CN113239065A - Big data based security interception rule updating method and artificial intelligence security system (Google Patents)

Info

Publication number: CN113239065A
Authority: CN (China)
Application number: CN202110708155.0A
Legal status: Withdrawn (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Prior art keywords: interception, security, target, rule, interception rule
Inventors: 尹晓兵, 古丽波, 莫正兵, 黄昌源
Current assignee: Shenzhen Hemeixin Precision Electronics Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Shenzhen Hemeixin Precision Electronics Co ltd
Application filed by Shenzhen Hemeixin Precision Electronics Co ltd; priority to CN202110708155.0A; published as CN113239065A

Classifications

    • G06F16/23 Updating (under G06F16/00 Information retrieval; database structures therefor; file system structures therefor, and G06F16/20 ... of structured data, e.g. relational data)
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity, and G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms)
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security (under G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities)


Abstract

The disclosed embodiments provide a big data based security interception rule updating method and an artificial intelligence security system. A security interception rule cluster of the information security operation framework of the intercepted application service is matched according to a service risk vulnerability; a plurality of target screening security interception rule clusters are then screened for the service risk vulnerability according to the security interception service interval of each security interception rule in the cluster; and vulnerability pre-repair is carried out according to the target screening security interception rule clusters.

Description

Big data based security interception rule updating method and artificial intelligence security system
Technical Field
The disclosure relates to the technical field of big data, and in particular to a big data based security interception rule updating method and an artificial intelligence security system.
Background
Internet risk control (风控) is usually based on big data and belongs to the data application layer. For internet service providers, the core value of risk control is information security risk identification. Security risks on the internet are increasing and growing more varied: a large number of malware samples can now be detected continuously, most of them are well targeted, steal confidential data covertly, and keep evolving.
Information security risk management is the process of discovering, understanding, assessing and mitigating risks and their underlying vulnerabilities, and of understanding their impact on information, on information systems and on the internet service providers that rely on information for their operations. To meet the goal of risk management as a component of network security preparedness, internet service providers must build strong information security risk identification programs. Once an information security risk has been identified, service risk vulnerabilities must be identified further and vulnerability pre-repair must be carried out in time, so as to ensure subsequent information security reliability. In the related art, however, matching with the intercepted application service (for example an application service provided by a third-party interception service provider, or an application service iteratively introduced by the internet service provider) is not considered during vulnerability pre-repair, so an optimal vulnerability repair effect is difficult to guarantee.
Disclosure of Invention
To overcome at least the above disadvantages of the prior art, an object of the present disclosure is to provide a big data based security interception rule updating method and an artificial intelligence security system.
In a first aspect, the present disclosure provides a big data based security interception rule updating method applied to an artificial intelligence security system that is communicatively connected to a plurality of internet service terminals. The method includes:
acquiring a service risk vulnerability of the intercepted application service of an internet service terminal, the vulnerability having been obtained from the target security interception event big data to be identified;
acquiring a security interception rule cluster in which the service risk vulnerability is matched with the information security operation framework of the intercepted application service, and performing rule screening on the security interception rule cluster according to the security interception service interval of each security interception rule in the cluster, to obtain a target screening security interception rule cluster;
and performing vulnerability pre-repair on the internet service terminal according to the target screening security interception rule cluster.
In a second aspect, an embodiment of the present disclosure further provides a big data based security interception rule updating system, which includes an artificial intelligence security system and a plurality of internet service terminals communicatively connected to the artificial intelligence security system;
the artificial intelligence security system is configured to:
acquire a service risk vulnerability of the intercepted application service of an internet service terminal, the vulnerability having been obtained from the target security interception event big data to be identified;
acquire a security interception rule cluster in which the service risk vulnerability is matched with the information security operation framework of the intercepted application service, and perform rule screening on the security interception rule cluster according to the security interception service interval of each security interception rule in the cluster, to obtain a target screening security interception rule cluster;
and perform vulnerability pre-repair on the internet service terminal according to the target screening security interception rule cluster.
Based on either of the above aspects, the method and system match a security interception rule cluster of the information security operation framework of the intercepted application service to the service risk vulnerability, then screen a plurality of target screening security interception rule clusters for that vulnerability according to the security interception service interval of each security interception rule in the cluster, and perform vulnerability pre-repair according to the target screening clusters. Both the characteristics of the security interception rules of the information security operation framework of the intercepted application service and the security interception service intervals of those rules are therefore taken into account, which improves the degree of matching with the intercepted application service during vulnerability pre-repair and thereby improves the vulnerability repair effect.
Drawings
To illustrate the technical solutions of the embodiments of the present disclosure more clearly, the drawings referred to in the embodiments are briefly described below. The following drawings illustrate only some embodiments of the present disclosure and should not be regarded as limiting its scope; those skilled in the art can derive other related drawings from them without inventive effort.
Fig. 1 is a schematic diagram of a specific service environment of a big data based security interception rule updating system according to an embodiment of the present disclosure;
Fig. 2 is a schematic flowchart of a big data based security interception rule updating method according to an embodiment of the present disclosure;
Fig. 3 is a schematic block diagram of the structural components of an artificial intelligence security system for implementing the big data based security interception rule updating method according to an embodiment of the present disclosure.
Detailed Description
The present disclosure is described in detail below with reference to the drawings, and the specific operation methods in the method embodiments can also be applied to the device embodiments or the system embodiments.
Fig. 1 is an interaction diagram of a big data based security interception rule updating system 10 according to an embodiment of the present disclosure. The system 10 may include an artificial intelligence security system 100 and an internet service terminal 200 communicatively connected to the artificial intelligence security system 100. The system 10 shown in Fig. 1 is only one possible example; in other embodiments it may include only some of the components shown in Fig. 1, or may also include other components.
In an embodiment, the artificial intelligence security system 100 and the internet service terminal 200 in the system 10 can cooperatively perform the big data based security interception rule updating method described in the following method embodiment; the steps performed by the artificial intelligence security system 100 and the internet service terminal 200 are described there in detail.
To solve the technical problem described in the background, Fig. 2 is a schematic flowchart of a big data based security interception rule updating method provided in an embodiment of the present disclosure. The method may be executed by the artificial intelligence security system 100 shown in Fig. 1 and is described in detail below.
Step S110: obtain the service risk vulnerability of the intercepted application service of the internet service terminal, based on the target security interception event big data to be identified.
Step S120: obtain the security interception rule cluster in which the service risk vulnerability is matched with the information security operation framework of the intercepted application service, and perform rule screening on the cluster according to the security interception service interval of each security interception rule in it, to obtain a target screening security interception rule cluster.
In this embodiment, the service risk vulnerability is the candidate vulnerability image for which a vulnerability pre-repair instruction needs to be determined and on which vulnerability pre-repair is to be performed. The security interception rule cluster is an information security interception rule cluster reflecting the port connectivity between a security interception rule source and the vulnerability characteristics of the service risk vulnerability. The artificial intelligence security system 100 can obtain the security interception rule cluster of the service risk vulnerability through a preset security interception rule source, or through an externally bound security interception rule source associated with the artificial intelligence security system 100.
In this embodiment, the information security operation framework of the intercepted application service may be preset by the application service and is not specifically limited here.
The security interception rule source may in particular be an abnormal advertisement interception rule source. The security interception rule cluster consists of the interception function tags of a plurality of security interception rules, where an interception function tag is the port connectivity value between the abnormal advertisement interception rule source and the service risk vulnerability. The cluster is obtained by acquiring vulnerability coverage information for the service risk vulnerability and representing the connectivity of different ports with different tags.
Step S130: perform vulnerability pre-repair on the internet service terminal according to the target screening security interception rule cluster.
Based on the above steps, this embodiment matches the service risk vulnerability with the security interception rule cluster of the information security operation framework of the intercepted application service, screens a plurality of target screening security interception rule clusters for the vulnerability according to the security interception service interval of each security interception rule in the cluster, and performs vulnerability pre-repair according to the target screening clusters. Both the characteristics of the security interception rules of the information security operation framework of the intercepted application service and their security interception service intervals are thus taken into account, so the degree of matching with the intercepted application service during vulnerability pre-repair is improved, and with it the vulnerability repair effect.
Building on the above, in an independently implementable embodiment, step S130 may be implemented by the following exemplary sub-steps.
Sub-step S131: perform port allocation according to the interception function tags of the security interception rules in the same target screening security interception rule cluster, to obtain the target port corresponding to each target screening security interception rule cluster. Port allocation here means fitting a target port according to the security interception dimension classification of each security interception rule in the same target screening cluster, such that the sum of the port connectivity degrees of those rules to the corresponding target port is minimal; the security interception dimension classification comprises the interception performance evaluation tag and the interception function tag of the security interception rule.
In other words, port allocation fits a port according to the known security interception dimension classification of each security interception rule such that the sum of the port connectivity of the fitted target port to all of those rules is minimal.
For example, the artificial intelligence security system 100 performs port allocation according to the interception function tags of the security interception rules in one target screening security interception rule cluster to obtain the target port for that cluster, and obtains the target port of every other target screening cluster in the same way.
Sub-step S132: determine the key security interception rules according to the port connectivity of each security interception rule in the security interception rule cluster to the corresponding target port, and determine the vulnerability pre-repair instruction corresponding to the service risk vulnerability according to the key security interception rules.
Sub-step S133: perform vulnerability pre-repair on the internet service terminal according to the vulnerability pre-repair instruction corresponding to the service risk vulnerability.
For example, the artificial intelligence security system 100 filters out the key security interception rules according to the port connectivity degree of each security interception rule in the cluster to its corresponding target port: when a rule's port connectivity to the corresponding target port is greater than a preset threshold, that rule may be determined to be a key security interception rule. The artificial intelligence security system 100 then determines the vulnerability pre-repair instruction for the service risk vulnerability according to the distribution of the interception performance evaluation tags of the key security interception rules.
In this embodiment, the security interception rule cluster of the service risk vulnerability is obtained; the cluster is screened according to the security interception service interval of each security interception rule in it to obtain the target screening security interception rule clusters; port allocation is performed according to the interception function tags of the security interception rules in the same target screening cluster to obtain the target port corresponding to each target screening cluster; and the key security interception rules are determined according to the port connectivity of each security interception rule in the cluster to its corresponding target port, from which the vulnerability pre-repair instruction corresponding to the service risk vulnerability is determined. The vulnerability pre-repair instruction can therefore be determined automatically from the security interception rule cluster of the service risk vulnerability, which improves pre-repair efficiency.
In an independently implementable embodiment, step S120 may be implemented by the following exemplary sub-steps, described in detail below.
Step S121: determine the key security interception rules based on the change history of the security interception service interval.
Step S122: perform port allocation on the key security interception rules to obtain at least one key allocation port.
Step S123: perform rule screening on the security interception rule cluster according to the key allocation port to obtain a target screening security interception rule cluster.
Port allocation here means allocating a key allocation port sequence according to the known interception positions of each key security interception rule, such that the sum of the port connectivity degrees of the allocated key allocation port sequence to the corresponding key security interception rules is minimal. A key security interception rule is an edge security interception rule of the target screening security interception rule cluster and can be determined according to the change history of the security interception service interval. The change history of the security interception service interval is the change floating value of the security interception service interval of a given security interception rule in the cluster across the active and passive interception dimensions, obtained by comparing the security interception service interval of the current rule with those of its associated security interception rules. Therefore, when the difference between the security interception service intervals of the two associated security interception rules of a rule is large, that is, when the change history of that rule's security interception service interval is large, the rule can be determined to be a key security interception rule.
For example, the artificial intelligence security system 100 can determine the key security interception rules in a security interception rule cluster based on the change history of the security interception service intervals, perform port allocation on the key security interception rules to obtain at least one key allocation port, and perform rule screening on the cluster according to the key allocation port to obtain a target screening security interception rule cluster. The artificial intelligence security system 100 may also first screen the cluster according to the key allocation port to obtain a plurality of initially screened security interception rule clusters, and then screen those to obtain the target screening security interception rule cluster.
In an independently implementable embodiment, before the artificial intelligence security system 100 performs port allocation, the key security interception rules may be aggregated according to the rule-related parameters of each key security interception rule to obtain key security interception rule sequences, and port allocation is then performed on the key security interception rules within the same sequence to obtain the key allocation port corresponding to each sequence. Specifically, the artificial intelligence security system 100 can place key security interception rules whose rule-related parameters lie within a preset threshold into the same key security interception rule sequence.
In this embodiment, the key security interception rules are determined based on the change history of the security interception service interval, port allocation on the key security interception rules yields at least one key allocation port, and the security interception rule cluster is screened according to the key allocation port to obtain the target screening security interception rule cluster. The target screening cluster can therefore be obtained automatically from the security interception rule cluster based on the change history of the security interception service interval, with high rule screening efficiency and improved vulnerability pre-repair efficiency.
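The rule-screening and port-allocation steps above (S121 to S123, and sub-steps S131 and S132 of step S130), worked through as an added example that is not part of the patent: the InterceptionRule model, the reading of "associated rules" as neighbours in cluster order, the screening criterion and all thresholds are assumptions of this example, since the text does not define them.

```python
# Added illustration of the screening and allocation steps described in the text
# (steps S121-S123 and sub-steps S131-S132). The rule model, the reading of
# "associated rules" as neighbours in cluster order, the screening criterion and
# every threshold below are assumptions made for this example; the patent does
# not define them.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class InterceptionRule:
    name: str
    service_interval: float          # security interception service interval
    connectivity: Dict[str, float]   # port -> port connectivity degree (interception function tag)
    performance_tag: str             # interception performance evaluation tag


def change_history(cluster: List[InterceptionRule]) -> Dict[str, float]:
    """Change floating value of each rule's service interval (step S121).

    Assumption: a rule's associated rules are its neighbours in cluster order and
    the floating value is its smallest deviation from any of them, so a rule is
    flagged only when it differs from every rule associated with it.
    """
    history: Dict[str, float] = {}
    for i, rule in enumerate(cluster):
        neighbours = cluster[max(0, i - 1):i] + cluster[i + 1:i + 2]
        deviations = [abs(rule.service_interval - n.service_interval) for n in neighbours]
        history[rule.name] = min(deviations) if deviations else 0.0
    return history


def key_rules_by_history(cluster: List[InterceptionRule], threshold: float) -> List[InterceptionRule]:
    """Step S121: rules whose change history exceeds the preset threshold are key rules."""
    history = change_history(cluster)
    return [r for r in cluster if history[r.name] > threshold]


def allocate_port(rules: List[InterceptionRule]) -> str:
    """Port allocation (steps S122 and S131): the port minimising the sum of the
    rules' connectivity degrees to it. A port missing from a rule is unreachable."""
    ports = sorted({p for r in rules for p in r.connectivity})
    return min(ports, key=lambda p: sum(r.connectivity.get(p, float("inf")) for r in rules))


def screen_cluster(cluster: List[InterceptionRule], key_ports: List[str],
                   max_connectivity: float) -> List[InterceptionRule]:
    """Step S123 (assumed criterion): keep the rules whose connectivity degree to at
    least one key allocation port is within max_connectivity."""
    return [r for r in cluster
            if any(r.connectivity.get(p, float("inf")) <= max_connectivity for p in key_ports)]


def key_rules_by_connectivity(cluster: List[InterceptionRule], target_port: str,
                              threshold: float) -> List[InterceptionRule]:
    """Sub-step S132: a rule is key when its connectivity to the target port exceeds the threshold."""
    return [r for r in cluster if r.connectivity.get(target_port, 0.0) > threshold]


def pre_repair_instruction(key_rules: List[InterceptionRule]) -> Optional[str]:
    """Sub-step S132 (assumed): the instruction follows the distribution of the key
    rules' performance tags; the majority tag is used here."""
    if not key_rules:
        return None
    return Counter(r.performance_tag for r in key_rules).most_common(1)[0][0]


def run_pipeline(cluster: List[InterceptionRule], history_threshold: float = 20.0,
                 screen_max: float = 0.5, key_threshold: float = 0.05) -> dict:
    """S121 -> S122 -> S123 -> S131 -> S132, returning names so the result is easy to inspect."""
    key = key_rules_by_history(cluster, history_threshold)
    if not key:
        return {"key_port": None, "target": [], "target_port": None, "instruction": None}
    key_port = allocate_port(key)
    target = screen_cluster(cluster, [key_port], screen_max)
    if not target:
        return {"key_port": key_port, "target": [], "target_port": None, "instruction": None}
    target_port = allocate_port(target)
    key_by_conn = key_rules_by_connectivity(target, target_port, key_threshold)
    return {
        "key_port": key_port,
        "target": [r.name for r in target],
        "target_port": target_port,
        "instruction": pre_repair_instruction(key_by_conn),
    }


# Constructed sample cluster: r3 is the outlier whose service interval differs
# sharply from both of its neighbours.
SAMPLE_CLUSTER = [
    InterceptionRule("r1", 10.0, {"p1": 0.2, "p2": 0.9, "p3": 0.6}, "block"),
    InterceptionRule("r2", 12.0, {"p1": 0.3, "p2": 0.8, "p3": 0.5}, "block"),
    InterceptionRule("r3", 40.0, {"p1": 0.7, "p2": 0.1, "p3": 0.4}, "alert"),
    InterceptionRule("r4", 11.0, {"p1": 0.25, "p2": 0.85, "p3": 0.55}, "block"),
    InterceptionRule("r5", 13.0, {"p1": 0.35, "p2": 0.3, "p3": 0.45}, "alert"),
]

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_CLUSTER))
```

With the sample cluster only r3 is flagged by change history, its minimum-sum port p2 screens the cluster down to r3 and r5, and the majority performance tag of the key rules yields the instruction "alert".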
In an independently implementable embodiment, step S123 may be implemented by the following exemplary sub-steps.
Step S1221: perform rule screening on the security interception rule cluster according to the key allocation port to obtain a plurality of initially screened security interception rule clusters.
Step S1222: obtain a plurality of sequentially associated initially screened security interception rule clusters having the same interception dimension, to obtain each target screening security interception rule cluster, where the interception function tag of each target screening cluster varies regularly with the distribution of the interception ports.
Step S1223: obtain, as a target screening security interception rule cluster, the initially screened security interception rule cluster whose interception dimension shows an increasing interception trend together with that of the target screening security interception rule cluster.
For example, the artificial intelligence security system 100 performs rule screening on the security interception rule cluster according to the key allocation ports and may obtain a plurality of initially screened security interception rule clusters. From these it obtains a plurality of sequentially associated initially screened clusters having the same interception dimension, each of which serves as one target screening security interception rule cluster, so that every target screening cluster is obtained. The interception function tags of each target screening cluster vary regularly with the distribution of the interception ports. The artificial intelligence security system 100 then takes, from the initially screened clusters, the one whose interception dimension shows an increasing interception trend together with that of the target screening cluster as a target screening security interception rule cluster. If no initially screened cluster shows such an increasing trend with the interception dimension of the target screening cluster, there is no target screening security interception rule cluster.
In this embodiment, the security interception rule cluster is screened according to the key allocation port to obtain a plurality of initially screened security interception rule clusters; a plurality of consecutive, sequentially associated initially screened clusters with the same interception dimension are obtained to form each target screening security interception rule cluster, whose interception function tag varies regularly with the distribution of the interception ports; and the initially screened cluster whose interception dimension shows an increasing trend together with the target screening cluster is obtained as the target screening cluster. The target screening security interception rule cluster can therefore be screened quickly from the initially screened clusters according to the interception port distribution and the interception function tags of each initially screened cluster.
In a separately implementable embodiment, step S131 may be implemented by the following exemplary substeps.
Step S1311, forming a key distribution port along the distribution direction of the interception ports of the target screening safety interception rule clusters to perform rule screening on each target screening safety interception rule cluster, and obtaining target screening sub-interception rule clusters corresponding to each target screening safety interception rule cluster.
For example, the artificial intelligence security system 100 may form a key distribution port along the distribution direction of the interception ports of the target screening security interception rule clusters to perform rule screening on each target screening security interception rule cluster, so as to obtain a target screening sub-interception rule cluster corresponding to each target screening security interception rule cluster. For example, if the target screening security interception rule clusters are sequentially arranged along the active interception dimension in an associated manner, a key distribution port may be formed along the active interception dimension to perform rule screening on each target screening security interception rule cluster. The artificial intelligence security system 100 may perform rule screening once to obtain two target screening sub-interception rule clusters corresponding to each target screening security interception rule cluster, and the artificial intelligence security system 100 may also perform rule screening n times to obtain n +1 target screening sub-interception rule clusters corresponding to each target screening security interception rule cluster.
Step S1312, determining the interception rule calling characteristics of each target screening safety interception rule cluster according to the interception rule calling data of the safety interception rules in the associated target screening safety interception rule cluster.
The interception rule calling data may be called statistical data, such as calling times, calling time, calling types, and the like, of the interception function tags of all the security interception rules in the target screening security interception rule cluster.
For example, the artificial intelligence security system 100 may determine the interception rule calling feature of each target screening security interception rule cluster according to the interception rule calling data of the security interception rules within the associated target screening security interception rule cluster.
Step S1313, determining validity of each target screening sub-interception rule cluster according to the interception rule calling data of the safety interception rules in each target screening sub-interception rule cluster, which have consistent interception rule calling characteristics in the same key safety interception rule cluster.
The validity is used for judging whether the target screening sub-interception rule cluster is valid, whether the target screening sub-interception rule cluster is a normal safe interception rule cluster or not, and whether the target screening sub-interception rule cluster can be used for port allocation or not. And when the interception rule calling data corresponding to the target screening sub-interception rule cluster meet the preset conditions, determining the target screening sub-interception rule cluster as an effective and normal target screening sub-interception rule cluster, wherein the target screening sub-interception rule cluster can be used for port allocation. And when the interception rule calling data corresponding to the target screening sub-interception rule cluster does not meet the preset condition, determining that the target screening sub-interception rule cluster is an invalid and key target screening sub-interception rule cluster, and filtering when ports are distributed.
For example, the artificial intelligence security system 100 forms key distribution ports along the distribution direction of the interception ports of the target screening security interception rule clusters to perform rule screening on each target screening security interception rule cluster, so as to obtain a corresponding key security interception rule cluster. For example, if a key distribution port is formed along the active interception dimension for one round of rule screening, two key security interception rule clusters associated along the passive interception dimension can be obtained. The artificial intelligence security system 100 may determine the validity of each target screening sub-interception rule cluster according to the interception rule calling data of the security interception rules in each target screening sub-interception rule cluster having the same interception rule calling characteristics in the same key security interception rule cluster. The artificial intelligence security system 100 may also improve accuracy by referring to the security interception rule cluster when determining the validity of each target screening sub-interception rule cluster.
Step S1314, performing port allocation, according to the validity, on the interception function tags of the security interception rules in the valid target screening sub-interception rule clusters within the same target screening security interception rule cluster, to obtain the target port corresponding to each target screening security interception rule cluster.
For example, after determining the validity of each target screening sub-interception rule cluster, the artificial intelligence security system 100 may perform port allocation according to the interception function tag of the security interception rule in the target screening sub-interception rule cluster valid in the same target screening security interception rule cluster, to obtain the target port corresponding to each target screening security interception rule cluster.
In this embodiment, key distribution ports are formed along the distribution direction of the interception ports of the target screening security interception rule clusters, and rule screening is performed on each target screening security interception rule cluster to obtain the target screening sub-interception rule clusters corresponding to each of them. The interception rule calling characteristics of each target screening security interception rule cluster are determined according to the interception rule calling data of the security interception rules in the associated target screening security interception rule cluster. The validity of each target screening sub-interception rule cluster is determined according to the interception rule calling data of the security interception rules in each target screening sub-interception rule cluster that has consistent interception rule calling characteristics within the same key security interception rule cluster. Port allocation is then performed, according to that validity, on the interception function tags of the security interception rules in the valid target screening sub-interception rule clusters within the same target screening security interception rule cluster, obtaining the target port corresponding to each target screening security interception rule cluster. Because the valid target screening sub-interception rule clusters are screened out according to the interception rule calling data of the security interception rules in each target screening sub-interception rule cluster with consistent interception rule calling characteristics in the same key security interception rule cluster, and port allocation is carried out according to those valid clusters only, more accurate target ports are obtained and the repair effect of the vulnerability pre-repair instruction is improved.
In a separately implementable embodiment, step S1313 may be implemented by the following exemplary implementation.
(1) Taking each target screening sub-interception rule cluster with consistent interception rule calling characteristics in the same key security interception rule cluster as an associated sub-security interception rule cluster, and classifying the associated sub-security interception rule clusters into the same associated sub-security interception rule cluster set, to obtain an associated sub-security interception rule cluster set corresponding to each interception rule calling characteristic in each key security interception rule cluster.
(2) Obtaining first reference rule calling data corresponding to each associated sub-security interception rule cluster set according to the interception rule calling data corresponding to each target screening sub-interception rule cluster in that set.
(3) When the data difference between the interception rule calling data of the security interception rule in a target screening sub-interception rule cluster and the corresponding first reference rule calling data is smaller than a first preset threshold, determining that target screening sub-interception rule cluster to be a valid target screening sub-interception rule cluster.
For example, the artificial intelligence security system 100 may use each target screening sub-interception rule cluster having the same interception rule calling feature in the same key security interception rule cluster as an associated sub-security interception rule cluster, and put the associated sub-security interception rule cluster into the same associated sub-security interception rule cluster set, so as to obtain an associated sub-security interception rule cluster set corresponding to each interception rule calling feature in each key security interception rule cluster. The artificial intelligence security system 100 may obtain first reference rule calling data corresponding to each association sub-security interception rule cluster set according to the interception rule calling data corresponding to each target screening sub-interception rule cluster in each association sub-security interception rule cluster set. When the data difference between the interception rule calling data of the security interception rule in the target screening sub-interception rule cluster and the corresponding first reference rule calling data is smaller than the first preset threshold, the artificial intelligence security system 100 may determine that the target screening sub-interception rule cluster is an effective target screening sub-interception rule cluster. Therefore, the artificial intelligence security system 100 can screen each effective target screening sub-interception rule cluster from all the target screening sub-interception rule clusters, and then perform port allocation according to each effective target screening sub-interception rule cluster. The first preset threshold value can be set according to actual requirements.
In this embodiment, each target screening sub-interception rule cluster having consistent interception rule calling characteristics within the same key security interception rule cluster is taken as an associated sub-security interception rule cluster and classified into the same associated sub-security interception rule cluster set, giving an associated sub-security interception rule cluster set for each interception rule calling characteristic within each key security interception rule cluster. First reference rule calling data corresponding to each associated sub-security interception rule cluster set is obtained from the interception rule calling data of each target screening sub-interception rule cluster in that set. When the data difference between the interception rule calling data of the security interception rule in a target screening sub-interception rule cluster and the corresponding first reference rule calling data is less than the first preset threshold, that target screening sub-interception rule cluster is determined to be a valid target screening sub-interception rule cluster.
In a separately implementable embodiment, and still with respect to step S1313, this may also be implemented by the following exemplary implementation.
(1) Performing rule screening on the target screening security interception rule cluster along the key distribution port interception dimension of the associated target screening security interception rule cluster to obtain a reference screening sub-interception rule cluster corresponding to the target screening security interception rule cluster; the reference screening sub-interception rule clusters correspond one-to-one with the target screening security interception rule clusters.
(2) Acquiring the data difference between the interception rule calling data of the security interception rule in the target screening sub-interception rule cluster and the interception rule calling data of the security interception rule in the corresponding reference screening sub-interception rule cluster as an evaluation difference, so as to obtain the evaluation difference corresponding to each target screening sub-interception rule cluster.
(3) Obtaining second reference rule calling data corresponding to each associated sub-security interception rule cluster set according to the evaluation difference corresponding to each target screening sub-interception rule cluster in that set.
(4) When the data difference between the evaluation difference corresponding to a target screening sub-interception rule cluster and the corresponding second reference rule calling data is smaller than a second preset threshold, determining that target screening sub-interception rule cluster to be a valid target screening sub-interception rule cluster.
For example, when a reference screening sub-interception rule cluster exists, the validity of the target screening sub-interception rule cluster may be determined with the assistance of that reference screening sub-interception rule cluster. The artificial intelligence security system 100 may perform rule screening on the target screening security interception rule cluster along the key distribution port interception dimension of the associated target screening security interception rule cluster, that is, perform rule screening on the target screening security interception rule cluster by expanding the key distribution port of the associated target screening security interception rule cluster, to obtain a reference screening sub-interception rule cluster corresponding to the target screening security interception rule cluster. Each reference screening sub-interception rule cluster corresponds to exactly one target screening security interception rule cluster. The artificial intelligence security system 100 may then obtain the data difference between the interception rule calling data of the security interception rule in the target screening sub-interception rule cluster and the interception rule calling data of the security interception rule in the corresponding reference screening sub-interception rule cluster as an evaluation difference, giving an evaluation difference for each target screening sub-interception rule cluster.
The artificial intelligence security system 100 may obtain second reference rule calling data corresponding to each association sub-security interception rule cluster set according to the evaluation difference corresponding to each target screening sub-interception rule cluster in each association sub-security interception rule cluster set, specifically, may calculate an average value of the evaluation differences corresponding to each target screening sub-interception rule cluster in each association sub-security interception rule cluster set, and use the average value calculated by each association sub-security interception rule cluster set as the second reference rule calling data corresponding to each association sub-security interception rule cluster set. When the data difference between the evaluation difference corresponding to the target screening sub-interception rule cluster and the corresponding second reference rule calling data is smaller than a second preset threshold, the artificial intelligence security system 100 may determine that the target screening sub-interception rule cluster is an effective target screening sub-interception rule cluster. Therefore, the artificial intelligence security system 100 can screen each effective target screening sub-interception rule cluster from all the target screening sub-interception rule clusters, and then perform port allocation according to each effective target screening sub-interception rule cluster. The second preset threshold value can be set according to actual requirements. For example, the second preset threshold is 10.
In this embodiment, the target screening security interception rule cluster is subjected to rule screening along the key distribution port interception dimension of the associated target screening security interception rule cluster to obtain a reference screening sub-interception rule cluster corresponding to the target screening security interception rule cluster, with reference screening sub-interception rule clusters and target screening security interception rule clusters in one-to-one correspondence. The data difference between the interception rule calling data of the security interception rule in the target screening sub-interception rule cluster and the interception rule calling data of the security interception rule in the corresponding reference screening sub-interception rule cluster is obtained as an evaluation difference, giving an evaluation difference for each target screening sub-interception rule cluster. Second reference rule calling data corresponding to each associated sub-security interception rule cluster set is obtained from the evaluation differences of the target screening sub-interception rule clusters in that set. When the data difference between the evaluation difference of a target screening sub-interception rule cluster and the corresponding second reference rule calling data is smaller than the second preset threshold, that target screening sub-interception rule cluster is determined to be a valid target screening sub-interception rule cluster. Because the validity of the target screening sub-interception rule cluster is determined with the assistance of the reference screening sub-interception rule cluster, the accuracy of the validity evaluation can be improved.
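The two validity tests of step S1313 (the first-reference test of the preceding implementation and the evaluation-difference test of this one) can be put side by side on the same constructed data. The following is an added example written for this page, not code from the patent or its assignee. It assumes that a sub-cluster's interception rule calling data is summarised as a numeric vector (call count, total call time in seconds), that "data difference" is the L1 distance between two such vectors, and that the first reference rule calling data of an associated set is the element-wise mean of its members (the page states a mean only for the second reference data; reusing it for the first is an assumption). The cluster ids, thresholds other than the page's 10, and all sample values are constructed.

```python
"""Validity screening of target screening sub-interception rule clusters (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Set, Tuple

Vector = Tuple[float, ...]


@dataclass(frozen=True)
class SubCluster:
    cluster_id: str
    key_cluster: str        # key security interception rule cluster it sits in
    calling_feature: str    # interception rule calling characteristic
    calling_data: Vector    # (call count, total call time) - assumed summary
    reference_data: Optional[Vector] = None  # calling data of its one-to-one
                                             # reference screening sub-interception rule cluster


def data_difference(a: Vector, b: Vector) -> float:
    """L1 distance, used here as the 'data difference' (assumption)."""
    return sum(abs(x - y) for x, y in zip(a, b))


def associated_sets(clusters: List[SubCluster]) -> Dict[Tuple[str, str], List[SubCluster]]:
    """Step (1): group sub-clusters that share a key cluster and a calling characteristic."""
    sets: Dict[Tuple[str, str], List[SubCluster]] = defaultdict(list)
    for c in clusters:
        sets[(c.key_cluster, c.calling_feature)].append(c)
    return sets


def valid_by_first_reference(clusters: List[SubCluster], threshold: float) -> Set[str]:
    """First implementation: compare each member with the set's mean calling data."""
    valid: Set[str] = set()
    for members in associated_sets(clusters).values():
        first_ref = tuple(mean(col) for col in zip(*(m.calling_data for m in members)))
        for m in members:
            if data_difference(m.calling_data, first_ref) < threshold:
                valid.add(m.cluster_id)
    return valid


def valid_by_second_reference(clusters: List[SubCluster], threshold: float) -> Set[str]:
    """Second implementation: evaluation difference against the reference sub-cluster,
    then compare it with the set's mean evaluation difference (second reference data)."""
    valid: Set[str] = set()
    for members in associated_sets(clusters).values():
        eval_diff = {m.cluster_id: data_difference(m.calling_data, m.reference_data)
                     for m in members if m.reference_data is not None}
        if not eval_diff:
            continue
        second_ref = mean(list(eval_diff.values()))
        for cid, d in eval_diff.items():
            if abs(d - second_ref) < threshold:
                valid.add(cid)
    return valid


# Constructed sample: five consistent sub-clusters plus one outlier (c6) in key
# cluster K1, and two sub-clusters in key cluster K2, all with calling feature F1.
SAMPLE = [
    SubCluster("c1", "K1", "F1", (100, 20), (98, 21)),
    SubCluster("c2", "K1", "F1", (104, 22), (102, 22)),
    SubCluster("c3", "K1", "F1", (96, 19), (97, 20)),
    SubCluster("c4", "K1", "F1", (101, 21), (100, 20)),
    SubCluster("c5", "K1", "F1", (99, 20), (98, 19)),
    SubCluster("c6", "K1", "F1", (160, 60), (130, 40)),   # outlier: far from its set and its reference
    SubCluster("d1", "K2", "F1", (10, 5), (9, 5)),
    SubCluster("d2", "K2", "F1", (12, 6), (12, 7)),
]

if __name__ == "__main__":
    print("first reference, threshold 30:", sorted(valid_by_first_reference(SAMPLE, 30)))
    print("second reference, threshold 10:", sorted(valid_by_second_reference(SAMPLE, 10)))
```

Both tests drop c6 and keep the rest. Note that a mean is pulled towards the outlier it is meant to expose (in K1 the mean evaluation difference is about 10.2 although five of six members sit at 2 or 3), so the thresholds have to leave room for that shift; a median would be a more robust choice for the reference data where the page leaves the aggregation open.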
In an embodiment that can be implemented independently, determining a key security interception rule according to a port connectivity from each security interception rule in a security interception rule cluster to a corresponding target port, and determining a vulnerability pre-repair instruction corresponding to a service risk vulnerability according to the key security interception rule includes: when the port connectivity from the security interception rule in the security interception rule cluster to the corresponding target port is greater than a third preset threshold value, determining the corresponding security interception rule as a key security interception rule; aggregating the key security interception rules according to the rule related parameters of each key security interception rule, and determining an associated security interception rule sequence according to an aggregation result; and determining a vulnerability pre-repairing instruction according to the interception performance evaluation label distribution of the security interception rules in the associated security interception rule sequence.
For example, the artificial intelligence security system 100 may screen out a key security interception rule from all security interception rules according to the port connectivity degree from each security interception rule in the security interception rule cluster to the corresponding target port, and specifically, may determine that the corresponding security interception rule is the key security interception rule when the port connectivity degree from the security interception rule in the security interception rule cluster to the corresponding target port is greater than a third preset threshold. After all the key security interception rules are screened out, the artificial intelligence security system 100 aggregates the key security interception rules according to the rule-related parameters of each key security interception rule, and determines an associated security interception rule sequence according to the aggregation result.
In this embodiment, when the port connectivity from the security interception rule in the security interception rule cluster to the corresponding target port is greater than a third preset threshold, determining that the corresponding security interception rule is a key security interception rule; aggregating the key security interception rules according to the rule related parameters of each key security interception rule, and determining an associated security interception rule sequence according to an aggregation result; and determining a vulnerability pre-repairing instruction according to the interception performance evaluation label distribution of the security interception rules in the associated security interception rule sequence. Therefore, the key security interception rule can be quickly determined according to the port connectivity from the security interception rule to the corresponding target port, and the bug pre-repairing instruction can be quickly determined according to the rule related parameters and the position distribution of the key security interception rule, so that the bug pre-repairing efficiency is improved.
In an embodiment that can be implemented independently, step S110 can be implemented by the following exemplary substeps, which are described in detail below.
Step S111, acquiring target security interception event big data to be identified, and mining interception features of the target security interception event big data to obtain target interception features, wherein the target interception features comprise target interception knowledge network features corresponding to the target security interception event big data.
The target security interception event big data is the security interception event big data to be analyzed; its specific service environment can be determined according to actual needs and may be, for example, a private service environment or a public service environment. A single target security interception event big data item may include a plurality of interception scheduling data, and the target security interception event big data may be split to obtain that plurality of interception scheduling data. Plural means at least two. The splitting mode may be a statistics-based interception scheduling data splitting mode and is not particularly limited.
In this embodiment, intercepting feature mining refers to converting security interception event big data into a vector for representation. The target interception feature is feature information obtained by mining interception features of the target security interception event big data. The target interception knowledge network feature is feature information of an interception knowledge network (a network graph composed of a plurality of interception knowledge entities) representing large data of a target security interception event. The target interception knowledge network characteristics are obtained by mining interception characteristics according to each interception scheduling data of the target security interception event big data, and the interception knowledge network information of each interception scheduling data in the security interception event big data is fused. The target interception features can also comprise an interception scheduling behavior feature cluster which comprises interception scheduling data features corresponding to each piece of interception scheduling data, and the interception scheduling data features refer to feature information obtained by mining the interception features of the interception scheduling data. And sequencing the characteristic information obtained by mining the interception characteristics of the interception scheduling data according to the sequence of the corresponding interception scheduling data in the target security interception event big data to form an interception scheduling behavior characteristic cluster.
For example, the artificial intelligence security system can obtain target security interception event big data to be identified, split the target security interception event big data into an interception scheduling data sequence with interception knowledge network rationality, and perform interception feature mining on the target security interception event big data according to an interception feature mining model to obtain target interception features, wherein the target interception features comprise an interception scheduling behavior feature cluster and a target interception knowledge network feature. The interception feature mining model may be based on BERT. When the given target security interception event big data comprises N pieces of interception scheduling data, the interception scheduling behavior feature cluster can be acquired by performing interception feature mining on each piece of interception scheduling data with the interception feature mining model T-Encoder to acquire the target interception features.
For example, the target security interception event big data may be split to obtain N pieces of interception scheduling data (Dispatch), where N is a positive integer, denoted Dispatch1, Dispatch2, …, DispatchN. A mark [FE] is added before Dispatch1, where [FE] represents classification; the next layer performs the operation E[FE], where E represents the transmission characteristic in the operation process of a certain interception path (for example, the transmission characteristic in the operation process of the interception path of [FE] is E[FE]); T represents the interception feature mining vector obtained by interception feature mining; the next network entity object performs the C extraction operation, where C is the interception knowledge network feature, that is, the interception knowledge network representation feature corresponding to [FE], namely the interception knowledge network interception feature mining vector. In other words, the artificial intelligence security system can input target security interception event big data comprising N pieces of interception scheduling data into the interception feature mining model, and the interception feature mining model outputs the interception knowledge network representation feature C of [FE] corresponding to the security interception event big data (called the target interception knowledge network feature) and the interception scheduling data feature T corresponding to each piece of interception scheduling data.
Step S112, acquiring a target interception operation object in the target security interception event big data, and determining a first linkage interception operation object corresponding to the target interception operation object.
For example, an interception operation object is an operation object with a specific interception meaning, and may include at least one of a threat interception operation object, a harassment interception operation object, and the like. The target interception operation object is an interception operation object in the target security interception event big data, and one target security interception event big data may include one or more target interception operation objects.
The first linkage interception operation object is an interception operation object that has an interception service path to the target interception operation object. The interception service path may be, for example, a direct docking path or an indirect docking path. The linkage interception operation objects corresponding to the target interception operation object can be obtained from an interception operation object network relationship map. The interception operation object network relationship map describes the interception operation objects and the interception service paths between them, so the linkage interception operation objects that have an interception service path to the target interception operation object can be read off the map. The first linkage interception operation object may include at least one of an interception operation object having a direct interception service path to the target interception operation object and an interception operation object having an indirect interception service path to it in the interception operation object network relationship map. A direct interception service path means that the target interception operation object and the first linkage interception operation object are connected by a docking relationship; an indirect interception service path means that the target interception operation object and the first linkage interception operation object are connected through one or more intermediate linkage interception operation objects.
For example, in the interception operation object network relationship map, if the target interception operation object is A, the direct docking relationship object of A is B, and the direct docking relationship object of B is C (that is, a docking relationship exists between A and B and another between B and C), then B is a first linkage interception operation object with a direct interception service path to A, and C is a first linkage interception operation object with an indirect interception service path to A. The linkage cost of the interception service paths between interception operation objects can be represented by linkage strength: an interception operation object with a direct interception service path to the target interception operation object is called a first-level linkage interception operation object of the target, and an interception operation object with a direct interception service path to a first-level linkage interception operation object is called a second-level linkage interception operation object of the target. The first linkage interception operation object may be a linkage interception operation object whose linkage strength with the target interception operation object is within a preset linkage strength; the preset linkage strength can be set as needed and may be, for example, 2.
For example, the artificial intelligence security system can perform interception operation object identification on the target security interception event big data to obtain the target interception operation object. The artificial intelligence security system can then take the linkage interception operation objects whose linkage strength with the target interception operation object is within the preset linkage strength in the interception operation object network relationship map as the first linkage interception operation objects.
It should be noted that the interception service path may be obtained by performing interception path statistics on data of historical interception services, and the interception path statistics is calculated in the prior art and is not described herein again.
Step S113, determining a target intercepted portrait label feature corresponding to the target interception operation object according to the interception path feature of the first linkage interception operation object and the corresponding interception path cost information, wherein the interception path cost information is obtained according to the interception operation correlation between the target interception knowledge network feature and the interception service path feature, and the interception service path feature is a feature representing an interception service path of an interception operation object.
For example, the interception path feature refers to a transfer feature in a running process for representing an interception path for intercepting an operation object.
In this embodiment, the intercepted path cost information is obtained according to the interception operation correlation between the target interception knowledge network feature and the interception service path feature, the intercepted path cost information and the interception operation correlation have a positive correlation, and the larger the interception operation correlation is, the larger the corresponding intercepted path cost information is. The interception operation correlation between the target interception knowledge network feature and the interception service path feature may be at least one of a direct interception operation correlation or an indirect interception operation correlation. The direct interception operation correlation degree refers to calculating the interception operation correlation degree, such as similarity, of the target interception knowledge network feature and the interception service path feature as the interception operation correlation degree between the target interception knowledge network feature and the interception service path feature. The indirect interception operation correlation degree refers to further processing the target interception knowledge network characteristics, further processing the interception service path characteristics, and obtaining the interception operation correlation degree between the target interception knowledge network characteristics and the interception service path characteristics based on the processed target interception knowledge network characteristics and the processed interception service path characteristics. For example, the target interception knowledge network characteristics and the interception service path characteristics may be input into a trained model, and the target interception knowledge network characteristics and the interception service path characteristics are processed according to the model operation weight parameters.
The interception service path feature may be feature information indicating the interception service path between the first linkage interception operation object and the target interception operation object, or an interception scheduling relationship feature indicating the interception scheduling relationship between first linkage interception operation objects. For example, the interception path cost information corresponding to a first linkage interception operation object may be obtained from the interception path cost information of the docking relationships on the shortest interception path from the first linkage interception operation object to the target interception operation object, for instance by fusing the interception path cost information of those docking relationships. Assuming A → B → C with target interception operation object A, the interception path cost information of the first linkage interception operation object C may be calculated as follows: the interception path cost information obtained from the interception operation correlation between the interception service path feature between B and C and the target interception knowledge network feature is fused with the interception path cost information obtained from the interception operation correlation between the interception service path feature between A and B and the target interception knowledge network feature, giving the interception path cost information corresponding to C.
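The linkage-strength lookup of step S112 (objects within a preset number of hops of the target in the relationship map) and the A → B → C cost fusion just described share one graph walk, so the following added example, written for this page and not code from the patent or its assignee, covers both. It assumes that the interception operation object network relationship map is an undirected graph whose edges are docking relationships and that linkage strength is the hop count of the shortest path; that features are dense vectors and the interception operation correlation is cosine similarity clipped to [0, 1] (the page says only "such as similarity"); and that the interception path cost of a docking relationship equals that correlation, with costs along the shortest path fused by multiplication so that a weakly related hop attenuates everything behind it. The object names, feature vectors and map are constructed.

```python
"""First linkage interception operation objects and interception path cost (added example)."""
import math
from collections import deque
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

Graph = Dict[str, List[str]]            # adjacency list of the relationship map
Feature = Sequence[float]


def correlation(u: Feature, v: Feature) -> float:
    """Interception operation correlation: cosine similarity clipped to [0, 1] (assumption)."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    if nu == 0.0 or nv == 0.0:
        return 0.0
    return max(0.0, dot / (nu * nv))


def first_linkage_objects(graph: Graph, target: str,
                          max_strength: int) -> Dict[str, Tuple[int, Optional[str]]]:
    """Breadth-first search from the target. Returns {object: (linkage strength,
    predecessor on the shortest path)} for every object within max_strength hops."""
    found: Dict[str, Tuple[int, Optional[str]]] = {target: (0, None)}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        hops = found[node][0]
        if hops >= max_strength:          # do not expand beyond the preset linkage strength
            continue
        for neighbour in graph.get(node, []):
            if neighbour not in found:    # first visit is the shortest path (unit edge length)
                found[neighbour] = (hops + 1, node)
                queue.append(neighbour)
    del found[target]                     # the target is not its own linkage object
    return found


def edge(u: str, v: str) -> FrozenSet[str]:
    """Key for an undirected docking relationship."""
    return frozenset((u, v))


def interception_path_costs(graph: Graph, edge_features: Dict[FrozenSet[str], Feature],
                            target_feature: Feature, target: str,
                            max_strength: int = 2) -> Dict[str, float]:
    """Fuse per-edge costs along each first linkage object's shortest path to the target.
    target_feature stands for the target interception knowledge network feature C."""
    linked = first_linkage_objects(graph, target, max_strength)
    costs: Dict[str, float] = {}
    for obj in linked:
        cost, node = 1.0, obj
        while node != target:             # walk predecessors back to the target
            pred = linked[node][1]
            cost *= correlation(target_feature, edge_features[edge(pred, node)])
            node = pred
        costs[obj] = cost
    return costs


# Constructed relationship map: A-B, B-C, A-D, C-E. E is three hops from A and
# therefore outside a preset linkage strength of 2.
GRAPH: Graph = {"A": ["B", "D"], "B": ["A", "C"], "C": ["B", "E"], "D": ["A"], "E": ["C"]}
TARGET_FEATURE: Feature = (1.0, 0.0, 0.0)
EDGE_FEATURES: Dict[FrozenSet[str], Feature] = {
    edge("A", "B"): (1.0, 0.0, 0.0),      # fully aligned with the target feature
    edge("B", "C"): (0.6, 0.8, 0.0),      # partially aligned
    edge("A", "D"): (0.0, 1.0, 0.0),      # unrelated
    edge("C", "E"): (1.0, 0.0, 0.0),
}

if __name__ == "__main__":
    costs = interception_path_costs(GRAPH, EDGE_FEATURES, TARGET_FEATURE, "A", 2)
    for obj, cost in sorted(costs.items(), key=lambda kv: kv[1], reverse=True):
        print(obj, round(cost, 3))
```

With target A the first linkage objects are B, C and D; B keeps the full cost of its single aligned edge, C is attenuated to the B-C correlation, and D, whose only edge is unrelated to the target feature, gets a cost of zero and would be ignored when focusing on the intercepted portrait distribution.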
The interception portrait tag feature is feature information derived from the distribution of the interception portrait and represents that distribution. The linkage interception operation objects corresponding to the target interception operation object, together with the interception service paths between the target interception operation object and those linkage objects, form the interception portrait distribution, which can be obtained from the network relationship map of interception operation objects. The feature information obtained from the interception path features and interception service path features of the linkage interception operation objects corresponding to the target interception operation object is therefore called the interception portrait tag feature.
For example, the artificial intelligence security system may input the interception path features of the first linkage interception operation objects, the interception service path features between the first linkage interception operation objects and the target interception operation object, and the interception service path features among the first linkage interception operation objects into the interception portrait decision model. The interception portrait decision model determines the interception path cost information of each first linkage interception operation object from the interception operation correlation between the target interception knowledge network feature and the interception service path feature. In other words, this correlation represents how strongly the relationship between two interception operation objects bears on the interception knowledge network of the target security interception event big data: a relationship that is more relevant to the interception knowledge network is a more useful part of the interception portrait distribution, and the linkage interception operation object on that relationship should receive more attention. The interception portrait decision model may be a graph neural network (GNN).
In an independently implementable embodiment, an interception operation object network composed of the first linkage interception operation objects and the target interception operation object is obtained. The interception path feature of each interception entity in that network and the interception service path features describing the interception service paths between the interception operation objects are input into a graph neural network model, which determines the interception portrait tag feature of each interception entity as follows. For any interception entity, the interception path features of its associated interception entities and the interception service path features describing its relationships with those associated entities are processed with the model operation weight parameters to obtain a first interception portrait tag feature. When an entity has several associated interception entities, several first interception portrait tag features are obtained; the interception path cost information corresponding to each first interception portrait tag feature is then obtained, and a weighted calculation over the first interception portrait tag features and their interception path cost information yields the target interception portrait tag feature of the interception entity.
Step S114: perform feature fusion on the target interception feature and the target interception portrait tag feature of the target interception operation object to obtain a target fusion feature, and determine the security risk identification information of the target security interception event big data from the target fusion feature.
In the feature fusion process, the target interception portrait tag feature of the target interception operation object and the target interception feature may be input into a feature fusion structure for processing. The feature fusion structure may be, for example, a multilayer perceptron, a recurrent neural network or a convolutional neural network, but is not limited to these.
In an independently implementable embodiment, the target interception feature includes an interception scheduling behavior feature cluster, and performing feature fusion on the target interception feature and the target interception portrait tag feature of the target interception operation object to obtain the target fusion feature includes: performing interception portrait mapping processing on the interception scheduling data feature of the target interception scheduling data according to the target interception portrait tag feature of the target interception operation object, to obtain the interception portrait mapping feature of the target interception scheduling data; updating the interception scheduling data feature of the target interception scheduling data in the interception scheduling behavior feature cluster with that interception portrait mapping feature, to obtain an updated interception scheduling behavior feature cluster; and performing feature fusion on the updated interception scheduling behavior feature cluster and the target interception knowledge network feature with the feature fusion structure, to obtain a feature-fused interception scheduling behavior feature cluster and a feature-fused target interception knowledge network feature.
The target interception scheduling data is the interception scheduling data corresponding to the target interception operation object. An interception scheduling data feature is the interception feature mining vector of one item of interception scheduling data in the target security interception event big data. Because the target interception operation object is an interception operation object in the target security interception event big data, the interception scheduling data of that big data includes the interception scheduling data corresponding to the target interception operation object, so the interception scheduling data feature of the target interception scheduling data can be obtained.
Interception portrait mapping processing fuses the target interception portrait tag feature into the interception scheduling data feature; it may be feature fusion or a weighted sum, for example a vector-level fusion operation. The target interception portrait tag feature of the target interception operation object and the interception scheduling data feature of the target interception scheduling data may be fused directly to obtain the interception portrait mapping feature of the target interception scheduling data, or each may be processed further before fusion. For example, the feature fusion structure may include two feature fusion kernels: one processes the interception scheduling data feature taken from the interception scheduling behavior feature cluster, the other processes the target interception portrait tag feature, and the two processed features are then fused to obtain the interception portrait mapping feature.
For example, after obtaining the interception portrait mapping feature of the target interception scheduling data, the artificial intelligence security system replaces the interception scheduling data feature of the target interception scheduling data in the interception scheduling behavior feature cluster with that mapping feature, giving the updated interception scheduling behavior feature cluster. It then inputs the updated interception scheduling behavior feature cluster and the target interception knowledge network feature into the fusion layer of the feature fusion structure to obtain at least one of a feature-fused interception scheduling behavior feature cluster and a feature-fused target interception knowledge network feature.
The target fusion feature may be either the feature-fused interception scheduling behavior feature cluster or the feature-fused target interception knowledge network feature, depending on the task. The artificial intelligence security system inputs the target fusion feature into the trained prediction model, which processes it to obtain the security risk identification information.
In an independently implementable embodiment, for a security risk identification task the target fusion feature is the feature-fused target interception knowledge network feature, which is input into a security risk identification model to obtain the security risk identification information.
In an independently implementable embodiment, for interception operation object identification the target fusion feature is the feature-fused interception scheduling behavior feature cluster. The interception scheduling data features of the interception operation objects in that cluster are located by interception operation object identifier, and each interception operation object is identified from its interception scheduling data feature.
In the above embodiment, the target interception portrait tag feature fused into the target interception feature is obtained from the interception path features and interception path cost information of the first linkage interception operation objects corresponding to the target interception operation object in the target security interception event big data. Because the interception path cost information is obtained from the interception operation correlation between the target interception knowledge network feature and the interception service path feature, the influence of each linkage interception operation object's interception path feature on the interception portrait tag of the target interception operation object is determined with reference to the interception knowledge network of the target security interception event big data, and the interception path cost information is determined from that influence. The target interception portrait tag feature obtained from the interception path cost information and the interception path features therefore helps the model learn the interception knowledge network of the target security interception event big data, so the security risk identification information obtained from the target fusion feature is more accurate.
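The following is an added example written for this page; it is not code from the patent or its applicant. It realises step S114 as described above in pure Python: two fusion kernels map the target interception portrait tag feature into the interception scheduling data feature of the target item, only that item in the interception scheduling behavior feature cluster is replaced, the updated cluster and the target interception knowledge network feature pass through a one-layer fusion structure, and a logistic head turns the feature-fused knowledge network feature into a security risk score. The feature width DIM, the fixed-seed random weights (standing in for trained model operation weight parameters), the function names and the sample vectors are all assumptions for illustration.

```python
# Added example, not code from the patent: a minimal realisation of step S114.
# Shapes, weights and sample vectors are assumptions for illustration only.
import math
import random

DIM = 4  # assumed feature width of every vector in this example


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def matvec(w, x):
    return [dot(row, x) for row in w]


def relu(v):
    return [max(0.0, x) for x in v]


def rand_matrix(rng, rows, cols):
    # Fixed-seed random weights stand in for trained model operation weight parameters.
    return [[rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]


def portrait_mapping(token_feat, tag_feat, w_token, w_tag):
    """Interception portrait mapping with two fusion kernels: one kernel processes
    the interception scheduling data feature, the other the target interception
    portrait tag feature, and the two processed features are summed."""
    return [a + b for a, b in zip(matvec(w_token, token_feat), matvec(w_tag, tag_feat))]


def update_cluster(cluster, target_idx, mapped):
    """Replace only the target interception scheduling data feature in the cluster."""
    return [mapped if i == target_idx else list(v) for i, v in enumerate(cluster)]


def fuse(cluster, knowledge_feat, w_cluster, w_knowledge):
    """Fusion layer (a one-layer MLP here): each cluster item is fused with the
    knowledge network feature, and the knowledge network feature with the pooled cluster."""
    fused_cluster = [relu(matvec(w_cluster, v + knowledge_feat)) for v in cluster]
    pooled = [sum(col) / len(cluster) for col in zip(*cluster)]
    fused_knowledge = relu(matvec(w_knowledge, pooled + knowledge_feat))
    return fused_cluster, fused_knowledge


def risk_score(fused_knowledge, w_out):
    """Security risk identification head: a logistic score in (0, 1)."""
    return 1.0 / (1.0 + math.exp(-dot(w_out, fused_knowledge)))


def run_s114(cluster, knowledge_feat, tag_feat, target_idx, seed=0):
    rng = random.Random(seed)
    w_token = rand_matrix(rng, DIM, DIM)
    w_tag = rand_matrix(rng, DIM, DIM)
    w_cluster = rand_matrix(rng, DIM, 2 * DIM)
    w_knowledge = rand_matrix(rng, DIM, 2 * DIM)
    w_out = [rng.uniform(-0.5, 0.5) for _ in range(DIM)]
    mapped = portrait_mapping(cluster[target_idx], tag_feat, w_token, w_tag)
    updated = update_cluster(cluster, target_idx, mapped)
    fused_cluster, fused_knowledge = fuse(updated, knowledge_feat, w_cluster, w_knowledge)
    return updated, fused_cluster, risk_score(fused_knowledge, w_out)


# Constructed sample input (not real data): three interception scheduling data
# features, one knowledge network feature and one portrait tag feature; the
# target interception operation object is the item at index 1.
SAMPLE_CLUSTER = [[0.1, 0.2, 0.3, 0.4], [0.5, 0.1, 0.0, 0.2], [0.3, 0.3, 0.1, 0.0]]
SAMPLE_KNOWLEDGE = [0.2, 0.1, 0.4, 0.3]
SAMPLE_TAG = [0.6, 0.2, 0.1, 0.5]
TARGET_INDEX = 1

if __name__ == "__main__":
    updated, fused_cluster, score = run_s114(SAMPLE_CLUSTER, SAMPLE_KNOWLEDGE, SAMPLE_TAG, TARGET_INDEX)
    print("target item changed:", updated[TARGET_INDEX] != SAMPLE_CLUSTER[TARGET_INDEX])
    print("risk score:", round(score, 4))
```

The point worth checking in practice is the one `update_cluster` makes explicit: the portrait tag feature is written into the target object's item only, so the other items of the cluster reach the fusion layer unchanged, and the risk score is deterministic for a fixed seed.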
In an independently implementable embodiment, step S113, determining the target interception portrait tag feature of the target interception operation object from the interception path features of the first linkage interception operation objects and the corresponding interception path cost information, includes the following steps:
Step S1131: obtain an interception operation object network composed of the first linkage interception operation objects and the target interception operation object.
For example, the interception operation object network includes network entity objects and docking relationships. A network entity object is an interception operation object, and a docking relationship between two interception operation objects indicates that a direct interception service path exists between them.
The docking relationships in the interception operation object network may also carry an interception dimension, so that the relationship between two interception operation objects is represented by a triplet (h, r, t), where h is the starting interception operation object, r is the relationship and t is the ending interception operation object.
In an independently implementable embodiment, the linkage interception operation objects whose association linkage strength with the target interception operation object is at the preset association linkage strength can be obtained from the network relationship map of interception operation objects to form the interception operation object network.
Step S1132: for an interception entity in the interception operation object network, obtain the interception service path feature describing the interception service path between the interception entity and an associated interception entity.
An interception entity is an interception operation object in the interception operation object network; both the target interception operation object and the first linkage interception operation objects are interception entities. An associated interception entity is an interception operation object connected to the interception entity by a docking relationship.
Step S1133: obtain the interception operation correlation from the interception service path feature and the target interception knowledge network feature, and determine the interception path cost information of the associated interception entity from that correlation.
The interception operation correlation is the degree of feature similarity. It is positively correlated with the interception path cost information: the larger the interception operation correlation, the larger the interception path cost information.
For example, the artificial intelligence security system may use the interception operation correlation directly as the interception path cost information, or normalize the interception operation correlation to obtain the interception path cost information.
In an independently implementable embodiment, the interception portrait tag feature of an interception entity is output by an interception portrait decision model that includes at least one target decision structure, and the interception path cost information may be the same or different across decision structures. In this case, obtaining the interception operation correlation from the interception service path feature and the target interception knowledge network feature and determining the interception path cost information of the associated interception entity from it includes: processing the interception service path feature with a second decision structure parameter of the target decision structure to obtain a first decision description; processing the target interception knowledge network feature with a third decision structure parameter of the target decision structure to obtain a second decision description; calculating the interception operation correlation from the first decision description and the second decision description; and determining the interception path cost information of the associated interception entity from that correlation, the two being positively correlated.
The interception path cost mechanism thus comprises a first decision description (K1) and a second decision description (K2), where K1 corresponds to a descriptor, the first interception portrait tag feature; this is the arrangement of an attention mechanism, with K1 acting as the key, K2 as the query and the first interception portrait tag feature as the value. The interception path cost information of the associated interception entity is determined from the correlation of K1 and K2. The second decision structure parameter is the model operation weight parameter of the target decision structure used to process the interception service path feature, and the third decision structure parameter is the one used to process the target interception knowledge network feature. Because different decision structures have different second and third decision structure parameters, the interception path cost information also differs between them, so the target interception portrait tag feature effectively combines the interception path cost information obtained by several decision structures, which improves its accuracy. The interception operation correlation may be a feature similarity.
For example, the artificial intelligence security system inputs the interception service path feature and the target interception knowledge network feature into a target decision structure, computes the first decision description with the second decision structure parameter and the second decision description with the third decision structure parameter, calculates the similarity between the two descriptions, and normalizes that similarity to obtain the interception path cost information.
Step S1134: determine the target interception portrait tag feature of the interception entity from the interception path cost information of its associated interception entities and their interception path features.
An interception entity may have one or more associated interception entities. The artificial intelligence security system may compute a weighted sum of the interception path features of the associated interception entities, weighted by their interception path cost information, to obtain the interception portrait tag feature of the interception entity. Alternatively, it may first process the interception path feature of each associated interception entity with the model operation weight parameters of an interception portrait decision model that has met its convergence condition, obtaining a first interception portrait tag feature, and then weight the first interception portrait tag features by the interception path cost information of the corresponding associated interception entities to obtain the target interception portrait tag feature of the interception entity. The interception portrait decision model may include one or more hidden layers, and the weighting step may be performed in at least one of them.
In an independently implementable embodiment, the interception portrait tag feature of the interception entity is output by an interception portrait decision model that includes at least one target decision structure, and determining the target interception portrait tag feature of the interception entity from the interception path cost information and interception path features of the associated interception entities includes: inputting the interception path features and interception service path features of the associated interception entities into the target decision structure to obtain the first interception portrait tag feature of the interception entity; and determining the target interception portrait tag feature of the interception entity from its first interception portrait tag feature and the interception path cost information of the associated interception entities.
Here, "decision structure" is short for hidden layer. There may be one or more target decision structures. A decision structure holds model operation weight parameters obtained by model training, and the interception path feature is processed with those parameters.
For example, the artificial intelligence security system weights the first interception portrait tag feature of the interception entity by the interception path cost information of the associated interception entities to obtain the interception portrait tag feature of the interception entity. Because both the interception path features and the interception service path features of the associated interception entities are input into the decision structure, the interception portrait tag feature is determined from both, which makes it more accurate.
In an independently implementable embodiment, a target interception feature mining service is selected according to the direction of the interception service path between the interception entity and each associated interception entity; it is either a conditional mining service or an unconditional mining service. The interception path feature and the interception service path feature of the associated interception entity are mined with the selected service to obtain the interception portrait vector sequence of the interception entity, which is then processed with the decision structure parameters of the target decision structure to obtain the first interception portrait tag feature of the interception entity.
When the interception entity is the starting interception operation object and the associated interception entity is the ending interception operation object, the target interception feature mining service is the unconditional mining service; when the interception entity is the ending interception operation object and the associated interception entity is the starting interception operation object, it is the conditional mining service. When the interception path features and interception service path features are determined in the interception operation object network, a relationship between interception operation objects can be regarded as a translation from the starting interception operation object to the ending interception operation object: the ending object can be obtained from the starting object and the interception service path, so the interception path feature of the starting object plus the interception service path feature represents the ending object, and the interception path feature of the ending object minus the interception service path feature represents the starting object. The interception portrait vector sequence is therefore the feature information representing the interception entity that is obtained by applying the target interception feature mining service to the interception path feature and interception service path feature of the associated interception entity.
Processing the interception portrait vector sequence with the target decision structure therefore yields an accurate first interception portrait tag feature for the interception entity.
In an independently implementable embodiment, the artificial intelligence security system may also obtain the decision portrait vector sequence of the associated interception entity output by the decision structure preceding the target decision structure in the interception portrait decision model, and the target decision structure processes both the interception portrait vector sequence and that decision portrait vector sequence with the first decision structure parameter to obtain the first interception portrait tag feature of the interception entity.
Step S1135: extract the target interception portrait tag feature of the target interception operation object from the target interception portrait tag features of the interception entities in the interception operation object network.
Because the interception operation object network includes the target interception operation object, that is, the target interception operation object is one of the interception entities, its interception portrait tag feature can be extracted once the interception portrait tag features of all interception entities have been obtained.
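The following is an added example written for this page; it is not code from the patent or its applicant. It carries steps S1131 to S1135 through in pure Python for a single decision structure: the network is built from (h, r, t) triplets; for each entity the interception service path feature of every docking relationship is projected by the second decision structure parameter (K1) and the knowledge network feature by the third (K2); their cosine similarity is the interception operation correlation, normalized with a softmax over the entity's associated entities to give the interception path cost information; the associated entity's path feature and the relationship feature are combined by the translation rule (start + relation, or end minus relation) and processed by the first decision structure parameter into a first interception portrait tag feature; the weighted sum is the entity's target interception portrait tag feature, and the target object's feature is extracted at the end. It also fuses per-hop costs along a path A → B → C as in the earlier multi-hop example. The feature width DIM, the fixed-seed random matrices standing in for the trained decision structure parameters, the softmax normalization, the product used as the multi-hop fusion and the sample network are all assumptions; an entity with no associated entities keeps its own path feature.

```python
# Added example, not code from the patent: steps S1131 to S1135 as one graph-attention
# pass over a small interception operation object network, plus the multi-hop cost
# fusion for a path A -> B -> C. Weights, shapes and sample vectors are assumptions.
import math
import random

DIM = 4  # assumed feature width


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def matvec(w, x):
    return [dot(row, x) for row in w]


def relu(v):
    return [max(0.0, x) for x in v]


def cosine(a, b):
    na, nb = math.sqrt(dot(a, a)), math.sqrt(dot(b, b))
    return dot(a, b) / (na * nb) if na and nb else 0.0


def softmax(xs):
    m = max(xs)
    e = [math.exp(x - m) for x in xs]
    s = sum(e)
    return [x / s for x in e]


def make_weights(seed=0):
    """Fixed-seed random matrices stand in for the first, second and third
    decision structure parameters obtained by training."""
    rng = random.Random(seed)

    def mk():
        return [[rng.uniform(-0.5, 0.5) for _ in range(DIM)] for _ in range(DIM)]

    return mk(), mk(), mk()


def build_network(triples):
    """S1131: adjacency from (h, r, t) triplets. Each entity records its associated
    entity, the relationship and whether the entity itself is the start or the end."""
    adj = {}
    for h, r, t in triples:
        adj.setdefault(h, []).append((t, r, "start"))
        adj.setdefault(t, []).append((h, r, "end"))
    return adj


def mined_vector(assoc_feat, rel_feat, role):
    """Translation view of a triplet: start + relation stands for the end entity,
    end - relation for the start entity. An entity that is the start is therefore
    represented by (end - relation), the page's unconditional mining service; an
    entity that is the end by (start + relation), the conditional mining service."""
    if role == "start":
        return [a - r for a, r in zip(assoc_feat, rel_feat)]
    return [a + r for a, r in zip(assoc_feat, rel_feat)]


def edge_cost(rel_feat, knowledge_feat, w2, w3):
    """S1133: first decision description K1 = W2 * service path feature, second
    decision description K2 = W3 * knowledge network feature; the interception
    operation correlation is their cosine similarity."""
    return cosine(matvec(w2, rel_feat), matvec(w3, knowledge_feat))


def tag_feature(entity, adj, ent_feats, rel_feats, knowledge_feat, w1, w2, w3):
    """S1132 to S1134 for one entity in one decision structure (hidden layer).
    Returns the target interception portrait tag feature and the normalized costs."""
    neighbours = adj.get(entity, [])
    if not neighbours:  # isolated entity: nothing to aggregate, keep its own feature
        return list(ent_feats[entity]), []
    costs = softmax([edge_cost(rel_feats[r], knowledge_feat, w2, w3) for _, r, _ in neighbours])
    first = [relu(matvec(w1, mined_vector(ent_feats[n], rel_feats[r], role)))
             for n, r, role in neighbours]
    tag = [sum(c * f[i] for c, f in zip(costs, first)) for i in range(DIM)]
    return tag, costs


def target_tag_feature(target, triples, ent_feats, rel_feats, knowledge_feat, seed=0):
    """S1131 to S1135 end to end: tag features for every entity, then the target's (S1135)."""
    w1, w2, w3 = make_weights(seed)
    adj = build_network(triples)
    tags = {e: tag_feature(e, adj, ent_feats, rel_feats, knowledge_feat, w1, w2, w3)[0]
            for e in ent_feats}
    return tags[target], tags


def chain_cost(relations, rel_feats, knowledge_feat, w2, w3):
    """Multi-hop cost for a path such as A -> B -> C: the per-hop costs of the
    docking relationships on the path are fused by multiplication (an assumption)."""
    cost = 1.0
    for r in relations:
        cost *= edge_cost(rel_feats[r], knowledge_feat, w2, w3)
    return cost


# Constructed sample network (not real data): A -> B -> C plus an isolated entity D.
TRIPLES = [("A", "r1", "B"), ("B", "r2", "C")]
ENT_FEATS = {"A": [0.9, 0.1, 0.0, 0.2], "B": [0.3, 0.6, 0.1, 0.0],
             "C": [0.1, 0.2, 0.8, 0.4], "D": [0.5, 0.5, 0.5, 0.5]}
REL_FEATS = {"r1": [0.2, 0.1, 0.0, 0.3], "r2": [0.0, 0.4, 0.2, 0.1]}
KNOWLEDGE = [0.4, 0.3, 0.2, 0.1]

if __name__ == "__main__":
    tag, _ = target_tag_feature("A", TRIPLES, ENT_FEATS, REL_FEATS, KNOWLEDGE)
    print("tag feature of A:", [round(x, 4) for x in tag])
    _, w2, w3 = make_weights()
    print("cost of A -> B -> C:", round(chain_cost(["r1", "r2"], REL_FEATS, KNOWLEDGE, w2, w3), 4))
```

Two details matter when this is run on a real network relationship map: the costs of one entity sum to one because they are normalized per entity, not globally, and the direction of each triplet decides whether the associated entity's feature is translated by adding or subtracting the relationship feature, so reversing a docking relationship changes the first interception portrait tag feature even though the cost is unchanged.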
In an independently implementable embodiment, a model training method based on artificial intelligence includes the following steps:
Step S1101: obtain reference security interception event big data and the reference security risk identification information corresponding to it.
The reference security risk identification information is the reference labeling result of the reference security interception event big data.
Step S1102: input the reference security interception event big data into an interception feature mining model to obtain reference interception features, which include the reference interception knowledge network feature of the reference security interception event big data.
For example, the interception feature mining model may split the reference security interception event big data into reference interception scheduling data sequences and mine the reference interception scheduling data of each sequence, to obtain the reference interception scheduling data feature of each item of reference interception scheduling data and the reference interception knowledge network feature representing the interception knowledge network of the reference security interception event big data.
Step S1103: obtain the reference interception operation object corresponding to the reference security interception event big data and determine its second linkage interception operation objects.
A second linkage interception operation object is an interception operation object that has an interception service path with the reference interception operation object, for example one whose association linkage strength with the reference interception operation object is within the preset association linkage strength. The reference interception operation object and its second linkage interception operation objects are obtained in the manner of step S112, which is not repeated here.
Step S1104, inputting an interception path feature corresponding to the second linkage interception operation object into the interception sketch decision model, and determining a reference interception sketch tag feature corresponding to the reference interception operation object according to the interception path feature and corresponding interception path cost information, where the interception path cost information is obtained according to an interception operation correlation between the reference interception knowledge network feature and the interception service path feature, and the interception service path feature is a feature representing an interception service path of the interception operation object.
For example, an interception portrait decision model is used to derive an interception portrait tag feature. The way how to obtain the tag feature of the reference interception figure can refer to the way to obtain the tag feature of the target interception figure.
For example, the artificial intelligence security system may obtain a training network relationship map composed of a reference interception operation object and a second linkage interception operation object, and obtain, for an interception entity in the training network relationship map, an interception service path feature indicating an interception service path of the interception entity and an associated interception entity; obtaining interception operation correlation according to the interception service path characteristics and the reference interception knowledge network characteristics, and determining interception path cost information corresponding to the associated interception entity according to the interception operation correlation; determining reference interception portrait label characteristics corresponding to each interception operation object in a training network relation map according to interception path cost information corresponding to the associated interception entity and interception path characteristics of the associated interception entity; and extracting the reference interception portrait label characteristics corresponding to the reference interception operation object from the reference interception portrait label characteristics corresponding to each interception entity of the training network relation atlas.
For another example, the interception path features and the interception service path features of the associated interception entities may be input into a target decision structure for processing, so as to obtain first interception portrait label features corresponding to each interception entity in the training network relationship map, and determine reference interception portrait label features corresponding to the interception entities according to the first interception portrait label features corresponding to the interception entities and the interception path cost information corresponding to the associated interception entities. In the training phase, the model configuration weights of the target decision structure may be continuously optimized.
Step S1105, inputting the reference interception feature and the reference interception portrait label feature corresponding to the reference interception operation object into the feature fusion structure for feature fusion to obtain the reference fusion feature.
For example, the reference fusion feature is obtained in the same way as the target fusion feature, which is not described again here.
For example, the artificial intelligence security system can perform interception portrait mapping on the interception scheduling data feature corresponding to the reference interception scheduling data, according to the reference interception portrait tag feature of the reference interception operation object, to obtain the interception portrait mapping feature of the reference interception scheduling data; update the interception scheduling behavior feature cluster used in training according to that interception portrait mapping feature and the interception scheduling data feature of the reference interception scheduling data, to obtain an updated interception scheduling behavior feature cluster; and fuse the updated interception scheduling behavior feature cluster with the reference interception knowledge network feature through the feature fusion structure, to obtain the feature-fused interception scheduling behavior feature cluster and the feature-fused reference interception knowledge network feature.
Step S1106, processing the reference fusion feature with the training prediction model to obtain a reference training prediction result.
For example, the training prediction model is a model trained to handle security interception event big data, such as a translation model or a security risk identification model; it can be chosen according to the requirements of the task.
Step S1107, the model configuration weight of the training prediction model is adjusted according to the reference training prediction result and the reference security risk identification information, or the model configuration weights of the training prediction model and a target AI model are adjusted, wherein the target AI model comprises an interception feature mining model, an interception portrait decision model and a feature fusion structure.
For example, the reference training prediction result is the output of the model. The target AI model describes a prediction probability distribution over sequences of security interception event big data, that is, the likelihood that a particular sequence of a particular length exists. The initial target AI model may be trained on a large number of security interception event big data records and projects the words in the security interception event big data into an embedding space; it may be, for example, an initial model such as BERT. The mining model comprises the target AI model and the training prediction model; the training prediction model differs by processing task and may, for example, be a model for security risk identification. The target AI model comprises the interception feature mining model, the interception portrait decision model and the feature fusion structure. During model training, in the fine-tuning stage only the model configuration weights of the training prediction model may be adjusted, or the model configuration weights of the training prediction model and the target AI model may be adjusted at the same time. In the initial stage, the model configuration weights of the training prediction model and the target AI model are adjusted simultaneously.
In an embodiment that can be implemented independently, the artificial intelligence security system can obtain a training evaluation index from the data difference between the reference training prediction result and the reference security risk identification information: the larger the data difference, the larger the training evaluation index. The model configuration weights are then adjusted in the direction that reduces the training evaluation index until the model converges, giving the trained target AI model. Model convergence may mean that the training evaluation index falls below a preset evaluation index value.
In the initial stage, in order to map the interception portrait into the initial target AI model more effectively, interception operation objects in the security interception event big data can be randomly hidden. The mining model then learns to use the features of the visible interception operation objects to predict which interception operation object in the network relationship map of the hidden object is the hidden one, that is, to output, for each interception operation object in that network relationship map, the prediction probability that it is the hidden interception operation object. A cross-entropy evaluation index value is computed from these prediction probabilities with the cross-entropy function, and the model configuration weights are adjusted according to the cross-entropy evaluation index value.
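The masked-object pre-training objective and the convergence check of the two paragraphs above, as an added illustration that is not code from the patent. It assumes a CBOW-style model (the visible objects' input embeddings are averaged and scored against an output embedding per candidate with a softmax over the whole vocabulary), uses pure Python, and trains on two constructed interception event records whose objects form one network relationship map each; the object names, dimensions and thresholds are illustrative.

```python
"""Masked interception-object prediction with a cross-entropy objective (added example)."""
import math
import random

# Constructed sample data: each record is one security interception event written as the
# interception operation objects it contains; objects of a record form one relationship map.
RECORDS = [
    ["port_scan", "syn_flood", "blocked_ip"],
    ["login_fail", "brute_force", "account_lock", "password_spray"],
]


def build_vocab(records):
    """Assign every interception operation object a stable index (sorted for determinism)."""
    return {obj: i for i, obj in enumerate(sorted({o for r in records for o in r}))}


class MaskedObjectModel:
    """Tiny CBOW-style model: average the visible objects' input embeddings, score every
    candidate object with its output embedding, normalise with a softmax."""

    def __init__(self, vocab, dim=8, seed=0):
        rng = random.Random(seed)
        self.vocab, self.dim = vocab, dim
        self.inp = {o: [rng.uniform(-0.5, 0.5) for _ in range(dim)] for o in vocab}
        self.out = {o: [rng.uniform(-0.5, 0.5) for _ in range(dim)] for o in vocab}

    def context_vector(self, context):
        n = len(context)
        return [sum(self.inp[o][k] for o in context) / n for k in range(self.dim)]

    def probabilities(self, context):
        """P(hidden object = c | visible objects) for every object c in the vocabulary."""
        ctx = self.context_vector(context)
        scores = {c: sum(a * b for a, b in zip(ctx, self.out[c])) for c in self.vocab}
        m = max(scores.values())  # subtract the max before exp for numerical stability
        exps = {c: math.exp(s - m) for c, s in scores.items()}
        z = sum(exps.values())
        return {c: e / z for c, e in exps.items()}

    def step(self, context, hidden, lr):
        """One SGD step on the cross-entropy loss of a single hidden object; returns that loss."""
        ctx = self.context_vector(context)
        probs = self.probabilities(context)
        loss = -math.log(probs[hidden])
        # dL/dscore_c = p_c - [c == hidden]
        dscore = {c: p - (1.0 if c == hidden else 0.0) for c, p in probs.items()}
        # gradient w.r.t. the averaged context vector, taken before out[] is modified
        dctx = [sum(dscore[c] * self.out[c][k] for c in self.vocab) for k in range(self.dim)]
        for c in self.vocab:
            for k in range(self.dim):
                self.out[c][k] -= lr * dscore[c] * ctx[k]
        n = len(context)
        for o in context:
            for k in range(self.dim):
                self.inp[o][k] -= lr * dctx[k] / n
        return loss


def train(records, dim=8, lr=0.3, threshold=0.05, max_epochs=3000, seed=0):
    """Hide each object of each record in random order, predict it from the rest, and stop as
    soon as the mean cross-entropy (the training evaluation index) falls below `threshold`.
    Returns the model and the per-epoch loss history."""
    model = MaskedObjectModel(build_vocab(records), dim, seed)
    rng = random.Random(seed)
    history = []
    for _ in range(max_epochs):
        samples = [(rec, pos) for rec in records for pos in range(len(rec))]
        rng.shuffle(samples)  # random order of hiding within the epoch
        losses = []
        for rec, pos in samples:
            context = rec[:pos] + rec[pos + 1:]
            losses.append(model.step(context, rec[pos], lr))
        history.append(sum(losses) / len(losses))
        if history[-1] < threshold:  # convergence: evaluation index below the preset value
            break
    return model, history


def predict_hidden(model, context):
    """Most probable hidden object given the visible objects of a relationship map."""
    probs = model.probabilities(context)
    return max(probs, key=probs.get)


if __name__ == "__main__":
    model, history = train(RECORDS)
    print(f"epochs={len(history)} first={history[0]:.3f} last={history[-1]:.3f}")
    print(predict_hidden(model, ["syn_flood", "blocked_ip"]))
```

The loss starts near ln(7) for seven candidate objects and the loop stops the first time the epoch mean drops under the preset value, which is the convergence rule of the paragraph above; in a real system the same objective would be computed by the pre-training framework of the chosen initial model rather than by hand-written gradients.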
In this method, the target AI model comprises the interception feature mining model, the interception portrait decision model and the feature fusion structure. The interception portrait decision model determines the reference interception portrait label feature of the reference interception operation object from the interception path feature and the corresponding interception path cost information. Because the interception path cost information is obtained from the interception operation correlation between the reference interception knowledge network feature and the interception service path feature (the feature representing the interception service path of the interception operation object), the influence of the interception path feature of a linkage interception operation object on the interception portrait label of the reference interception operation object can be determined from the interception knowledge network of the reference security interception event big data, and the interception path cost information is set according to that influence value. The resulting reference interception portrait label feature therefore better supports learning the interception knowledge network of the reference security interception event big data, improves the capacity of the trained target AI model and training prediction model to learn from security interception event big data, and improves the accuracy of security risk identification.
Step S115, obtaining vulnerability document traceability data of each security risk partition among one or more security risk partitions in the security risk identification information, and obtaining a first vulnerability knowledge attribute of each security risk partition, where the vulnerability document traceability data of a security risk partition is the vulnerability document traceability data of that partition within the security risk identification information, the first vulnerability knowledge attribute of a security risk partition indicates the vulnerability knowledge tag distribution of the partition, and the vulnerability knowledge tag distribution of the partition represents its vulnerability knowledge tendency.
Step S116, acquiring corresponding vulnerability basic knowledge data from one or more security risk partitions according to the first vulnerability knowledge attribute of each security risk partition, and acquiring vulnerability document traceability data of the vulnerability basic knowledge data from vulnerability document traceability data of one or more security risk partitions.
Step S117, identifying vulnerability basic knowledge data in the security risk identification information according to vulnerability document traceability data of the vulnerability basic knowledge data to obtain service risk vulnerabilities of the vulnerability basic knowledge data.
For example, in an embodiment that can be implemented independently, the first vulnerability knowledge attribute includes a dynamic vulnerability knowledge attribute, which indicates the first vulnerability knowledge attribute of a security risk partition, and obtaining the first vulnerability knowledge attribute of each security risk partition in step S115 includes: after the first risk frequent item feature of the security risk identification information is obtained, performing first interception feature mining on that first risk frequent item feature to obtain a second risk frequent item feature of the security risk identification information; and mining the first vulnerability knowledge attribute from the second risk frequent item feature to obtain the first vulnerability knowledge attribute of each security risk partition, where the first vulnerability knowledge attribute comprises knowledge points under a dynamic vulnerability discovery mode and knowledge points under a non-dynamic vulnerability discovery mode.
The first vulnerability knowledge attribute also comprises protection rules of tendency knowledge points and protection rules of non-tendency knowledge points. It further includes a derived vulnerability knowledge attribute, which indicates a second vulnerability knowledge attribute of the security risk partition; the first vulnerability knowledge attribute is an auxiliary attribute of the second vulnerability knowledge attribute. Obtaining the first vulnerability knowledge attribute of each security risk partition in step S115 then further includes: after the first risk frequent item feature of the security risk identification information is obtained, performing second interception feature mining on it to obtain a third risk frequent item feature of the security risk identification information; fusing the second and third risk frequent item features to obtain a fourth risk frequent item feature; performing third interception feature mining on the fourth risk frequent item feature to obtain a fifth risk frequent item feature; and performing second vulnerability knowledge attribute mining on the fifth risk frequent item feature to obtain the derived vulnerability knowledge attribute of each security risk partition. The second vulnerability knowledge attribute comprises a protection rule and a knowledge point.
For example, in an embodiment that can be implemented independently, obtaining the vulnerability document traceability data of each security risk partition among the one or more security risk partitions in the security risk identification information in step S115 includes: after the first risk frequent item feature of the security risk identification information is obtained, performing a document tracing operation on the one or more security risk partitions in the security risk identification information according to that first risk frequent item feature, to obtain the vulnerability document traceability data of each security risk partition.
In step S117, identifying the vulnerability basic knowledge data in the security risk identification information according to its vulnerability document traceability data to obtain the service risk vulnerability of the vulnerability basic knowledge data includes: finding, according to the vulnerability document traceability data, the vulnerability tendency data block that contains the vulnerability basic knowledge data, the vulnerability tendency data block being a part of the security risk identification information; performing interception feature mining on the vulnerability basic knowledge data in the vulnerability tendency data block to obtain the first risk frequent item feature of the vulnerability basic knowledge data; determining a candidate vulnerability portrait and a first prediction probability of the vulnerability basic knowledge data from that first risk frequent item feature, the first prediction probability being the prediction probability that the vulnerability portrait of the vulnerability basic knowledge data is the candidate vulnerability portrait; and obtaining the service risk vulnerability of the vulnerability basic knowledge data from the candidate vulnerability portrait and the first prediction probability.
The service risk vulnerability comprises either the vulnerability portrait of the vulnerability basic knowledge data or a blank vulnerability portrait marked with a second vulnerability knowledge attribute, where the second vulnerability knowledge attribute indicates unidentified vulnerability basic knowledge data. A preset feature library comprises M risk frequent item features and the vulnerability portrait corresponding to each of them, M being an integer greater than or equal to 0.
Obtaining the service risk vulnerability of the vulnerability basic knowledge data from the candidate vulnerability portrait and the first prediction probability includes: when the first prediction probability is higher than a preset prediction probability, determining the candidate vulnerability portrait as the vulnerability portrait of the vulnerability basic knowledge data. When the first prediction probability is not higher than the preset prediction probability, M second prediction probabilities are computed from the first risk frequent item feature of the vulnerability basic knowledge data and the M risk frequent item features; the M second prediction probabilities correspond one to one to the M risk frequent item features, and the second prediction probability of the k-th risk frequent item feature represents the prediction probability that the vulnerability portrait of the vulnerability basic knowledge data is the vulnerability portrait corresponding to the k-th risk frequent item feature. If all M second prediction probabilities are lower than the preset prediction probability, the second vulnerability knowledge attribute (unidentified) is taken as the vulnerability portrait of the vulnerability basic knowledge data. If at least one of the M second prediction probabilities is higher than the preset prediction probability, the vulnerability portrait corresponding to the target risk frequent item feature is taken as the vulnerability portrait of the vulnerability basic knowledge data, where the target risk frequent item feature is the one with the highest second prediction probability among those above the preset prediction probability.
Each of the M risk frequent item features includes L sub-risk frequent item features, and computing the M second prediction probabilities from the first risk frequent item feature of the vulnerability basic knowledge data and the M risk frequent item features includes: for any target risk frequent item feature among the M, calculating L third prediction probabilities from the first risk frequent item feature of the vulnerability basic knowledge data and the L sub-risk frequent item features of that target risk frequent item feature, each third prediction probability representing the prediction probability that the vulnerability portrait of the vulnerability basic knowledge data is the vulnerability portrait corresponding to the target risk frequent item feature; and calculating the second prediction probability of the target risk frequent item feature from the L third prediction probabilities.
Based on the above, in step S117, after the vulnerability basic knowledge data in the security risk identification information is identified according to its vulnerability document traceability data to obtain the service risk vulnerability, the service risk vulnerability may be displayed to the internet service terminal corresponding to the intercepted application service. A first update request from the intercepted application service is received, the first update request comprising a third vulnerability knowledge attribute of the vulnerability basic knowledge data, and the third vulnerability knowledge attribute together with the first risk frequent item feature of the vulnerability basic knowledge data is stored in the preset feature library. A second update request from the intercepted application service may also be received, indicating that the application service updates the vulnerability basic knowledge data and comprising the third vulnerability knowledge attribute of the vulnerability basic knowledge data. A plurality of first vulnerability tendency data of the vulnerability basic knowledge data are obtained, namely vulnerability tendency data of the vulnerability basic knowledge data under different knowledge labels; a plurality of third risk frequent item features, one per first vulnerability tendency data, are obtained from them; and the third risk frequent item features are clustered with a clustering algorithm to obtain L sub-risk frequent item features.
The third vulnerability knowledge attribute of the vulnerability basic knowledge data and a second risk frequent item feature are then stored in the preset feature library, where the second risk frequent item feature is derived from the L sub-risk frequent item features or comprises them.
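The threshold-based matching against the preset feature library (first probability, then the M second probabilities built from L third probabilities, with the unidentified fallback) and the feedback path that clusters tendency features into L sub-features, as an added example that is not the patent's own code. The patent does not specify how the probabilities are computed or aggregated, so the example assumes cosine similarity clipped to [0, 1] as the prediction probability, the maximum of the L third probabilities as the second probability, and a small k-means as the clustering algorithm; the 3-dimensional features, portrait names and the 0.8 threshold are constructed.

```python
"""Feature-library matching with an 'unidentified' fallback and feedback updates (added example)."""
import math

# Marker for the blank vulnerability portrait carrying the second (unidentified) attribute.
UNIDENTIFIED = "blank_portrait:unidentified"


def cosine(a, b):
    """Prediction probability used here (assumption): cosine similarity clipped to [0, 1]."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    if na == 0.0 or nb == 0.0:
        return 0.0
    return max(0.0, dot / (na * nb))


def second_probability(feature, entry):
    """One library entry has L sub-risk features; compute the L third probabilities and
    aggregate them (assumption: by maximum) into the entry's second probability."""
    thirds = [cosine(feature, sub) for sub in entry["sub_features"]]
    return max(thirds) if thirds else 0.0


def identify(feature, candidate_portrait, first_prob, library, threshold=0.8):
    """Decision rule of the description: trust the candidate portrait if the first probability
    clears the preset threshold; otherwise consult the M library entries (M may be 0) and
    return UNIDENTIFIED when none of the second probabilities clears the threshold."""
    if first_prob > threshold:
        return candidate_portrait
    above = [(second_probability(feature, e), e["portrait"]) for e in library]
    above = [(p, name) for p, name in above if p > threshold]
    if not above:
        return UNIDENTIFIED
    return max(above, key=lambda t: t[0])[1]  # highest probability among those above threshold


def kmeans(points, k, iters=20):
    """Minimal Lloyd's k-means with deterministic init (first k points) used as the clustering
    algorithm for the third risk features; returns the L = k centroids as sub-risk features."""
    dim = len(points[0])
    centroids = [list(p) for p in points[:k]]
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            idx = min(range(k), key=lambda i: sum((x - y) ** 2 for x, y in zip(p, centroids[i])))
            groups[idx].append(p)
        new = [[sum(p[d] for p in g) / len(g) for d in range(dim)] if g else centroids[i]
               for i, g in enumerate(groups)]
        if new == centroids:
            break
        centroids = new
    return centroids


def register_feedback(library, portrait, first_feature, tendency_features, k):
    """Update requests from the intercepted application service: store the user-supplied
    portrait (third attribute) with the first risk feature, and cluster the tendency features
    into L sub-risk features that later matching compares against."""
    entry = {"portrait": portrait, "feature": list(first_feature),
             "sub_features": kmeans(tendency_features, k)}
    library.append(entry)
    return entry


def sample_library():
    """Constructed preset feature library with M = 2 entries (illustrative names)."""
    return [
        {"portrait": "sqli", "feature": [1.0, 0.0, 0.0],
         "sub_features": [[1.0, 0.0, 0.0], [0.9, 0.1, 0.0]]},
        {"portrait": "xss", "feature": [0.0, 1.0, 0.0],
         "sub_features": [[0.0, 1.0, 0.0]]},
    ]


if __name__ == "__main__":
    lib = sample_library()
    print(identify([0.95, 0.05, 0.0], "candidate", 0.3, lib))   # library match
    print(identify([0.0, 0.0, 1.0], "candidate", 0.3, lib))     # nothing matches
    register_feedback(lib, "rce", [0.0, 0.0, 1.0],
                      [[0, 0, 1.0], [0, 0, 0.9], [0, 0.1, 0.9], [0.1, 0, 1.0]], k=2)
    print(identify([0.0, 0.0, 1.0], "candidate", 0.3, lib))     # now identified
```

Two properties of the rule are worth keeping in a real deployment: the candidate portrait wins only when its own probability clears the threshold, so a confident but wrong library entry cannot override it, and a feature that matches nothing is reported as unidentified rather than forced onto the nearest entry, which is what makes the later user feedback meaningful.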
Fig. 3 illustrates a hardware structure diagram of an artificial intelligence security system 100 for implementing the big data based security interception rule updating method, according to an embodiment of the present disclosure, and as shown in fig. 3, the artificial intelligence security system 100 may include a processor 110, a machine-readable storage medium 120, a bus 130, and a transceiver 140.
In a specific implementation process, at least one processor 110 executes computer-executable instructions stored in the machine-readable storage medium 120, so that the processor 110 may perform the big data based security interception rule updating method according to the above method embodiment, the processor 110, the machine-readable storage medium 120, and the transceiver 140 are connected through the bus 130, and the processor 110 may be configured to control transceiving actions of the transceiver 140, so as to perform data transceiving with the aforementioned internet service terminal 200.
For the specific implementation process of the processor 110, reference may be made to the above-mentioned various method embodiments executed by the artificial intelligence security system 100, which implement similar principles and technical effects, and this embodiment is not described herein again.
In addition, the embodiment of the present disclosure also provides a readable storage medium, where a computer execution instruction is preset in the readable storage medium, and when a processor executes the computer execution instruction, the above security interception rule updating method based on big data is implemented.
Finally, it should be understood that the examples in this specification are only intended to illustrate the principles of the examples in this specification. Other variations are also possible within the scope of this description. Thus, by way of example, and not limitation, alternative configurations of the embodiments of the specification can be considered consistent with the teachings of the specification. Accordingly, the embodiments of the present description are not limited to only those embodiments explicitly described and depicted herein.

Claims (10)

1. A big data-based security interception rule updating method, applied to an artificial intelligence security system in communication connection with a plurality of Internet service terminals, the method comprising the following steps:
acquiring a service risk vulnerability of the intercepted application service of an Internet service terminal, the service risk vulnerability being obtained based on the target security interception event big data to be identified;
acquiring a security interception rule cluster in which the service risk vulnerability matches the information security operation framework of the intercepted application service, and performing rule screening on the security interception rule cluster according to the security interception service interval of each security interception rule in the security interception rule cluster to obtain a target screening security interception rule cluster;
and performing vulnerability pre-repairing on the Internet service terminal according to the target screening security interception rule cluster.
2. The big-data-based security interception rule updating method according to claim 1, wherein said step of performing rule screening on said security interception rule cluster according to the security interception service interval of each security interception rule in said security interception rule cluster to obtain a target screened security interception rule cluster comprises:
determining a key security interception rule based on the change history of the security interception service interval;
performing port allocation on the key security interception rule to obtain at least one key allocation port;
and performing rule screening on the safety interception rule cluster according to the key distribution port to obtain the target screening safety interception rule cluster.
3. The big-data-based security interception rule updating method according to claim 2, wherein said step of performing rule screening on said security interception rule cluster according to said key distribution port to obtain said target screened security interception rule cluster comprises:
performing rule screening on the security interception rule clusters according to the key distribution port to obtain a plurality of initially screened security interception rule clusters;
acquiring a plurality of sequentially associated initial screening safety interception rule clusters with the same interception dimension to obtain each target screening safety interception rule cluster, wherein the interception function tags of each target screening safety interception rule cluster are regularly changed according to the distribution of interception ports;
acquiring an initial screening security interception rule cluster whose interception dimension is in an interception increasing trend relative to the target screening security interception rule cluster as a further target screening security interception rule cluster; the target screening security interception rule cluster is used to assist in determining the target port.
4. The big data-based security interception rule updating method according to claim 3, wherein the step of performing vulnerability pre-repairing on the Internet service terminal according to the target screening security interception rule cluster comprises:
carrying out port distribution according to the interception function tags of the safety interception rules in the same target screening safety interception rule cluster to obtain target ports corresponding to the target screening safety interception rule clusters; the port distribution refers to port distribution of a target port which is fitted according to security interception dimension classification of each security interception rule in the same target screening security interception rule cluster, so that the sum of port connectivity from each security interception rule in the same target screening security interception rule cluster to the corresponding target port is minimum, and the security interception dimension classification comprises an interception performance evaluation tag and an interception function tag of the security interception rule;
determining key safety interception rules according to the port connectivity from each safety interception rule in the safety interception rule cluster to the corresponding target port, and determining vulnerability pre-repairing instructions corresponding to the service risk vulnerabilities according to the key safety interception rules;
and performing vulnerability pre-repairing on the Internet service terminal according to the vulnerability pre-repairing instruction corresponding to the service risk vulnerability.
5. The big-data-based security interception rule updating method according to claim 4, wherein said step of performing port allocation according to the interception function tag of the security interception rule within the same target screening security interception rule cluster to obtain the target port corresponding to each target screening security interception rule cluster comprises:
forming a key distribution port along the distribution direction of the interception ports of the target screening safety interception rule clusters to carry out rule screening on each target screening safety interception rule cluster to obtain a target screening sub-interception rule cluster corresponding to each target screening safety interception rule cluster;
determining interception rule calling characteristics of each target screening safety interception rule cluster according to interception rule calling data of safety interception rules in the associated target screening safety interception rule cluster;
determining the effectiveness of each target screening sub-interception rule cluster according to the interception rule calling data of the safety interception rules in each target screening sub-interception rule cluster with consistent interception rule calling characteristics in the same key safety interception rule cluster;
and carrying out port distribution on the interception function tags of the safety interception rules in the effective target screening sub-interception rule clusters in the same target screening safety interception rule cluster according to effectiveness to obtain target ports corresponding to all the target screening safety interception rule clusters.
6. The big-data-based security interception rule updating method according to claim 5, wherein said determining validity of each target screening sub-interception rule cluster according to the interception rule calling data of the security interception rules in each target screening sub-interception rule cluster having the same interception rule calling feature in the same key security interception rule cluster comprises:
taking each target screening sub-interception rule cluster with consistent interception rule calling characteristics in the same key safety interception rule cluster as an associated sub-safety interception rule cluster, and classifying the associated sub-safety interception rule clusters into the same associated sub-safety interception rule cluster set to obtain an associated sub-safety interception rule cluster set corresponding to each interception rule calling characteristic in each key safety interception rule cluster;
obtaining first reference rule calling data corresponding to each association sub-security interception rule cluster set according to the interception rule calling data corresponding to each target screening sub-interception rule cluster in each association sub-security interception rule cluster set;
and when the data difference between the interception rule calling data of the safety interception rule in the target screening sub-interception rule cluster and the corresponding first reference rule calling data is smaller than a first preset threshold value, determining the corresponding target screening sub-interception rule cluster as an effective target screening sub-interception rule cluster.
7. The big-data-based security interception rule updating method according to claim 6, wherein said determining validity of each target screening sub-interception rule cluster according to the interception rule calling data of the security interception rules in each target screening sub-interception rule cluster having the same interception rule calling feature in the same key security interception rule cluster comprises:
performing rule screening on the target screening safety interception rule cluster along the key distribution port interception dimension of the associated target screening safety interception rule cluster to obtain a reference screening sub-interception rule cluster corresponding to the target screening safety interception rule cluster; the reference screening sub-interception rule clusters correspond to the target screening safety interception rule clusters one by one;
acquiring data difference between interception rule calling data of the safety interception rules in the target screening sub-interception rule cluster and interception rule calling data of the safety interception rules in the corresponding reference screening sub-interception rule cluster as evaluation difference, and acquiring evaluation difference corresponding to each target screening sub-interception rule cluster;
obtaining second reference rule calling data corresponding to each association sub-security interception rule cluster set according to the evaluation difference corresponding to each target screening sub-interception rule cluster in each association sub-security interception rule cluster set;
and when the data difference between the evaluation difference corresponding to the target screening sub-interception rule cluster and the corresponding second reference rule calling data is smaller than a second preset threshold value, determining the corresponding target screening sub-interception rule cluster as an effective target screening sub-interception rule cluster.
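The validity checks of claims 6 and 7 differ only in what is compared against the set-level reference: the raw calling data (claim 6) or the evaluation difference against a paired reference cluster (claim 7). The following is an added illustration, not code from the patent. The patent does not state how the per-set "reference rule calling data" is derived, so taking the median of the set's members is an assumption, as are the cluster names, call counts and thresholds below.

```python
from dataclasses import dataclass, field
from statistics import median
from typing import Dict, List

# Added illustration of the validity checks in claims 6 and 7; not the patent's
# own code. The median as the set-level reference value is an assumption.


@dataclass
class RuleCluster:
    """A target screening sub-interception rule cluster (assumed shape)."""
    name: str
    calls: int             # interception rule calling data, assumed to be a hit count
    reference_calls: int   # calls of its one-to-one reference screening sub-cluster (claim 7)


@dataclass
class AssociationSet:
    """An association sub-security interception rule cluster set."""
    name: str
    clusters: List[RuleCluster] = field(default_factory=list)


def valid_by_calls(sets: List[AssociationSet], threshold: int) -> Dict[str, bool]:
    """Claim 6: a cluster is effective when its call count deviates from the
    set's first reference value (assumed: median of the members) by less than threshold."""
    result: Dict[str, bool] = {}
    for s in sets:
        first_reference = median(c.calls for c in s.clusters)
        for c in s.clusters:
            result[c.name] = abs(c.calls - first_reference) < threshold
    return result


def valid_by_evaluation_difference(sets: List[AssociationSet], threshold: int) -> Dict[str, bool]:
    """Claim 7: compute each cluster's evaluation difference against its paired
    reference cluster first, then judge that difference against the set-level
    second reference value (again assumed to be the median)."""
    result: Dict[str, bool] = {}
    for s in sets:
        evaluation_difference = {c.name: abs(c.calls - c.reference_calls) for c in s.clusters}
        second_reference = median(evaluation_difference.values())
        for c in s.clusters:
            result[c.name] = abs(evaluation_difference[c.name] - second_reference) < threshold
    return result


# Constructed sample: three clusters in one association set. "a3" fires far more
# often than its peers, the kind of outlier both checks are meant to flag.
SAMPLE_SETS = [
    AssociationSet("set-A", [
        RuleCluster("a1", calls=100, reference_calls=98),
        RuleCluster("a2", calls=105, reference_calls=100),
        RuleCluster("a3", calls=400, reference_calls=102),
    ]),
]

if __name__ == "__main__":
    print(valid_by_calls(SAMPLE_SETS, threshold=50))
    print(valid_by_evaluation_difference(SAMPLE_SETS, threshold=20))
```

On the constructed data both checks keep a1 and a2 and reject a3. From an operator's point of view the outlier is what matters: a rule cluster whose hit count diverges from its peers is either over-blocking or reacting to an event the other clusters do not see, and either way it should be reviewed before the update propagates its rules.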
8. The big-data-based security interception rule updating method according to claim 1, wherein determining a key security interception rule according to the port connectivity from each security interception rule in the security interception rule cluster to the corresponding target port, and determining a vulnerability pre-repair instruction corresponding to the service risk vulnerability according to the key security interception rule comprises:
when the port connectivity from the security interception rule in the security interception rule cluster to the corresponding target port is greater than a third preset threshold value, determining the corresponding security interception rule as a key security interception rule;
aggregating the key security interception rules according to the rule related parameters of each key security interception rule, and determining an associated security interception rule sequence according to an aggregation result;
and determining the vulnerability pre-repair instruction according to the interception performance evaluation label distribution of the security interception rules in the associated security interception rule sequence.
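Claim 8 is a three-step procedure: threshold on port connectivity, group by rule parameters, then pick an instruction from the label distribution of each group. The block below is an added example of how those steps fit together and is not code from the patent. The connectivity score in [0, 1], the (protocol, action) pair used as "rule related parameters", the three performance labels and the label-to-instruction mapping are all assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added illustration of claim 8; not the patent's own code. Scores, parameter
# shape, labels and the instruction mapping are assumptions.


@dataclass(frozen=True)
class SecurityRule:
    rule_id: str
    target_port: int
    connectivity: float          # port connectivity to the target port, assumed in [0, 1]
    params: Tuple[str, str]      # rule related parameters, assumed (protocol, action)
    perf_label: str              # interception performance evaluation label


# Assumed mapping from the dominant performance label of a sequence to the
# pre-repair instruction issued for it.
INSTRUCTION_BY_LABEL: Dict[str, str] = {
    "effective": "keep",
    "degraded": "tighten",
    "bypassed": "rewrite",
}


def select_key_rules(rules: List[SecurityRule], threshold: float) -> List[SecurityRule]:
    """Step 1: rules whose port connectivity exceeds the third preset threshold."""
    return [r for r in rules if r.connectivity > threshold]


def aggregate_by_params(key_rules: List[SecurityRule]) -> Dict[Tuple[str, str], List[SecurityRule]]:
    """Step 2: aggregate key rules by their rule related parameters; each group is
    one associated security interception rule sequence."""
    groups: Dict[Tuple[str, str], List[SecurityRule]] = defaultdict(list)
    for r in key_rules:
        groups[r.params].append(r)
    return dict(groups)


def pre_repair_instruction(sequence: List[SecurityRule]) -> str:
    """Step 3: read the label distribution of the sequence and map its most
    frequent label to an instruction (ties resolve to the first label seen)."""
    distribution = Counter(r.perf_label for r in sequence)
    label, _ = distribution.most_common(1)[0]
    return INSTRUCTION_BY_LABEL[label]


def plan_pre_repair(rules: List[SecurityRule], threshold: float) -> Dict[Tuple[str, str], str]:
    """Run all three steps and return one instruction per rule sequence."""
    groups = aggregate_by_params(select_key_rules(rules, threshold))
    return {params: pre_repair_instruction(seq) for params, seq in groups.items()}


# Constructed sample rule set. r4 sits below the threshold and is never a key rule.
SAMPLE_RULES = [
    SecurityRule("r1", 443, 0.90, ("tcp", "drop"), "effective"),
    SecurityRule("r2", 443, 0.80, ("tcp", "drop"), "effective"),
    SecurityRule("r3", 22, 0.95, ("tcp", "drop"), "degraded"),
    SecurityRule("r4", 8080, 0.20, ("tcp", "alert"), "bypassed"),
    SecurityRule("r5", 3306, 0.70, ("tcp", "alert"), "bypassed"),
    SecurityRule("r6", 3306, 0.75, ("tcp", "alert"), "bypassed"),
    SecurityRule("r7", 53, 0.60, ("udp", "drop"), "degraded"),
]

if __name__ == "__main__":
    for params, instruction in plan_pre_repair(SAMPLE_RULES, threshold=0.5).items():
        print(params, "->", instruction)
```

The grouping step is what turns individual rule labels into a sequence-level decision: the lone "degraded" rule r3 is outvoted inside the (tcp, drop) sequence, while the (tcp, alert) sequence, made up entirely of bypassed rules, is marked for rewriting.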
9. The big data based security interception rule updating method according to any one of claims 1 to 8, wherein the step of obtaining a service risk vulnerability of an intercepted application service of the internet service terminal obtained based on the target security interception event big data to be identified comprises:
acquiring target security interception event big data to be identified, and mining interception features of the target security interception event big data to obtain target interception features, wherein the target interception features comprise target interception knowledge network features corresponding to the target security interception event big data, and the target security interception event big data are security interception event big data of a preset mining time period of the internet service terminal;
acquiring a target interception operation object in the target security interception event big data, and determining a first linkage interception operation object corresponding to the target interception operation object;
determining a target interception portrait label feature corresponding to the target interception operation object according to an interception path feature of the first linkage interception operation object and corresponding interception path cost information, wherein the interception path cost information is obtained according to an interception operation correlation degree between the target interception knowledge network feature and an interception service path feature, and the interception service path feature is a feature representing an interception service path of the interception operation object;
performing feature fusion on the target interception feature and a target interception portrait label feature corresponding to the target interception operation object to obtain a target fusion feature, and determining security risk identification information corresponding to the target security interception event big data according to the target fusion feature;
acquiring vulnerability document traceability data of each security risk partition in one or more security risk partitions in the security risk identification information, and acquiring a first vulnerability knowledge attribute of each security risk partition, wherein the vulnerability document traceability data of each security risk partition is vulnerability document traceability data of the security risk partition corresponding to the security risk identification information, the first vulnerability knowledge attribute of the security risk partition is used for indicating vulnerability knowledge tag distribution of the security risk partition, and the vulnerability knowledge tag distribution of the security risk partition is used for representing vulnerability knowledge tendency of the security risk partition;
acquiring corresponding vulnerability basic knowledge data from the one or more security risk partitions according to the first vulnerability knowledge attribute of each security risk partition, and acquiring vulnerability document traceability data of the vulnerability basic knowledge data from the vulnerability document traceability data of the one or more security risk partitions;
and identifying the vulnerability basic knowledge data in the security risk identification information according to vulnerability document traceability data of the vulnerability basic knowledge data so as to obtain service risk vulnerabilities of the vulnerability basic knowledge data.
10. An artificial intelligence security system, comprising one or more processors; and a machine-readable storage medium storing one or more programs which, when executed by the one or more processors, cause the one or more processors to perform the big data based security interception rule updating method of any of claims 1-9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110708155.0A CN113239065A (en) 2021-06-25 2021-06-25 Big data based security interception rule updating method and artificial intelligence security system

Publications (1)

Publication Number Publication Date
CN113239065A true CN113239065A (en) 2021-08-10

Family

ID=77140824

Country Status (1)

Country Link
CN (1) CN113239065A (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060156032A1 (en) * 2005-01-03 2006-07-13 Panjwani Dileep K Network-based patching machine
CN102710642A (en) * 2012-06-01 2012-10-03 北京神州绿盟信息安全科技股份有限公司 Method and device for scanning system bug
US20130227695A1 (en) * 2012-02-23 2013-08-29 Infosys Limited Systems and methods for fixing application vulnerabilities through a correlated remediation approach
CN104618176A (en) * 2014-12-29 2015-05-13 北京奇虎科技有限公司 Website security detection method and device
US20180262521A1 (en) * 2017-03-13 2018-09-13 Molbase (Shanghai) Biotechnology Co., Ltd Method for web application layer attack detection and defense based on behavior characteristic matching and analysis
CN109218336A (en) * 2018-11-16 2019-01-15 北京知道创宇信息技术有限公司 Loophole defence method and system
CN109842617A (en) * 2019-01-03 2019-06-04 深圳壹账通智能科技有限公司 Ad blocking method, apparatus and storage medium
CN110213200A (en) * 2018-02-28 2019-09-06 腾讯科技(深圳)有限公司 A kind of risk behavior hold-up interception method and relevant device
CN111680303A (en) * 2020-06-10 2020-09-18 北京天融信网络安全技术有限公司 Vulnerability scanning method and device, storage medium and electronic equipment
CN112085588A (en) * 2020-09-02 2020-12-15 支付宝(杭州)信息技术有限公司 Method and device for determining safety of rule model and data processing method

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
SIQI MA ET AL.: "VuRLE: Automatic Vulnerability Detection and Repair by Learning from Examples", 《 EUROPEAN SYMPOSIUM ON RESEARCH IN COMPUTER SECURITY》 *
张春瑞 等: "基于漏洞扫描的入侵检测规则屏蔽方法研究", 《计算机应用与软件》 *
陈震杭: "针对预警信息的漏洞自动化防护系统", 《中国优秀博硕士学位论文全文数据库(硕士)信息科技辑》 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113704771A (en) * 2021-08-31 2021-11-26 姜虎 Service vulnerability mining method based on artificial intelligence analysis and big data mining system
CN113704771B (en) * 2021-08-31 2022-04-22 西安明赋云计算有限公司 Service vulnerability mining method based on artificial intelligence analysis and big data mining system
CN114244588A (en) * 2021-12-06 2022-03-25 绥化市纯互联网商务有限公司 Big data analysis interception method and information interception system applying artificial intelligence analysis
CN114117079A (en) * 2021-12-07 2022-03-01 宁安市伟恒互联网信息服务有限公司 Interception feedback processing method based on big data analysis interception and information interception system
CN114553683A (en) * 2022-03-08 2022-05-27 南宁市韶诚信息科技有限公司 Cloud configuration updating method based on security big data feedback and information security system

Similar Documents

Publication Publication Date Title
CN113239065A (en) Big data based security interception rule updating method and artificial intelligence security system
CN113411342A (en) Big data-based information security risk identification method and artificial intelligence security system
WO2021045818A1 (en) Protecting machine learning models from privacy attacks
US20220222372A1 (en) Automated data masking with false positive detection and avoidance
US20230274003A1 (en) Identifying and correcting vulnerabilities in machine learning models
CN110768971B (en) Confrontation sample rapid early warning method and system suitable for artificial intelligence system
US11410327B2 (en) Location determination apparatus, location determination method and computer program
CN111861463A (en) Intelligent information identification method based on block chain and artificial intelligence and big data platform
CN111641614B (en) Communication data processing method based on block chain and cloud computing and edge computing platform
Takemura et al. Model extraction attacks on recurrent neural networks
CN115065545B (en) Safety protection construction method and AI protection system based on big data threat perception
CN112016078A (en) Method, device, server and storage medium for detecting forbidding of login equipment
CN112632609A (en) Abnormality detection method, abnormality detection device, electronic apparatus, and storage medium
Mhawi et al. Proposed Hybrid CorrelationFeatureSelectionForestPanalizedAttribute Approach to advance IDSs
Angelini et al. An attack graph-based on-line multi-step attack detector
Wei et al. Toward identifying APT malware through API system calls
Sathya Ensemble Machine Learning Techniques for Attack Prediction in NIDS Environment
Pranav et al. Detection of botnets in IoT networks using graph theory and machine learning
CN112329879A (en) Image scene graph generation method and system based on counterfactual multi-agent learning
KR102548321B1 (en) Valuable alert screening methods for detecting malicious threat
CN113452700B (en) Method, device, equipment and storage medium for processing safety information
EP4266200A1 (en) Generating device, generating method, and generating program
CN113935034A (en) Malicious code family classification method and device based on graph neural network and storage medium
CN113468540A (en) Security portrait processing method based on network security big data and network security system
CN112671774A (en) Cloud computing and block chain based big data analysis method and digital financial system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication (Application publication date: 20210810)