CN113706177B - Threat identification method based on big data security and data security server - Google Patents
- Publication number
- CN113706177B (CN202111028016.XA)
- Authority
- CN
- China
- Prior art keywords
- big data
- participant
- session
- cloud service
- operation log
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q30/00—Commerce
- G06Q30/018—Certifying business or products
- G06Q30/0185—Product, service or business identity fraud
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/34—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
- G06F11/3466—Performance evaluation by tracing or monitoring
- G06F11/3476—Data logging
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/30—Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
- G06F16/35—Clustering; Classification
- G06F16/355—Creation or modification of classes or clusters
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F40/00—Handling natural language data
- G06F40/20—Natural language analysis
- G06F40/205—Parsing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F40/00—Handling natural language data
- G06F40/20—Natural language analysis
- G06F40/279—Recognition of textual entities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F40/00—Handling natural language data
- G06F40/30—Semantic analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
Abstract
The application relates to the technical field of big data and information threat protection, and in particular to a threat identification method based on big data security and a data security server. Using a visual description mining approach, an operation intention expression that has a positive effect on the detection precision and reliability of the digital threat identification result can be determined from a target big data service operation log set. Threat identification is then performed on the target big data service operation log, ensuring the accuracy and reliability of the digital threat identification result as far as possible and reducing the influence and interference of noise other than the operation intention expression on that result.
Description
Technical Field
The embodiment of the application relates to the technical field of big data and information threat protection, in particular to a threat identification method based on big data security and a data security server.
Background
With the development of big data, big data security has extended from traditional fields such as safe cities, intelligent traffic management, environmental protection, hazardous chemical transportation monitoring and food safety monitoring to the field of cloud business processing. At present, big data security focuses mainly on protection at the data information layer, so as to ensure that users' data information is not threatened by various network attacks. In practical applications, threat identification for data information security is important for many services. However, the inventor has found during research and analysis that related information security threat identification techniques are easily subject to interference, so the accuracy and reliability of information security threat identification are difficult to ensure.
Disclosure of Invention
In view of this, the embodiment of the present application provides a threat identification method based on big data security and a data security server.
The embodiment of the application provides a threat identification method based on big data security, which is applied to a data security server, and the method comprises the following steps: performing persistent label analysis processing on at least one cloud service participant label activated in a target big data service operation log set covering a plurality of cloud service participant labels, and determining the state updating condition of each cloud service participant label in the target big data service operation log set; and performing visual description mining according to the state updating condition obtained in the target big data service operation log set, and determining a digital threat identification result corresponding to a plurality of cloud service participant labels in the target big data service operation log set according to an operation intention expression obtained by the visual description mining.
The embodiment of the application also provides a data security server, which comprises a processor, a communication bus and a memory; the processor and the memory communicate via the communication bus, and the processor reads the computer program from the memory and runs the computer program to perform the method described above.
An embodiment of the present application further provides a computer storage medium, where a computer program is stored, and the computer program implements the method when running.
In the application, the state updating condition of the cloud service participant label in the target big data service operation log set is determined by performing persistent label analysis processing on the cloud service participant label activated in the target big data service operation log set. Visual description mining processing is then performed according to the state updating condition to obtain an operation intention expression corresponding to the target big data service operation log set, and a digital threat identification result corresponding to a plurality of cloud service participant labels in the target big data service operation log set is determined according to the operation intention expression. In this way, the visual description mining approach determines, from the target big data service operation log set, an operation intention expression that has a positive effect on the detection precision and credibility of the digital threat identification result. Threat identification of the target big data service operation log is thereby realized, the accuracy and reliability of the digital threat identification result are ensured as far as possible, and the influence and interference of noise other than the operation intention expression on the digital threat identification result are reduced.
Drawings
Fig. 1 is a schematic block diagram of a data security server provided in an embodiment of the present application.
Fig. 2 is a flowchart of a threat identification method based on big data security provided in an embodiment of the present application.
Fig. 3 is a block diagram of a threat identification apparatus based on big data security provided in an embodiment of the present application.
Detailed Description
Fig. 1 shows a block schematic diagram of a data security server 10 according to an embodiment of the present application. The data security server 10 in the embodiment of the present application may be a server with data storage, transmission, and processing functions. As shown in Fig. 1, the data security server 10 includes: memory 11, processor 12, communication bus 13, and big data security based threat identification apparatus 20. The memory 11, processor 12 and communication bus 13 are electrically connected, directly or indirectly, to enable the transfer or interaction of data. An embodiment of the present application further provides a computer storage medium, where a computer program is stored, and the computer program implements the method when running.
Fig. 2 shows a flowchart of the threat identification method based on big data security provided in an embodiment of the present application. The method steps defined by this flow are applied to the data security server 10 and can be realized by the processor 12. The method comprises the following.
Step 102: performing persistent tag analysis processing on at least one cloud service participant tag activated in a target big data service operation log set covering a plurality of cloud service participant tags, and determining the state updating condition of each cloud service participant tag in the target big data service operation log set.
Step 104: performing visual description mining according to the state updating condition obtained in the target big data service operation log set, and determining a digital threat identification result corresponding to a plurality of cloud service participant labels in the target big data service operation log set according to the operation intention expression obtained by the visual description mining.
The threat identification method based on big data security can be applied to a data security server. The data security server can execute the threat identification method based on big data security by installing a functional thread corresponding to the threat identification method based on big data security. The data security server can be a portable computer, a large computer, a cloud server and the like. The actual category of the data security server is not further limited by the application. It can be understood that the threat identification method based on big data security can be independently realized only by the service side or the server side, and can also be realized by the mutual cooperation of the service side and the server side.
The threat identification method based on big data security can be divided into two processes of acquiring a target big data service operation log set and carrying out digital threat identification on the target big data service operation log set. The acquisition process may be deployed in the service user equipment and distributed on the service side. The digital threat identification process can be deployed in a data security server and distributed on the server side. The service side can initiate a digital threat identification application to the server side after acquiring the target big data service operation log set. After receiving the digital threat identification application, the server side can execute the threat identification method based on big data security protection on the target big data service operation log set based on the digital threat identification application.
It is understood that, in an actual implementation process, the target big data service operation log set may be obtained first. The target big data service operation log set can be understood as a big data service operation log set which covers a plurality of digital cloud service participant labels and needs to detect a digital threat identification result. Multiple sets of big data service operation logs may be included in the set of target big data service operation logs. In addition, the fields to which the big data service operation log relates may include blockchain payment, smart medicine, teleworking, online education, smart cities, automation plants, cloud games, administrative enterprise cloud services, and the like.
In some possible embodiments, the target big data service operation log set in the embodiment of the present application may include a streaming log set or multiple big data service operation log sets that are not connected in time sequence. The streaming log set comprises F groups of big data service operation logs which are connected in time sequence and cover a plurality of cloud service participant labels, wherein F is a positive integer. It can be understood that there may be a plurality of operation log sets for obtaining the target big data service, and the embodiments of the present application are not limited thereto.
After the target big data service operation log set is obtained, step 102 may be performed: persistent tag analysis processing is performed on at least one cloud service participant tag activated in the target big data service operation log set covering the plurality of cloud service participant tags, so as to determine a state update condition of each cloud service participant tag in the target big data service operation log set.
In this embodiment of the present application, the persistent tag analysis processing may refer to performing uninterrupted analysis on the same cloud service participant tag appearing in each group of big data service operation logs. Determining the same cloud service participant tag activated in each group of big data service operation logs can be understood as part of the persistent tag analysis processing.
In the embodiment of the application, the state updating condition can be understood as service interaction change information of a cloud service participant label in a target big data service operation log set. For example, in a digital office environment, persistent label analysis can be performed on a digital cloud service participant, and interaction operation state data of the same digital cloud service participant in each group of big data service operation logs can be determined, so that service interaction changes of the digital cloud service participant in a target big data service operation log set are determined. It can be understood that the above status update condition can represent the interactive operation status data of the cloud service participant tag in each big data service operation log, and the characteristic information at the time level. The interactive operation state data of the cloud service participant tags can represent cloud service participant tag keywords. The characteristic information of the time layer can represent the time sequence description corresponding to the cloud service participant label in each state.
Illustratively, the obtained target big data service operation log set may be input into the persistent tag analysis processing node in the present application to perform the above step 102.
The persistent tag analysis processing node further may implement step 1022 through a function module deployed by the data security server, and utilize the cloud service participant tag state identification network to sequentially execute state identification operations on each big data service operation log, so as to determine the interactive operation state data of each cloud service participant tag in each big data service operation log.
For this step, a cloud service participant tag state identification network may be utilized to sequentially perform state identification operations on the big data service operation logs, and determine interactive operation state data of the cloud service participant tag in each big data service operation log. The cloud service participant label state identification network comprises an identification network obtained by debugging a plurality of debugging examples carrying interactive operation state data of cloud service participant labels, wherein the debugging can be understood as training.
Further, the above cloud service participant tag state identification network may be an AI neural network. Before the method is used, the state recognition network can be debugged by using a debugging example of the interactive operation state data carrying the cloud service participant label until the network meets the set conditions.
After the interactive operation state data is determined, step 1024 may be implemented in the persistent tag analysis processing node, and based on the interactive operation state data, persistent tag analysis processing is performed on the cloud service participant tag, so as to determine a state update condition of the cloud service participant tag in the target big data service operation log set.
The method of persistent tag analysis processing is not further limited in this application, and two persistent tag analysis processing methods are schematically given below.
For the first persistent tag analysis processing method, in step 1024, a time-series iterative processing strategy (such as a related filtering algorithm) may be used to perform persistent tag analysis processing on each cloud service participant tag, so as to determine a state update condition of each cloud service participant tag. In some possible embodiments, starting from the first group of big data service operation logs and following the time sequence in which the logs were obtained, each two consecutive groups of big data service operation logs may be taken in turn as the current two groups, and the following steps are implemented: determining interactive operation state data corresponding to cloud service participant labels carried in the current two groups of big data service operation logs by using the time-series iterative processing strategy; and pairing the interactive operation state data corresponding to the cloud service participant labels carried by the first big data service operation log of the current two groups with the interactive operation state data corresponding to the cloud service participant labels carried by the second big data service operation log of the current two groups.
Further, when the pairing operation is performed, the difference data between the interactive operation state data corresponding to each cloud service participant tag carried in the first big data service operation log and the interactive operation state data corresponding to each cloud service participant tag carried in the second big data service operation log may be determined. If the determined difference data is smaller than the set difference judgment value, the two interactive operation state data corresponding to the difference data can be determined to be the two interactive operation state data in the pairing.
After the pairing operation is executed, two cloud service participant tags corresponding to two interactive operation state data in the pairing can be determined as the same cloud service participant tag activated in the two current groups of big data service operation logs, so that the cloud service participant tags are subjected to persistent tag analysis processing. After the steps are executed for all continuous big data service operation logs, the state updating condition of the cloud service participant label is determined based on the interaction operation state data of the same cloud service participant label in each big data service operation log captured continuously.
In the method, the same cloud service participant label activated in each big data service operation log can be determined, so that the same cloud service participant label is continuously analyzed and processed in each big data service operation log. After the persistent tag analysis processing of the cloud service participant tag is realized, the state update condition of the cloud service participant tag in the target big data service operation log set can be determined based on the interactive operation state data of the cloud service participant tag in each big data service operation log.
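The pairing procedure of the first method can be made concrete with a short sketch. This is an added example, not code from the patent: it assumes that interactive operation state data is a numeric vector, that the "difference data" is Euclidean distance, and that pairing is greedy and one-to-one; all function names, tag names and sample values are hypothetical and constructed for illustration.

```python
from math import dist

# Constructed sample: three consecutive log groups. Each maps a per-group tag
# id to its interactive operation state data (assumed to be a numeric vector).
# Tag ids differ between groups, so identity must be recovered by pairing.
SAMPLE_LOG_GROUPS = [
    {"g0-x": (1.0, 1.0), "g0-y": (5.0, 5.0)},
    {"g1-p": (5.2, 5.1), "g1-q": (1.1, 0.9)},
    {"g2-m": (1.3, 1.0), "g2-n": (9.0, 9.0)},
]


def pair_states(first, second, threshold):
    """Pair tags of two consecutive log groups.

    A pair is accepted only if its difference data (Euclidean distance,
    an assumption) is strictly smaller than the set difference judgment
    value. Candidates are taken smallest difference first, and each tag
    is used at most once, which resolves ambiguous matches.
    """
    candidates = sorted(
        (dist(v1, v2), t1, t2)
        for t1, v1 in first.items()
        for t2, v2 in second.items()
    )
    used_first, used_second, pairs = set(), set(), {}
    for difference, t1, t2 in candidates:
        if difference >= threshold:
            break  # sorted, so every remaining candidate is too far apart
        if t1 in used_first or t2 in used_second:
            continue
        pairs[t1] = t2
        used_first.add(t1)
        used_second.add(t2)
    return pairs


def track_participants(log_groups, threshold):
    """Follow each participant through all consecutive log groups.

    Returns a list of tracks; each track is a list of
    (group_index, tag, state) tuples for one participant. A participant
    that finds no pair in the next group simply stops (its track ends);
    an unpaired tag in a later group starts a new track.
    """
    tracks = []
    prev_owner = {}  # tag in previous group -> index into tracks
    for idx, group in enumerate(log_groups):
        pairs = pair_states(log_groups[idx - 1], group, threshold) if idx else {}
        matched = {t2: prev_owner[t1] for t1, t2 in pairs.items()}
        owner = {}
        for tag, state in group.items():
            if tag in matched:
                k = matched[tag]
            else:
                k = len(tracks)
                tracks.append([])
            tracks[k].append((idx, tag, state))
            owner[tag] = k
        prev_owner = owner
    return tracks


def state_update_condition(track):
    """Summarise one track as (group_index, state, change_from_previous).

    The group index stands in for the time-level feature; the change is
    the distance to the previous state (0.0 for the first observation).
    """
    updates, previous = [], None
    for idx, _tag, state in track:
        change = 0.0 if previous is None else dist(previous, state)
        updates.append((idx, state, change))
        previous = state
    return updates


if __name__ == "__main__":
    for number, track in enumerate(track_participants(SAMPLE_LOG_GROUPS, 0.5)):
        print(number, [tag for _, tag, _ in track], state_update_condition(track))
```

In a real deployment the threshold decides how readily two observations are merged into one participant: too large a value fuses distinct participants into one track, too small a value fragments a single participant into several.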
For the second persistent tag analysis processing method, when step 1024 is implemented, the same cloud service participant tag activated in each big data service operation log may be determined according to a participant tag positioning thread, so as to implement persistent tag analysis processing on each cloud service participant tag.
The above participant tag positioning thread includes a network generated based on artificial intelligence (AI). The cloud service participant description corresponding to the digital cloud service participant label included in the big data service operation log can be detected through the participant label positioning thread. In some possible embodiments, the above cloud service participant descriptions may be expressed as behavior descriptions. After detecting the cloud service participant descriptions included in each big data service operation log, a quantitative comparison result can be determined for the cloud service participant descriptions carried by two different groups of big data service operation logs, and the cloud service participant labels whose quantitative comparison results reach the second difference determination value are determined as the same cloud service participant label.
For example, in a digital office environment, the above cloud service participant tags may be digital cloud service participants. In this case, office behavior description expressions carried by the big data service operation logs can be detected through the participant tag positioning thread. After the office behavior description expressions included in the big data service operation logs are detected, quantitative comparison results of the behavior description expressions carried by the two different big data service operation logs can be determined, and the office behavior description expressions whose quantitative comparison results reach the second difference judgment value are determined to be the same office behavior description expression. After the same office behavior description expression is determined, it can be determined that the two groups of big data service operation logs activate the same digital cloud service participant.
After the same cloud service participant tag activated in each group of big data service operation logs is determined, the state updating condition of each cloud service participant tag can be determined according to the interaction operation state data of the same cloud service participant tag in each big data service operation log captured continuously.
In some possible embodiments, after determining the state update condition corresponding to the cloud service participant tag, the state update condition corresponding to each cloud service participant tag may be stored in a set form. The state update condition may be stored, for example, by a multidimensional array. It will be appreciated that the above multidimensional arrays may be determined as the set of significance descriptions corresponding to the above target big data service operation log set.
It can be understood that the above status update situation has a time-level feature, and can indicate the update situation of the status keyword in the process that the cloud service participant label changes within the time-level feature constraint shown in the above target big data service operation log set. Based on the state updating condition corresponding to each cloud service participant tag activated in the target big data service operation log set, the change condition of each cloud service participant tag can be determined, namely whether each cloud service participant tag is in a normal service interaction state or an abnormal service interaction state. Therefore, it is feasible to perform digital threat identification result detection based on the status update situation.
In some other independently implementable technical solutions, after determining the above status update condition, step 104 may be performed: a visual description mining process is performed based on the above status update condition obtained in the above target big data service operation log set, and a digital threat identification result corresponding to a plurality of cloud service participant tags in the above target big data service operation log set is determined based on an operation intention expression obtained by the visual description mining.
Further, step 1042 may be implemented first, and a visual description mining process is performed based on the above status update condition obtained in the above target big data service operation log set, so as to obtain an operation intention expression corresponding to the above target big data service operation log set.
The above operation intention expression may include a significant description set or description content (such as a feature vector) determined by the visual description mining process (including scene visual description mining and visual description mining of temporal features). It can be understood that the above operation intention expression is determined based on the state update condition of a plurality of digital cloud service participant tags in the target big data service operation log set, and therefore the operation intention expression helps ensure the accuracy and reliability of the determined digital threat identification result.
In some possible embodiments, before implementing step 1042, a visual association between cloud service participant tags in each big data service operation log included in the above target big data service operation log set may be determined. In some possible embodiments, the above visual association may be represented by a relational expression corresponding to a big data service operation log. The following is a method for determining a visual association condition of a cloud service participant tag in a big data service operation log according to the present application.
Step 302, determining an interactive transfer condition between two cloud service participant tags carried by each big data service operation log included in the target big data service operation log set.
In the embodiment of the present application, interactive transfer conditions (such as connection relationships) determined by different interactive transfer condition positioning policies carry different meanings. For example, an interactive transfer condition determined by the size of the quantitative comparison result between two cloud service participant tags can characterize the correlation evaluation between the two tags from a common aspect (such as a similarity angle). As another example, an interactive transfer condition determined by the size of the difference data between two cloud service participant tags can characterize the correlation evaluation between the two tags from a difference data perspective.
In some possible embodiments, in step 302, constraint description vectors corresponding to the cloud service participant tags carried in the big data service operation logs may be extracted. A constraint description vector represents the operation environment description vector corresponding to a cloud service participant tag. The constraint description vector may include service flow level information for the state in which each cloud service participant tag is located, and the interactive transfer condition between the cloud service participant tags may be determined by comparing this service flow level information.
After determining the description of the cloud service participants corresponding to the cloud service participant tags, a quantitative comparison result between two of the cloud service participant tags can be determined according to the constraint description vectors corresponding to those tags. Two cloud service participant tags whose quantitative comparison result does not reach the first set determination value are determined to be two cloud service participant tags having an interactive transfer condition. Further, the first set determination value includes a threshold value set according to actual demand. The first set determination value is not further limited in the present application.
It is to be understood that the method of determining the quantitative comparison result is not further limited in this application. For example, the above method for determining the quantized comparison result may be determined according to actual difference comparison conditions.
In some possible embodiments, in order to improve the threat identification accuracy for the target big data service operation log set, in step 302 the interactive transfer condition between the cloud service participant tags may be determined according to the difference data between the cloud service participant tags.
Furthermore, the operation log analysis processing can be sequentially executed on the big data service operation logs, and the interactive operation state data of the cloud service participant labels in the big data service operation logs is determined. After the interactive operation state data in each big data service operation log is determined, the difference data between two cloud service participant tags in each cloud service participant tag can be determined according to the interactive operation state data corresponding to each cloud service participant tag. After the difference data between the two cloud service participant tags is determined, the interactive transmission condition between the two cloud service participant tags carried by each big data service operation log can be determined according to the difference data.
In some possible embodiments, when determining the interactive transfer condition between two cloud service participant tags carried by each big data service operation log based on the difference data, two cloud service participant tags whose difference data does not reach the second set determination value may be determined to be two cloud service participant tags having an interactive transfer condition. It is to be understood that the second set determination value includes a threshold value configured according to actual demand. The second set determination value is not further limited in the present application.
In some possible embodiments, if it is determined that an interactive transfer condition exists between two cloud service participant tags, the relevance importance evaluation between the two cloud service participant tags is configured as "Y"; otherwise, it is configured as "N".
Since the interactive transfer condition is determined by the difference data between the cloud service participant tags, the multi-modal feature determined based on the interactive transfer condition can indicate the difference data relationship between the cloud service participant tags, and the operation intention expression determined after the visual description mining operation is performed on the multi-modal feature can also include the difference data information between the cloud service participant tags. Therefore, when the digital threat identification result in the target big data service operation log set is detected based on the operation intention expression, the precision of identifying threats such as traffic attack, information stealing or data tampering can be improved.
In some possible embodiments, in order to further improve the threat identification accuracy, the relevance importance evaluation between two cloud service participant tags may be determined according to the actual difference data between the two cloud service participant tags.
Further, the determined difference data between two of the cloud service participant tags may be migrated (mapped) into a constrained range determined by a third set determination value and a fourth set determination value. The third set determination value and the fourth set determination value are threshold values set based on actual demand. In some possible embodiments, the third set determination value is "num1" and the fourth set determination value is "num2".
After the migration transformation (mapping) is completed, the difference data between the two cloud service participant tags after the migration transformation is completed can be determined as the relevance importance evaluation between the two cloud service participant tags, and the interaction transfer condition between the two cloud service participant tags is indicated through the relevance importance evaluation between the two cloud service participant tags.
Since the interactive transfer situation between the two cloud service participant tags is determined through the actual difference data of the two cloud service participant tags in the above example, the above multi-modal characteristics can indicate difference data information more suitable for reality, thereby further improving the threat identification accuracy.
After determining the interactive transmission condition between two cloud service participant tags carried by each big data service operation log included in the target big data service operation log set, step 304 may be continuously performed, and based on the cloud service participant tags carried by each big data service operation log and the determined interactive transmission condition, the visual association condition between the cloud service participant tags in each big data service operation log is respectively determined.
For this step, the cloud service participant tags included in the big data service operation log may be used as the centers C_label of the relational expression content, and the determined interactive transfer condition between two cloud service participant tags is used as a directed relation R, so as to determine the relational expression DES(C_label, R) corresponding to the big data service operation log. In some possible embodiments, the relational expression may be represented by a common key description set.
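Steps 302 and 304 as described above, as an added example that is not code from the patent: difference data between tag pairs is thresholded into "Y"/"N", mapped into [num1, num2], and collected into DES(C_label, R). The Euclidean distance, the sample vectors, the threshold values and all function names are assumptions chosen for illustration, since the patent leaves the comparison method open.

```python
import math
from itertools import combinations

# Constructed sample: interactive operation state data for the participant
# tags of one operation log. The vectors are illustrative assumptions.
SAMPLE_STATES = {
    "tag_a": [0.10, 0.20, 0.30],
    "tag_b": [0.12, 0.22, 0.28],
    "tag_c": [0.90, 0.80, 0.70],
}


def pairwise_differences(states):
    """Difference data for every tag pair (Euclidean distance is an assumption)."""
    return {
        (a, b): math.dist(states[a], states[b])
        for a, b in combinations(sorted(states), 2)
    }


def interaction_flags(states, second_set_value):
    """Step 302: "Y" when the difference data does not reach the threshold."""
    return {
        pair: "Y" if diff < second_set_value else "N"
        for pair, diff in pairwise_differences(states).items()
    }


def mapped_importance(states, num1, num2):
    """Map raw difference data linearly into the range [num1, num2]."""
    diffs = pairwise_differences(states)
    if not diffs:
        return {}
    low, high = min(diffs.values()), max(diffs.values())
    span = high - low
    if span == 0:  # all pairs equally different: avoid division by zero
        return {pair: num1 for pair in diffs}
    return {
        pair: num1 + (diff - low) / span * (num2 - num1)
        for pair, diff in diffs.items()
    }


def relational_expression(states, second_set_value):
    """Step 304: build DES(C_label, R) for one operation log."""
    c_label = sorted(states)
    relations = []
    for (a, b), flag in interaction_flags(states, second_set_value).items():
        if flag == "Y":
            # The difference is symmetric, so record both directions.
            relations.extend([(a, b), (b, a)])
    return c_label, relations


if __name__ == "__main__":
    print(interaction_flags(SAMPLE_STATES, 0.5))
    print(mapped_importance(SAMPLE_STATES, 0.0, 1.0))
    print(relational_expression(SAMPLE_STATES, 0.5))
```

With the constructed sample, only tag_a and tag_b are close enough to be linked, so tag_c stays an isolated center in the relational expression.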
After determining the visual association between the cloud service participant tags in each big data service operation log in the target big data service operation log set, step 104 may be continued.
Further, the above step 1042 can be implemented by a visual type description mining network. The visual description mining network may be a model generated based on a multidimensional visual description mining processing network. The multidimensional visual description mining network at least comprises a scene visual description mining network used for performing scene visual description mining processing on each group of big data service operation logs and an identification network based on a set priority order and used for identifying the service scene saliency content corresponding to each group of big data service operation logs based on the set priority order.
Further, when step 1042 is implemented, the state update condition may be input into the scene visual description mining network included in the visual description mining network to execute step 402: based on the interactive operation state data of the cloud service participant tags in each big data service operation log included in the target big data service operation log set, and on the visual association condition between the cloud service participant tags in each big data service operation log, both represented by the state update condition, scene visual description mining processing is sequentially executed on each big data service operation log to obtain the service scene saliency content corresponding to each big data service operation log. For this step, the common key description set ch_a corresponding to each big data service operation log may be determined according to the relational expression corresponding to that log, and a saliency description set remappable_DES_x0 corresponding to each big data service operation log may be determined based on the interactive operation state data of the cloud service participant tags.
After the common key description set and the saliency description set are determined, the scene visual description mining processing can be completed according to the common key description set and the saliency description set, and service scene saliency content corresponding to each big data service operation log is obtained.
It is to be understood that the above visual-type description mining strategy is not further limited in this application. After obtaining the service scene saliency content corresponding to each big data service operation log, the service scene saliency content may be input into an identification network based on a set priority order included in the visual description mining network to execute step 404, and the identification processing based on the set priority order is performed on the service scene saliency content corresponding to each big data service operation log to obtain an operation intention expression corresponding to the target big data service operation log set.
For this step, the service scene saliency content corresponding to each of the big data service operation logs can be sorted according to the time-level feature information represented by the status update condition. Then, based on a set linear moving average processing unit, linear moving average processing is performed on the sorted service scene saliency content of the big data service operation logs to obtain the operation intention expression corresponding to the target big data service operation log set.
Based on the above, after obtaining the operation intention expression corresponding to the target big data service operation log set, step 1044 may be continuously performed to determine the digital threat identification result corresponding to the plurality of cloud service participant tags in the target big data service operation log set based on the operation intention expression.
For this step, the above operation intention expression can be input into a multi-classification thread debugged in advance for digital threat identification, so as to obtain the above digital threat identification result.
The following is a description of the relevant content of a digital threat identification process presented herein. The multi-classification thread comprises a feature reduction module and a classification identification module. The feature reduction module may be configured to process the operation intention expression to obtain corresponding description content. For example, the above feature reduction module may be a down-sampling node. The classification identification module is used for carrying out digital threat identification based on the description content to obtain a credibility coefficient corresponding to each set threat type.
In the implementation of step 1044, the operation intention expression may be input into the feature reduction module to perform step 502, in which the operation intention expression is average-pooled to obtain the corresponding description content. After the description content is obtained, it may be input into the classification identification module to execute step 504, in which the description content is subjected to classification identification processing to obtain a credibility coefficient corresponding to each set threat type.
After obtaining each credibility coefficient, the type of digital threat identification result corresponding to the maximum credibility coefficient can be determined as the digital threat identification result corresponding to more than one cloud service participant tag in the target big data service operation log set. The digital threat identification result includes at least one of the following: traffic attack; information stealing; data tampering; identity falsification.
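Steps 404, 502 and 504 as described above, as an added example that is not code from the patent: per-log saliency content is sorted by time, smoothed with a moving average, average-pooled, scored per threat type, and the type with the maximum credibility coefficient is returned. The window size, the linear-plus-softmax scorer, the weights and the sample vectors are constructed assumptions standing in for the pre-debugged multi-classification thread.

```python
import math

THREAT_TYPES = [
    "traffic attack",
    "information stealing",
    "data tampering",
    "identity falsification",
]

# Constructed sample: (timestamp, service scene saliency content) per log,
# deliberately out of time order.
SAMPLE_SALIENCY = [
    (3, [0.9, 0.1, 0.0]),
    (1, [0.7, 0.2, 0.1]),
    (2, [0.8, 0.0, 0.2]),
]

# Constructed classifier parameters (assumption): one weight row per threat type.
SAMPLE_WEIGHTS = [
    [2.0, 0.0, 0.0],
    [0.0, 2.0, 0.0],
    [0.0, 0.0, 2.0],
    [0.0, 1.0, 1.0],
]
SAMPLE_BIAS = [0.0, 0.0, 0.0, 0.0]


def moving_average(rows, window):
    """Trailing moving average over time-ordered feature rows."""
    smoothed = []
    for i in range(len(rows)):
        chunk = rows[max(0, i - window + 1): i + 1]
        smoothed.append([sum(col) / len(chunk) for col in zip(*chunk)])
    return smoothed


def operation_intention_expression(saliency_by_log, window=2):
    """Step 404: sort saliency content by time, then smooth it."""
    if not saliency_by_log:
        raise ValueError("no operation logs supplied")
    ordered = [vec for _, vec in sorted(saliency_by_log, key=lambda item: item[0])]
    return moving_average(ordered, window)


def average_pool(expression):
    """Step 502: average pooling over the time axis."""
    return [sum(col) / len(expression) for col in zip(*expression)]


def credibility(description, weights, bias):
    """Step 504: one credibility coefficient per threat type (softmax)."""
    scores = [
        sum(w * x for w, x in zip(row, description)) + b
        for row, b in zip(weights, bias)
    ]
    peak = max(scores)  # subtract the peak for numerical stability
    exps = [math.exp(s - peak) for s in scores]
    total = sum(exps)
    return [e / total for e in exps]


def identify_threat(saliency_by_log, weights, bias, window=2):
    """Return the threat type with the maximum credibility coefficient."""
    expression = operation_intention_expression(saliency_by_log, window)
    coeffs = credibility(average_pool(expression), weights, bias)
    best = max(range(len(coeffs)), key=coeffs.__getitem__)
    return THREAT_TYPES[best], coeffs


if __name__ == "__main__":
    print(identify_threat(SAMPLE_SALIENCY, SAMPLE_WEIGHTS, SAMPLE_BIAS))
```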
In the method, the state update condition of the cloud service participant tags in the target big data service operation log set is determined by performing persistent tag analysis processing on the cloud service participant tags activated in the target big data service operation log set. Visual description mining processing is then performed based on the state update condition to obtain an operation intention expression corresponding to the target big data service operation log set, and a digital threat identification result corresponding to more than one cloud service participant tag in the target big data service operation log set is determined based on the operation intention expression. In this way, an operation intention expression that has a positive effect on the detection precision and reliability of the digital threat identification result is determined from the target big data service operation log set through the visual description mining idea, and accurate and reliable detection of the digital threat identification result represented by the target big data service operation log set is realized.
The following description of the embodiments is provided in connection with a digital office environment. The digital office environment is generally provided with office information security software. The office information security software can generally collect a streaming log set. It can be understood that in a digital office environment, the digital threat identification is actually performed on a streaming log set collected by office information security software.
The following is a related content of a digital threat identification process.
After the target streaming log set is obtained, step 602 may be executed through the keyword determination node: operation log analysis processing is sequentially executed on each big data service operation log included in the target streaming log set, so as to determine the interactive operation state data, in each big data service operation log, of the digital cloud service participants activated in the streaming log.
After the interactive operation state data is determined, step 604 may be executed through the persistent tag analysis unit: based on the interactive operation state data, persistent tag analysis processing is performed on the digital cloud service participants, so as to determine the state update condition of the digital cloud service participants in the target big data service operation log set.
After the state update condition is determined, step 606 may be executed through a log mining sub-thread included in the visual description mining detection thread: a visual description mining process is performed based on the state update condition, so as to obtain an operation intention expression corresponding to the target big data service operation log set.
The visual description mining detection thread may further be a detection thread generated based on a visual description mining network and a multi-detection thread. Through the visual description mining detection thread, on the one hand, a visual description mining operation can be performed on multi-modal features to determine the operation intention expressions corresponding to the multi-modal features; on the other hand, digital threat identification processing can be performed on the target big data service operation log set according to the operation intention expression to determine the threat category of the set.
After the operation intention expression is determined, step 608 may be executed through the multi-detection thread included in the visual description mining detection thread, to determine, based on the operation intention expression, the digital threat identification result corresponding to a plurality of cloud service participant tags in the target big data service operation log set.
In the above scheme, a visual description mining principle is first used to determine, based on the state update condition of the digital cloud service participants in the streaming log, an operation intention expression capable of reflecting the difference data update condition of each digital cloud service participant in the streaming log set. The threat category of the streaming log set is then determined based on the operation intention expression, thereby improving the accuracy of threat identification and detection.
The above is an explanation of the threat identification scheme of the big data service operation log set shown in the present application, and the following is an explanation of the debugging method of the visual description mining detection thread used. The above visual type description mining detection thread may be used to implement the above visual type description mining process.
Viewed in some possible embodiments, the above visual-type description mining detection threads may include a visual-type description mining network as well as multiple detection threads. In the visual description mining network, the status update condition of each cloud service participant tag in the target big data service operation log set can be used as input to perform visual description mining processing, so as to obtain the operation intention expression corresponding to the target big data service operation log set. The multi-detection thread can take the operation intention expression as input, and carry out digital threat identification processing on the operation intention expression to obtain a digital threat identification result represented by the target big data service operation log set.
It will be appreciated that debugging the visual description mining detection thread is actually the process of determining the thread variables included in the visual description mining network and the multi-detection thread.
The application provides a thread debugging method. The method debugs the visual description mining detection thread by generating a reference debugging example, so that the thread debugging can be realized under the condition of lacking an actual example. Accordingly, the above debugging method includes the following.
Step 702, generating a debugging example, wherein the debugging example covers the state update condition of a plurality of cloud service participant tags and the authenticity guide information of the digital threat identification result based on that state update condition. For this step, step 7022 may be performed first: based on the big data service analysis system, the service interaction category corresponding to each cloud service participant tag activated in the streaming log is set. The big data service analysis system can further be any system capable of performing change analysis. In some possible embodiments, the big data service analysis system may be an enterprise service development platform. The service interaction categories can include interaction heat and preference change. Through the service interaction categories, on the one hand, keywords of the cloud service participant tags in each group of big data service operation logs included in the above streaming log can be determined, and thereby the state update condition of each cloud service participant tag in the streaming log is determined. On the other hand, the digital threat identification result represented by the streaming log can be obtained. For example, in a digital office environment, when the service interaction category of each digital cloud service participant is a centralized category, it can be determined that the digital threat identification result represented by the streaming log is a traffic attack; otherwise, it can be determined to be information stealing. Of course, the determination of the digital threat identification result is not limited to the above, and the embodiments of the present application do not list every case.
After the service interaction category of each cloud service participant tag is determined, step 7024 may be executed to determine, based on the service interaction category, the state update condition corresponding to each cloud service participant tag and the digital threat identification result represented by that state update condition. The digital threat identification result can include traffic attack, information stealing, data tampering and the like.
After determining the above status update condition and the digital threat identification result represented by the above streaming log, step 7026 may be performed to generate the above debugging example based on the above status update condition and the digital threat identification result represented by the above status update condition.
After the above debugging example is obtained, step 704 may be continued to debug the above visual description mining detection thread based on the preset thread evaluation index and the above debugging example until the thread meets the set condition (e.g., the thread tends to be stable). The preset thread evaluation index may be an empirically set thread evaluation index.
In the debugging method, the visual description mining detection thread is debugged by using the debugging example, so that the debugging process does not depend on the actual debugging example.
In some possible embodiments, the method may further perform linkage debugging on a cloud service participant tag state identification network for determining a cloud service participant tag state, a persistent tag analysis processing model for performing persistent tag analysis processing, and a visual description mining detection thread for performing visual description mining processing and classification.
In some possible embodiments, a streaming log representing traffic attack, information stealing and the like can be generated by a big data service analysis system, and the generated streaming log is annotated with authenticity guide information of the digital threat identification result to obtain a debugging example.
After the debugging example is obtained, it can be input into the cloud service participant tag state identification network to obtain a first processing result. The first processing result is then input into the persistent tag analysis processing model to obtain a second processing result. The second processing result is then input into the visual description mining detection thread to obtain a detection result for the digital threat identification result represented by the streaming log. After this result is obtained, the variable update of each thread can be completed through feedback according to the authenticity guide information corresponding to the reference identification. In the above example, linked debugging of each thread can be realized, and efficient debugging is ensured.
In some independently implementable technical solutions, the method further comprises: on the premise that the digital threat identification results corresponding to the cloud service participant tags in the target big data service operation log set are identity falsifications, determining a service session stream record according to the digital threat identification results, performing anti-fraud detection processing based on the service session stream record to obtain an anti-fraud detection result, and performing information protection processing according to the anti-fraud detection result.
Thus, through secondary detection (anti-fraud detection), handling processing of digital threats can be achieved, and safety of user information is guaranteed.
In some independently implementable technical solutions, performing anti-fraud detection processing based on the service session stream record to obtain an anti-fraud detection result may include the following: parsing the received service session stream record to obtain a user session event description; parsing the received anti-fraud detection authorization information record to obtain a session event description to be anti-fraud detected; determining a detection constraint characteristic linked with the anti-fraud detection authorization information record on the premise that the session event description to be anti-fraud detected conforms to a first anti-fraud detection condition and the user session event description conforms to a second anti-fraud detection condition; and performing anti-fraud detection processing on at least part of the session event description in the user session event description through the detection constraint characteristic.
In some independently implementable technical solutions, performing anti-fraud detection processing based on the service session stream record to obtain an anti-fraud detection result can be implemented by the following technical solution.
STEP101, parsing the received service session stream record to obtain a user session event description. In some possible embodiments, the service session stream record is a stream record whose visual feature information includes session items to be parsed, and may be, for example, a log record organized in chronological order, where the number of session items to be parsed may be one, two, or more than two.
In some possible implementations, for each session item to be parsed in the service session stream record, a service session sample having a pairing relationship with the session item is used to analyze the event attribute (for example, an event feature) of each event attribute record, and the event attribute analysis result is optimized in combination with the connection condition between associated event attribute records in the session item to be parsed, so that a user session event description with significant visualization (which can be understood, for example, as user session event data) is obtained. The relationship between the associated event attribute records in the session item to be parsed can be understood as the correspondence between the static event attributes (fixed and unchangeable event features) in a group of session items and the dynamic event attributes (dynamically changeable event features) in the session item. Therefore, according to the correspondence among the associated event attribute records in a group of session items to be parsed, the event attributes in the event attribute analysis result of the session items are associated and then output, and a user session event description with significant visualization can be obtained. When the service session stream record includes a plurality of groups of session items to be parsed, each group has a significantly visualized event attribute analysis result, so that a complete and rich user session event description can be obtained.
In the embodiment of the present application, the user session event relates to various digital services, including but not limited to payment service, office service, car networking service, automated production service, intelligent education service, cloud game service, and the like.
STEP102, parsing the received anti-fraud detection authorization information record to obtain a session event description to be anti-fraud detected. In some possible embodiments, the anti-fraud detection authorization information record is a stream record whose visual feature information includes the anti-fraud detection authorization information to be parsed; and the anti-fraud detection authorization information is used for carrying out a verification result of anti-fraud detection. The anti-fraud detection authorization information can serve as an indicator (a wind vane) for anti-fraud detection. For example, the anti-fraud detection authorization information m1 represents that the adopted anti-fraud detection mode is F1, and the anti-fraud detection authorization information m2 represents that the object of anti-fraud detection is payment service behavior data and the like.
In some possible implementations, event attribute analysis is performed on the anti-fraud detection authorization information to be parsed in the anti-fraud detection authorization information record, and, in combination with a significant distinguishing relationship (which can be understood, for example, as a semantic relationship) between different event attribute records in the anti-fraud detection authorization information, significant visualization processing is performed on the event attribute analysis result, so that the event attributes in the event attribute analysis result have a pairing relationship; that is, the obtained session event description to be anti-fraud detected has significant visualization.
In one possible example, the anti-fraud detection authorization information is broken down into a plurality of event attribute records according to visual type restriction information in the anti-fraud detection authorization information record, and the connection condition among the event attribute records is analyzed to determine how the event attributes in the event attribute analysis result are connected in the output, that is, which event attributes are associated with which. In this way, a session event description to be anti-fraud detected with significant visualization is obtained and output, and the use efficiency of the session event description to be anti-fraud detected is improved.
STEP103, determining a detection constraint characteristic associated with the anti-fraud detection authorization information record on the premise that the session event description to be anti-fraud detected conforms to the first anti-fraud detection condition and the user session event description conforms to the second anti-fraud detection condition.
In some possible embodiments, the first anti-fraud detection condition is that the number of verification success messages included in the session event description to be anti-fraud detected is equal to a set decision value. The number of verification success messages included in the session event description to be subjected to anti-fraud detection is determined, and, in response to the number being equal to the set decision value, it is determined that the session event description to be subjected to anti-fraud detection meets the first anti-fraud detection condition. The set decision value may be determined based on the number of important verification angles (different verification levels); for example, if there are 5 points of interest in the verification angles, the set decision value may be set to 5.
Based on the above, the session event description to be anti-fraud detected meeting the first anti-fraud detection condition indicates that the session event description to be anti-fraud detected has passed the multi-stage verification. The user session event description is output after event attribute detection and event attribute analysis are performed on the service session stream record and content significant visualization is performed on the event attribute analysis result. The session event description to be subjected to anti-fraud detection is output after event attribute detection and event attribute analysis are performed on the anti-fraud detection authorization information record and content significant visualization is performed on the event attribute analysis result. The quantitative adaptation degree between the user session event description and the session event description to be subjected to anti-fraud detection is then judged; if the user session event description corresponds to the session event description to be subjected to anti-fraud detection, it is further judged whether the user session event description meets a target anti-fraud detection index, for example, whether the user session event description meets an indication of an anti-fraud detection thread on anti-fraud detection requirements.
For some possible implementation manners, the second anti-fraud detection condition is that the user session event description corresponds to a session event description to be anti-fraud detected, and the user session event description meets the target anti-fraud detection index, and it may be verified whether the user session event description meets the second anti-fraud detection condition through the following process, where relevant contents are as follows.
Step1, determining a first quantitative adaptation degree between the session event description of the user and the session event description to be subjected to anti-fraud detection.
In some possible embodiments, first, the items to be anti-fraud detected in the session event description to be anti-fraud detected are differentially analyzed (classified); then, for each differentiated analysis result, data belonging to the category (for example, a category keyword) is searched for in the user session event description, and finally, whether the data of the keyword in the user session event description matches with the data of the keyword in the session event description to be subjected to anti-fraud detection is judged. Therefore, the quantization adaptation degree can be understood as a matching degree.
Step2, in response to the first quantitative adaptation degree being not less than a set quantitative adaptation degree threshold, determining that the user session event description corresponds to the session event description to be subjected to anti-fraud detection, and determining whether the user session event description meets a target anti-fraud detection index. In some possible embodiments, the relevancy determination is performed for each keyword in the session event description to be anti-fraud detected, and if, for each keyword, the user session event description matches the session event description to be anti-fraud detected, it is determined that the user session event description corresponds to the session event description to be anti-fraud detected. For example, if the payment-class anti-fraud detection dimension in the session event description to be subjected to anti-fraud detection is 20, then the session items belonging to the payment class are searched for in the user session event description, and the global dimension of the payment-class session items is determined; if the global dimension of the payment-class session items is not more than 20, the payment-class session event description to be subjected to anti-fraud detection matches the user session event description; if the global dimension of the payment-class session items is larger than 20, the payment-class session event description to be subjected to anti-fraud detection partially matches the user session event description. If no session items belonging to the payment class are found in the user session event description, the session event description to be anti-fraud detected does not match the user session event description.
Step3, in response to the user session event description meeting the target anti-fraud detection index, determining that the user session event description meets the second anti-fraud detection condition. In some possible embodiments, the user session event description is determined to be in compliance with the second anti-fraud detection condition if the user session event description both matches the session event description to be anti-fraud detected and also complies with the target definition. Thus, the verification of the session items to be parsed can be intelligently realized through Step1 to Step3.
For some possible implementation manners, the verification of the session event description to be subjected to the anti-fraud detection may be implemented through a process of verifying whether the session event description to be subjected to the anti-fraud detection includes a verification success message meeting certain data, that is, verifying whether the anti-fraud detection authorization information passes through a multi-stage verification. And if the session event description to be subjected to the anti-fraud detection comprises a set number of successful verification messages, determining that the session event description to be subjected to the anti-fraud detection meets a first anti-fraud detection condition, namely indicating that the anti-fraud detection authorization information passes multi-stage verification. And finally, determining a detection constraint characteristic under the condition that the session event description to be subjected to anti-fraud detection conforms to a first anti-fraud detection condition and the user session event description conforms to a second anti-fraud detection condition. The detection constraint characteristics linked with the anti-fraud detection authorization information record comprise anti-fraud detection request terminal information determined based on the anti-fraud detection authorization information record, a service interaction terminal pointed by the anti-fraud detection request terminal, an identity security check terminal and other detection constraint information used for realizing anti-fraud detection on the user session event description. 
The target anti-fraud detection index can be understood as a condition set by the anti-fraud detection thread aiming at the conversation matters needing anti-fraud detection; for example, dimensions of a single set of business sessions, types of session transactions, session transaction periods, etc.; and judging whether the session items to be analyzed meet the set conditions or not so as to realize the verification of the session items to be analyzed.
STEP104, based on the detection constraint characteristics, performs anti-fraud detection processing on at least part of the session event descriptions in the user session event descriptions. In some possible embodiments, for an anti-fraud detection task for a keyword (a category), if the global dimension of a session item belonging to the keyword in the user session event description is less than or equal to the to-be-anti-fraud detection dimension of the keyword included in the anti-fraud detection authorization information record, it is indicated that the global dimension of the session item of the keyword in the user session event description does not exceed the dimension of the keyword in the anti-fraud detection authorization information. For example, if the dimension of fraud detection to be performed on the payment class in the anti-fraud detection authorization information is 20, and the global dimension of the session transaction belonging to the payment class in the user session event description is 18, then the anti-fraud detection process is performed on all the session transactions to be resolved in the user session event description. If the dimension to be anti-fraud detected of the payment class in the anti-fraud detection authorization information is 20, and the global dimension of the session item belonging to the payment class in the user session event description is 24, determining the payment class session item with the global dimension of 20 in the user session event description, performing anti-fraud detection on the payment class session item with the global dimension of 20, and performing no anti-fraud detection on the remaining 4 payment class session items. 
For some possible implementations, if anti-fraud detection is performed on part of the description information of the user session event description, then the session item to be parsed for the remaining description information may be determined based on the remaining description information; and feeding back the to-be-analyzed session items of the residual description information to the anti-fraud detection request side, so that the anti-fraud detection request side cancels the to-be-analyzed session items of the residual description information.
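The checks of STEP103 and the capped processing of STEP104 can be traced with the numbers used above (decision value 5, payment dimension 20, 18 or 24 payment items). This is an added sketch, not code from the patent: all names, the scoring of the quantitative adaptation degree (minimum over keywords of 1.0, limit/found or 0.0), the threshold 0.5, the shape of the target index and the choice of the first 20 items in recorded order are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class SessionItem:
    item_id: str
    category: str  # session item keyword, e.g. "payment"


@dataclass
class Authorization:
    """Parsed session event description to be anti-fraud detected."""
    verification_messages: tuple  # one message per verification angle
    dimensions: dict              # keyword -> dimension to be anti-fraud detected


@dataclass
class TargetIndex:
    """Target anti-fraud detection index (assumed shape: allowed types, size cap)."""
    allowed_categories: frozenset
    max_items: int


def payment_items(n):
    # Constructed sample data: n payment-class session items, pay-1 .. pay-n
    return [SessionItem(f"pay-{i}", "payment") for i in range(1, n + 1)]


def group_by_category(items):
    groups = defaultdict(list)
    for item in items:
        groups[item.category].append(item)
    return groups


def meets_first_condition(auth, decision_value):
    # First condition: count of verification success messages equals the set decision value
    successes = sum(1 for m in auth.verification_messages if m == "success")
    return successes == decision_value


def adaptation_degree(auth, items):
    # Assumed scoring per keyword: 1.0 full match, limit/found partial match,
    # 0.0 when no item of that keyword is found; overall degree is the minimum
    groups = group_by_category(items)
    scores = []
    for keyword, limit in auth.dimensions.items():
        found = len(groups.get(keyword, []))
        if found == 0:
            scores.append(0.0)
        elif found <= limit:
            scores.append(1.0)
        else:
            scores.append(limit / found)
    return min(scores) if scores else 0.0


def meets_second_condition(auth, items, threshold, target):
    # Step1/Step2: adaptation degree against the threshold; Step3: target index
    if adaptation_degree(auth, items) < threshold:
        return False
    within_types = all(i.category in target.allowed_categories for i in items)
    return within_types and len(items) <= target.max_items


def select_for_detection(auth, items):
    # STEP104: detect at most the authorized dimension per keyword; the rest is
    # fed back to the request end for cancellation
    detect, cancel = [], []
    for keyword, members in group_by_category(items).items():
        limit = auth.dimensions.get(keyword, 0)  # assumption: no dimension, no detection
        detect.extend(members[:limit])
        cancel.extend(members[limit:])
    return detect, cancel


def process(auth, items, decision_value=5, threshold=0.5, target=None):
    target = target or TargetIndex(frozenset({"payment"}), 30)
    if not meets_first_condition(auth, decision_value):
        return None
    if not meets_second_condition(auth, items, threshold, target):
        return None
    return select_for_detection(auth, items)


if __name__ == "__main__":
    auth = Authorization(("success",) * 5, {"payment": 20})
    for n in (18, 24):
        detect, cancel = process(auth, payment_items(n))
        print(n, "items ->", len(detect), "detected,", len(cancel), "fed back")
```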
In the embodiment of the application, for the received service session stream recording and anti-fraud detection authorization information record, the service session stream recording and the anti-fraud detection authorization information record are firstly intelligently analyzed to obtain the description of the user session event and the description of the session event to be subjected to anti-fraud detection; therefore, the service session stream recording and anti-fraud detection authorization information recording analysis can be carried out in a self-adaptive manner, and the relation between the service sessions can be analyzed; then after the session event description to be subjected to anti-fraud detection and the user session event description are verified, the detection constraint characteristics which are linked with the anti-fraud detection authorization information records are determined in a targeted manner, so that the targeted identification of the user session event description can be realized; and finally, carrying out anti-fraud detection processing on the user session event description by utilizing the corresponding detection constraint characteristics, thus carrying out anti-fraud detection processing on the user session event description based on the detection constraint characteristics which are verified, realizing targeted and self-adaptive anti-fraud detection, ensuring to meet different anti-fraud detection requirements and improving the accuracy and reliability of anti-fraud detection.
In some possible embodiments, the service session is associated with the service session sample in the service session data set to obtain the reliability index of the service session, so that the service session sample with a high reliability index is determined as the service session sample to be used, the service session analysis is intelligently implemented, and the session processing efficiency is improved, that is, STEP101 may be described as follows.
STEP201, in the service session stream recording, dividing the stream recording content where the session item to be analyzed is located to obtain at least one local recording description. In some possible embodiments, a set of session entries to be parsed corresponds to a local record description. The session items to be analyzed in the service session stream record can be one group or multiple groups; carrying out stream recording processing on session information comprising one or more groups of session items to be analyzed to obtain the service session stream record; or, performing streaming recording processing on a plurality of session items to be analyzed, and combining the sorted streaming records to obtain a service session streaming record including the plurality of session items to be analyzed.
In the service session stream recording, the stream recording content of each to-be-analyzed session item is determined, and the stream recording contents are subjected to partial splitting processing, so that a plurality of partial recording descriptions of which the visual characteristic information comprises one to-be-analyzed session item can be obtained. For some possible implementations, if the service session streaming record includes 6 groups of session items to be parsed, the streaming record content in which the 6 groups of session items to be parsed are located is respectively divided to obtain a local record description corresponding to each group of session items to be parsed.
For some possible implementation manners, after performing partial splitting processing on streaming record content in which a session item to be analyzed in a service session streaming record is located, to obtain a plurality of streaming record contents, performing feature recognition degree optimization operation on visual feature information in a local record description in response to that the local record description is in a feature recognition degree abnormal state, and taking the streaming record obtained after the feature recognition degree optimization operation as the local record description. In this way, the feature recognition degree optimization processing is performed on the streaming contents of each streaming content so as to return the feature recognition degree of the streaming content to normal, which can be realized by the following procedure.
Step1, in the service session stream recording, the stream recording content of each session item to be analyzed is subjected to partial splitting processing to obtain at least two partial splitting processing stream recordings.
Step2, in response to the local splitting processing stream recording being in the abnormal state of the characteristic identification degree, performing characteristic identification degree optimization operation on visual characteristic information in the local splitting processing stream recording, and using the stream recording obtained after the characteristic identification degree optimization operation as the local recording description. For example, the feature recognition degree optimization operation may be understood as feature recognition degree correction or amendment to ensure that the feature recognition degree of the visual feature information is as normal as possible.
STEP202, parsing the local record description to obtain the user session event description. In some possible embodiments, performing range analysis on each group of local record descriptions, calling a service session sample with a higher credibility index from a set service session set to perform event attribute detection and event attribute analysis, and performing significant visualization processing on an event attribute analysis result in combination with a connection condition between different event attribute records in the local record descriptions to obtain a user session event description with significant visualization.
For some possible implementations, the parsing of the local record description is implemented by looking for a service session sample with a higher degree of quantitative adaptation to the local record description in the service session dataset, that is, the STEP202 may be implemented by the following process.
STEP231, obtaining the session item keyword corresponding to the local record description. In some possible embodiments, for the obtained multiple local record descriptions, performing differentiation analysis on the session items to be parsed included in the local record descriptions to obtain session item keywords corresponding to the local record descriptions.
STEP232, searching for a target service session sample having a matching relationship with the session transaction key words in the set service session data set. In some possible embodiments, according to the session item keyword, in the set service session data set, the reliability index of the service session sample belonging to the keyword and the local record description is determined, and the service session sample with the reliability index greater than or equal to the set reliability index threshold is used as the target service session sample of the local record description.
STEP233, on the premise that the target service session sample is found, performing event attribute analysis on the event attribute records in the local record description through the target service session sample to obtain an event attribute analysis result. In some possible embodiments, a target service session sample being found in the set service session data set indicates that a service session sample whose reliability index is greater than the set reliability index threshold exists in the set service session data set; the target service session sample is called to perform event attribute detection and event attribute analysis on each event attribute record in the local record description, so as to obtain the event attribute analysis result. For example, the service session streaming record includes 3 to-be-analyzed session transactions; for the to-be-analyzed session transaction event_1, the session transaction keyword of event_1 is an enterprise service session transaction, and then, among the related service session samples in the set service session data set, a target service session sample with a higher reliability index with respect to the local record description of the to-be-analyzed session transaction event_1 is found. By calling the target service session sample, event attribute detection is performed on the local record description of the to-be-analyzed session transaction event_1 to obtain each event attribute record including an event attribute in the local record description. The event attribute analysis result comprises the event attributes in any event attribute record in the local record description.
STEP234, obtaining the user session event description based on the event attribute analysis result and the connection between different event attribute records. In some possible embodiments, on the premise that the service session streaming record includes one group of local record descriptions, that is, an independent local record description, the connection condition between associated event attribute records in the to-be-parsed session item described by the local record description is determined according to the target service session sample of the local record description. Significant visualization processing is performed on the event attribute analysis result based on the connection condition between the associated event attribute records to realize event attribute matching, thereby obtaining an event attribute output result with significant visualization.
For the case that the service session stream record includes multiple sets of local record descriptions, the association between related information needs to be processed and analyzed to associate the event attributes in the event attribute analysis result. For some possible implementations, different session entries to be parsed are associated by different time periods in the sets of local record descriptions.
In the technical scheme, a target service session sample with a high credibility index is called in a set service session data set, and the local record description is subjected to operations such as event attribute detection, event attribute analysis and optimization processing, so that the event attribute analysis and association of the service session can be performed in a self-adaptive manner, the processing efficiency is improved, and unnecessary resource overhead is reduced.
In some possible embodiments, if the target service session sample is not found in the set service session data set, the user session event description may be obtained in two ways, the first of which is shown as STEP235 to STEP237.
STEP235, in response to the target service session sample not being found, performing event attribute analysis on the local record description to obtain a first session scene analysis result. In some possible embodiments, according to the credibility indexes between the local record description and the service session samples, a target service session sample with a higher credibility index is searched for in the set service session data set; if the credibility indexes of the service session samples in the set service session data set are all lower than the set credibility index threshold, the target service session sample is not found. That is, when service session sample matching is performed on the local record description, even the service session sample with the highest credibility index still does not reach the set credibility index threshold. Based on the above, scoped event attribute analysis is performed on the local record description to obtain a scoped event attribute analysis result, namely a first session scene analysis result; in this way, secondary verification can be performed based on the significance distinguishing information of the local record description in combination with the first session scene analysis result (global analysis result) to obtain an accurate analysis result.
STEP236, improving the first session scene parsing result through the salient distinguishing information in the local record description to obtain a transitional parsing result, and taking the transitional parsing result as the user session event description. In some possible embodiments, the saliency differentiation information in the local record description is used to describe the visual characteristic information of the local record description and to indicate the saliency differentiation of individual features in the visual characteristic information of the local record description. For some possible implementation manners, after performing range event attribute analysis on the local record description, combining the significance distinguishing information in the local record description, according to the significance distinguishing information, the event attribute in the first session scene analysis result is improved, so that the obtained transition type analysis result conforms to the significance distinguishing information, and the transition type analysis result can be used as the user session event description. Then STEP237 is entered.
STEP237, sending the local record description and the transitional parsing result to a verification thread, so as to obtain the user session event description from the verification thread. In some possible embodiments, the verification thread may be a machine learning based verification thread to which the local record description and the transitional parsing result are sent. Therefore, the obtained transitional analysis result can be verified and modified by utilizing the verification thread and based on the local record description, so that an accurate user session event description can be obtained.
A way of implementing "parsing the at least two local record descriptions to obtain the user session event description" is provided in the above-mentioned STEP235 to STEP237, in which, if the target service session sample is not included in the set service session data set, the local record descriptions are verified based on machine learning to obtain a user session event description with higher accuracy.
The second method is shown as STEP238 to STEP240.
STEP238, on the premise that the target service session sample is not found, presenting a set visualization guide to obtain the session transaction streaming record corresponding to the local record description. In some possible embodiments, on the premise that the set service session data set does not include the target service session sample, the local record description that is not matched to a target service session sample may also be fed back, so that the anti-fraud detection request end imports again the content corresponding to the local record description, that is, the high-quality session event streaming record corresponding to the local record description. Namely, an anti-fraud detection result is output, wherein the anti-fraud detection result can be used for prompting that the anti-fraud detection request end has a session item with fraud risk; if the keyword of the session item to be parsed in the local record description is resolvable, i.e. the keyword of the session item to be parsed can be parsed, the anti-fraud detection result is generated based on the visual characteristic information of the local record description, so that the anti-fraud detection result can correspond to the local record description. Furthermore, the anti-fraud detection results may also be represented by different levels, e.g. level 1 indicating a high fraud risk, level 2 indicating a low fraud risk, and level 3 indicating no fraud risk.
STEP239, determining the session transaction tag of the session transaction streaming record. In some possible embodiments, the conversation item tag includes key information or topic information of a plurality of cover papers of the conversation item, such as a conversation name, a conversation period, a conversation participant, a conversation task, an item progress condition, and the like, and the embodiments of the present application are not limited thereto.
STEP240, searching for a service session sample having a pairing relationship with the session transaction label in the set service session data set, taking the service session sample as the target service session sample, and performing event attribute analysis on the local record description to obtain the user session event description. In some possible embodiments, a service session sample having the pairing relationship with the session transaction label is one whose sample anti-fraud topic information corresponds to the session transaction label; further, event attribute analysis may be performed on the local record description based on the target service session sample to obtain the user session event description.
STEP238 to STEP240 above provide another way to obtain a target service session sample. In this way, a local record description that is not matched to a target service session sample in the set service session data set is fed back, and the anti-fraud detection request end is prompted to re-import the session transaction stream record corresponding to the local record description, so that the session transaction to be analyzed can be matched to a target service session sample through the re-imported high-quality session transaction stream record; this improves the matching efficiency of the service session sample, and further improves the accuracy and reliability of the analysis result obtained by performing event attribute analysis on the local record description.
In other embodiments, after STEP238 feeds back the local record description that does not match to the target business session sample, it may prompt to re-import the session transaction streaming record, i.e., prompt the anti-fraud detection requester to import the session transaction tag that describes the corresponding session transaction for the local record. Therefore, when the local record description is matched with the service session sample, the credibility index between the local record description and the service session sample does not need to be judged, the target service session sample with the session item label having the matching relation can be directly called, and the timeliness and the accuracy of the service session sample adaptation are improved.
In some possible embodiments, on the premise that the target service session sample does not exist in the set service session data set, a new service session sample may be generated based on the session item tag of the session item to be analyzed, so as to implement the replacement of the set service session sample, which may be implemented through the following process.
Step1, in response to no service session sample having a pairing relationship with the session transaction label being found, generating a current service session sample based on the session transaction label. In some possible embodiments, the confidence indexes between the service session samples in the set service session data set and the sorting conditions of the session transaction tags are all smaller than a confidence index threshold, or the keywords of the service session samples in the set service session data set do not include the keyword of the session transaction to be analyzed corresponding to the session transaction tag; in either case, it is determined that no service session sample having a matching relationship with the session transaction tag is found in the set service session data set. In this case, the current service session sample may be generated by analyzing the session transaction tag. For example, although the keywords of the service session samples in the set service session data set include the keyword of the to-be-analyzed session item corresponding to the session item tag, different scenes arrange the session items differently for the same keyword, so the service session sample of that keyword existing in the set service session data set is not adapted to the to-be-analyzed session item; based on this, the arrangement of the session items can be analyzed according to the session item tag, so that a new service session sample is generated. Or, the session item is a non-hotspot session item, and the keywords of the service session samples in the set service session data set do not include the keyword of the session item, so that the non-hotspot session item can be analyzed according to the session item tag to generate a new service session sample; the new service session sample can be understood as the current service session sample.
Step2, loading the current service session sample into the set service session data set. In some possible embodiments, after the current service session sample is generated by analyzing the session transaction tag, the current service session sample is added to the set service session data set. For some possible implementation manners, the old sorted service session samples in the set service session data set may be cleaned according to a certain step length, so as to update the current service session data set in time. In the embodiment of the application, the set service session data set is replaced, so that the replaced set service session data set can conform to the replacement iteration of the session item arrangement, and a service session sample with a high credibility index can be conveniently matched for the local record description.
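The lookup order described in STEP232, STEP238 to STEP240 and in Step1 and Step2 above (keyword match above the credibility index threshold, then pairing by session item tag, then generating and loading a new sample) can be sketched as follows. This is an added example, not code from the patent: the names, the credibility index (Jaccard overlap of event attribute names), building the generated sample from the record's attributes plus the tag, and cleaning old samples as oldest-first eviction beyond a fixed capacity are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionSample:
    keyword: str           # session item keyword the sample belongs to
    attributes: frozenset  # event attribute names the sample can parse
    tag: str = ""          # session item tag (topic information)


@dataclass(frozen=True)
class LocalRecord:
    keyword: str
    attributes: frozenset


def constructed_dataset():
    # Constructed "set service session data set", oldest sample first
    return [
        SessionSample("payment", frozenset({"amount", "payee", "currency"}), "tag-a"),
        SessionSample("payment", frozenset({"amount"}), "tag-b"),
        SessionSample("enterprise", frozenset({"contract", "party"}), "tag-c"),
    ]


def reliability_index(sample, record):
    # Assumed metric: Jaccard overlap between the attribute names of the sample
    # and those of the local record description
    union = sample.attributes | record.attributes
    if not union:
        return 0.0
    return len(sample.attributes & record.attributes) / len(union)


def find_by_keyword(dataset, record, threshold):
    # STEP232: best sample of the same keyword, accepted only at or above the threshold
    candidates = [s for s in dataset if s.keyword == record.keyword]
    best = max(candidates, key=lambda s: reliability_index(s, record), default=None)
    if best is not None and reliability_index(best, record) >= threshold:
        return best
    return None


def find_by_tag(dataset, tag):
    # STEP240: sample whose topic information pairs with the session item tag
    return next((s for s in dataset if s.tag == tag), None)


def resolve_sample(dataset, record, threshold, tag=None, capacity=100):
    """Return (sample, path); path names the branch that produced the sample."""
    sample = find_by_keyword(dataset, record, threshold)
    if sample is not None:
        return sample, "keyword"
    if tag is None:
        # STEP238: feed the unmatched local record description back and ask
        # the request end to re-import it together with a tag
        return None, "request-reimport"
    sample = find_by_tag(dataset, tag)
    if sample is not None:
        return sample, "tag"
    # Step1: no paired sample exists, so generate the current sample from the tag
    sample = SessionSample(record.keyword, record.attributes, tag)
    # Step2: load it into the data set, then clean the oldest samples
    dataset.append(sample)
    excess = len(dataset) - capacity
    if excess > 0:
        del dataset[:excess]
    return sample, "generated"


if __name__ == "__main__":
    data = constructed_dataset()
    record = LocalRecord("payment", frozenset({"refund", "channel"}))
    for tag in (None, "tag-b", "tag-new"):
        sample, path = resolve_sample(data, record, 0.7, tag=tag, capacity=3)
        print(tag, "->", path, sample.tag if sample else None)
```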
In some possible embodiments, for the anti-fraud detection authorization information record in which the obtained visual feature information includes the anti-fraud detection authorization information to be parsed, parsing of the content of the anti-fraud detection authorization information may be implemented in the following two ways to obtain a session event description to be anti-fraud detected with significant visualization; that is, STEP102 may be implemented in either of the following two ways.
First mode
STEP121, parsing the visual type restriction information in the anti-fraud detection authorization information record to obtain a plurality of authorization event sets formed by combining the visual type restriction information. In some possible embodiments, since the anti-fraud detection authorization information record includes a plurality of visual type restriction information and a restriction range formed by combining different visual type restriction information, the anti-fraud detection authorization information record is disassembled, and one restriction range is disassembled into one authorization event set, so as to obtain a plurality of authorization event sets. Wherein, the authorization event may be understood as a related event allowing anti-fraud detection, for example, the authorization event 1 may be allowing anti-fraud detection for XXX, and the authorization event 2 may be allowing anti-fraud detection for XXX in YYY.
STEP122, parsing the event attributes in each authorized event set to obtain a visual type parsing result. In some possible embodiments, event attribute parsing may be performed visually and graphically to obtain event attributes in each authorized event set.
STEP123, associating event attributes in the visual type parsing result corresponding to the authorization event sets with differences according to the contact conditions between the authorization event sets with differences, so as to obtain the session event description to be subjected to anti-fraud detection. In some possible embodiments, the relationship between the authorization event sets with differences is determined by performing a significance differentiation analysis on a plurality of authorization event sets. For example, the content in the associated authorized event set associated with any authorized event set in the anti-fraud detection authorization information record is analyzed to determine the contact condition with the authorized event set. Based on the above, the event attributes in the visual analysis result are improved according to the relation between the authorized event sets, so that the event attributes in the improved event attribute output result are related, that is, the session event description to be subjected to anti-fraud detection with obvious visualization is output.
In the first mode, the visual limiting information in the anti-fraud detection authorization information record is analyzed, and the event attributes in each authorization event set are analyzed by taking a constraint interval formed by combining a plurality of groups of visual limiting information as a reference, so that the subsequent analysis is more targeted, the event attributes in one authorization event set are analyzed no matter based on the significance difference analysis or the association analysis, and the accuracy and the reliability of the event attribute analysis can be improved.
Second mode
STEP124, determining the authorization information discriminative expression in the anti-fraud detection authorization information record. In some possible embodiments, the differentiated representation of authorization information may be understood as a category of authorization information. For some possible implementation modes, the differentiated expression of the authorization information is determined by analyzing the subject name of the anti-fraud detection authorization information record; for example, if the subject name is game anti-fraud detection authorization information, then the authorization information is distinctively expressed as a game class. Or the static description in the anti-fraud detection authorization information record is analyzed to determine the differential expression of the authorization information.
STEP125, in the set anti-fraud topic data set, searching for a target anti-fraud topic sample adapted to the differential expression of the authorization information. In some possible embodiments, after the type of the anti-fraud detection authorization information is determined, since different anti-fraud detection authorization information typically has static anti-fraud subject matter samples, anti-fraud subject matter samples belonging to that type may be sought in the set anti-fraud subject matter data set based on the type of the anti-fraud detection authorization information. For example, if the type of the anti-fraud detection authorization information is game-class anti-fraud detection authorization information, anti-fraud subject samples belonging to the game class are searched for in the set anti-fraud subject data set to obtain target anti-fraud subject samples.
STEP126, in response to finding the target anti-fraud subject matter sample, determining an example sample set that includes the static description and a to-be-parsed sample set that includes the dynamic description. In some possible embodiments, the example sample set is a set with static descriptions, which may be understood as invariant content, whereas dynamic descriptions may be understood as variable content.
STEP127, based on the sample set of examples and the sample set to be analyzed, analyzes the event attribute in the anti-fraud detection authorization information record to obtain a session event description to be anti-fraud detected. In some possible embodiments, after the target anti-fraud subject matter sample is determined, the target anti-fraud subject matter sample may be analyzed by analyzing the sample set marked in the target anti-fraud subject matter sample and the sample set to be parsed associated with the sample set. The same kind of target anti-fraud subject samples are called in the set anti-fraud subject data set according to the differential expression of the authorization information, so that the efficiency of analyzing the event attributes of the anti-fraud detection flow record can be improved.
In some possible embodiments, in the process of adapting the anti-fraud topic sample to the anti-fraud detection authorization information record, the target sample set to be analyzed of the sample set may be obtained by performing event attribute analysis on the scoped stream record and then searching for a portion adapted to the event attribute of the sample set in the event attribute analysis result, which may be implemented as follows.
Step 1: perform range analysis on the event attribute in the anti-fraud detection authorization information record to obtain a second session scene analysis result. In some possible embodiments, in the process of adapting the anti-fraud detection authorization information record to the anti-fraud topic sample, a visual analysis technique is used to perform range event attribute analysis on the anti-fraud detection authorization information record to obtain an event attribute analysis result, that is, the second session scene analysis result.
Step 2: search the second session scene analysis result for the partial analysis results that have a pairing relationship with each example sample set. In some possible embodiments, the static description of the marked example sample set, that is, the partial analysis result, is looked up in the second session scene analysis result.
Step 3: based on the partial analysis result, determine the target to-be-analyzed sample set that is connected with the example sample set corresponding to the partial analysis result. In some possible embodiments, an analysis result associated with the partial analysis result is determined in the second session scene analysis result, and the to-be-analyzed sample set corresponding to the associated analysis result is the target to-be-analyzed sample set.
Step 4: based on the relationship between each example sample set and the target to-be-analyzed sample set, associate the static event attributes located in the example sample sets with the dynamic descriptions located in the target to-be-analyzed sample sets in the second session scene analysis result, so as to obtain the session event description to be subjected to anti-fraud detection.
In some possible embodiments, for each example sample set, in the second session scene parsing result, a target sample set to be parsed corresponding to the example sample set is determined; in this way, a matching relation between the static description and the dynamic description in the second session scene analysis result is established based on the relation between each example sample set and the target sample set to be analyzed; and outputting the session event description to be subjected to anti-fraud detection based on the matching relationship. In this way, the display areas of the static description of the sample set of the example and the dynamic description of the target sample set to be analyzed can be determined, so that the optimization processing of the analysis result of the second conversation scene is realized; and enabling the static event attributes positioned in the sample set and the display area positioned in the dynamic description of the target sample set to be analyzed in the output session event description to be subjected to anti-fraud detection to meet the actual requirement.
In the embodiment of the application, the anti-fraud detection authorization information records are associated with the anti-fraud subject samples to call the anti-fraud subject samples of the same type to realize the event attribute analysis of the anti-fraud detection authorization information, and the event attribute analysis result is obviously visualized through the annotated sample set in the anti-fraud subject samples and the associated sample set to be analyzed, so that the accuracy and the service adaptability of the obtained session event description to be subjected to the anti-fraud detection can be improved.
In some possible embodiments, if a sample of the differential expression of the authorization information is not included in the set anti-fraud subject data set, then the same target anti-fraud subject sample as the differential expression of the authorization information cannot be found, then a real-time anti-fraud subject sample may be generated based on the differential expression of the authorization information in combination with a static description of the sample set in the anti-fraud detection authorization information; and the generated real-time anti-fraud subject sample is stored in the set anti-fraud subject data set so as to realize the replacement of the set anti-fraud subject data set, so that the replaced set anti-fraud subject data set can accord with various types of anti-fraud detection authorization information, and the accuracy and the reliability of sample adaptation of the anti-fraud detection authorization information record are improved.
In some possible embodiments, after analyzing the event attribute of the service session streaming record and the anti-fraud detection authorization information record, it is necessary to determine a quantitative adaptation degree between the obtained session event description of the user and the session event description to be subjected to anti-fraud detection, so as to verify the session event to be analyzed and the anti-fraud detection authorization information in the service session streaming record, and further determine whether the session event description of the user meets the second anti-fraud detection condition, which may be implemented through the following processes.
STEP151, performing a differential analysis on the session event description to be anti-fraud detected through the static description in the sample set of the anti-fraud detection authorization information records to obtain an anti-fraud detection keyword set. In some possible embodiments, for the session event description to be anti-fraud detected included in the anti-fraud detection authorization information record, by analyzing the static description in the sample set of anti-fraud detection authorization information records, it is possible to obtain which anti-fraud detection keywords are included in the anti-fraud detection authorization information record.
STEP152, in the user session event description, determining the diversified features of the session item to be analyzed corresponding to each anti-fraud detection keyword. In some possible embodiments, since the service session stream includes multiple sets of session items to be resolved, the multiple sets of session items to be resolved may be session items of the same keyword or session items of different keywords. After the anti-fraud detection keywords included in the anti-fraud detection authorization information are determined, the session items to be analyzed in the user session event description are subjected to differential analysis according to the anti-fraud detection keyword set, so that the user session event description corresponding to the session items of each anti-fraud detection keyword, namely the diversified features, is obtained. For example, if the anti-fraud detection keyword is a payment class, then the user session event description corresponding to the session items determined to be of the payment class constitutes the diversified features of the payment class.
STEP153, for each anti-fraud detection keyword, determining a quantitative adaptation degree between the session event description to be anti-fraud detected corresponding to each anti-fraud detection keyword and the diversified features of each anti-fraud detection keyword. In some possible embodiments, according to the anti-fraud detection keyword in the anti-fraud detection authorization information, the session event description and the user session event description to be subjected to anti-fraud detection are verified, whether data provided by the session item of the keyword in each anti-fraud detection keyword is matched with data in the anti-fraud detection authorization information or not is verified respectively, and verification of the anti-fraud detection authorization information and the session item is realized based on the verification. The diversified features of each anti-fraud detection keyword include: the global dimension, interaction period and the like of the conversation items of the anti-fraud detection keywords; and determining the quantitative adaptation degree between the session event description to be anti-fraud detected corresponding to each anti-fraud detection keyword and the diversified characteristics of each anti-fraud detection keyword by comparing whether each item of data in the diversified characteristics is matched with the session event description to be anti-fraud detected of the anti-fraud detection keyword.
STEP154, on the premise that the quantitative adaptation degree is not less than the set quantitative adaptation degree threshold, determining that the user session event description corresponds to the session event description to be anti-fraud detected. In some possible embodiments, if the diversified features of the anti-fraud detection keyword in the user session event description are consistent with the data of the anti-fraud detection keyword in the anti-fraud detection authorization information, then the quantitative adaptation degree is indicated to be not less than the set quantitative adaptation degree threshold.
In the embodiment of the application, the content in the anti-fraud detection streaming record and the content included in the session item to be analyzed are verified to determine whether the session event description of the user is consistent with the session event description to be subjected to anti-fraud detection, so that the anti-fraud detection authorization information and the session item can be verified in a self-adaptive manner, and the efficiency of verifying the anti-fraud detection authorization information and the session item in the anti-fraud detection process is improved.
In some possible embodiments, verifying the user session event description of the session item to be parsed against the anti-fraud detection condition, so as to determine whether the session item in the service session streaming record meets the anti-fraud detection condition, may be implemented by the following procedure.
STEP161, determining, in the user session event description, an independent session event description belonging to each session item to be parsed. In some possible embodiments, for each to-be-parsed session item in the service session stream record, an independent session event description is determined for a single set of to-be-parsed session items, e.g., the dimension of a single set of business sessions, the business interaction period, etc.
STEP162, determining whether the independent session event description meets the target anti-fraud detection indicator to determine whether the user session event description meets the second anti-fraud detection condition. In some possible embodiments, it is determined whether the independent session event description meets a target anti-fraud detection criterion, and in response to the independent session event description meeting the target anti-fraud detection criterion, it is determined that the user session event description meets a second anti-fraud detection condition. By judging each item in the user session event description of the single group of session items, if the user session event description of the single group of service session conforms to the target anti-fraud detection index, it is indicated that each session item to be analyzed in the service session stream record conforms to the target anti-fraud detection index, so that the user session event description is determined to conform to the second anti-fraud detection condition.
For some possible implementation manners, firstly, determining an independent event description dimension in the independent session event description, and/or determining a target session item type carrying a derivative detection index, and/or determining discriminative content of a to-be-analyzed session item corresponding to the independent session event description; then, on the premise that the independent event description dimension is not larger than a set dimension boundary, and/or the derivative content of the target session item category corresponds to the derivative index, and/or the discriminative content belongs to a set service session content set, determining that the user session event description meets a target anti-fraud detection index, so as to determine that the user session event description meets the second anti-fraud detection condition.
Based on this, the verification of whether the user session event description meets the target anti-fraud detection index may be achieved in a number of ways.
First mode
Step 1: determine an independent event description dimension of the independent session event description. In some possible embodiments, for the user session event description of a single set of session items to be parsed, the dimension of the session item, i.e., the independent event description dimension, is determined; for example, for a cloud office session item, the dimension of the file interactions of the session item is determined.
Step 2: in response to the independent event description dimension being not larger than the set dimension boundary, determine that the user session event description meets the target anti-fraud detection index. In some possible embodiments, if the dimension of the single group service session is less than or equal to the set dimension boundary for a single group service session, it may be further determined whether the global dimension of all session items belonging to the same keyword as the session item exceeds the set total dimension constraint, and if the global dimension is not greater than the set total dimension constraint, it is determined that the user session event description meets the target anti-fraud detection index. In the embodiment of the present application, the dimension is used to indicate different interaction levels or analysis levels, such as a business level, an object level, a network environment level, and the like.
Second mode
Step 1: determine the target session item category carrying the derived detection index. In some possible embodiments, the target session item category may be set in the target anti-fraud detection index, and may also be determined based on a refinement degree of the visual characteristic information of the session item to be parsed.
Step 2: in response to the derived content of the target session item category corresponding to the derived index, determine that the user session event description meets the target anti-fraud detection index. In some possible embodiments, the derived content of the session item (which may be some additional details, for example) that fits the target session item category is first looked up in the user session event description; the quantitative adaptation degree between the derived content and the derived index of the target session item category is then judged, and if the quantitative adaptation degree is higher, this indicates that the corresponding detailed content has actually been added to the session item category carrying the derived detection index, so the user session event description is determined to conform to the target anti-fraud detection index.
Third mode
Step 1: determine the distinguishing content of the session item to be analyzed corresponding to the independent session event description. In some possible embodiments, the discriminative content of the session item to be parsed includes the session item number and the session item field of the session item to be analyzed, that is, information that can uniquely distinguish the session item to be analyzed.
Step 2: in response to the differentiated content belonging to the set service session content set, determine that the user session event description meets the target anti-fraud detection index. In some possible embodiments, the set of service session identifiers is an identifier library in which session item identifiers on a specified platform can be found; if the session item identifier of the session item to be analyzed is included in the set of service session identifiers, the session item to be analyzed is a valid session item, and it is further determined that the user session event description meets the target anti-fraud detection index.
In the embodiment of the present application, the first to third modes may be applied in parallel as three ways of verifying whether the user session event description conforms to the target anti-fraud detection index; alternatively, a precedence relationship or a bearing relationship may be set between any two or all three of the first to third modes. For example, mode 3 takes precedence over mode 1, and mode 1 takes precedence over mode 2: first, judge whether the differentiated content belongs to the set service session content set; finally, if the independent event description dimension of the valid service session is less than or equal to the dimension boundary, judge whether the derived content of the target session item category corresponds to the derived index, and if it does, determine that the user session event description conforms to the target anti-fraud detection index.
In another implementation, a sequential relationship may also be set for the first and third modes only: first, judge whether the differentiated content belongs to the set service session content set; finally, if the independent event description dimension of the valid service session is less than or equal to the dimension boundary, determine that the user session event description conforms to the target anti-fraud detection index.
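The ordered check described above (mode 3, then mode 1, then mode 2) can be sketched as follows. This is an added illustration, not code from the patent; the field names, the numeric treatment of "dimension", the way the derived-content adaptation degree is scored, the thresholds and the sample session items are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class SessionItem:
    item_id: str      # distinguishing content, e.g. the session item number
    keyword: str      # keyword the session item belongs to
    category: str     # session item category
    dimension: int    # independent event description dimension (assumed numeric)
    derived: dict = field(default_factory=dict)  # derived content (extra details)


@dataclass
class DetectionIndex:
    known_ids: frozenset        # set service session content set
    dimension_boundary: int     # dimension boundary for a single session item
    total_dimension_limit: int  # total dimension constraint per keyword
    derived_index: dict         # category -> derived fields that must be present
    adaptation_threshold: float = 1.0


def derived_adaptation(item, index):
    """Share of required derived fields present; None if the category has no derived index."""
    required = index.derived_index.get(item.category)
    if not required:
        return None
    return sum(1 for name in required if item.derived.get(name)) / len(required)


def check_item(item, index, keyword_totals):
    """Return (passed, reason), stopping at the first mode that rejects the item."""
    # Mode 3 first: an unknown identifier means the item is not a valid session item.
    if item.item_id not in index.known_ids:
        return False, "mode3"
    # Mode 1 next: per-item boundary, then the global constraint for the keyword.
    if item.dimension > index.dimension_boundary:
        return False, "mode1"
    if keyword_totals[item.keyword] > index.total_dimension_limit:
        return False, "mode1-global"
    # Mode 2 last: only categories that carry a derived detection index are scored.
    score = derived_adaptation(item, index)
    if score is not None and score < index.adaptation_threshold:
        return False, "mode2"
    return True, "ok"


def check_session(items, index):
    """The session passes only if every session item passes."""
    totals = {}
    for item in items:
        totals[item.keyword] = totals.get(item.keyword, 0) + item.dimension
    results = {item.item_id: check_item(item, index, totals) for item in items}
    return all(ok for ok, _ in results.values()), results


# Constructed sample values, not taken from the patent.
INDEX = DetectionIndex(
    known_ids=frozenset({"S-1001", "S-1002", "S-1003", "S-1004"}),
    dimension_boundary=50,
    total_dimension_limit=100,
    derived_index={"payment": ["payee", "channel"]},
)
SAMPLE_ITEMS = [
    SessionItem("S-1001", "cloud_office", "file_share", 20),
    SessionItem("S-1002", "payment", "payment", 30, {"payee": "acct-constructed", "channel": "app"}),
    SessionItem("S-9999", "payment", "payment", 10, {"payee": "acct-constructed", "channel": "app"}),
    SessionItem("S-1003", "cloud_office", "file_share", 70),
    SessionItem("S-1004", "payment", "payment", 30, {"payee": "acct-constructed"}),
]

if __name__ == "__main__":
    passed, per_item = check_session(SAMPLE_ITEMS, INDEX)
    print("session passes:", passed)
    for item_id, (ok, reason) in per_item.items():
        print(item_id, ok, reason)
```

Putting the identifier lookup first means a session item that is not in the identifier library never reaches the dimension or derived-content checks, and the returned reason names the mode that rejected it.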
In the embodiment of the application, the session item to be analyzed is verified in various ways to determine whether the user session event description of the session item to be analyzed meets the anti-fraud detection condition, so that the verification of the session item data and the anti-fraud detection requirement can be performed in a self-adaptive manner.
In some possible embodiments, after the session event description to be anti-fraud detected and the user session event description are detected, anti-fraud detection is performed on the session item to be parsed; that is, STEP103 may be implemented by the following process.
STEP131, in response to that the session event description to be anti-fraud detected conforms to the first anti-fraud detection condition and the user session event description conforms to the second anti-fraud detection condition, determining at least the detection constraint type and the anti-fraud detection object information pointed by the anti-fraud detection authorization information record. In some possible embodiments, on the premise that the session event description to be anti-fraud detected conforms to the first anti-fraud detection condition and the user session event description conforms to the second anti-fraud detection condition, determining relevant basic information of an anti-fraud detection object in the anti-fraud detection authorization information record; and determining detection constraint types pointed by the anti-fraud detection authorization information records, such as various anti-fraud detection limiting conditions, by analyzing the anti-fraud detection object information.
STEP132, taking at least the detection constraint category and the anti-fraud detection object information as the detection constraint characteristics. In some possible embodiments, annotation information for the user session event description is determined based on the anti-fraud detection object information in the detection constraint characteristics; the detection constraint category, the anti-fraud detection object information, the annotation information and the like are then used as the detection constraint characteristics, so that the anti-fraud detection processing of the user session event description is realized.
In the embodiment of the application, after the anti-fraud detection authorization information and the session items are verified, the anti-fraud detection object information is extracted from the anti-fraud detection authorization information record to determine the relevant detection constraint characteristics, so that the intelligent anti-fraud detection is realized.
In other embodiments, after the anti-fraud detection is performed, the method may further include: determining the dimensions for which anti-fraud detection has been completed in the user session event description; and creating and presenting anti-fraud detection results based on the dimensions for which anti-fraud detection has been completed.
In some possible embodiments, it may be that an anti-fraud detection result is generated that has a pairing relationship with the dimension for which the anti-fraud detection has been completed.
In some embodiments, the information protection processing according to the anti-fraud detection result may include the following: acquiring an information risk description record aiming at an anti-fraud detection result, wherein the information risk description record comprises at least two information risk descriptions; obtaining quantitative adaptation data between each information risk description in the information risk description record and the anti-fraud detection result; sorting the information risk descriptions according to the quantitative adaptive data corresponding to the information risk descriptions and the risk tendency expression of the information risk descriptions to obtain corresponding information risk description sorting results; generating a target protection strategy sorting result aiming at the anti-fraud detection result based on the information risk description sorting result, wherein the target protection strategy sorting result comprises at least two target protection strategies; and sequentially performing information protection processing according to the sequence of the target protection strategies in the target protection strategy sorting result.
It can be understood that, in the embodiment of the present application, by considering quantitative adaptation data between the information risk description and the anti-fraud detection result, priority adjustment of the information risk description can be implemented, so as to determine an ordered target protection policy sorting result, so that when information protection processing is performed in sequence on the sequence of the target protection policies in the target protection policy sorting result, conflicts between the front and rear policies can be avoided as much as possible, and meanwhile, timeliness and reliability of information protection can be improved.
In some embodiments that can be implemented independently, the sorting the information risk descriptions according to the quantized adaptation data corresponding to the information risk descriptions and the risk tendency expression of the information risk descriptions to obtain corresponding information risk description sorting results specifically includes: according to the quantitative adaptive data corresponding to each information risk description and the risk tendency expression of each information risk description, disassembling each information risk description to obtain at least two information risk descriptor records; and sorting the information risk description sub-records, and sorting the information risk descriptions in the information risk description sub-records respectively to obtain the information risk description sorting result. Therefore, the information risk description sorting result can be completely and accurately determined.
In some embodiments that can be implemented independently, the disassembling the information risk descriptions according to the quantitative adaptation data corresponding to the information risk descriptions and the risk tendency expression of the information risk descriptions to obtain at least two information risk descriptor records specifically includes: performing attention processing on the risk tendency expression of each information risk description according to the quantitative adaptive data corresponding to each information risk description to obtain the attention risk tendency expression of each information risk description; and integrating the information risk descriptions according to the attention risk tendency expression of the information risk descriptions to obtain at least two information risk descriptor records. Thus, confusion between information risk descriptor records can be avoided.
In some embodiments that can be implemented independently, the sorting of the information risk description sub-records and the sorting of the information risk descriptions in the information risk description sub-records to obtain the information risk description sorting result specifically include: sorting the information risk descriptor records according to the number of the information risk descriptions contained in the information risk descriptor records; and for each information risk descriptor record, respectively performing the following operations: sorting the information risk descriptions in the information risk descriptor records according to the common situation of the risk tendency expression of the information risk descriptions in the information risk descriptor records and the information risk descriptor records; and generating an information risk description sorting result based on the sorting result among the information risk description sub-records and the sorting result of the information risk descriptions in the information risk description sub-records. Thus, the integrity of the information risk description arrangement result can be ensured.
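The ordering procedure in the preceding paragraphs (attention processing, splitting into sub-records, ordering sub-records by size, ordering descriptions inside each sub-record, then deriving the protection strategy order) can be illustrated as below. This is an added example, not code from the patent: the three-axis vector used as the "risk tendency expression", scalar weighting as the attention step, cosine similarity as the "common situation" measure, larger-first ordering, and all sample names and values are assumptions.

```python
import math
from collections import defaultdict
from typing import NamedTuple

# Assumed axes of the risk tendency expression; the patent does not define them.
AXES = ("account_takeover", "data_exfiltration", "payment_fraud")


class RiskDescription(NamedTuple):
    name: str
    adaptation: float  # quantitative adaptation data against the detection result
    tendency: tuple    # risk tendency expression over AXES
    strategy: str      # protection strategy tied to this description (assumed mapping)


# Constructed sample input, deliberately unordered.
SAMPLE = [
    RiskDescription("phishing_payee", 0.7, (0.0, 0.0, 1.0), "hold_payment"),
    RiskDescription("odd_hour_download", 0.2, (0.3, 0.7, 0.0), "step_up_auth"),
    RiskDescription("token_reuse", 0.5, (0.6, 0.0, 0.4), "revoke_sessions"),
    RiskDescription("credential_stuffing", 0.9, (1.0, 0.0, 0.0), "force_mfa"),
    RiskDescription("bulk_export", 0.6, (0.0, 1.0, 0.0), "throttle_export"),
    RiskDescription("session_hijack", 0.8, (0.8, 0.2, 0.0), "revoke_sessions"),
]


def attend(desc):
    """Attention step (assumed): weight the tendency vector by the adaptation score."""
    return tuple(desc.adaptation * x for x in desc.tendency)


def cosine(a, b):
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(x * x for x in b))
    return sum(x * y for x, y in zip(a, b)) / norm if norm else 0.0


def split_into_sub_records(descs):
    """Group descriptions by the dominant axis of their attention-weighted tendency."""
    groups = defaultdict(list)
    for desc in descs:
        weighted = attend(desc)
        dominant = max(range(len(AXES)), key=weighted.__getitem__)
        groups[AXES[dominant]].append(desc)
    return dict(groups)


def order_descriptions(descs):
    """Sub-records with more descriptions first; inside each, closest to the centroid first."""
    ordered = []
    groups = split_into_sub_records(descs)
    for _, members in sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0])):
        # The centroid is built from attention-weighted vectors, so descriptions
        # that fit the detection result better pull it towards themselves.
        centroid = tuple(sum(col) for col in zip(*map(attend, members)))
        ordered.extend(
            sorted(members, key=lambda d: (-cosine(d.tendency, centroid), d.name))
        )
    return ordered


def order_strategies(descs):
    """Protection strategies in description order, each applied once."""
    seen, plan = set(), []
    for desc in order_descriptions(descs):
        if desc.strategy not in seen:
            seen.add(desc.strategy)
            plan.append(desc.strategy)
    return plan


if __name__ == "__main__":
    print([d.name for d in order_descriptions(SAMPLE)])
    print(order_strategies(SAMPLE))
```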
Based on the same inventive concept, there is also provided a threat identification apparatus 20 based on big data security, which is applied to a data security server 10, and the apparatus includes:
the tag analysis module 21 is configured to perform persistent tag analysis processing on at least one cloud service participant tag activated in a target big data service operation log set that covers a plurality of cloud service participant tags, and determine a state update condition of each cloud service participant tag in the target big data service operation log set;
and the threat identification module 22 is configured to perform visual description mining according to the state update condition obtained in the target big data service operation log set, and determine a digital threat identification result corresponding to a plurality of cloud service participant tags in the target big data service operation log set according to an operation intention expression obtained by the visual description mining.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.
Claims (6)
1. A threat identification method based on big data security, characterized in that the method is applied to a data security server and comprises the following steps:
performing persistent label analysis processing on at least one cloud service participant label activated in a target big data service operation log set covering a plurality of cloud service participant labels, and determining the state updating condition of each cloud service participant label in the target big data service operation log set;
the persistent label analysis processing refers to the uninterrupted analysis of the same cloud service participant label appearing in each group of big data service operation logs, and when the persistent label analysis processing is carried out, the same cloud service participant label activated in each group of big data service operation logs is determined to be the persistent label analysis processing; the state updating condition is service interaction change information of a cloud service participant label in a target big data service operation log set, the state updating condition represents interaction operation state data of the cloud service participant label in each big data service operation log and time-level feature information, the interaction operation state data of the cloud service participant label represents cloud service participant label key words, and the time-level feature information represents corresponding time sequence description of the cloud service participant label in each state;
performing visual description mining according to the state updating condition obtained in the target big data service operation log set, and determining digital threat identification results corresponding to a plurality of cloud service participant labels in the target big data service operation log set according to operation intention expression obtained by the visual description mining;
wherein, the performing a visual description mining process according to the state update condition obtained in the target big data service operation log set to obtain a digital threat identification result corresponding to a plurality of cloud service participant tags in the target big data service operation log set includes: according to the interactive operation state data of the cloud service participant labels in the big data service operation logs included in the target big data service operation log set represented by the state updating condition and the visual association condition between the cloud service participant labels in the big data service operation logs, sequentially executing scene visual type description mining processing on the big data service operation logs to obtain service scene significance contents corresponding to the big data service operation logs respectively; identifying and processing service scene significance contents corresponding to the big data service operation logs respectively based on a set priority order, and determining digital threat identification results corresponding to a plurality of cloud service participant labels in the target big data service operation log set according to operation intention expressions obtained by the identification and processing based on the set priority order;
wherein, the digital threat identification result at least comprises one of the following: flow attack; information stealing; data tampering; identity counterfeiting;
wherein, the step of sequentially performing scene visual description mining on each big data service operation log according to the interaction operation state data of the cloud service participant tags in each big data service operation log included in the target big data service operation log set represented by the state update condition and the visual association condition between the cloud service participant tags in each big data service operation log to obtain the service scene significance content corresponding to each big data service operation log respectively comprises: determining a common key description set corresponding to each big data service operation log according to the visual association condition between the cloud service participant labels in each big data service operation log; determining a significance description set corresponding to each big data service operation log according to the interactive operation state data of the cloud service participant label; finishing the scene visual description mining processing according to the common key description set and the significance description set to obtain service scene significance contents corresponding to each big data service operation log;
before the step of performing visual description mining processing according to the state update condition obtained in the target big data service operation log set to obtain an operation intention expression corresponding to the target big data service operation log set, the method further includes: determining the interactive transmission condition between two cloud service participant labels carried by each big data service operation log in the target big data service operation log set; respectively determining visual association conditions among cloud service participant labels in the big data service operation logs according to the cloud service participant labels carried by the big data service operation logs and the determined interaction transfer conditions;
wherein the determining of the interactive transfer condition between two cloud service participant tags carried by each big data service operation log included in the target big data service operation log set includes: extracting constraint description vectors corresponding to the cloud service participant labels carried by the big data service operation logs; the constraint description vector represents an operation environment description vector corresponding to each cloud service participant label; determining a quantitative comparison result between two cloud service participant labels in the cloud service participant labels through the constraint description vector corresponding to each cloud service participant label; determining two cloud service participant labels corresponding to the quantitative comparison result which does not reach the first set judgment value as two cloud service participant labels with interactive transmission conditions;
wherein the determining of the interactive transfer condition between two cloud service participant tags carried by each big data service operation log included in the target big data service operation log set includes: sequentially executing operation log analysis processing on the big data service operation logs, and determining interactive operation state data of the cloud service participant label in the big data service operation logs; determining difference data between two cloud service participant labels in the cloud service participant labels according to the interactive operation state data corresponding to the cloud service participant labels; determining the interactive transmission condition between two cloud service participant labels carried by each big data service operation log according to the difference data;
determining an interactive transfer condition between two cloud service participant tags carried by each big data service operation log according to the difference data, wherein the interactive transfer condition comprises the following steps: migrating and transforming the determined difference data between two cloud service participant labels into a constraint determined by a third set judgment value and a fourth set judgment value; determining difference data between two cloud service participant labels after migration transformation is completed as correlation importance evaluation between the two cloud service participant labels; and indicating the interactive transfer condition between the two cloud service participant labels according to the relevance evaluation between the two cloud service participant labels.
2. The method of claim 1, wherein the persistent tag analysis processing of at least one cloud service participant tag activated in a target big data service operation log set covering a plurality of cloud service participant tags, to determine a state update condition of each cloud service participant tag in the target big data service operation log set, comprises:
sequentially executing operation log analysis processing on each big data service operation log included in the target big data service operation log set, and determining interaction operation state data of each cloud service participant label in each big data service operation log in sequence;
and performing persistent tag analysis processing on each cloud service participant tag so as to determine the state updating condition of each cloud service participant tag in the target big data service operation log set according to a persistent analysis result and the interactive operation state data.
3. The method of claim 2, wherein the performing persistent tag analysis processing on each cloud service participant tag, to determine a state update condition of each cloud service participant tag in the target big data service operation log set according to a persistent analysis result and the interactive operation state data, comprises:
performing persistent tag analysis processing on each cloud service participant tag by utilizing a time sequence iteration processing strategy or a participant tag positioning thread;
and determining the state updating condition of each cloud service participant label based on the interaction operation state data of the same cloud service participant label in each big data service operation log captured continuously.
4. The method of claim 1, wherein the visual-type description mining process is performed by a visual-type description mining detection thread; the debugging method of the visual description mining detection thread comprises the following steps:
generating a debugging example, wherein the debugging example has a state updating condition covering a plurality of cloud service participant tags and authenticity guide information of a digital threat identification result according to the state updating condition of the plurality of cloud service participant tags;
debugging the set visual type description mining network according to the state updating condition and the authenticity guide information of the digital threat identification result to obtain the visual type description mining detection thread;
wherein the generating of the debugging example comprises: configuring service interaction categories corresponding to a plurality of reference cloud service participant labels based on a big data service analysis system; determining the state updating condition corresponding to each reference cloud service participant label according to the service interaction category; determining a digital threat identification result represented by the state updating condition corresponding to each reference cloud service participant label; and generating the debugging example according to the state updating condition and the digital threat identification result represented by the state updating condition.
5. A data security server is characterized by comprising a processor, a communication bus and a memory; the processor and the memory communicate via the communication bus, the processor reading a computer program from the memory and operating to perform the method of any of claims 1-4.
6. A computer storage medium, characterized in that it stores a computer program which, when executed, implements the method of any of claims 1-4.
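An added Python example, not code from the patent, showing one reading of claims 1 to 3: each participant tag is followed across the operation logs to obtain its state update condition, and pairs of tags in a log are compared to decide which have an interactive transfer condition. The log fields, the use of Euclidean distance as both the "quantitative comparison result" and the "difference data", and min-max scaling into the interval bounded by the third and fourth set judgment values are assumptions; the claims do not fix any of them.

```python
from collections import defaultdict
from itertools import combinations
from math import dist

# Constructed sample data: three operation logs, each listing the participant
# tags active in it with a state keyword, a timestamp and an environment vector.
LOGS = [
    {"id": 1, "entries": [
        {"tag": "user-a", "state": "login", "ts": 100, "env": (0, 0)},
        {"tag": "svc-b", "state": "idle", "ts": 101, "env": (3, 4)},
        {"tag": "user-c", "state": "login", "ts": 102, "env": (30, 40)},
    ]},
    {"id": 2, "entries": [
        {"tag": "user-a", "state": "read", "ts": 200, "env": (0, 0)},
        {"tag": "svc-b", "state": "idle", "ts": 201, "env": (3, 4)},
    ]},
    {"id": 3, "entries": [
        {"tag": "user-a", "state": "export", "ts": 300, "env": (0, 0)},
        {"tag": "user-c", "state": "login", "ts": 301, "env": (30, 40)},
    ]},
]


def state_updates(logs):
    """Persistent tag analysis: follow each tag through every log in which it
    is active and return its time-ordered (ts, log id, state) observations."""
    timeline = defaultdict(list)
    for log in logs:
        for e in log["entries"]:
            timeline[e["tag"]].append((e["ts"], log["id"], e["state"]))
    return {tag: sorted(obs) for tag, obs in timeline.items()}


def state_changes(observations):
    """Reduce one tag's observations to the points where its state changed."""
    changes, previous = [], None
    for ts, _log_id, state in observations:
        if state != previous:
            changes.append((ts, state))
            previous = state
    return changes


def pair_differences(log):
    """Distance between the environment vectors of every pair of tags in a log."""
    by_tag = {e["tag"]: e["env"] for e in log["entries"]}
    return {(a, b): dist(by_tag[a], by_tag[b])
            for a, b in combinations(sorted(by_tag), 2)}


def interacting_pairs(log, first_threshold):
    """Pairs whose comparison result does not reach the first set judgment value."""
    return sorted(p for p, d in pair_differences(log).items() if d < first_threshold)


def rescale(differences, low, high):
    """Map the difference data into the interval bounded by the third and
    fourth set judgment values (min-max scaling is an assumption)."""
    if not differences:  # a log with fewer than two tags has no pairs
        return {}
    d_min, d_max = min(differences.values()), max(differences.values())
    span = d_max - d_min
    if span == 0:  # a single pair, or all pairs equally different
        return {p: low for p in differences}
    return {p: low + (d - d_min) * (high - low) / span
            for p, d in differences.items()}
```

A tag that is missing from some logs, such as `svc-b` in log 3, simply has a shorter timeline; the claims do not say how gaps in a tag's presence should be treated.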
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111028016.XA CN113706177B (en) | 2021-09-02 | 2021-09-02 | Threat identification method based on big data security and data security server |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111028016.XA CN113706177B (en) | 2021-09-02 | 2021-09-02 | Threat identification method based on big data security and data security server |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113706177A CN113706177A (en) | 2021-11-26 |
CN113706177B true CN113706177B (en) | 2022-04-29 |
Family
ID=78657588
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111028016.XA Active CN113706177B (en) | 2021-09-02 | 2021-09-02 | Threat identification method based on big data security and data security server |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113706177B (en) |
Families Citing this family (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114218566B (en) * | 2021-12-06 | 2022-12-13 | 北京环球国广媒体科技有限公司 | Remote office threat behavior analysis method and medium combining artificial intelligence |
CN115271649A (en) * | 2021-12-06 | 2022-11-01 | 钟润森 | Big data processing method and storage medium for focusing information security |
CN114168966B (en) * | 2021-12-07 | 2022-07-19 | 深圳市晖拓信息科技有限公司 | Big data analysis-based security protection upgrade mining method and information security system |
CN114022049B (en) * | 2021-12-10 | 2022-07-22 | 佛山市蜂王人力资源有限公司 | Intelligent service information risk processing method and system based on cloud computing |
CN115422592A (en) * | 2021-12-15 | 2022-12-02 | 邓禄红 | Big data security processing method and system |
CN114399190B (en) * | 2022-01-11 | 2022-10-04 | 深圳鼎邦信息技术有限公司 | Risk behavior identification method and system for big data information security |
CN115563611A (en) * | 2022-03-03 | 2023-01-03 | 马兴忠 | Threat information processing method and system based on big data |
CN114322270A (en) * | 2022-03-03 | 2022-04-12 | 广州海洁尔医疗设备有限公司 | Air purification detection control system and method |
CN115408247A (en) * | 2022-03-04 | 2022-11-29 | 李永泽 | Threat behavior analysis method based on big data and server |
CN114564749B (en) * | 2022-03-04 | 2022-12-23 | 厦门熙重电子科技有限公司 | User information protection method and server for smart cloud service |
CN114896401B (en) * | 2022-05-23 | 2023-07-04 | 河北能瑞科技有限公司 | Cloud computing business threat analysis method and server combined with AI |
CN115168868B (en) * | 2022-07-07 | 2023-05-16 | 广东永禾信息技术有限公司 | Business vulnerability analysis method and server applied to artificial intelligence |
CN115080963B (en) * | 2022-07-07 | 2023-04-04 | 上海量化森林科技有限公司 | Intelligent financial data protection method and server based on cloud computing |
CN117671554B (en) * | 2023-10-20 | 2025-01-17 | 上海盈蝶智能科技有限公司 | Security monitoring method and system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2021008028A1 (en) * | 2019-07-18 | 2021-01-21 | 平安科技(深圳)有限公司 | Network attack source tracing and protection method, electronic device and computer storage medium |
CN113051543A (en) * | 2021-04-01 | 2021-06-29 | 郭洪铜 | Cloud service security verification method and cloud service system in big data environment |
CN113114637A (en) * | 2021-03-27 | 2021-07-13 | 卢洪斌 | Network resource intrusion detection method combining big data analysis and security server |
CN113312671A (en) * | 2021-06-25 | 2021-08-27 | 东莞市慧学慧玩教育科技有限公司 | Digital business operation safety processing method and system applied to big data mining |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10142362B2 (en) * | 2016-06-02 | 2018-11-27 | Zscaler, Inc. | Cloud based systems and methods for determining security risks of users and groups |
CN114595367A (en) * | 2021-01-26 | 2022-06-07 | 龚世燕 | Big data mining method based on user interest tendency and data analysis server |
CN113114690B (en) * | 2021-04-15 | 2022-12-13 | 恒安嘉新(北京)科技股份公司 | Threat event identification method, device, equipment and storage medium |
- 2021-09-02 CN CN202111028016.XA patent/CN113706177B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN113706177A (en) | 2021-11-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN113706177B (en) | Threat identification method based on big data security and data security server | |
CN112738126B (en) | Attack tracing method based on threat intelligence and ATT & CK | |
CN109816397B (en) | Fraud discrimination method, device and storage medium | |
CN113706176B (en) | Information anti-fraud processing method and service platform system combined with cloud computing | |
CN113706149A (en) | Big data wind control processing method and system for dealing with online payment data threat | |
CN113949577A (en) | Data attack analysis method applied to cloud service and server | |
CN110262949A (en) | Intelligent device log processing system and method | |
CN114297448B (en) | License applying method, system and medium based on intelligent epidemic prevention big data identification | |
CN114500099A (en) | Big data attack processing method and server for cloud service | |
CN115174231A (en) | AI-Knowledge-Base-based network fraud analysis method and server | |
CN115801369A (en) | Data processing method and server based on cloud computing | |
CN114547254A (en) | Risk identification method based on big data topic analysis and server | |
CN114553658A (en) | Resource sharing security processing method based on cloud computing and server | |
CN111047173A (en) | Community credibility evaluation method based on improved D-S evidence theory | |
CN112132368A (en) | Information processing method and device, computing equipment and storage medium | |
CN115174205B (en) | Network space safety real-time monitoring method, system and computer storage medium | |
CN114417405A (en) | Privacy service data analysis method based on artificial intelligence and server | |
KR20200066428A (en) | A unit and method for processing rule based action | |
CN116956346B (en) | Transaction data safety supervision system and method based on big data | |
CN118657608A (en) | Risk control optimization method and system based on user stability | |
CN118041587A (en) | Network security test evaluation system and method | |
CN113946819A (en) | Online payment information intrusion detection method based on cloud computing and server | |
CN112685510B (en) | Asset labeling method, computer program and storage medium based on full flow label | |
CN115456390A (en) | Information security processing method and system based on big data | |
CN111475380A (en) | Log analysis method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
TA01 | Transfer of patent application right | Effective date of registration: 20220407 Address after: 510000 room 1508, No. 8, Jingang Avenue, Nansha street, Nansha District, Guangzhou City, Guangdong Province Applicant after: GUANGDONG AOFEI DATA TECHNOLOGY CO.,LTD. Address before: 210000 203, block 11C, North building, No. 88, alfalfa Garden Street, Qinhuai District, Nanjing, Jiangsu Province Applicant before: Zhao Qi |
GR01 | Patent grant | ||