（1.国防科学技术大学 计算机学院，湖南 长沙 410073；2.山东工商学院 数学与信息科学学院，山东烟台 264005）
摘 要：针对电子商务中用户交易行为合法与否的问题，提出了一种基于共生矩阵的异常检测算法。该算法利用共生矩阵对用户的交易行为建模，通过PCA方法建立共生矩阵空间，从而得到用户正常交易模式。在检测阶段，对待测数据产生的共生矩阵进行了修正并获取用户的交易模式，通过矩阵2-范数计算用户交易模式和其正常模式之间的距离并以此来判断用户的交易行为是否异常。实验表明，相比于其它的几种方法，本文的方法具有更高的检测性能。
关键词：异常检测；用户行为；电子商务；共生矩阵；PCA
Anomaly Detection on E-commerce Transactions Log
based on Co-occurrence Matrix
QUAN Yong1, LI Shu-dong1,2, JIA Yan1, HAN Wei-hong1
(1.School of Computer Science and Technology, National University of Defense Technology,
Changsha 410073, China
2.College of Mathematics and Information Science, Shandong Institute of Business and Technology,
Shandong 264005, China)
Abstract: In order to determine whether the user behavior is normal or not in e-commerce transactions, an algorithm of anomaly detection based on co-occurrence matrix was presented. It accurately modeled user behavior with using co-occurrence matrix, and established the co-occurrence matrix space to obtain profiles of the normal user behavior through the method of principal component analysis. In the detection phase, it acquired the trading patterns of the user in the audit data which converted to the revised co-occurrence matrix, and then to exactly classify the user behavior as normal or malicious by measuring the distance between the patterns and profile employing the second matrix norm. Compared to several other methods, the experiment results show that the proposed method has a higher performance.
Key words: anomaly detection; user behavior; electronic commerce; co-occurrence matrix; PCA

参考文献：
[1] AGYEMANG, M., BARKER, K., ALHAJJ, R. A compreh- ensive survey of numeric and symbolic outlier mining techniques[J]. Intel. Data Anal. 2006. 10(6): 521–538.
[2] 李超，田新广，肖喜，等. 基于Shell命令共生矩阵的用户行为异常检测方法[J]. 计算机研究与发展. 2012. 49(9): 1982—1990.
 LI CHAO, TIAN XINGUANG, XIAO XI, et al. Anomaly detection of user behavior based on shell commands and co-occurrence matrix[J]. Journal of Computer Research and Development. 2012. 49(9): 1982—1990.
[3] SUN, P., CHAWLA, S., ARUNASALAM, B. Mining for outliers in sequential databases[C]. In Proceedings of the SIAM International Conference on Data Mining. 2006.
[4] CHANDOLA, V., BORIAH, S., KUMAR, V. UnderStand- ing categorical similarity measures for outlier detection[R]. Tech. rep. 2008. 08-008, University of Minnesota.
[5] DONOHO, S. Early detection of insider trading in option markets[C]. In Proceedings of the 10th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. 2004. ACM Press, 420–429.
[6] CHANDOLA, V., BANERJEE, A., KUMAR, V. Anomaly Detection：A survey[J]． ACM Computing Surveys. 2009. 41(3): 15-58.
[7] OTEY, M., PARTHASARATHY, S., GHOTING, A., et al. Towards NIC-based intrusion detection[C]. In Proceedings of the 9th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. 2003. ACM Press, 723–728.
[8] OTEY, M. E., GHOTING, A., PARTHASARATHY, S. Fast distributed outlier detection in mixed-attribute data sets[J]. Data Mining and Knowledge Discovery. 2006. 12, 2-3, 203–228.
[9] JHA, S., TAN., K.M.C.,MAXION, R.A. Markov Chains, Classifiers and Intrusion Detection[C]. In Proc. of 14th IEEE Computer Security Foundations Workshop. 2001. 206–219
[10] WARRENDER, C., FORREST, S., PEARLMUTTER, B.  Detecting intrusions using system calls: alternative data models[J]. In 1999 IEEE Symposium on Security and Privacy, IEEE Computer Society. 1999. p: 133–145.
[11] DAS, K. SCHNEIDER, J. Detecting anomalous records in categorical datasets[C]. In Proceedings of the 13th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. 2007. ACM Press.
[12] DUMOUCHEL, W. Computer Intrusion Detection Based on Bayes Factors for Comparing Command Transition Probabilities[J]. Technical Report TR91, National Institute of Statistical Sciences (NISS). 1999. 
[13] OKA, M., OYAMA, Y., ABE, H., ET A1. 2004. Anomaly detection using layered networks based on eigen co-occurrence matrix[G]//LNCS 3224. Berlin：Springer, 223—237
[14] LAKHINA, A., CROVELLA, M., AND DIOT, C. Mining anomalies using traffic feature distributions[C]. In Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications. ACM Press, 2005. 217–228.

基金项目：国家高技术研究发展计划（2012AA01A401）；国家自然科学基金（61202362，61262057）

作者简介：
全 拥，1988年生，男，湖南常德人，国防科大在读研究生，主要研究方向数据挖掘与信息安全。