CN115033715A - Interception feedback processing method based on big data analysis interception and information interception system - Google Patents

Publication number
CN115033715A
Authority
CN
China
Prior art keywords
interception
feedback
access
knowledge
backward
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202210830243.2A
Other languages
Chinese (zh)
Inventor
王超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/36 Creation of semantic tools, e.g. ontology or thesauri
    • G06F16/367 Ontology
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/953 Querying, e.g. by the use of web search engines
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/957 Browsing optimisation, e.g. caching or content distillation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2216/00 Indexing scheme relating to additional aspects of information retrieval not explicitly covered by G06F16/00 and subgroups
    • G06F2216/03 Data mining

Landscapes

  • Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Animal Behavior & Ethology (AREA)
  • Computational Linguistics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The embodiments of the application disclose an interception feedback processing method and an information interception system based on big data analysis interception. Forward feedback knowledge points and backward feedback knowledge points in the interception feedback data are added to different feedback knowledge graphs. Based on the historical frequent entities of the forward feedback knowledge graph and the backward feedback knowledge graph, the forward key knowledge entity and the backward key knowledge entity associated with each concerned feedback flow are combined to obtain a combined key knowledge entity for each concerned feedback flow, and corresponding interception feedback reference data is generated. This achieves combined association within the data collection flow, reduces subsequent manual association work, and thereby improves the efficiency of subsequent response measures for optimizing the interception strategy.

