CN113949577A - Data attack analysis method applied to cloud service and server - Google Patents

Info

Publication number
CN113949577A
Authority
CN
China
Prior art keywords
service
intention
analysis
event
risk
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202111217358.6A
Other languages
Chinese (zh)
Inventor
闫传红
覃麟凯
许胜楠
陈伟宗
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Kufeng Technology Development Co ltd
Original Assignee
Guangzhou Kufeng Technology Development Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Kufeng Technology Development Co ltd
Priority to CN202111217358.6A
Publication of CN113949577A
Legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques
    • G06F18/232 Non-hierarchical techniques
    • G06F18/2321 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
    • G06F18/23213 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • General Engineering & Computer Science (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • General Physics & Mathematics (AREA)
  • Evolutionary Computation (AREA)
  • Computing Systems (AREA)
  • Computational Linguistics (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • General Health & Medical Sciences (AREA)
  • Biophysics (AREA)
  • Biomedical Technology (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Molecular Biology (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Probability & Statistics with Applications (AREA)
  • Computer Hardware Design (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application relates to the technical field of cloud service and data attack analysis, and in particular to a data attack analysis method applied to cloud service and a server. Because service event positioning processing in the attack intention analysis process can analyze a randomly variable service environment, a first target service session set in a cloud service log triggering a data attack analysis condition is determined according to at least one first sensitive interaction event, and a first multi-modal interaction event corresponding to the first target service session set is determined, that is, an intention analysis result in the attack intention analysis process is obtained. Further, according to the first multi-modal interaction event, attack intention positioning processing is enabled to obtain a first target data attack intention corresponding to the first target service session set in a service scene, so that intention analysis of service session sets in different states in the cloud service log triggering the data attack analysis condition can be performed efficiently and accurately.

Description

Data attack analysis method applied to cloud service and server
Technical Field
The embodiment of the application relates to the technical field of cloud service and data attack analysis, in particular to a data attack analysis method and a server applied to cloud service.
Background
Cloud services (Cloud Serving) is a model for the addition, use and interaction of internet-based services, typically involving the provision of dynamically scalable and often virtualized resources over the internet. It may also be understood as obtaining a desired service over a network in an on-demand, scalable manner, where the service may be IT and software, internet-related, or other services. The continuous development of cloud services improves the processing efficiency of various business services, but the accompanying data information security problems cannot be ignored. In recent years, data information security incidents caused by network attacks have become increasingly serious and have caused losses of varying degree to individuals and enterprises. However, existing techniques for analyzing and locating network attacks suffer from low precision, so accurate positioning and analysis of network attacks is difficult to achieve.
Disclosure of Invention
In view of this, the embodiment of the present application provides a data attack analysis method and a server applied to cloud services.
The embodiment of the application provides a data attack analysis method applied to cloud service, which is applied to a data attack analysis server, and the method at least comprises the following steps: performing key event identification on the cloud service log triggering the data attack analysis condition to obtain at least one first sensitive interaction event corresponding to the cloud service log triggering the data attack analysis condition; determining a first target service session set in the cloud service log which triggers the data attack analysis condition based on the at least one first sensitive interaction event, and determining a first multi-modal interaction event corresponding to the first target service session set; and obtaining a first target data attack intention corresponding to the first target service session set by starting attack intention positioning processing based on the first multi-modal interaction event.
Under some independently implementable design considerations, the first sensitive interaction event comprises a first sensitive interaction event description; the determining a first set of target service sessions in the cloud service log that triggers the data attack analysis condition based on the at least one first sensitive interaction event comprises: performing first differential processing on service session messages in the cloud service log of the trigger data attack analysis condition by using at least one first sensitive interactive event description to obtain a first original service session set in the cloud service log of the trigger data attack analysis condition; based on the at least one first sensitive interaction event description, performing second differential processing on service session messages in the cloud service log triggering the data attack analysis condition to obtain a first hot spot session set in the cloud service log triggering the data attack analysis condition, wherein the first hot spot session set corresponds to a hot spot session time period of the first original service session set; determining the first set of target service sessions based on the first set of original service sessions and the first set of hotspot sessions.
Under some independently implementable design considerations, the first sensitive interaction event comprises a first sensitive interaction event description, and the first multi-modal interaction event comprises a first multi-modal interaction event expression; the determining a first multi-modal interaction event corresponding to the first set of target service sessions based on the at least one first sensitive interaction event comprises: determining a multi-mode interaction event expression corresponding to each service session message in the cloud service log triggering the data attack analysis condition by using at least one first sensitive interaction event description; and determining the first multi-mode interaction event expression based on the multi-mode interaction event expression corresponding to each service session message and the distribution condition of the first target service session set.
Under some design considerations which can be independently implemented, the obtaining, based on the first multimodal interaction event, a first target data attack intention corresponding to the first target service session set by enabling attack intention positioning processing includes: enabling attack intention positioning processing according to the first multi-modal interactive event expression to obtain a plurality of data attack intents corresponding to the first target service session set; and starting iterative optimization processing according to the plurality of data attack intents to obtain the first target data attack intention.
Under some independently implementable design considerations, the data attack analysis method applied to the cloud service is implemented through an intention analysis learning model; a training example for the intention analysis learning model includes: an example cloud service log, a reference service session set in the example cloud service log, and a reference multi-modal interaction event corresponding to the reference service session set; the method further comprises the following steps: performing key event identification on the example cloud service log through an original learning model to obtain at least one second sensitive interaction event corresponding to the example cloud service log; based on the at least one second sensitive interaction event, determining a second target service session set in the example cloud service log, and determining a second multi-modal interaction event corresponding to the second target service session set; based on the second multi-modal interaction event, obtaining a second target data attack intention corresponding to the second target service session set by enabling attack intention positioning processing; determining a first intent resolution rating based on the second target service session set and the reference service session set, and determining a second intent resolution rating based on the second target data attack intention and the reference multi-modal interaction event; improving model variables of the original learning model based on the first intent resolution rating and the second intent resolution rating to obtain the trained intention analysis learning model.
Under some design ideas which can be independently implemented, the training example further includes a plurality of reference service topics corresponding to the reference service session set; the method further comprises the following steps: based on the multiple reference service topics, performing service topic screening processing on the reference service session set to obtain multiple screened service topics, wherein keywords among the associated screened service topics are consistent; and enabling event analysis processing according to the plurality of screened service themes to obtain the reference multi-modal interaction event.
Under some independently implementable design considerations, the reference multi-modal interaction event comprises a reference multi-modal interaction event expression; the obtaining the reference multi-modal interaction event by enabling event analysis processing on the plurality of screened service topics comprises: obtaining a service theme set corresponding to the plurality of screened service themes by determining the precedence relationship between the original screened service theme in the plurality of screened service themes and each screened service theme; and starting event analysis processing according to the service theme set to obtain the reference multi-mode interactive event expression.
Under some independently implementable design considerations, the determining a second intent resolution rating based on the second target data attack intention and the reference multi-modal interaction event includes: enabling attack intention positioning processing according to the reference multi-modal interaction event expression to obtain a third target data attack intention corresponding to the reference service session set; determining the second intent resolution rating based on a comparison between the second target data attack intention and the third target data attack intention.
Under some independently implementable design considerations, the second sensitive interaction event comprises a second sensitive interaction event description; the determining a second set of target service sessions in the example cloud service log based on the at least one second sensitive interaction event comprises: performing third differentiation processing on the service session messages in the example cloud service log by using at least one second sensitive interactive event description to obtain a second original service session set in the example cloud service log; performing fourth differentiation processing on the service session messages in the example cloud service log based on the at least one second sensitive interaction event description to obtain a second hotspot session set in the example cloud service log, wherein the second hotspot session set corresponds to a hotspot session period of the second original service session set; determining the second set of target service sessions based on the second set of original service sessions and the second set of hotspot sessions.
Under some independently implementable design considerations, the determining a first intent resolution rating based on the second target service session set and the reference service session set comprises: determining a reference hotspot session set based on the reference service session set and a setting adjustment instruction, wherein the reference hotspot session set corresponds to a hotspot session period of the reference service session set; determining a third intent resolution rating based on a comparison between the second target service session set and the reference service session set; determining a fourth intent resolution rating based on a comparison between the second hotspot session set and the reference hotspot session set; determining the first intent resolution rating based on the third intent resolution rating and the fourth intent resolution rating.
The embodiment of the application also provides a data attack analysis server, which comprises a processor, a communication bus and a memory; the processor and the memory communicate via the communication bus, and the processor reads the computer program from the memory and runs the computer program to perform the method described above.
An embodiment of the present application further provides a computer storage medium, where a computer program is stored, and the computer program implements the method when running.
In the embodiment of the application, key event identification is performed on the cloud service log triggering the data attack analysis condition to obtain at least one first sensitive interaction event corresponding to the cloud service log triggering the data attack analysis condition, and since in the attack intention analysis process, service event positioning processing can analyze a randomly variable service environment, according to the at least one first sensitive interaction event, a first target service session set in the cloud service log triggering the data attack analysis condition is determined, and a first multi-modal interaction event corresponding to the first target service session set is determined, that is, an intention analysis result in the attack intention analysis process is obtained, and further according to the first multi-modal interaction event, by enabling attack intention positioning processing, a first target data attack intention corresponding to the first target service session set in a service scene can be obtained, therefore, the intention analysis of the service session sets in different states in the cloud service logs triggering the data attack analysis conditions can be efficiently and accurately realized.
Drawings
Fig. 1 is a schematic block diagram of a data attack analysis server according to an embodiment of the present application.
Fig. 2 is a flowchart of a data attack analysis method applied to cloud services according to an embodiment of the present disclosure.
Fig. 3 is a block diagram of a data attack analysis device applied to a cloud service according to an embodiment of the present disclosure.
Detailed Description
Fig. 1 shows a block schematic diagram of a data attack analysis server 10 provided in an embodiment of the present application. The data attack analysis server 10 in the embodiment of the present application may be a server with data storage, transmission, and processing functions. As shown in fig. 1, the data attack analysis server 10 includes: a memory 11, a processor 12, a communication bus 13 and a data attack analysis device 20 applied to cloud services.
The memory 11, processor 12 and communication bus 13 are electrically connected, directly or indirectly, to enable the transfer or interaction of data. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The memory 11 stores a data attack analysis device 20 applied to a cloud service, the data attack analysis device 20 applied to the cloud service includes at least one software functional module which can be stored in the memory 11 in a form of software or firmware (firmware), and the processor 12 executes various functional applications and data processing by running software programs and modules stored in the memory 11, for example, the data attack analysis device 20 applied to the cloud service in the embodiment of the present application, so as to implement the data attack analysis method applied to the cloud service in the embodiment of the present application.
It is to be understood that the configuration shown in fig. 1 is merely illustrative, and that data attack analysis server 10 may include more or fewer components than shown in fig. 1, or may have a different configuration than shown in fig. 1. The components shown in fig. 1 may be implemented in hardware, software, or a combination thereof.
An embodiment of the present application further provides a computer storage medium, where a computer program is stored, and the computer program implements the method when running.
Fig. 2 shows a flowchart of data attack analysis applied to a cloud service according to an embodiment of the present application. The method steps defined by the flow related to the method are applied to the data attack analysis server 10 and can be realized by the processor 12, and the method comprises the following contents.
For step S11, performing key event identification on the cloud service log triggering the data attack analysis condition to obtain at least one first sensitive interaction event corresponding to the cloud service log triggering the data attack analysis condition.
For step S12, according to the at least one first sensitive interaction event, a first target service session set in the cloud service log that triggers the data attack analysis condition is determined, and a first multi-modal interaction event corresponding to the first target service session set is determined.
For step S13, according to the first multi-modal interaction event, by enabling the attack intention positioning process, a first target data attack intention corresponding to the first target service session set is obtained.
For example, in step S11, the cloud service log that triggers the data attack analysis condition may be understood as the cloud service log to be detected, and the cloud service relates to fields including, but not limited to, a payment field, an office field, a medical field, an enterprise service field, a game field, a smart city field, a logistics order field, and the like. Further, the data attack analysis condition may be set for a set time period, may also be set for a set service scenario, and may also be set for a set operation behavior, which is not limited in the embodiment of the present application. Further, the key event identification may be understood as feature extraction or feature mining, and correspondingly, the sensitive interaction event may be an interaction event that is abnormal or needs to be focused, and the interaction event may be understood differently corresponding to different service fields, which is not exhaustive in the embodiments of the present application.
For example, in step S12, the target service session set may be understood as a part of a cloud service log, and may be considered a local log or a log segment in a certain sense; it may also be understood as a result of aggregating a plurality of session messages, which is not limited in the embodiment of the present application. In addition, the multi-modal interaction event can reflect the relevant features and characteristics of the corresponding interaction event from multiple layers or multiple dimensions, so that it covers, as completely as possible, the relevant bases that can be used for the data attack analysis. This makes the data attack analysis suitable for different service scenes and helps guarantee the accuracy and reliability of the subsequent data attack analysis.
For example, in step S13, the attack intention positioning processing may be understood as performing attack intention localization and parsing on the multi-modal interaction event to determine a first target data attack intention corresponding to the first target service session set, where the first target data attack intention includes, but is not limited to, different data information attack intentions such as data theft, information tampering, delay attack, fragment attack, and the like. Furthermore, the first target data attack intention may be represented by a feature set or in other forms, which is not limited in the embodiments of the present application.
It should be understood that the above-mentioned examples are to be considered as a reference and not as a limitation to the embodiments of the present application, and the relevant examples given below and the above-mentioned examples can be understood in combination or separately and should be regarded as a reasonable explanation of the technical solutions of the present application.
In the embodiment of the application, key event identification is performed on the cloud service log triggering the data attack analysis condition to obtain at least one first sensitive interaction event corresponding to the cloud service log triggering the data attack analysis condition, and since in the attack intention analysis process, service event positioning processing can analyze a randomly variable service environment, according to the at least one first sensitive interaction event, a first target service session set in the cloud service log triggering the data attack analysis condition is determined, and a first multi-modal interaction event corresponding to the first target service session set is determined, that is, an intention analysis result in the attack intention analysis process is obtained, and further according to the first multi-modal interaction event, by enabling attack intention positioning processing, a first target data attack intention corresponding to the first target service session set in a service scene can be obtained, therefore, the intention analysis of the service session sets in different states in the cloud service logs triggering the data attack analysis conditions can be efficiently and accurately realized.
In an independently implementable embodiment, the data attack analysis method applied to the cloud service is implemented by an intention analysis learning model. For example, the cloud service log triggering the data attack analysis condition may be transmitted to the intention analysis learning model, and intention analysis may be efficiently and accurately performed on service session sets in different states in the cloud service log triggering the data attack analysis condition, so as to obtain a data attack intention corresponding to the service session set.
In an independently implementable embodiment, the intention analysis learning model may include a key event recognition submodel and a predictor submodel. The cloud service log triggering the data attack analysis condition is transmitted into the intention analysis learning model, and the key event recognition submodel performs key event identification on it to obtain at least one first sensitive interaction event corresponding to the cloud service log triggering the data attack analysis condition.
In an independently implementable embodiment, the key event recognition submodel may include convolutional layers and multi-dimensional transformation layers (feature pyramid layers). It can be understood that after the cloud service log triggering the data attack analysis condition is transmitted into the intention analysis learning model, the convolutional layers and the multi-dimensional transformation layers perform key event identification on the cloud service log triggering the data attack analysis condition to obtain a plurality of first sensitive interaction events with different dimensions, and at least one first sensitive interaction event is selected and transmitted into the predictor submodel for prediction and determination. The number and dimension of the first sensitive interaction events that are passed into the predictor submodel can be determined according to actual expectations, which is not further limited by the present application. The structure of the key event recognition submodel may include, in addition to the convolutional layers and the multi-dimensional transformation layers, other model network layers, which is not further limited in this application.
In an independently implementable embodiment, the predictor submodel may include a differentiation processing unit (classification unit) and a quantitative relationship analysis unit (regression analysis unit). In combination with the above, after the at least one first sensitive interaction event is transmitted to the predictor submodel, the differentiation processing unit determines a first target service session set in the cloud service log that triggers the data attack analysis condition by using the at least one first sensitive interaction event, and the quantitative relationship analysis unit determines a first multi-modal interaction event expression corresponding to the first target service session set by using the at least one first sensitive interaction event.
In an embodiment that can be implemented independently, the differentiation processing unit and the quantitative relationship analysis unit may respectively include 6 × 6 moving average cores and a 2 × 2 moving average core, and a trigger unit (for example, reevalatiationu) is connected after each moving average core. The related model network layers of the differentiation processing unit and the quantitative relationship analysis unit may also include other types according to actual expectation, which is not further limited in this application.
In a separately implementable embodiment, the first sensitive interaction event comprises a first sensitive interaction event description; determining, using at least one first sensitive interaction event, a first set of target service sessions in a cloud service log that triggers a data attack analysis condition, comprising: performing first differentiation processing on service session messages in the cloud service log triggering the data attack analysis condition by using at least one first sensitive interactive event description to obtain a first original service session set in the cloud service log triggering the data attack analysis condition; performing second differential processing on service session messages in the cloud service log triggering the data attack analysis condition by using at least one first sensitive interactive event description to obtain a first hot spot session set in the cloud service log triggering the data attack analysis condition, wherein the first hot spot session set corresponds to a hot spot session time period of a first original service session set; a first target service session set is determined according to the first original service session set and the first hotspot session set.
It can be understood that, by determining the first original service session set and the first hot spot session set respectively, the related noise service sessions can be effectively cleaned, so that the prediction accuracy of the first target service session set obtained by the final prediction determination can be improved.
Continuing from the content above, the differentiation processing unit obtains a first original service session set and a first hot spot session set in the cloud service log triggering the data attack analysis condition by using at least one first sensitive interaction event description, and then determines a first target service session set in the cloud service log triggering the data attack analysis condition according to the first original service session set and the first hot spot session set. The determination process of the differentiation processing unit is further explained below.
The differentiation processing unit performs first differentiation processing on service session messages in the cloud service log triggering the data attack analysis condition by using at least one first sensitive interaction event description, determines a first prediction possibility corresponding to each service session message in the cloud service log triggering the data attack analysis condition, wherein the first prediction possibility is used for indicating the possibility that each service session message is located in a service session set, and further determines a first original service session set according to the first prediction possibility corresponding to each service session message in the cloud service log triggering the data attack analysis condition, and the first prediction possibility corresponding to each service session message in the first original service session set is greater than a first judgment value. An exemplary value of the first determination value may be determined according to actual expectations, which is not further limited in this application.
The differentiation processing unit performs second differentiation processing on the service session messages in the cloud service log triggering the data attack analysis condition by using at least one first sensitive interaction event description, determines a second prediction possibility corresponding to each service session message in the cloud service log triggering the data attack analysis condition, wherein the second prediction possibility is used for indicating the possibility that each service session message is located in the hot spot session set, and further determines a first hot spot session set according to the second prediction possibility corresponding to each service session message in the cloud service log triggering the data attack analysis condition, and the second prediction possibility corresponding to each service session message in the first hot spot session set is greater than the second determination value. An exemplary value of the second determination value may be determined according to actual expectations, which is not further limited in this application.
The first prediction possibility corresponding to each service session message in the first original service session set and the second prediction possibility corresponding to each service session message in the first hot spot session set are weighted per corresponding service session message to obtain a third prediction possibility for each service session message. The first target service session set is then determined according to the third prediction possibilities: the third prediction possibility of each service session message in the first target service session set is greater than a third determination value. An exemplary value of the third determination value may be determined according to actual expectations, which is not further limited in this application.
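The three-threshold selection described above, as an added Python sketch that is not code from the patent. The weights, the rule that a message outside a set contributes 0 for that term, the class and function names, and the sample values are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScoredMessage:
    msg_id: str
    p_session: float  # first prediction possibility: message lies in a service session set
    p_hotspot: float  # second prediction possibility: message lies in the hot spot session set


def select_target_sessions(messages, t1, t2, t3, w_session=0.5, w_hotspot=0.5):
    """Return (original set, hot spot set, third possibilities, target set).

    t1, t2, t3 are the first, second and third determination values.
    w_session and w_hotspot are assumed weights; the patent only says the two
    possibilities are weighted per message.
    """
    for m in messages:
        if not (0.0 <= m.p_session <= 1.0 and 0.0 <= m.p_hotspot <= 1.0):
            raise ValueError(f"possibility out of range for {m.msg_id}")

    # First differentiation: keep messages whose first possibility exceeds t1.
    original = {m.msg_id for m in messages if m.p_session > t1}
    # Second differentiation: keep messages whose second possibility exceeds t2.
    hotspot = {m.msg_id for m in messages if m.p_hotspot > t2}

    # Weight the two possibilities per message. Assumption: a message that did
    # not make it into one of the two sets contributes 0 for that term.
    third = {}
    for m in messages:
        s = m.p_session if m.msg_id in original else 0.0
        h = m.p_hotspot if m.msg_id in hotspot else 0.0
        third[m.msg_id] = w_session * s + w_hotspot * h

    # Final selection: third possibility must exceed t3.
    target = {msg_id for msg_id, p in third.items() if p > t3}
    return original, hotspot, third, target


# Constructed sample scores (not taken from any real log).
SAMPLE = [
    ScoredMessage("m1", 0.90, 0.80),  # strong on both: kept
    ScoredMessage("m2", 0.70, 0.10),  # session-like but outside the hot spot period: dropped
    ScoredMessage("m3", 0.20, 0.90),  # hot spot score only: dropped
    ScoredMessage("m4", 0.10, 0.05),  # noise
    ScoredMessage("m5", 0.65, 0.70),  # moderate on both: kept
]


def run_sample():
    return select_target_sessions(SAMPLE, t1=0.5, t2=0.5, t3=0.6)


if __name__ == "__main__":
    original, hotspot, third, target = run_sample()
    print("original:", sorted(original))
    print("hotspot: ", sorted(hotspot))
    print("target:  ", sorted(target))
```

Messages m2 and m3 each pass one threshold but fall below the third determination value once weighted, which is the noise cleaning the combined selection is meant to provide.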
In an independently implementable embodiment, the first sensitive interaction event comprises a first sensitive interaction event description, and the first multi-modal interaction event comprises a first multi-modal interaction event representation; determining a first multi-modal interaction event corresponding to a first target service session set by using at least one first sensitive interaction event, comprising: determining a multi-mode interaction event expression corresponding to each service session message in a cloud service log which triggers a data attack analysis condition by using at least one first sensitive interaction event description; and determining the first multi-modal interaction event expression according to the multi-modal interaction event expression corresponding to each service session message and the distribution condition of the first target service session set.
The intention analysis learning model can utilize at least one sensitive interactive event description to quickly determine the multi-modal interactive event expression corresponding to each service session message in the cloud service log triggering the data attack analysis condition, and the distribution condition of the first target service session set in the cloud service log triggering the data attack analysis condition is determined, so that the first multi-modal interactive event expression corresponding to the first target service session set can be quickly determined and obtained. The first sensitive interactive event may include, in addition to the description of the first sensitive interactive event, other forms of sensitive interactive events, such as a sensitive interactive event variable, a sensitive interactive event list, etc., according to actual desires, and the first multi-modal interactive event may include, in addition to the first multi-modal interactive event expression, other forms of multi-modal interactive events, such as a multi-modal interactive event list, a multi-modal interactive event variable, etc., according to actual desires, which is not further limited in this application.
With continued reference to the above, the quantitative relationship analysis unit uses at least one first sensitive interaction event description to determine the multi-modal interaction event expression of each service session message in the cloud service log triggering the data attack analysis condition. For any service session message, its multi-modal interaction event expression comprises the intention analysis weights of a plurality of stages corresponding to that message. For example, for any service session message, the quantitative relationship analysis unit determines the intention analysis weights of the multiple stages corresponding to the message, [..., weight-2, weight-1, weight0, weight1, weight2, ...], and obtains the multi-modal interaction event expression of the message from these weights, where weightN is the intention analysis weight of the N-th stage.
In the embodiment of the application, the larger the numerical range of N, the higher the accuracy of the data attack intention that the intention analysis learning model obtains for a service session set from the multi-modal interaction event expression formed by the intention analysis weights of the multiple stages, that is, the higher the intention analysis accuracy of the model; however, the computation overhead of the model also increases. For example, the numerical range of N is determined to be from -3 to +3, that is, the intention analysis weights of the multiple stages are [weight-3, weight-2, weight-1, weight0, weight1, weight2, weight3]. In this case the intention analysis learning model can achieve higher-precision intention analysis of service session sets in different states while keeping its computation overhead within expectations.
In view of that the differentiation processing unit has already determined the first target service session set, the first multi-modal interaction event expression corresponding to each service session message in the first target service session set may be determined based on the multi-modal interaction event expression corresponding to each service session message in the cloud service log that triggers the data attack analysis condition and is determined by the quantitative relationship analysis unit.
Since the first multi-modal interaction event expressions corresponding to the service session messages in the first target service session set are all used to describe the constraint of the first target service session set, the first multi-modal interaction event expressions corresponding to the service session messages in the first target service session set are the same except for the hot spot session period service session messages of the first target service session set. The hotspot session period service session message can be determined according to the intention analysis weight of the initial stage included in the first multi-modal interactive event expression.
For example, a hotspot session period service session message (textual_0, description_0) is determined in the first target service session set according to the initial-stage intention analysis weight weight0 included in the first multi-modal interaction event expression. The hotspot session period service session message may also be determined by other technical schemes, which is not further limited in this application.
In an independently implementable embodiment, obtaining a first target data attack intention corresponding to a first set of target service sessions by enabling attack intention localization processing according to a first multimodal interaction event includes: starting attack intention positioning processing according to the first multi-modal interactive event expression to obtain a plurality of data attack intents corresponding to the first target service session set; and starting iterative optimization processing according to the plurality of data attack intents to obtain a first target data attack intention.
Because the first multi-modal interaction event expressions corresponding to the service session messages in the first target service session set are all used for describing the constraints of the first target service session set, attack intention positioning processing is started according to the first multi-modal interaction event expressions corresponding to the service session messages in the first target service session set, a plurality of data attack intents corresponding to the first target service session set can be obtained, iterative optimization processing (for example, the iterative optimization processing is realized by using iteration-traversal-cleaning operation steps) is started for the plurality of data attack intents in order to clean redundant data attack intents, and finally, the first target data attack intention corresponding to the first target service session set is obtained, so that intention analysis of the cloud service log triggering data attack analysis conditions is realized.
With reference to the above related contents, based on the intention analysis learning model, first target service session sets in different states in the cloud service log triggering the data attack analysis condition may be migrated to the attack intention analysis process through service event positioning processing, on the premise that the cloud service log triggering the data attack analysis condition includes a plurality of first target service session sets, different first multi-modal interaction event expressions (different intention analysis weights) may be used to represent different first target service session sets, attack intention positioning processing and iterative optimization processing are further enabled according to the first multi-modal interaction event expression corresponding to each first target service session set, and the intention analysis learning model finally outputs a first target data attack intention corresponding to each first target service session set in the cloud service log triggering the data attack analysis condition, the intention analysis learning model has flexible adaptability, and flexible analysis and positioning of service session sets in different states in the cloud service log which triggers the data attack analysis conditions can be realized.
In an independently implementable embodiment, the intention analysis learning model is trained before it is used to perform intention analysis on the service session sets of different states in the cloud service log triggering the data attack analysis condition. Training the intention analysis learning model means training the key event recognition sub-model and the prediction sub-model in the intention analysis learning model.
The training process for the intent analysis learning model is further described below.
In a separately implementable embodiment, the training paradigm for the intention analysis learning model includes: an example cloud service log, a reference service session set in the example cloud service log, and a reference multi-modal interaction event corresponding to the reference service session set. The data attack analysis method applied to the cloud service further comprises: performing key event identification on the example cloud service log through an original learning model to obtain at least one second sensitive interaction event corresponding to the example cloud service log; determining a second target service session set in the example cloud service log by using the at least one second sensitive interaction event, and determining a second multi-modal interaction event corresponding to the second target service session set; obtaining, according to the second multi-modal interaction event, a second target data attack intention corresponding to the second target service session set by enabling attack intention positioning processing; determining a first intention analysis evaluation according to the second target service session set and the reference service session set, and determining a second intention analysis evaluation according to the second target data attack intention and the reference multi-modal interaction event; and improving the model variables of the original learning model according to the first intention analysis evaluation and the second intention analysis evaluation to obtain the trained intention analysis learning model.
It is to be understood that the above references may be understood as annotation content and the intent resolution evaluation may be understood as model loss or a model loss function. By creating a training example of the intention analysis learning model in advance, the original learning model is trained by using the example cloud service log in the training example, the reference service session set in the example cloud service log and the reference multi-modal interaction event expression corresponding to the reference service session set, so that the intention analysis of the service session sets in different states can be realized by the intention analysis learning model obtained after training. The raw learning model may be a learning model (such as an AI intelligence model) having the same model network layer as the intention analysis learning model, but different model variables, and having an intention analysis function.
In an independently implementable embodiment, the training paradigm may include at least one paradigm cloud service log, and each paradigm cloud service log includes at least one reference service session set. The number of example cloud service logs included in the training examples and the number of reference service session sets included in any example cloud service log may be determined according to the actually acquired example cloud service logs, which is not further limited in this application.
With reference to the above related contents, the example cloud service log in the training example is transmitted to the intention analysis learning model, and the key event recognizer model recognizes the key event of the example cloud service log to obtain at least one second sensitive interaction event corresponding to the example cloud service log. The relevant process of the key event recognition sub-model for carrying out key event recognition on the sample cloud service logs is similar to the relevant process of carrying out key event recognition on the cloud service logs triggering the data attack analysis conditions by the key event recognition sub-model, and the description is not repeated here.
The quantitative relationship analysis unit determines a second multi-modal interaction event corresponding to the second target service session set by using the at least one second sensitive interaction event.
In a separately implementable embodiment, the second sensitive interaction event comprises a second sensitive interaction event description; determining a second set of target service sessions in the exemplar cloud service log using the at least one second sensitive interaction event, comprising: performing third differentiation processing on the service session messages in the example cloud service log by using at least one second sensitive interactive event description to obtain a second original service session set in the example cloud service log; performing fourth differentiation processing on the service session messages in the example cloud service log by using at least one second sensitive interactive event description to obtain a second hotspot session set in the example cloud service log, wherein the second hotspot session set corresponds to a hotspot session time period of a second original service session set; and determining a second target service session set according to the second original service session set and the second hotspot session set.
The further determination process of the second target service session set in the example cloud service log by the differentiation processing unit is similar to the further determination process of the first target service session set in the cloud service log triggering the data attack analysis condition by the differentiation processing unit, and a description thereof is omitted here. The second multi-modal interaction event includes a second multi-modal interaction event expression, and the further determination process of the quantitative relationship analysis unit on the second multi-modal interaction event expression corresponding to the second target service session set is similar to the further determination process of the quantitative relationship analysis unit on the first multi-modal interaction event expression corresponding to the first target service session set, and therefore the description is omitted here. The second sensitive interactive event may include, in addition to the description of the second sensitive interactive event, other forms of sensitive interactive events, such as a sensitive interactive event variable, a sensitive interactive event list, etc., according to actual desires, and the second multi-modal interactive event may include, in addition to the second multi-modal interactive event expression, other forms of multi-modal interactive events, such as a multi-modal interactive event list, a multi-modal interactive event variable, etc., according to actual desires, which is not further limited in this application.
It can be understood that after the second multi-modal interaction event expressions corresponding to the second target service session set are determined, since the second multi-modal interaction event expressions corresponding to the second target service session set are all used for describing constraints of the second target service session set, attack intention positioning processing is enabled according to the second multi-modal interaction event expressions, a plurality of data attack intentions corresponding to the second target service session set can be obtained, iterative optimization processing is enabled on the plurality of data attack intentions in order to clean up redundant data attack intentions, and finally, a second target data attack intention corresponding to the second target service session set is obtained, so that intention analysis of the intention analysis learning model on the sample cloud service log is achieved.
By determining the intention analysis evaluation, the model variables of the original learning model can be improved according to that evaluation, which trains the intention analysis learning model. When determining the intention analysis evaluation, the losses of both the differentiation processing unit and the quantitative relationship analysis unit are taken into account. For example, the intention analysis evaluation of the intention analysis learning model can be determined by the following algorithm: evaluation_classification + Q × evaluation_R.
In the above algorithm, evaluation_classification is the first intention analysis evaluation corresponding to the differentiation processing unit, and evaluation_R is the second intention analysis evaluation corresponding to the quantitative relationship analysis unit. Q may be understood as a variable for adjusting the first intention analysis evaluation evaluation_classification and the second intention analysis evaluation evaluation_R. Exemplary values of Q may be determined according to actual expectations, which are not further limited in this application.
In a separately implementable embodiment, determining a first intent resolution rating from a second set of target service sessions and a set of reference service sessions comprises: determining a reference hotspot session set according to the reference service session set and the setting adjustment instruction, wherein the reference hotspot session set corresponds to a hotspot session time period of the reference service session set; determining a third intention analysis evaluation according to a comparison result between the second target service session set and the reference service session set; determining a fourth intention analysis evaluation according to a comparison result between the second hotspot session set and the reference hotspot session set; and determining the first intention analysis evaluation according to the third intention analysis evaluation and the fourth intention analysis evaluation.
Since the differentiation processing unit determines the second hotspot session set in the process of determining the second target service session set, when determining the first intention analysis evaluation corresponding to the differentiation processing unit, the intention analysis evaluation on the second target service session set and the second hotspot session set is considered in all directions.
In an actual application process, in order to determine the intention analysis evaluation of the differentiation processing unit on the second hotspot session set, information compression or information amplification processing can be performed on the reference service session set by setting an adjustment instruction, so that the reference hotspot session set is determined and obtained in a hotspot session period of the reference service session set. An exemplary value of the setting adjustment indication may be determined according to actual expectations, which is not further limited in the embodiment of the present application, for example, the setting adjustment indication may be 0.6.
In some other embodiments, the first intention analysis evaluation corresponding to the differentiation processing unit may be determined by the following algorithm.
evaluation_classification = evaluation_A + evaluation_B.
In the above algorithm, evaluation_A is the third intention analysis evaluation, determined according to a comparison result between the second target service session set and the reference service session set, and evaluation_B is the fourth intention analysis evaluation, determined according to a comparison result between the second hotspot session set and the reference hotspot session set. The third intention analysis evaluation and the fourth intention analysis evaluation may both be cost functions, which is not further limited in this application.
In the model training of the intention analysis learning model, the example cloud service log includes active paradigms (such as positive examples) and passive paradigms (such as negative examples), where an active paradigm is a service session set and a passive paradigm is a non-service session set. When the numbers of active and passive paradigms in the example cloud service log are unbalanced, for example when the passive paradigms significantly outnumber the active paradigms (that is, the non-service session sets are large relative to the service session sets), training of the intention analysis learning model suffers and the trained model analyses intentions less accurately. To address this imbalance, the numbers of active and passive paradigms in the example cloud service log are balanced, for example so that the ratio of passive paradigms to active paradigms is 4:1. Exemplary values of the ratio between active and passive paradigms may be set according to actual expectations, which is not further limited by the present application.
Since the attack intention of the second target data corresponding to the second target service session set is determined by locating the attack intention based on the second multimodal interaction event corresponding to the second target service session set determined by the quantitative relationship analysis unit, in order to determine the second intention analysis evaluation corresponding to the quantitative relationship analysis unit, the reference multimodal interaction event corresponding to the reference service session set is used to obtain the attack intention of the reference data corresponding to the reference service session set according to the attack intention locating of the reference multimodal interaction event, and the second intention analysis evaluation corresponding to the quantitative relationship analysis unit is determined according to the comparison result between the attack intention of the second target data and the attack intention of the reference data.
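The evaluation described above (evaluation_classification = evaluation_A + evaluation_B, combined with Q × evaluation_R, the 0.6 setting adjustment indication and the 4:1 balancing), as an added Python sketch that is not code from the patent. Binary cross-entropy and mean absolute error stand in for the unspecified cost functions; the span-scaling reading of the adjustment indication, numeric intention vectors, all function names and all sample values are assumptions.

```python
import math
import random


def shrink_span(start, end, ratio):
    """Scale the inclusive index span [start, end] about its centre.

    Assumed reading of the "setting adjustment indication" (e.g. 0.6): the
    reference hot spot period is the reference session span compressed by it.
    """
    centre = (start + end) / 2
    half = (end - start) / 2 * ratio
    return math.ceil(centre - half), math.floor(centre + half)


def span_labels(n, span):
    """1 for message indices inside the span (active paradigm), else 0 (passive)."""
    lo, hi = span
    return [1 if lo <= i <= hi else 0 for i in range(n)]


def balance(labels, neg_per_pos=4, seed=0):
    """Keep every positive and at most neg_per_pos negatives per positive."""
    pos = [i for i, y in enumerate(labels) if y == 1]
    neg = [i for i, y in enumerate(labels) if y == 0]
    keep = min(len(neg), neg_per_pos * len(pos))
    return sorted(pos + random.Random(seed).sample(neg, keep))


def bce(probs, labels, idx):
    """Mean binary cross-entropy over the selected indices (assumed cost function)."""
    if not idx:
        return 0.0
    eps = 1e-7
    total = 0.0
    for i in idx:
        p = min(max(probs[i], eps), 1 - eps)
        total -= labels[i] * math.log(p) + (1 - labels[i]) * math.log(1 - p)
    return total / len(idx)


def mean_abs_error(pred, ref):
    """Assumed comparison between a predicted and a reference intention vector."""
    return sum(abs(a - b) for a, b in zip(pred, ref)) / len(ref)


def total_evaluation(p_session, p_hotspot, ref_span, pred_intent, ref_intent,
                     q=1.0, adjust=0.6):
    n = len(p_session)
    y_session = span_labels(n, ref_span)
    y_hotspot = span_labels(n, shrink_span(ref_span[0], ref_span[1], adjust))
    eval_a = bce(p_session, y_session, balance(y_session))  # third evaluation
    eval_b = bce(p_hotspot, y_hotspot, balance(y_hotspot))  # fourth evaluation
    eval_cls = eval_a + eval_b                               # first evaluation
    eval_r = mean_abs_error(pred_intent, ref_intent)         # second evaluation
    return {
        "evaluation_A": eval_a,
        "evaluation_B": eval_b,
        "evaluation_classification": eval_cls,
        "evaluation_R": eval_r,
        "evaluation_total": eval_cls + q * eval_r,
    }


# Constructed sample: 100 messages, reference session at indices 10..19.
N = 100
REF_SPAN = (10, 19)
HOT_SPAN = shrink_span(REF_SPAN[0], REF_SPAN[1], 0.6)
GOOD_SESSION = [0.99 if REF_SPAN[0] <= i <= REF_SPAN[1] else 0.01 for i in range(N)]
GOOD_HOTSPOT = [0.99 if HOT_SPAN[0] <= i <= HOT_SPAN[1] else 0.01 for i in range(N)]
PRED_INTENT = [0.2, 0.5, 0.9]  # hypothetical decoded intention vectors
REF_INTENT = [0.0, 0.5, 1.0]


def demo():
    return total_evaluation(GOOD_SESSION, GOOD_HOTSPOT, REF_SPAN,
                            PRED_INTENT, REF_INTENT, q=0.5)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.5f}")
```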
The determination of the reference multimodal interaction events corresponding to the set of reference service sessions included in the training paradigm is further described below.
In an independently implementable embodiment, the training paradigm further comprises a plurality of reference service topics corresponding to the reference service session set; the method further comprises the following steps: according to the multiple reference service topics, performing service topic screening processing on the reference service session set to obtain multiple screened service topics, wherein keywords among the related screened service topics are consistent; and enabling event analysis processing according to the plurality of screened service themes to obtain a reference multi-modal interaction event.
Because the number of reference service topics corresponding to different reference service session sets may not be completely the same when the sample cloud service log includes a plurality of reference service session sets, and the distribution of the reference service topics corresponding to each reference service session set may not be balanced, in order to improve the training quality and achieve the processing capability for different samples, for any reference service session set, the reference service session set is subjected to service topic screening processing according to the plurality of reference service topics corresponding to the reference service session set to obtain a plurality of screened service topics corresponding to the reference service session set, and further event analysis processing is enabled according to the plurality of screened service topics to obtain reference feature descriptions corresponding to the reference service session sets with higher accuracy.
The form of the multiple reference service topics corresponding to the reference service session set may be multiple reference service topics with poor relevance, may be reference data attack intents formed by multiple reference service topics with strong relevance, and may also be multiple reference service topics in other forms distributed on the reference service session set constraint, which is not further limited in this application.
With reference to the above related content, the reference service session set includes a plurality of reference service topics having a first service scenario state, and the reference service session set is subjected to service topic screening processing based on the plurality of reference service topics, so as to obtain a plurality of screened service topics having a second service scenario state and balanced in distribution.
In a separately implementable embodiment, the reference multi-modal interaction event comprises a reference multi-modal interaction event expression; enabling event analysis processing according to the plurality of screened service topics to obtain the reference multi-modal interaction event comprises: obtaining a service topic set corresponding to the plurality of screened service topics by determining the precedence relationship between the original screened service topic among the plurality of screened service topics and each screened service topic; and enabling event analysis processing according to the service topic set to obtain the reference multi-modal interaction event expression.
For the same reference service session set, different multi-modal interactive event expressions may be generated by different queues formed by a plurality of screened service topics, so that in order to ensure that the reference multi-modal interactive event expression corresponding to one reference service session set has independence and to perform model training more efficiently, independent service topic sets corresponding to the plurality of screened service topics are obtained by determining the precedence relationship between the original screened service topics and each screened service topic in the plurality of screened service topics, and further, the obtained reference multi-modal interactive event expression also has independence after the event analysis processing is enabled for the service topic sets. In an embodiment, the service session set is determined to be the original screened service topic by the most marginal matching result between the message tag of the service session message of the hot spot session period of the reference service session set and the reference service session set. For example, the service session message information is an original screened service topic of the reference service session set. Besides the determination method, the original screened service theme can also be determined by other determination methods, which is not further limited in the present application.
In an independently implementable embodiment, the precedence relationship between the screened service topics is determined as an order starting from the original screened service topic. The precedence relationship between the screened service topics may also be determined in other manners, which is not further limited in this application. Event analysis processing is then enabled according to the service topic set to obtain a reference multi-modal interaction event expression, which comprises intention analysis weights of a plurality of stages. For example, the service topic set is [theme_1, theme_2, ..., theme_n, ..., theme_m], where theme_m is the m-th screened service topic in the service topic set. Service event positioning processing can then be carried out on the service topic set to obtain the intention analysis weights of the multiple stages, and further obtain the reference multi-modal interaction event expression formed by these weights.
In a separately implementable embodiment, determining a second intention analysis evaluation according to the second target data attack intention and the reference multi-modal interaction event comprises: enabling attack intention positioning processing according to the reference multi-modal interaction event expression to obtain a third target data attack intention corresponding to the reference service session set; and determining the second intention analysis evaluation according to a comparison result between the second target data attack intention and the third target data attack intention.
Because the final output of the intention analysis learning model is the second target data attack intention in the service scene, the final attack intention positioning result is still a fuzzy expression in the service scene. To improve the intention analysis precision of the trained intention analysis learning model, continuous tracking training therefore needs to be performed on the quantitative relationship analysis unit of the intention analysis learning model in the service scene. Because the second target data attack intention is obtained by performing attack intention positioning on the second multimodal interaction event expression, attack intention positioning processing is also enabled according to the reference multimodal interaction event expression, which yields the third target data attack intention of the reference service session set in the service scene. The second intention analysis evaluation corresponding to the quantitative relationship analysis unit is then determined according to the comparison result, in the service scene, between the second target data attack intention and the third target data attack intention.
In a possible example, the attack intention positioning processing and the event analysis processing are reciprocal, after a first intention analysis evaluation corresponding to the differentiation processing unit and a second intention analysis evaluation corresponding to the quantitative relationship analysis unit are determined, model variables of the original learning model are improved according to the first intention analysis evaluation and the second intention analysis evaluation, the trained intention analysis learning model can be obtained by repeatedly executing the model training process, and the trained intention analysis learning model can realize efficient and accurate intention analysis on service session sets in different states.
In an independently implementable embodiment, after obtaining a first target data attack intent corresponding to the first set of target service sessions, the method further comprises: determining to-be-processed risk intention big data of the first target data attack intention, and updating a risk intention database according to the to-be-processed risk intention big data; responding to a user behavior analysis request, and processing service interaction big data of a user behavior event to be analyzed through the risk intention data set to obtain target risk intention big data; performing big data protection analysis on the user behavior event to be analyzed according to the target risk intention big data to obtain a big data protection analysis result; and starting a target data security protection strategy based on the big data protection analysis result.
In the embodiment of the application, the to-be-processed risk intention big data corresponding to the first target data attack intention can be queried according to a preset mapping relation, and further, the incidence relation and timeliness characteristics of the risk intention big data in the risk intention database can be updated according to the to-be-processed risk intention big data, so that the risk intention big data can be positioned subsequently.
In an embodiment that can be implemented independently, the processing of the business interaction big data of the user behavior event to be analyzed by the risk intention data set to obtain the target risk intention big data may include the following: collecting service interaction big data of a user behavior event to be analyzed; accessing a behavior demand information set through the service interaction big data of the user behavior event to be analyzed to obtain first behavior demand information which has an incidence relation with the service interaction big data of the user behavior event to be analyzed, wherein the behavior demand information set covers a plurality of behavior demand information; and obtaining at least one target risk intention big data which has an incidence relation with the business interaction big data of the user behavior event to be analyzed based on the first behavior demand information and a risk intention data set, wherein the risk intention data set covers a plurality of risk intention big data.
In an embodiment that can be implemented independently, an exemplary technical solution for obtaining target risk intention big data by processing business interaction big data of a user behavior event to be analyzed through the risk intention data set may include the following relevant contents.
Step 100, collecting service interaction big data of a user behavior event to be analyzed.
In the embodiment of the present application, the service interaction metadata of the user behavior event to be analyzed may refer to service interaction metadata including a behavior requirement of the user behavior event to be analyzed, and may include online service interaction metadata of the behavior requirement or service session metadata including the behavior requirement in the service session. For example, the service interaction big data of the user behavior event to be analyzed may be service session big data, may be a service interaction session message in a service session log of the service user interaction terminal, may also be an independent piece of service interaction big data or a group of service interaction big data, and may also be from another interaction terminal.
Illustratively, the user behavior event to be analyzed may be a behavior event with security analysis requirements, such as an authentication event and a payment behavior event of a payment service, a file transfer event of an office service, a user information anonymization processing behavior event of an intelligent medical service, and the like. In addition, the service interaction big data can include information of multiple dimensions or information of multiple layers, and can be used as a raw material for security analysis, but data security analysis is directly performed on the service interaction big data, and large noise may exist, so that subsequent behavior requirements and risk intention mining and analysis need to be performed, and the accuracy and the reliability of data information security processing and analysis are improved.
Step 102, accessing a behavior demand information set by using the service interaction big data of the user behavior event to be analyzed, and acquiring first behavior demand information which has an association relation with the service interaction big data of the user behavior event to be analyzed.
In the embodiment of the present application, the behavior requirement information set may be a relational database (e.g., MySQL) that is built in advance and used for storing the behavior requirement information. The behavior requirement information set may include a plurality of behavior requirement information of one or more user behavior events, and each user behavior event may correspond to one or more behavior requirement information.
It can be understood that the behavior demand information included in the behavior demand information set may be obtained by performing behavior demand mining on service session big data in one or more service sessions, or the behavior demand information included in the behavior demand information set may also be obtained by performing behavior demand mining on online service interaction big data.
It can be understood that the number of the first behavior requirement information may be one or more, in other words, the at least one first behavior requirement information having an association relationship with the business interaction big data of the user behavior event to be analyzed may be obtained by using the business interaction big data access behavior requirement information set of the user behavior event to be analyzed.
For example, the behavior demand information set requirement_collection includes behavior demand information of a plurality of user behavior events, and each user behavior event may have one or more pieces of behavior demand information. Accessing requirement_collection yields the following behavior demand information associated with the service interaction big data ser_DATA of the user behavior event to be analyzed: the first behavior demand information req_information_1, req_information_2, and req_information_3. The first behavior demand information req_information_1, req_information_2, and req_information_3 is the behavior demand information that is matched to the same user behavior event as the service interaction big data ser_DATA of the user behavior event to be analyzed.
For example, the behavior requirement information may be used to characterize an interaction requirement or an interaction requirement corresponding to a user behavior event, so as to provide a more targeted analysis material for subsequent intent mining.
Step 104, obtaining at least one target risk intention big data which has an incidence relation with the business interaction big data of the user behavior event to be analyzed according to the first behavior demand information and the risk intention data set.
In the embodiment of the application, the risk intention data set may be a relational database which is built in advance and used for recording risk intention big data. The risk intent dataset may contain a plurality of risk intent big data for one or more user behavioral events, each of which may correspond to one or more risk intent big data.
It is to be appreciated that the risk intent big data included in the risk intent data set can be obtained by performing a risk intent mining process on the service session big data in the one or more service sessions, wherein a service session provider of the risk intent big data in the risk intent data set can be identical, partially identical, or completely different from a service session provider of the behavior demand information in the behavior demand information set. Or, the risk intention big data in the risk intention data set may be obtained by performing risk intention mining on the online business interaction big data, and the provider of the risk intention big data included in the risk intention data set is not limited in the embodiment of the present application.
On the basis of the above, at least one target risk intention big data can be obtained according to each first action demand information and risk intention data set. The target risk intention big data may be obtained by accessing a risk intention data set, but the embodiment of the present application does not limit the target risk intention big data.
For example, the risk intention data set risk_interaction_collection may include risk intention big data of one or more user behavior events, and each user behavior event may have multiple pieces of risk intention big data. According to risk_interaction_collection and the first behavior demand information req_information_1, the risk intention big data risk_interaction_DATA1 and risk_interaction_DATA2 associated with the business interaction big data server_DATA of the user behavior event to be analyzed may be collected. According to risk_interaction_collection and the first behavior demand information req_information_2 and req_information_3, the risk intention big data risk_interaction_DATA3, risk_interaction_DATA4 and risk_interaction_DATA5 associated with server_DATA may be collected. In this way, 5 target risk intention big data, risk_interaction_DATA1 to risk_interaction_DATA5, associated with the business interaction big data of the user behavior event to be analyzed can be obtained.
In the embodiment of the present application, the step 102 may be regarded as a behavior requirement analysis process, and the step 104 may be regarded as a risk intention analysis process. In addition, the risk intention big data can comprise various abnormal behavior intentions or behavior tendencies, such as abnormal login intentions, abnormal interaction intentions, abnormal identification intentions and the like, and can be used as the basis for security processing of the big data information.
The embodiment of the application is based on a comprehensive analysis mode that combines behavior demand analysis and risk intention analysis. On one hand, first behavior demand information which has an association relation with the business interaction big data of the user behavior event to be analyzed is obtained by accessing the behavior demand information set; on the other hand, at least one target risk intention big data which has an association relation with the business interaction big data of the user behavior event to be analyzed is acquired according to the risk intention data set and the first behavior demand information. The method has the advantages of strong time sequence continuity and high accuracy of behavior demand analysis and high detection sensitivity of risk intention analysis, and it improves the accuracy and reliability of risk intention mining and analysis for the user behavior event to be analyzed. In addition, by considering both behavior demand and risk intention, the risk intention mining analysis can be layered to ensure the integrity of the risk intention big data. In this way, when the target risk intention big data is used as the basis for data information protection analysis, the reliability of data information protection can be guaranteed.
In some embodiments, which can be implemented independently, the following is another implementation of the big data protection method based on user behavior according to the embodiments of the present application.
Step 200, generating a behavior demand information set and a risk intention data set.
In the embodiment of the present application, the generation processes of the behavior requirement information set and the risk intention data set may be isolated from each other, have no influence on each other, and may be implemented simultaneously or in a random order, which is not limited in the embodiment of the present application. The generation of the behavioral need information set and the risk intent data set will be described separately below.
STEP1 generates behavior requirements information set
STEP1-1 behavior demand mining process
The behavior requirement mining processing can be performed on the service session big data included in each service session in the at least one service session to obtain a plurality of behavior requirement information, and the information of each behavior requirement information in the plurality of behavior requirement information is added to the behavior requirement information set.
Viewed from some exemplary perspectives, the information of the behavioral need information may include one or more of the following: service session information bound by the behavior demand information, distribution information (precedence information or sequence number information) of the behavior demand information, service interaction big data description information (relative position information of the behavior demand information in the service session big data) of the behavior demand information in the service session big data, and the like.
The distribution information of the behavior requirement information may indicate the service session big data bound by the behavior requirement information, or the service session big data bound by the behavior requirement information may also be indicated by other parameters. It is to be understood that the business interaction big data description information of the behavior requirement information in the service session big data may indicate the description of the behavior requirement information in the service session big data, for example, the business interaction big data description information of the behavior requirement information in the service session big data may include constraint tag description information (such as the location of the identification set) of the behavior requirement information. It is understood that the information of the behavior requirement information may also include other information, which is not limited in this application.
For example, the service session conversion_1 may be disassembled to obtain two sets of service session big data, conversion_DATA1 and conversion_DATA2. Behavior demand mining processing may then be performed on conversion_DATA1 and conversion_DATA2. The following behavior demand information is obtained from the service session big data conversion_DATA1: conversion_req_information1, conversion_req_information2, and conversion_req_information3.
The following behavior demand information is obtained from the service session big data conversion_DATA2: conversion_req_information4 and conversion_req_information5.
On this basis, the characteristics of each piece of behavior demand information are collected. The characteristics of the behavior demand information conversion_req_information1 include: characteristics of the example service interaction big data conversion_DATA1 (such as its tag, sequence number, data amount, timing characteristics, etc.), the corresponding distribution_1 of the service session big data conversion_DATA1, the description information of conversion_req_information1 in the example service interaction big data conversion_DATA1, and so on.
The characteristics of the behavior demand information conversion_req_information2, conversion_req_information3, conversion_req_information4, and conversion_req_information5 are similar to those of conversion_req_information1, and are not described herein again.
Based on the above, the behavior demand information conversion_req_information1, conversion_req_information2, conversion_req_information3, conversion_req_information4 and conversion_req_information5 and their respective characteristics are added to the behavior demand information set requirement_collection.
STEP1-2 behavior demand persistence analysis process
And performing behavior demand continuity analysis processing on the plurality of behavior demand information obtained by the behavior demand mining processing to obtain at least one behavior demand visual record, wherein each behavior demand visual record covers at least two behavior demand information in the plurality of behavior demand information. The behavioral need visual record may include at least two behavioral need information paired to the same user behavioral event. It is to be appreciated that information indicative of a correspondence between the plurality of behavioral requirement information and the at least one behavioral requirement visual record may be added to the set of behavioral requirement information. As one possible embodiment, the information of each of the at least one behavioral need visual record may be added to the behavioral need information set. It will be appreciated that the information of the behavioral need visual record may include identifying information of the behavioral need information included in the behavioral need visual record.
It is to be appreciated that the depolarizing significance expression of each of the at least one behavioral need visual records can be determined based on at least two behavioral need information included in each of the at least one behavioral need visual records, and the depolarizing significance expression of each of the at least one behavioral need visual records can be added to the set of behavioral need information.
For example, behavior demand persistence analysis processing is performed on the behavior demand information conversion_req_information1, conversion_req_information2, conversion_req_information3, conversion_req_information4 and conversion_req_information5 to obtain the behavior demand visual records visual_record_1 and visual_record_2.
The behavior demand visual record visual_record_1 includes the behavior demand information conversion_req_information1, conversion_req_information3, and conversion_req_information5, and the behavior demand visual record visual_record_2 includes the behavior demand information conversion_req_information2 and conversion_req_information4.
Further, on the basis of the above, the saliency expressions of conversion_req_information1, conversion_req_information3, and conversion_req_information5 may be determined respectively, and the depolarization processing result (averaging processing result) of those saliency expressions is determined as the depolarizing significance expression significance_ave_1 of the behavior demand visual record visual_record_1. Likewise, the saliency expressions of conversion_req_information2 and conversion_req_information4 may be determined respectively, and their depolarization processing result is determined as the depolarizing significance expression significance_ave_2 of the behavior demand visual record visual_record_2. Finally, the depolarizing significance expression significance_ave_1 of visual_record_1 and the depolarizing significance expression significance_ave_2 of visual_record_2 are added to the behavior demand information set requirement_collection.
It is to be understood that, in the above example, the result of the depolarization processing of the saliency expressions of the plurality of behavior requirement information included in the behavior requirement visual record is taken as the depolarization saliency expression of the behavior requirement visual record, in this embodiment, the depolarization saliency expression of the behavior requirement visual record may be obtained by processing the saliency expressions of at least two behavior requirement information included in the behavior requirement visual record, and this embodiment does not limit further implementation of the processing.
In some other possible examples, the information of the behavior requirement visual record bound by the behavior requirement information may be added to the behavior requirement information set as the information of the behavior requirement information, for example, the information of the behavior requirement information includes identification information and/or a saliency representation of the behavior requirement visual record bound by the behavior requirement information, which is not limited by the embodiment of the present application.
It can be understood that, in the process of generating the behavior requirement information set, an AI intelligent model and the like may be used to perform behavior requirement mining processing and behavior requirement continuity analysis processing, and the embodiments of the present application do not limit the technical means used for the behavior requirement mining processing and the behavior requirement continuity analysis processing.
STEP2 generates a risk intent data set
STEP2-1 Risk intent mining Process
And performing risk intention mining processing on the service session big data in each service session in at least one service session to obtain a plurality of risk intention big data, and adding the information of each risk intention big data in the plurality of risk intention big data to a risk intention data set. Viewed from some exemplary perspectives, the information of the risk intent big data may include one or more of the following: the service session information bound by the risk intention big data, the distribution information of the risk intention big data, and the business interaction big data description information of the risk intention big data in the service session big data.
The distribution information of the risk intention big data may indicate the service session big data to which the risk intention big data is bound, or the service session big data to which the risk intention big data is bound may also be indicated by other parameters. It is to be understood that the business interaction big data description information of the risk intention big data in the service session big data may indicate the description of the risk intention big data in the service session big data, for example, the business interaction big data description information of the risk intention big data in the service session big data may include constraint tag description information of the risk intention big data. It is to be understood that the information of the risk intention big data may also include other information, which is not limited by the embodiment of the present application. The embodiment of the risk intent mining process may refer to the embodiment of the behavior requirement mining process, and is not described herein again.
STEP2-2 Risk intention persistence analysis processing
And performing risk intention persistence analysis processing on the plurality of risk intention big data to obtain at least one risk intention visual record, wherein each risk intention visual record covers at least two risk intention big data in the plurality of risk intention big data. The risk intent visual record includes at least two risk intent big data that can be matched to the same user behavioral event. It may be appreciated that information indicating a correspondence between the plurality of risk intent big data and the at least one risk intent visual record may be added to the behavioral need information set. Viewed from some exemplary perspective, information for each of the at least one risk intent visual record may be added to the behavioral need information set. It will be appreciated that the information of the risk intent visual record may include identifying information of the risk intent big data included in the risk intent visual record.
It may be appreciated that a significance expression for each of the at least two risk intent big data included in the risk intent visual record may be determined, and a depolarizing significance expression for the risk intent visual record may be determined according to the significance expression for each of the risk intent big data included in the risk intent visual record. The depolarizing significance expression of the risk intention visual record may be obtained by processing a significance expression of each risk intention big data in at least two risk intention big data included in the risk intention visual record, such as a depolarizing processing, and the like.
Viewed in some exemplary perspectives, a depolarizing prominence expression for each of the at least one risk intent visual records may be determined from at least two risk intent big data included in each of the at least one risk intent visual records, and the depolarizing prominence expression for each of the at least one risk intent visual records may be added to the behavioral need information set.
In some other possible examples, the information of the risk intention visual record bound by the risk intention big data may be added to the behavior demand information set as the information of the risk intention big data, for example, the information of the risk intention big data includes identification information and/or a depolarizing significance expression of the risk intention visual record bound by the risk intention big data, which is not limited by the embodiment of the present application. The embodiment of the risk intent persistence analysis process may refer to the embodiment of the behavior requirement persistence analysis process, and is not described herein again.
For an implementation that can be implemented independently, performing behavior requirement/risk intent mining on the service session big data in the service session may refer to analyzing each piece of business interaction big data in the service session by using a behavior requirement/risk intent mining algorithm to obtain a behavior requirement/risk intent data set in each piece of business interaction big data. The behavior demand/risk intention persistence analysis processing on the service session big data in the service session may refer to mining the behavior demand/risk intention big data paired with the same user behavior event in the service session by using a behavior demand/risk intention persistence analysis algorithm, but the embodiment of the present application does not limit this.
Step 202, collecting service interaction big data of the user behavior event to be analyzed.
Step 204, accessing a behavior demand information set by using the service interaction big data of the user behavior event to be analyzed, and acquiring first behavior demand information which has an association relation with the service interaction big data of the user behavior event to be analyzed.
It is understood that step 204 may include the following steps.
Step 2040, determining a first behavior requirement significance expression of the business interaction big data of the user behavior event to be analyzed.
In the embodiment of the application, a significance expression (feature vector or description vector) of business interaction big data of a user behavior event to be analyzed is referred to as a first behavior requirement significance expression. It can be understood that the first behavior requirement significance expression of the business interaction big data of the user behavior event to be analyzed can be determined based on the behavior requirement identification network, wherein the behavior requirement identification network is used for determining the behavior requirement significance expression.
In one possible implementation, the behavior demand identification network may be an AI model. For example, the behavior demand identification network extracts a first behavior demand significance expression of the service interaction big data of the user behavior event to be analyzed. The first behavior demand significance expression may be a multidimensional vector whose specific dimension is related to the behavior demand identification network, and each feature value of the first behavior demand significance expression is normalized so that the value of each position lies in the interval [-1, 1], but the embodiment of the present application is not limited thereto.
Step 2041, according to the first behavior requirement significance expression, determining first behavior requirement information from a plurality of behavior requirement information included in the behavior requirement information set.
Viewed from some exemplary perspectives, a difference analysis result (e.g., Euclidean distance) between the first behavior requirement significance expression and each of the plurality of second behavior requirement significance expressions corresponding to the plurality of behavior requirement information may be respectively determined; at least one behavior requirement information corresponding to the second behavior requirement significance expression whose difference analysis result is the smallest, or whose difference analysis result does not exceed a first judgment value, among the plurality of second behavior requirement significance expressions is then determined as the first behavior requirement information.
The embodiment of the application refers to the significance expression of the behavior requirement information in the behavior requirement information set as a second behavior requirement significance expression. It can be understood that each behavior requirement information in the plurality of behavior requirement information may be associated with one second behavior requirement significance expression, and the second behavior requirement significance expressions corresponding to different behavior requirement information in the plurality of behavior requirement information may be the same or different. It is understood that at least two behavior requirement information pairs of the plurality of behavior requirement information that are paired with the same behavior requirement visual record have the same second behavior requirement significance expression. For example, the second behavior requirement significance expression of the at least two behavior requirement information may be a depolarization significance expression of a behavior requirement visual record to which the at least two behavior requirement information belongs, but the embodiment of the present application is not limited thereto.
For example, consider behavior requirement information conversion_req_information1, conversion_req_information2, conversion_req_information3, conversion_req_information4 and conversion_req_information5. Behavior requirement information conversion_req_information1, conversion_req_information3 and conversion_req_information5 belong to the behavior requirement visual record visual_record_1. Behavior requirement information conversion_req_information2 and conversion_req_information4 do not belong to any behavior requirement visual record. The second behavior requirement significance expressions corresponding to conversion_req_information1, conversion_req_information3 and conversion_req_information5 are then all the depolarizing significance expression of the behavior requirement visual record visual_record_1, and the second behavior requirement significance expression of conversion_req_information2 may be the significance expression of conversion_req_information2 itself.
It can be understood that at least one behavior requirement information corresponding to the second behavior requirement significance expression with the smallest difference analysis result among the plurality of second behavior requirement significance expressions may be determined as the first behavior requirement information, or at least one behavior requirement information corresponding to at least one second behavior requirement significance expression whose difference analysis result does not exceed the first determination value may be determined as the first behavior requirement information, where the first determination value may be set in advance according to different requirements, and the embodiment of the present application does not limit this.
Step 206, obtaining at least one target risk intention big data which has an association relation with the business interaction big data of the user behavior event to be analyzed according to the first behavior demand information and the risk intention data set.
It is understood that step 206 may include the following steps.
Step 2060, collecting first risk intention big data corresponding to the first behavior demand information.
In the embodiment of the application, the characteristics of the first behavior demand information can be collected from the behavior demand information set, and the first risk intention big data corresponding to the first behavior demand information is determined according to the collected characteristics. It is understood that the characteristic of the first behavior need information may include a characteristic of a service session to which the first behavior need information is bound and/or a distribution characteristic of the first behavior need information, or may further include a service interaction big data description characteristic of the first behavior need information. Regarding some exemplary aspects, a first service session bound by the first behavior demand information, a distribution characteristic of the first behavior demand information, and a service interaction big data description characteristic may be determined, and first risk intention big data corresponding to the first behavior demand information in the first service session is collected according to the distribution characteristic of the first behavior demand information and the service interaction big data description characteristic.
In some possible examples, the distribution characteristic of the first behavior requirement information may indicate a location of the first behavior requirement information in the first service session, and first service session big data including the first behavior requirement information in the first service session may be collected according to the distribution characteristic of the first behavior requirement information, where a location of the first service session big data bound in the first service session is paired with the distribution characteristic of the first behavior requirement information. The service interaction big data description feature of the first behavior requirement information may indicate a description of the first behavior requirement information in the bound service session big data, for example, a relative location feature of a constraint tag of the first behavior requirement information in the first service session big data, but the embodiment of the present application is not limited thereto.
It can be understood that, in the process of collecting the first risk intention big data, the following two ways can be specifically realized.
In a first mode, if risk intention big data whose distribution matches the distribution information of the first behavior demand information and which carries the first behavior demand information exists in the first service session, the risk intention big data containing the first behavior demand information is determined as the first risk intention big data corresponding to the first behavior demand information.
For example, if the first behavior demand information req_information_1 is in the 20th group of service session big data of the first service session service_1, and that group contains risk intention big data risk_interaction_DATA1 that completely contains the first behavior demand information req_information_1, then the risk intention big data risk_interaction_DATA1 is determined as the first risk intention big data corresponding to the first behavior demand information req_information_1 in the 20th group of service session big data of the first service session service_1.
In a second mode, if the first service session does not contain risk intention big data whose distribution matches the distribution information of the first behavior demand information and which carries the first behavior demand information, the first behavior demand information is up-sampled in the first service session big data according to the setting indication to obtain the first risk intention big data corresponding to the first behavior demand information, wherein the distribution of the first service session big data in the first service session matches the distribution information of the first behavior demand information.
For example, if the first behavior demand information req_information_2 is in the 13th group of service session big data of the first service session service_2, and the 13th group of service session big data of the first service session service_2 does not contain risk intention big data completely containing the first behavior demand information req_information_2, the first behavior demand information req_information_2 may be up-sampled in the 13th group of service session big data, which is the first service session big data, according to the setting instruction, and the up-sampled data set may be determined as the first risk intention big data corresponding to the first behavior demand information req_information_2.
Step 2061, accessing the risk intention data set through the first risk intention big data, and obtaining at least one risk intention big data which has an association relation with the first risk intention big data.
In the embodiment of the present application, it may be understood that a first risk intention significance expression of the first risk intention big data may be determined, and at least one risk intention big data having an association relationship with the first risk intention big data may be determined from a plurality of risk intention big data included in the risk intention data set according to the first risk intention significance expression.
The embodiment of the application refers to the significance expression of the first risk intention big data as the first risk intention significance expression. It is to be understood that, when determining at least one risk intention big data having an association relationship with the first risk intention big data from among the plurality of risk intention big data included in the risk intention data set, a difference analysis result between the first risk intention significance expression and each of the plurality of second risk intention significance expressions corresponding to the plurality of risk intention big data may be determined, and at least one risk intention big data corresponding to the second risk intention significance expression whose difference analysis result with the first risk intention significance expression is the smallest, or does not exceed a second determination value, among the plurality of second risk intention significance expressions may be determined as the at least one risk intention big data having an association relationship with the first risk intention big data.
It will be appreciated that each risk intent big data of the plurality of risk intent big data may be assigned to one second risk intent significance expression, and the corresponding second risk intent significance expressions of different risk intent big data of the plurality of risk intent big data may be the same or different. It can be appreciated that at least two risk intent big data of the plurality of risk intent big data paired to the same risk intent visual record have the same second risk intent significance expression. For example, the second risk intention significance expression of the at least two risk intention big data may be a depolarizing significance expression of a risk intention visual record to which the at least two risk intention big data belong, but the embodiment of the present application is not limited thereto.
It is to be understood that at least one risk intention big data corresponding to the second risk intention significance expression with the smallest difference analysis result among the plurality of second risk intention significance expressions may be determined as the risk intention big data having an association relationship with the first risk intention big data, or at least one risk intention big data corresponding to at least one second risk intention significance expression whose difference analysis result does not exceed a second determination value may be determined as the risk intention big data having an association relationship with the first risk intention big data, wherein the second determination value may be set in advance according to different requirements, and the embodiment of the present application does not limit this.
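The lookup rule described for step 2041 (behavior requirement information) and repeated for step 2061 (risk intention big data) can be sketched as follows. This is an added example, not code from the patent: the vectors are constructed sample values, the function names are hypothetical, and the "depolarizing" expression of a visual record is assumed here to be the element-wise mean of its members' expressions.

```python
import math

def euclidean(a, b):
    """Difference analysis result between two significance expressions."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def check_range(vec):
    # The description normalizes every feature value into [-1, 1].
    if any(not -1.0 <= x <= 1.0 for x in vec):
        raise ValueError("feature value outside [-1, 1]: %r" % (vec,))

def build_index(expressions, record_of):
    """Map each item id to its *second* significance expression.

    Items paired with the same visual record share that record's expression
    (assumed: element-wise mean); unpaired items keep their own vector.
    """
    members = {}
    for item_id, vec in expressions.items():
        check_range(vec)
        rec = record_of.get(item_id)
        if rec is not None:
            members.setdefault(rec, []).append(vec)
    record_expr = {
        rec: tuple(sum(col) / len(vecs) for col in zip(*vecs))
        for rec, vecs in members.items()
    }
    return {
        item_id: record_expr.get(record_of.get(item_id), vec)
        for item_id, vec in expressions.items()
    }

def lookup(first_expression, index, judgment_value=None):
    """Return ids with the smallest distance, or all ids within judgment_value."""
    check_range(first_expression)
    scored = sorted((euclidean(first_expression, v), i) for i, v in index.items())
    if not scored:
        return []
    if judgment_value is None:
        best = scored[0][0]
        return [i for d, i in scored if d == best]
    return [i for d, i in scored if d <= judgment_value]

# Constructed sample data using the identifiers from the example above.
EXPRESSIONS = {
    "conversion_req_information1": (0.60, 0.20, -0.10),
    "conversion_req_information2": (-0.50, 0.80, 0.30),
    "conversion_req_information3": (0.70, 0.10, -0.20),
    "conversion_req_information4": (0.10, -0.90, 0.60),
    "conversion_req_information5": (0.50, 0.30, 0.00),
}
RECORD_OF = {
    "conversion_req_information1": "visual_record_1",
    "conversion_req_information3": "visual_record_1",
    "conversion_req_information5": "visual_record_1",
}
QUERY = (0.62, 0.18, -0.08)  # constructed first significance expression

if __name__ == "__main__":
    idx = build_index(EXPRESSIONS, RECORD_OF)
    print("minimum rule:  ", lookup(QUERY, idx))
    print("threshold rule:", lookup(QUERY, idx, judgment_value=1.35))
```

Because members of one visual record share a single expression, a match on the record returns all of its members at once, which is why the minimum rule can yield more than one item.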
Viewed from some exemplary perspectives, at least one risk intent big data associated with a first risk intent big data may be determined as a target risk intent big data associated with a business interaction big data of a user behavior event to be analyzed.
In some other possible examples, step 206 may further include: and filtering at least one risk intention big data having an association relation with the first risk intention big data to obtain at least one target risk intention big data having an association relation with the business interaction big data of the user behavior event to be analyzed.
In some other possible examples, in the embodiment of the present application, at least one target risk intention big data associated with the business interaction big data of the user behavior event to be analyzed may be determined as the access result of the user behavior event to be analyzed. Or at least one target risk intention big data having an association relationship with the business interaction big data of the user behavior event to be analyzed may be determined at first, and then the at least one target risk intention big data having an association relationship with the business interaction big data of the user behavior event to be analyzed is filtered to obtain an access result of the user behavior event to be analyzed, which is not limited in the embodiment of the present application.
Step 208, filtering at least one target risk intention big data which has an association relation with the business interaction big data of the user behavior event to be analyzed to obtain an access result of the user behavior event to be analyzed.
It is to be appreciated that step 208 can be implemented in at least one of two ways.
In the first mode, at least one target risk intention big data which has an association relation with the business interaction big data of the user behavior event to be analyzed is filtered according to at least one of the time sequence filtering index and the service session filtering index.
In an independently implementable embodiment, the filtering index may be adjusted according to the actual situation. For example, the at least one target risk intention big data having an association relation with the service interaction big data of the user behavior event to be analyzed is filtered according to a timing filtering index (e.g., from a certain time period of a certain day) and a service session filtering index (e.g., from which service end). In this embodiment of the present application, the filtering index includes, but is not limited to, a timing filtering index and a service session filtering index, and may further include a user behavior event filtering index, such as an event category, a number of event participants, and the like, which is not limited in this embodiment of the present application.
In the second mode, feature analysis (clustering) is performed on the at least one target risk intention big data according to the significance expression of the at least one target risk intention big data which has an association relation with the business interaction big data of the user behavior event to be analyzed, and filtering is performed according to the feature analysis result.
It can be understood that, according to the significance expression of each target risk intention big data in at least one target risk intention big data which has an incidence relation with the business interaction big data of the user behavior event to be analyzed, the at least one target risk intention big data is disassembled into at least one group of risk intention big data, and each group of risk intention big data can comprise at least one risk intention big data; determining a filtering and summarizing result of each group of risk intention big data according to the significance expression of at least one risk intention big data included in each group of risk intention big data in the at least one group of risk intention big data; and determining the risk intention big data included in one or more groups of risk intention big data in the at least one group of risk intention big data as an access result of the user behavior event to be analyzed according to the filtering and summarizing result of each group of risk intention big data in the at least one group of risk intention big data.
Viewed from some exemplary perspectives, the filtered summary results of a set of risk intent big data may include the depolarizing treatment results of the significance expression of at least one risk intent big data included in the set of risk intent big data, but the application embodiment is not limited thereto.
Viewed from some exemplary angles, at least one group of risk intention big data can be sorted according to the filtering and summarizing result of each group of risk intention big data, and one or more groups of risk intention big data sorted at the end points are removed to obtain the access result of the user behavior event to be analyzed.
In an independently implementable embodiment, a multi-mean clustering feature analysis algorithm may be adopted to perform feature analysis on the significance expressions of the at least one target risk intention big data having an association relation with the business interaction big data of the user behavior event to be analyzed, so as to obtain a plurality of groups of significance expressions. For the significance expressions in each group, filtering and summarizing results such as the number of corresponding visual records and the offset of the significance expressions are determined, and which groups are interference is determined according to these results (for example, the group with the largest offset is an interference group). For example, assume that the at least one target risk intention big data having an association relation with the business interaction big data of the user behavior event to be analyzed is specifically 200 risk intention visual records, each of which includes several risk intention big data. The 200 significance expressions of the 200 risk intention visual records may be subjected to multiple rounds of iterative multi-mean clustering feature analysis operations and divided into 20 groups, where the number of risk intention visual records included in each group may be the same or different. If the 20th group contains only 10 risk intention visual records and the deviation of its significance expressions is the largest, the 10 risk intention visual records in the 20th group may be determined to be interference; the risk intention big data included in these 10 risk intention visual records are removed from the results, and the remaining results are the access results.
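The second filtering mode of step 208 can be sketched as below. This is an added example, not code from the patent: it assumes that "multi-mean clustering" denotes k-means, that the "offset" of a group is the mean distance of its members from the group centroid, and it uses ten constructed two-dimensional expressions in place of the 200 records of the example; all names are hypothetical.

```python
import math

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def centroid(vectors):
    n = len(vectors)
    return tuple(sum(v[i] for v in vectors) / n for i in range(len(vectors[0])))

def cluster(vectors, k, rounds=50):
    """k-means with deterministic farthest-point seeding; returns index groups."""
    if not 1 <= k <= len(vectors):
        raise ValueError("k must be between 1 and the number of expressions")
    centers = [vectors[0]]
    while len(centers) < k:
        # Next seed: the point farthest from every seed chosen so far.
        centers.append(max(vectors, key=lambda v: min(dist(v, c) for c in centers)))
    groups = []
    for _ in range(rounds):  # "multiple rounds of iterative" refinement
        groups = [[] for _ in range(k)]
        for idx, v in enumerate(vectors):
            nearest = min(range(k), key=lambda j: dist(v, centers[j]))
            groups[nearest].append(idx)
        updated = [centroid([vectors[i] for i in g]) if g else centers[j]
                   for j, g in enumerate(groups)]
        if updated == centers:
            break
        centers = updated
    return groups

def summarize(record_ids, expressions):
    """Filtering and summarizing result of one group: record count and offset."""
    vecs = [expressions[r] for r in record_ids]
    c = centroid(vecs)
    offset = sum(dist(v, c) for v in vecs) / len(vecs)
    return {"records": sorted(record_ids), "count": len(vecs), "offset": offset}

def filter_interference(expressions, k, drop=1):
    """Sort groups by offset and remove the `drop` groups at the end."""
    ids = sorted(expressions)
    groups = cluster([expressions[i] for i in ids], k)
    summaries = [summarize([ids[i] for i in g], expressions) for g in groups if g]
    summaries.sort(key=lambda s: s["offset"])
    cut = max(len(summaries) - drop, 0)
    kept = sorted(r for s in summaries[:cut] for r in s["records"])
    return kept, summaries[cut:]

# Constructed sample: two tight groups plus three scattered records.
SAMPLE = {
    "rec_01": (0.80, 0.80), "rec_02": (0.82, 0.78),
    "rec_03": (0.78, 0.82), "rec_04": (0.80, 0.84),
    "rec_05": (-0.80, 0.80), "rec_06": (-0.82, 0.78), "rec_07": (-0.78, 0.82),
    "rec_08": (-0.30, -0.90), "rec_09": (0.40, -0.40), "rec_10": (0.05, -0.95),
}

if __name__ == "__main__":
    kept, removed = filter_interference(SAMPLE, k=3)
    print("access result:", kept)
    for group in removed:
        print("interference:", group["records"], "offset=%.3f" % group["offset"])
```

Dropping by offset alone also discards a legitimate but diverse group, so the record count from the summary is worth checking before removal, as the patent's own example does with its 10-record group.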
Based on the above description of the embodiment of the present application, the big data protection method based on user behavior according to the embodiment of the present application performs service session optimization operations (mainly including behavior requirement/risk intention mining processing and behavior requirement/risk intention persistence analysis processing) on a large number of service sessions (such as payment service sessions) in advance, and generates a behavior requirement information set and a risk intention data set. When business interaction big data of a user behavior event to be analyzed, which contains behavior requirements, are accessed, on one hand, behavior requirement analysis is carried out according to a behavior requirement information set to obtain first behavior requirement information, on the other hand, risk intention analysis is carried out on the first behavior requirement information according to a risk intention data set to obtain a plurality of risk intention big data, then, the plurality of risk intention big data are filtered, and finally, an access result of the user behavior event to be analyzed is obtained (the access result can be understood as an access result and a positioning result aiming at big data protection).
According to the method and the device for analyzing the user behavior event, based on a comprehensive analysis mode of combining behavior demand analysis and risk intention analysis, on one hand, first behavior demand information which is in an incidence relation with business interaction big data of the user behavior event to be analyzed is obtained according to behavior demand information set access, and on the other hand, at least one target risk intention big data which is in an incidence relation with the business interaction big data of the user behavior event to be analyzed is collected according to a risk intention data set and the first behavior demand information. The embodiment of the application has the advantages of strong time sequence continuity and high accuracy of behavior demand analysis and high detection sensitivity of risk intention analysis, improves accuracy and reliability of risk intention mining and analysis for behavior events of a user to be analyzed, and can realize hierarchy of risk intention mining and analysis to guarantee integrity of large risk intention data by considering behavior demand and risk intention.
In the embodiment of the application, the corresponding target data security policy may be matched from the preset data security policy library through the big data protection analysis result and enabled, so as to implement protection processing on the relevant data information, such as authority verification processing of data information access, interception processing of a specified access object, anonymization processing of relevant important information, and the like, which is not limited herein. It can be understood that, since the big data protection analysis result is obtained based on the target risk intention big data, the pertinence and reliability of the big data protection analysis result can be ensured.
In some embodiments, which can be implemented independently, the big data protection analysis is performed on the user behavior event to be analyzed according to the target risk intention big data, so as to obtain a big data protection analysis result, which may include the content described in the following steps.
Step 300, determining an event feature cluster to be subjected to protection analysis according to the target risk intention big data and the associated event of the user behavior event to be analyzed, wherein the event feature cluster to be subjected to protection analysis comprises a plurality of event features to be subjected to protection analysis.
In the embodiment of the application, the associated event may be an event associated with a time sequence or a scene of a user behavior event to be analyzed, and the event characteristic may be a continuous characteristic track.
Step 302, in the process of threat analysis processing according to the event feature cluster to be subjected to protection analysis, on the premise that a hot keyword exists in a first event feature to be subjected to protection analysis, performing event feature adjustment again on the first event feature to be subjected to protection analysis to obtain at least one second event feature to be subjected to protection analysis, wherein the first event feature to be subjected to protection analysis comprises the event feature to be subjected to protection analysis located in the identification interval of the big data protection server.
In the embodiment of the application, the heat keyword may represent that the related feature information is in a use state, and in this case, threat analysis/protection analysis of such feature information needs to be skipped, so as to ensure normal use of the feature information. Further, the identification section of the big data protection server can be understood as an identification condition or a capture condition of the big data protection server.
Step 304, optimizing the event feature cluster to be subjected to protection analysis according to the second event feature to be subjected to protection analysis to obtain an optimized event feature cluster to be subjected to protection analysis; and carrying out threat analysis processing according to the optimized event feature cluster to be subjected to protection analysis to obtain a big data protection analysis result.
It can be understood that accurate and reliable big data protection analysis can be realized on the premise of guaranteeing normal use of the characteristic information by updating the event characteristic cluster to be subjected to protection analysis and carrying out threat analysis processing. It can be understood that the feature information corresponding to the hot keywords is usually subjected to protection analysis in advance, and thus, the resource overhead of the big data protection analysis can be saved to a certain extent by the above manner.
In some embodiments that can be implemented independently, any event feature to be subjected to protection analysis includes a first feature member and a second feature member, and on the premise that a hot keyword exists in the first event feature to be subjected to protection analysis, performing event feature adjustment again on the first event feature to be subjected to protection analysis to obtain at least one second event feature to be subjected to protection analysis includes: and on the premise of identifying that the heat keywords exist in the first event features to be subjected to protection analysis, performing event feature adjustment on the first event features to be subjected to protection analysis again according to the first feature members and the second feature members of the first event features to be subjected to protection analysis and the distribution condition of the heat keywords to obtain at least one second event feature to be subjected to protection analysis.
In the embodiment of the application, the feature member may be a feature node or a feature map unit in the event feature, and by adopting the design, the event feature is disassembled, processed and analyzed, so that the second event feature to be subjected to protection analysis can be accurately and reliably adjusted.
Based on the same inventive concept, there is also provided a data attack analysis device 20 applied to a cloud service, which is applied to a data attack analysis server 10, and the device includes: the interaction event identification module 21 is configured to perform key event identification on the cloud service log triggering the data attack analysis condition to obtain at least one first sensitive interaction event corresponding to the cloud service log triggering the data attack analysis condition; the service session determining module 22 is configured to determine, based on the at least one first sensitive interaction event, a first target service session set in the cloud service log that triggers the data attack analysis condition, and determine a first multimodal interaction event corresponding to the first target service session set; and the attack intention positioning module 23 is configured to obtain a first target data attack intention corresponding to the first target service session set by enabling attack intention positioning processing based on the first multi-modal interaction event.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A data attack analysis method applied to cloud services is characterized by being applied to a data attack analysis server, and the method at least comprises the following steps:
performing key event identification on the cloud service log triggering the data attack analysis condition to obtain at least one first sensitive interaction event corresponding to the cloud service log triggering the data attack analysis condition;
determining a first target service session set in the cloud service log which triggers the data attack analysis condition based on the at least one first sensitive interaction event, and determining a first multi-modal interaction event corresponding to the first target service session set;
and obtaining a first target data attack intention corresponding to the first target service session set by starting attack intention positioning processing based on the first multi-modal interaction event.
2. The method of claim 1, wherein the first sensitive interaction event comprises a first sensitive interaction event description; the determining a first set of target service sessions in the cloud service log that triggers the data attack analysis condition based on the at least one first sensitive interaction event comprises:
performing first differential processing on service session messages in the cloud service log of the trigger data attack analysis condition by using at least one first sensitive interactive event description to obtain a first original service session set in the cloud service log of the trigger data attack analysis condition;
based on the at least one first sensitive interaction event description, performing second differential processing on service session messages in the cloud service log triggering the data attack analysis condition to obtain a first hot spot session set in the cloud service log triggering the data attack analysis condition, wherein the first hot spot session set corresponds to a hot spot session time period of the first original service session set;
determining the first set of target service sessions based on the first set of original service sessions and the first set of hotspot sessions.
3. The method of claim 1 or 2, wherein the first sensitive interaction event comprises a first sensitive interaction event description, and the first multi-modal interaction event comprises a first multi-modal interaction event expression; the determining a first multi-modal interaction event corresponding to the first set of target service sessions based on the at least one first sensitive interaction event comprises:
determining a multi-modal interaction event expression corresponding to each service session message in the cloud service log triggering the data attack analysis condition by using the at least one first sensitive interaction event description;
and determining the first multi-modal interaction event expression based on the multi-modal interaction event expression corresponding to each service session message and the distribution of the first target service session set.
4. The method of claim 3, wherein said obtaining a first target data attack intention corresponding to the first set of target service sessions by enabling attack intention positioning processing based on the first multi-modal interaction event comprises:
enabling attack intention positioning processing according to the first multi-modal interaction event expression to obtain a plurality of data attack intentions corresponding to the first target service session set;
and enabling iterative optimization processing according to the plurality of data attack intentions to obtain the first target data attack intention.
5. The method of claim 1, wherein the data attack analysis method applied to the cloud service is implemented by an intent analysis learning model; the training examples for the intent analysis learning model include: an example cloud service log, a reference service session set in the example cloud service log, and a reference multi-modal interaction event corresponding to the reference service session set;
the method further comprises the following steps:
performing key event identification on the example cloud service log through an original learning model to obtain at least one second sensitive interaction event corresponding to the example cloud service log;
based on the at least one second sensitive interaction event, determining a second set of target service sessions in the example cloud service log, and determining a second multi-modal interaction event corresponding to the second set of target service sessions;
based on the second multi-modal interaction event, obtaining a second target data attack intention corresponding to the second target service session set by enabling attack intention positioning processing;
determining a first intent resolution rating based on the second set of target service sessions and the set of reference service sessions, and determining a second intent resolution rating based on the second target data attack intention and the reference multi-modal interaction event;
improving model variables of the original learning model based on the first intent resolution rating and the second intent resolution rating to obtain the trained intent analysis learning model;
wherein the training examples further include a plurality of reference service topics corresponding to the reference service session set;
the method further comprises the following steps:
based on the multiple reference service topics, performing service topic screening processing on the reference service session set to obtain multiple screened service topics, wherein keywords among the associated screened service topics are consistent;
enabling event analysis processing on the plurality of screened service topics to obtain the reference multi-modal interaction event;
wherein the reference multi-modal interaction event comprises a reference multi-modal interaction event expression; the obtaining the reference multi-modal interaction event by enabling event analysis processing on the plurality of screened service topics comprises:
obtaining a service topic set corresponding to the plurality of screened service topics by determining the precedence relationship between the original screened service topic among the plurality of screened service topics and each screened service topic;
and enabling event analysis processing according to the service topic set to obtain the reference multi-modal interaction event expression.
6. The method of claim 5, wherein said determining a second intent resolution rating based on said second target data attack intention and said reference multi-modal interaction event comprises:
enabling attack intention positioning processing according to the reference multi-modal interaction event expression to obtain a third target data attack intention corresponding to the reference service session set;
determining the second intent resolution rating based on a comparison between the second target data attack intention and the third target data attack intention.
7. The method of claim 6, wherein the second sensitive interaction event comprises a second sensitive interaction event description; the determining a second set of target service sessions in the example cloud service log based on the at least one second sensitive interaction event comprises:
performing third differential processing on the service session messages in the example cloud service log by using the at least one second sensitive interaction event description to obtain a second original service session set in the example cloud service log;
performing fourth differential processing on the service session messages in the example cloud service log based on the at least one second sensitive interaction event description to obtain a second hotspot session set in the example cloud service log, wherein the second hotspot session set corresponds to a hotspot session period of the second original service session set;
determining the second set of target service sessions based on the second set of original service sessions and the second set of hotspot sessions.
8. The method of claim 7, wherein the determining a first intent resolution rating based on the second set of target service sessions and the set of reference service sessions comprises:
determining a reference hotspot session set based on the reference service session set and a setting adjustment instruction, wherein the reference hotspot session set corresponds to a hotspot session period of the reference service session set;
determining a third intent resolution rating based on a comparison between the second set of target service sessions and the set of reference service sessions;
determining a fourth intent resolution rating based on a comparison between the second set of hotspot sessions and the set of reference hotspot sessions;
determining the first intent resolution rating based on the third intent resolution rating and the fourth intent resolution rating.
9. A data attack analysis server, characterized by comprising a processor, a communication bus and a memory; the processor and the memory communicate via the communication bus, and the processor reads a computer program from the memory and runs it to perform the method of any one of claims 1-8.
10. A computer storage medium, characterized in that it stores a computer program which, when executed, implements the method of any one of claims 1-8.
CN202111217358.6A 2021-10-19 2021-10-19 Data attack analysis method applied to cloud service and server Withdrawn CN113949577A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111217358.6A CN113949577A (en) 2021-10-19 2021-10-19 Data attack analysis method applied to cloud service and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111217358.6A CN113949577A (en) 2021-10-19 2021-10-19 Data attack analysis method applied to cloud service and server

Publications (1)

Publication Number Publication Date
CN113949577A true CN113949577A (en) 2022-01-18

Family

ID=79331400

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111217358.6A Withdrawn CN113949577A (en) 2021-10-19 2021-10-19 Data attack analysis method applied to cloud service and server

Country Status (1)

Country Link
CN (1) CN113949577A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114546975A (en) * 2022-03-07 2022-05-27 潍坊凯智计算机科技有限公司 Business risk processing method and server combining artificial intelligence
CN114567495A (en) * 2022-03-04 2022-05-31 鹰潭市吉海智能科技有限公司 Network attack analysis method applied to cloud computing and server
CN114785579A (en) * 2022-04-14 2022-07-22 七台河达不琉网络科技有限公司 Network attack analysis method and server applied to cloud side computing
CN114896401A (en) * 2022-05-23 2022-08-12 江西省易云数据科技有限公司 AI-combined cloud computing service threat analysis method and server
CN115426193A (en) * 2022-09-14 2022-12-02 曹文升 A cyber attack analysis method and server based on business intelligence
CN115442149A (en) * 2022-09-14 2022-12-06 曹小芳 Data intrusion analysis method based on deep learning and server
CN115801306A (en) * 2022-03-07 2023-03-14 王俊文 Data processing method and server applied to artificial intelligence
CN117556221A (en) * 2024-01-09 2024-02-13 四川大学 Data analysis method and system based on intelligent electrical control interactive conversation

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114567495A (en) * 2022-03-04 2022-05-31 鹰潭市吉海智能科技有限公司 Network attack analysis method applied to cloud computing and server
CN114546975A (en) * 2022-03-07 2022-05-27 潍坊凯智计算机科技有限公司 Business risk processing method and server combining artificial intelligence
CN115801306A (en) * 2022-03-07 2023-03-14 王俊文 Data processing method and server applied to artificial intelligence
CN114785579A (en) * 2022-04-14 2022-07-22 七台河达不琉网络科技有限公司 Network attack analysis method and server applied to cloud side computing
CN114896401A (en) * 2022-05-23 2022-08-12 江西省易云数据科技有限公司 AI-combined cloud computing service threat analysis method and server
CN115426193A (en) * 2022-09-14 2022-12-02 曹文升 A cyber attack analysis method and server based on business intelligence
CN115442149A (en) * 2022-09-14 2022-12-06 曹小芳 Data intrusion analysis method based on deep learning and server
CN117556221A (en) * 2024-01-09 2024-02-13 四川大学 Data analysis method and system based on intelligent electrical control interactive conversation
CN117556221B (en) * 2024-01-09 2024-03-26 四川大学 Data analysis method and system based on intelligent electrical control interactive session

Similar Documents

Publication Publication Date Title
CN113949577A (en) Data attack analysis method applied to cloud service and server
CN113706177B (en) Threat identification method based on big data security and data security server
CN113706149A (en) Big data wind control processing method and system for dealing with online payment data threat
CN108334758A (en) A kind of detection method, device and the equipment of user's ultra vires act
CN111259952A (en) Abnormal user identification method and device, computer equipment and storage medium
CN110708339B (en) Correlation analysis method based on WEB log
CN113904872A (en) A feature extraction method and system for fingerprinting attacks on anonymous service websites
CN110929525A (en) An online loan risk behavior analysis and detection method, device, equipment and storage medium
CN115987544A (en) Network security threat prediction method and system based on threat intelligence
CN112532614A (en) Safety monitoring method and system for power grid terminal
CN114124484A (en) Network attack identification method, system, device, terminal equipment and storage medium
CN113486983A (en) Big data office information analysis method and system for anti-fraud processing
Ullah et al. NIDS-VSB: Network intrusion detection system for VANET using spark-based big data optimization and transfer learning
KR102189127B1 (en) A unit and method for processing rule based action
CN116599743A (en) 4A abnormal detour detection method and device, electronic equipment and storage medium
Sumalatha et al. Data collection and audit logs of digital forensics in cloud
CN110990810B (en) User operation data processing method, device, equipment and storage medium
CN114866297A (en) Network data detection method, device, electronic device and storage medium
CN115563657B (en) Data information security processing method, system and cloud platform
CN114528550B (en) Information processing method and system applied to E-commerce big data threat identification
CN111475380A (en) Log analysis method and device
CN114896401B (en) Cloud computing business threat analysis method and server combined with AI
CN118350055B (en) Data traceability analysis system and method
CN116708708B (en) Method and system for constructing paperless conference based on distribution
CN113709092B (en) Data detection method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220118