diagram of one embodiment of a method for monitoring behavioral data of the present application;
FIG. 3 is a schematic block diagram of one embodiment of a behavioral data monitoring apparatus according to the present application;
FIG. 4 is a schematic block diagram of one embodiment of a computer device according to the present application.
Detailed Description
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used in the description of the application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "including" and "having," and any variations thereof, in the description and claims of this application and the description of the above figures are intended to cover non-exclusive inclusions. The terms "first," "second," and the like in the description and claims of this application or in the above-described drawings are used for distinguishing between different objects and not for describing a particular order.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, a system architecture 100 may include terminal devices 101, 102, 103, a network 104 and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired links, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like.
The terminal devices 101, 102, 103 may be various electronic devices having display screens and supporting web browsing, including but not limited to smart phones, tablet computers, e-book readers, MP3 players (Moving Picture Experts Group Audio Layer III), MP4 players (Moving Picture Experts Group Audio Layer IV), laptop portable computers, desktop computers, and the like.
The server 105 may be a server providing various services, such as a background server providing support for pages displayed on the terminal devices 101, 102, 103.
It should be noted that the monitoring method for behavior data provided in the embodiments of the present application is executed by a server, and accordingly, a monitoring device for behavior data is disposed in the server.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. Any number of terminal devices, networks and servers may be provided according to implementation needs, and the terminal devices 101, 102 and 103 in this embodiment may specifically correspond to an application system in actual production.
Referring to fig. 2, fig. 2 shows a method for monitoring behavior data according to an embodiment of the present invention, which is described by taking the method applied to the server in fig. 1 as an example, and is detailed as follows:
S201: each time an access request is detected, acquiring the user identifier from the access request, and generating a random character string based on the user identifier.
Specifically, the embodiment is applied to a scenario of a multi-application system, and after an access request is detected each time, a user identifier is obtained from the access request, and a random character string is generated based on the user identifier.
The user identifier may specifically be a symbol used for uniquely determining the user identity, such as a user name, a user certificate number, a user job number, and the like, and may specifically be one or a combination of multiple characters, numbers, and letters.
The random character string is generated based on the user identifier, and the generation manner may be set according to actual needs, for example, the user identifier and a specific encryption algorithm are used to generate the random character string, and the like, which is not limited herein.
S202: adding the random character string into the request message and the response message, generating log data according to the request message and the response message, and storing the log data to a log cloud platform.
Specifically, the original request message and response message include a source IP, a target IP, a uuid, a UID, an operation time, and the like. In the present application, the random character string generated from the user identifier in step S201 is added to the request message and the response message, so that the log file generated from them includes the random character string corresponding to the user identifier, and the generated log data is stored in the log cloud platform.
It is easy to understand that the application scenario of this embodiment includes multiple application systems. In a conventional log platform, the log files of different systems may be stored in different locations, and when a user uses multiple systems it is difficult to analyze, for a given log, the jump address (where it came from), the destination address (where it goes), the request source (which page and which system initiated the request), and the overall flow. Access logs associated with multiple systems are therefore hard to correlate and the logs are disordered, which is a difficulty of log analysis. In this embodiment, logs are collected on the basis of the original log cloud platform: user access request packets and response packets (html, js, jpg, css, and other unnecessary sensitive fields, and response packets can be collected), together with basic elements such as source IP, destination IP, uuid, UID, user-agent, x-forwarded-for and time. The original log cloud platform is modified by adding a log jump parameter field to each request packet and response packet; the background generates a random character string according to the user request to identify and track the jumps of the user's access logs, so that each request access log of a user, and the access logs of the systems jumped to, can be connected in series in order.
According to this field, the system that is jumped to after a user clicks a certain link or queries certain data can be found, and the user access log is collected and stored. If a certain click behavior of a user later needs to be checked, any log of that user can be searched for in the log cloud platform, and the client behavior track can be visualized according to the character string of the jump parameter, so that the access behavior of the user can be clearly seen.
The log cloud platform is a distributed log storage cloud platform, and the distributed log storage cloud platform is beneficial to processing in a distributed task mode during log analysis and retrieval in the follow-up process, so that the processing efficiency is improved.
S203: if a query request aimed at user operation behavior is received, acquiring the user identifier contained in the query request as a target user identifier, and acquiring log data corresponding to the target user identifier from the log cloud platform as a target log.
Specifically, when a query request for user operation behavior is received, the user identifier included in the query request is obtained and used as the target user identifier, and the log data corresponding to the target user identifier is obtained by querying the log cloud platform and used as the target log.
It should be understood that, in steps S201 and S202, a random character string is added for each access request of each user identifier, a log file is generated, and the log file is stored in the log cloud platform, so the log cloud platform contains many records for many user identifiers. To improve query efficiency, this embodiment provides a preferred manner: the query request for user operation behavior defines the time range of the query and the system range of the query. This reduces the amount of data queried and improves query efficiency, and it also reduces the data in the target log, which helps the subsequent precise positioning of the user behavior trajectory.
S204: analyzing the behavior track of the target log to obtain a visual behavior track corresponding to the target user identifier.
Specifically, data analysis is performed on the obtained target log to determine the behavior trace of the user's operation behavior, and the behavior trace is visualized. The visualization can be implemented by modeling with a data visualization tool; data visualization tools for this scenario include but are not limited to Leaflet, Ali DataV, etc. The specific process of analyzing the behavior trace of the target log to obtain the visual behavior trace corresponding to the target user identifier is described in a subsequent embodiment and is not repeated here.
S205: judging whether the operation behavior corresponding to the target user identifier is abnormal based on the visual behavior track.
Specifically, the visual behavior track is compared with the operations that need to be executed to achieve the target operation, to judge whether the operation behavior corresponding to the target user identifier is abnormal; if it is abnormal, the cause of the abnormality is analyzed according to the difference between the two, and an early warning is issued.
In a specific implementation, if the obtained visual behavior track shows that the log records no js, html or jpg file requests and the interface is accessed directly to query data, the user's account may be using a crawler or a robot to traverse and crawl data. The abnormal operation behavior logs of the business staff member are accurately located, an early warning mail is sent, and the matter is notified and handled in time.
In this embodiment, each time an access request is detected, a user identifier is obtained from the access request, a random character string is generated based on the user identifier, the random character string is added into the request message and the response message, log data is generated according to the request message and the response message, and the log data is stored in the log cloud platform. Because each behavior generates a different random code, the log data of different access behaviors of the same user are distinguished, which improves the accuracy of subsequent log queries. Meanwhile, when a query request aimed at user operation behavior is received, the user identifier contained in the query request is obtained as the target user identifier, the log data corresponding to the target user identifier is obtained from the log cloud platform as the target log, behavior trajectory analysis is carried out on the target log to obtain the visual behavior trajectory corresponding to the target user identifier, and whether the operation behavior corresponding to the target user identifier is abnormal is judged based on the visual behavior trajectory. The behavior track is thus analyzed and judged visually, and the monitoring efficiency of behavior data is improved.
In some optional implementation manners of this embodiment, in step S201, the request packet and the response packet include a log jump parameter field, and adding the random character string to the request packet and the response packet includes:
analyzing the request message, and adding the random character string into a log jump parameter field of the request message to obtain an updated request message;
and generating a response message based on the updated request message.
In this embodiment, the generated random character string is added into the request message, so that all logs of one behavior carry the same random character string while different behaviors carry different character strings, which improves the accuracy of grouping each behavior of the same user.
In some optional implementation manners of this embodiment, in step S202, storing the log data to the log cloud platform includes:
collecting log data according to a preset time interval by adopting a timing script, and compressing the collected log data to obtain compressed data;
uploading the compressed log data to a distributed file system for storage;
slicing program running logs stored in a distributed file system to form a plurality of slicing tasks, and analyzing log files corresponding to the slicing tasks;
and storing the data classification statistical result into a log cloud platform according to the request interface path for the log file corresponding to each slice task after analysis.
The preset time interval can be set according to actual requirements.
Specifically, a timing script collects log data at the preset time interval; the collected log data is compressed and stored in the distributed file system, slice analysis is performed, and the analysis result is stored in the log cloud platform. Subsequent processing can then obtain results by querying the analyzed results directly, which improves the efficiency of generating the subsequent visual track.
In some optional implementation manners of this embodiment, in step S203, the query request includes a query time range and a query path range, and acquiring the log data corresponding to the target user identifier from the log cloud platform as the target log includes:
executing query processing in the log cloud platform based on the query time range and the query path range to obtain an initial query result;
and traversing the initial query result, and acquiring log data containing the target user identifier as a target log.
Specifically, query processing is executed in the log cloud platform according to the query time range and the query path range to obtain an initial query result, and the initial query result is then traversed to obtain the log data containing the target user identifier as the target log, which improves the query efficiency.
The query time range refers to a query time interval, for example, March 2, 2020 to March 5, 2020, and the query path range refers to the system or application that generated the logs to be queried.
In the embodiment, the query time range and the query system range are limited in the query request of the user operation behavior, so that the query data volume is reduced, the query efficiency is improved, and meanwhile, the data of the target log is reduced, which is beneficial to the accurate positioning of the user behavior track in the follow-up process.
In some optional implementation manners of this embodiment, in step S204, performing behavior trajectory analysis on the target log to obtain a visual behavior trajectory corresponding to the target user identifier includes:
acquiring a random character string contained in each target log, and taking the target logs with the same random character string as a group of behavior logs;
for each group of behavior logs, sequencing according to the log generation time point to obtain an access sequence corresponding to the behavior logs;
and extracting the behavior record of each log in the access sequence aiming at each access sequence, and connecting the behavior records in series according to the sequence of the behavior logs in the access sequence to obtain a behavior track.
Specifically, target logs with the same random character string are placed in one group, so that the behavior logs of each individual user access are packaged separately. Each group is sorted by time point to obtain the access sequence corresponding to the behavior logs. For each access sequence, the behavior record of each log in the sequence is extracted, and the behavior records are connected in series in the order of the behavior logs in the access sequence to obtain a behavior trajectory.
Specifically, a visualization tool can be used: the time of each behavior record, the corresponding access path and the access behavior are obtained and input into the visualization tool as node data, and the tool connects the node data in series to obtain the behavior trajectory.
In this embodiment, behavior trajectory analysis is performed on the target log to obtain the visual behavior trajectory corresponding to the target user identifier, so that whether an abnormality exists can subsequently be determined quickly from the visual behavior trajectory, which improves the efficiency of behavior data monitoring.
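An added example, not code from the patent: the query of step S203 (time range and path range first, then the target user identifier) followed by the grouping, sorting and concatenation of step S204. The record fields, the path-prefix reading of the query path range and the sample logs are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (time, path, user id, random string, behavior).
# Deliberately out of order; the last record has lost its random string.
SAMPLE_LOGS = [
    ("2020-03-02T09:00:07", "/claims/export", "u1001", "a9f3", "export claim list"),
    ("2020-03-02T09:00:01", "/claims/login", "u1001", "a9f3", "login"),
    ("2020-03-02T09:00:04", "/claims/search", "u1001", "a9f3", "search policy"),
    ("2020-03-03T14:10:00", "/claims/view", "u1001", "c7d2", "view claim"),
    ("2020-03-03T14:09:30", "/claims/login", "u1001", "c7d2", "login"),
    ("2020-03-02T09:00:03", "/claims/view", "u2002", "b1e8", "view claim"),
    ("2020-03-09T08:00:00", "/claims/view", "u1001", "e5a0", "view claim"),
    ("2020-03-04T10:00:00", "/billing/pay", "u1001", "f6b1", "pay invoice"),
    ("2020-03-04T11:00:00", "/claims/view", "u1001", "", "view claim"),
]
FIELDS = ("ts", "path", "user_id", "trace", "action")


def load(rows):
    """Turn the constructed tuples into dict records with a parsed timestamp."""
    records = []
    for row in rows:
        rec = dict(zip(FIELDS, row))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def query_target_logs(records, start, end, path_prefix, target_user):
    """S203: narrow by time range and path range, then keep the target user's logs."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    initial = [r for r in records
               if lo <= r["ts"] <= hi and r["path"].startswith(path_prefix)]
    return [r for r in initial if r["user_id"] == target_user]


def build_trajectories(target_logs):
    """S204: group by random string, sort each group by time, chain the records."""
    groups, unattributed = defaultdict(list), []
    for rec in target_logs:
        if rec["trace"]:
            groups[rec["trace"]].append(rec)
        else:
            # Without the random string the record cannot be tied to one access;
            # keep it aside for review instead of silently dropping it.
            unattributed.append(rec)
    trajectories = {}
    for trace, recs in groups.items():
        ordered = sorted(recs, key=lambda r: r["ts"])
        trajectories[trace] = [(r["ts"], r["path"], r["action"]) for r in ordered]
    return trajectories, unattributed


def render(trajectory):
    """Text stand-in for the visualization tool: nodes joined in access order."""
    return " -> ".join(f"{path} [{action}]" for _, path, action in trajectory)


def demo():
    target = query_target_logs(load(SAMPLE_LOGS), "2020-03-02T00:00:00",
                               "2020-03-05T23:59:59", "/claims/", "u1001")
    return target, *build_trajectories(target)


if __name__ == "__main__":
    _, trajectories, unattributed = demo()
    for trace, trajectory in trajectories.items():
        print(trace, render(trajectory))
    print("records without a random string:", len(unattributed))
```

Records that reach the target log without a random character string are returned separately, since they cannot be placed in any access sequence.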
In some optional implementations of this embodiment, the method for monitoring the behavior data after step S205 further includes:
and if the judgment result is that the operation behavior corresponding to the target user identification is abnormal, executing early warning processing according to a preset early warning mode.
Specifically, when the judgment result is that the operation behavior corresponding to the target user identifier is abnormal, an early warning is triggered, and early warning processing is executed according to a preset early warning mode.
The preset early warning mode can be divided into different early warning levels according to the degree of the abnormal behavior, for example, notification reminding, mail early warning, telephone early warning and the like.
This embodiment helps to improve the early warning of abnormal behavior.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
Fig. 3 shows a schematic block diagram of a monitoring device for behavior data, which corresponds one-to-one to the behavior data monitoring method of the above embodiments. As shown in fig. 3, the monitoring device for behavior data includes a character string generation module 31, a log collection module 32, a log query module 33, a behavior visualization module 34, and an abnormality determination module 35. The functional modules are explained in detail as follows:
the character string generation module 31 is configured to, each time an access request is detected, obtain a user identifier from the access request, and generate a random character string based on the user identifier;
the log collection module 32 is configured to add the random character string into the request message and the response message, generate log data according to the request message and the response message, and store the log data into the log cloud platform;
the log query module 33 is configured to, if a query request for a user operation behavior is received, obtain a user identifier included in the query request as a target user identifier, and obtain log data corresponding to the target user identifier from the log cloud platform as a target log;
the behavior visualization module 34 is configured to perform behavior trajectory analysis on the target log to obtain a visual behavior trajectory corresponding to the target user identifier;
and the abnormality determination module 35 is configured to judge whether the operation behavior corresponding to the target user identifier is abnormal based on the visual behavior trajectory.
Optionally, the log collection module 32 includes:
the request message updating unit is used for analyzing the request message and adding the random character string into the log jump parameter field of the request message to obtain an updated request message;
and the response message generating unit is used for generating a response message based on the updated request message.
Optionally, the log collection module 32 further includes:
the timing acquisition unit is used for collecting log data according to a preset time interval by adopting a timing script and compressing the collected log data to obtain compressed data;
the distributed transmission unit is used for uploading the compressed log data to a distributed file system for storage;
the slicing analysis unit is used for slicing the program running logs stored in the distributed file system to form a plurality of slicing tasks and analyzing the log files corresponding to the slicing tasks;
and the classification storage unit is used for storing the data classification statistical result into the log cloud platform according to the request interface path of the log file corresponding to each analyzed slicing task.
Optionally, the log query module 33 includes:
the initial query unit is used for executing query processing in the log cloud platform based on the query time range and the query path range to obtain an initial query result;
and the traversal query unit is used for traversing the initial query result to acquire log data containing the target user identification as a target log.
Optionally, the behavior visualization module 34 includes:
the grouping unit is used for acquiring the random character strings contained in each target log and taking the target logs with the same random character strings as a group of behavior logs;
the sorting unit is used for sorting each group of behavior logs according to the log generation time point to obtain an access sequence corresponding to the behavior logs;
and the log association unit is used for extracting the behavior record of each log in the access sequence aiming at each access sequence, and connecting the behavior records in series according to the sequence of the behavior logs in the access sequence to obtain a behavior track.
Optionally, the monitoring device for behavior data further includes:
and the early warning module is used for executing early warning processing according to a preset early warning mode if the judgment result shows that the operation behavior corresponding to the target user identification is abnormal.
For specific limitations of the monitoring device for behavior data, reference may be made to the above limitations of the monitoring method for behavior data, which are not described herein again. The modules in the behavior data monitoring device can be wholly or partially implemented by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In order to solve the technical problem, an embodiment of the present application further provides a computer device. Referring to fig. 4, fig. 4 is a block diagram of a basic structure of a computer device according to the present embodiment.
The computer device 4 comprises a memory 41, a processor 42 and a network interface 43 communicatively connected to each other via a system bus. It is noted that only the computer device 4 having the components memory 41, processor 42 and network interface 43 is shown, but it is understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead. As will be understood by those skilled in the art, the computer device is a device capable of automatically performing numerical calculation and/or information processing according to a preset or stored instruction, and the hardware includes, but is not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device, and the like.
The computer device can be a desktop computer, a notebook, a palm computer, a cloud server and other computing devices. The computer equipment can carry out man-machine interaction with a user through a keyboard, a mouse, a remote controller, a touch panel or voice control equipment and the like.
The memory 41 includes at least one type of readable storage medium including a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or D interface display memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, etc. In some embodiments, the memory 41 may be an internal storage unit of the computer device 4, such as a hard disk or a memory of the computer device 4. In other embodiments, the memory 41 may also be an external storage device of the computer device 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like, which are provided on the computer device 4. Of course, the memory 41 may also include both internal and external storage devices of the computer device 4. In this embodiment, the memory 41 is generally used for storing an operating system installed in the computer device 4 and various types of application software, such as program codes for controlling electronic files. Further, the memory 41 may also be used to temporarily store various types of data that have been output or are to be output.
The processor 42 may be a Central Processing Unit (CPU), controller, microcontroller, microprocessor, or other data processing chip in some embodiments. The processor 42 is typically used to control the overall operation of the computer device 4. In this embodiment, the processor 42 is configured to execute the program code stored in the memory 41 or process data, such as program code for executing control of an electronic file.
The network interface 43 may comprise a wireless network interface or a wired network interface, and the network interface 43 is generally used for establishing communication connection between the computer device 4 and other electronic devices.
The present application further provides another embodiment, which is to provide a computer-readable storage medium, wherein the computer-readable storage medium stores an interface display program, and the interface display program can be executed by at least one processor, so as to enable the at least one processor to execute the steps of the monitoring method for behavior data as described above.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present application.
It is to be understood that the above-described embodiments are merely illustrative of some, but not restrictive, of the broad invention, and that the appended drawings illustrate preferred embodiments of the invention and do not limit the scope of the invention. This application is capable of embodiments in many different forms and is provided for the purpose of enabling a thorough understanding of the disclosure of the application. Although the present application has been described in detail with reference to the foregoing embodiments, it will be apparent to one skilled in the art that the present application may be practiced without modification or with equivalents of some of the features described in the foregoing embodiments. All equivalent structures made by using the contents of the specification and the drawings of the present application are directly or indirectly applied to other related technical fields and are within the protection scope of the present application.

Application CN202011286429.3A | Priority date 2020-11-17 | Filing date 2020-11-17 | Behavior data monitoring method and device, computer equipment and medium | Active | CN112491602B (en)

Publications (2)

Publication Number | Publication Date
CN112491602A (en) | 2021-03-12
CN112491602B (en) | 2023-09-26

Family

ID=74931646

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