Description

Interception feedback processing method based on big data analysis interception and information interception system
This application is a divisional application of the Chinese application entitled 'interception feedback processing method and information interception system based on big data analysis interception', with application number 202111483892.1 and a filing date of December 7, 2021.
Technical Field
The application relates to the technical field of artificial intelligence, in particular to an interception feedback processing method and an information interception system based on big data analysis interception.
Background
With the advent of the big data era, information security has remained a focus of cloud computing development. Traditional security thinking struggles to solve problems such as the breakdown of the cloud boundary, and cloud computing has lacked deep accumulated security experience over the course of its development. Against this background, an interception decision is a necessary information security protection activity for access activities that need to be intercepted, such as attack access activities and privacy access activities.
Because not every interception decision necessarily meets the requirements of the actual service scenario, related feedback often has to be collected and processed after an interception decision is made, so that interception feedback reference data is available for subsequently optimizing the interception strategy. The inventor found that related data must be correlated during interception feedback. However, the related art does not yet provide a scheme for combined association within the data collection process, and developers often have to perform the association manually, which makes it difficult to ensure the efficiency of subsequent response measures for optimizing the interception strategy.
Disclosure of Invention
The application provides an interception feedback processing method and an information interception system based on big data analysis interception.
In a first aspect, an embodiment of the present application provides an interception feedback processing method based on big data analysis interception, which is applied to an information interception system, and includes:
performing an interception decision on a target access activity based on a target interception decision basis associated with the target access activity transmitted in real time by a business service system, and, after the target access activity is determined to be intercepted, acquiring interception feedback data of the target access activity in the interception feedback flow;
adding a plurality of forward feedback knowledge points in the interception feedback data to a forward feedback knowledge graph, and adding a plurality of backward feedback knowledge points in the interception feedback data to a backward feedback knowledge graph;
searching the forward feedback knowledge graph and the backward feedback knowledge graph for key knowledge entities, respectively, to obtain a forward key knowledge entity and a backward key knowledge entity associated with each concerned feedback flow in the interception feedback flow;
combining the forward key knowledge entity and the backward key knowledge entity associated with each concerned feedback flow, based on the historical frequent entities of the forward feedback knowledge graph and the backward feedback knowledge graph, to obtain a combined key knowledge entity of each concerned feedback flow;
and generating corresponding interception feedback reference data based on the combined key knowledge entity of each concerned feedback flow.
In a possible implementation manner of the first aspect, the generating of the target interception decision basis associated with the target access activity includes:
generating a corresponding target access trigger event when receiving the target access trigger event of the access activity transmitted in real time by the service system;
according to a first access activity interception decision network, based on the target access trigger event, making a decision to generate a basic interception decision basis related to the target access activity; the first access activity interception decision network is obtained by performing network convergence optimization according to a basic reference data set, wherein the basic reference data set comprises a first reference access trigger event and a basic reference interception basis carried by the first reference access trigger event, and the basic reference interception basis is obtained based on whether an access activity maintaining state is configured in a destruction state after the access activity corresponding to the first reference access trigger event is released;
according to a second access activity interception decision network, based on the target access trigger event, making a decision to generate an advanced interception decision basis related to the target access activity; the second access activity interception decision network is obtained by performing network convergence optimization according to an advanced reference data set, wherein the advanced reference data set comprises a second reference access trigger event and an advanced reference interception basis carried by the second reference access trigger event, and the advanced reference interception basis represents a tag attribute of an access activity corresponding to the second reference access trigger event;
determining a target interception decision basis associated with the target access activity based on the basic interception decision basis and the advanced interception decision basis; the target intercept decision outputs a view in terms of a threat representative of the subject access activity.
For example, in a possible implementation manner of the first aspect, the basic reference data set further adds destruction timing data of an access state corresponding to the first reference access trigger event;
if it is determined that the access activity maintaining state is configured in a destruction state after the access activity corresponding to the first reference access trigger event is released, the basic reference interception basis represents that the access activity corresponding to the first reference access trigger event is classified as an intercepted access activity, and the destruction timing data of the access state represents the timing interval information between the access activity corresponding to the first reference access trigger event and a comparison access activity, wherein the comparison access activity is the last access activity released before the access activity maintaining state is configured in the destruction state;
if it is determined that the access activity maintaining state is not found to be configured in the destruction state after the access activity corresponding to the first reference access trigger event is released, the basic reference interception basis represents that the access activity corresponding to the first reference access trigger event is classified as a non-intercepted access activity, and the destruction timing data of the access state is the timing interval value of the non-intercepted access activity.
For example, in a possible implementation manner of the first aspect, the deciding, based on the target access triggering event, to generate a basic interception decision basis associated with the target access activity according to the first access activity interception decision network includes:
acquiring destruction time sequence data of a calibrated access state; the calibrated destruction timing sequence data of the access state is obtained based on the destruction timing sequence data of the access state in the basic reference data set, which is called when the first access activity interception decision network is optimized in network convergence;
and generating the basic interception decision basis based on the targeted access trigger event and the calibrated destruction time sequence data of the access state according to the first access activity interception decision network.
For example, in a possible implementation manner of the first aspect, the first access activity interception decision network includes a first basic description variable mining unit and a first interception decision unit, and the second access activity interception decision network includes a second basic description variable mining unit and a second interception decision unit;
the step of, by the first access activity interception decision network, based on the target access trigger event, making a decision to generate a basic interception decision basis associated with the target access activity includes:
according to the first basic description variable mining unit, mining a basic description variable corresponding to each access unit in the target access triggering event;
according to the first interception decision unit, based on the basic description variable corresponding to each access unit in the target access trigger event, deciding to generate the basic interception decision basis;
the step of deciding to generate an advanced interception decision basis associated with the target access activity based on the target access trigger event according to the second access activity interception decision network includes:
according to the second basic description variable mining unit, mining a basic description variable corresponding to each access unit in the target access triggering event;
and deciding to generate the advanced interception decision basis based on the basic description variable corresponding to each access unit in the target access trigger event according to the second interception decision unit.
In a possible implementation manner of the first aspect, the first access activity interception decision network and the second access activity interception decision network include network parameter layers of the same network weight information;
training the first and second access activity interception decision networks in accordance with:
according to a first basic access activity interception decision network, based on the first reference access trigger event in the basic reference data set, making a decision to generate a first access activity interception decision basis;
determining a first interception prediction cost based on the first access activity interception decision basis and the base reference interception basis in the base reference data set;
performing network convergence optimization on the first basic access activity interception decision network according to the first interception prediction cost;
synchronously configuring the network weight information of the network parameter layer in the first basic access activity interception decision network to the network parameter layer in a second basic access activity interception decision network;
according to the second basic access activity interception decision network, based on the second reference access trigger event in the advanced reference data set, making a decision to generate a second access activity interception decision basis;
determining a second interception prediction cost based on the second access activity interception decision basis and the advanced reference interception basis in the advanced reference data set;
performing network convergence optimization on the second basic access activity interception decision network according to the second interception prediction cost;
synchronously configuring network weight information of the network parameter layer in the second basic access activity interception decision network to the network parameter layer in the first basic access activity interception decision network;
determining a target interception prediction cost based on the first interception prediction cost and the second interception prediction cost;
and combining the network convergence optimization of the first basic access activity interception decision network and the second basic access activity interception decision network according to the target interception prediction cost.
In one possible implementation of the first aspect, the method further comprises:
acquiring an access trigger event decision network initialized by weight and a third reference data set; the access trigger event decision network is configured to execute a basic access trigger event decision flow, the access trigger event decision network comprising the network parameter layer; the third reference data set comprises a third reference access triggering event and a carried training reference basis, and the training reference basis represents the label attribute of the third reference access triggering event in the access triggering event decision flow;
deciding to generate a third access activity interception decision basis based on the third reference access trigger event in the third reference data set according to the access trigger event decision network; determining a third interception prediction cost based on the third access activity interception decision basis and a training reference basis in the third reference data set;
performing network convergence optimization on the access triggering event decision network according to the third interception prediction cost;
synchronously configuring network weight information of the network parameter layer in the access trigger event decision network to the network parameter layer in the first basic access activity interception decision network or the second basic access activity interception decision network;
determining a target interception prediction cost based on the first interception prediction cost and the second interception prediction cost; combining the network convergence optimization of the first basic access activity interception decision network and the second basic access activity interception decision network according to the target interception prediction cost, comprising:
determining the target interception prediction cost based on the first interception prediction cost, the second interception prediction cost and the third interception prediction cost;
and combining the first basic access activity interception decision network, the second basic access activity interception decision network and the access trigger event decision network for network convergence optimization according to the target interception prediction cost.
For example, in one possible implementation of the first aspect, the method further comprises:
acquiring a description variable mining network with initialized weight and a fourth reference data set; the description variable mining network is configured to mine access description variables corresponding to each access unit in an access triggering event, and comprises the network parameter layer; the fourth reference data set comprises a fourth reference access trigger event;
mining a decision access description variable corresponding to each access unit in the fourth reference access trigger event according to the description variable mining network;
determining a forward extended access unit and a backward extended access unit which are respectively associated with each reference access unit in the fourth reference access trigger event, and determining a fourth interception prediction cost based on a decision access description variable which is respectively corresponding to each reference access unit in the fourth reference access trigger event, a decision access description variable of the forward extended access unit which is respectively associated with each reference access unit, and a decision access description variable of the backward extended access unit which is respectively associated with each reference access unit; performing network convergence optimization on the description variable mining network according to the fourth interception prediction cost;
synchronously configuring network weight information of the network parameter layer in the description variable mining network to the network parameter layer in the first basic access activity interception decision network or the second basic access activity interception decision network;
determining a target interception prediction cost based on the first interception prediction cost and the second interception prediction cost; combining the network convergence optimization of the first basic access activity interception decision network and the second basic access activity interception decision network according to the target interception prediction cost, comprising:
determining the target interception prediction cost based on the first interception prediction cost, the second interception prediction cost and the fourth interception prediction cost;
and combining the first basic access activity interception decision network, the second basic access activity interception decision network and the description variable mining network for network convergence optimization according to the target interception prediction cost.
For example, in a possible implementation manner of the first aspect, the determining, for each reference access unit in the fourth reference access trigger event, a forward extended access unit and a backward extended access unit that are respectively associated includes:
for each reference access unit in the fourth reference access trigger event, determining the rest of reference access units except the reference access unit in the fourth reference access trigger event, and determining the reference access units as the forward extended access units associated with the reference access units;
for each reference access unit in the fourth reference access trigger event, determining a reference access unit in the rest access trigger events except the fourth reference access trigger event, and determining the reference access unit as a backward extension access unit associated with the reference access unit;
determining a fourth interception prediction cost based on a decision access description variable corresponding to each reference access unit in the fourth reference access trigger event, a decision access description variable of a forward extension access unit associated with each reference access unit, and a decision access description variable of a backward extension access unit associated with each reference access unit, including:
for each reference access unit in the fourth reference access trigger event, forming a forward extension cluster associated with the reference access unit based on the reference access unit and a carried forward extension access unit, and determining a matching value between a decision access description variable of the forward extension access unit in the forward extension cluster and a decision access description variable of the reference access unit, and determining the matching value as a matching value associated with the forward extension cluster;
forming a backward extension cluster associated with the reference access unit based on the reference access unit and a carried backward extension access unit, determining a matching value between a decision access description variable of the backward extension access unit in the backward extension cluster and a decision access description variable of the reference access unit, and determining the matching value as the matching value associated with the backward extension cluster;
for each reference access unit in the fourth reference access trigger event, determining an extension cost associated with the reference access unit based on a matching value associated with each forward extension cluster associated with the reference access unit and a matching value associated with each backward extension cluster associated with the reference access unit;
determining a fourth interception prediction cost based on the extension cost respectively associated with each reference access unit in the fourth reference access trigger event;
the determining the extension cost associated with the reference access unit based on the matching value associated with each forward extension cluster associated with the reference access unit and the matching value associated with each backward extension cluster associated with the reference access unit includes:
determining a plurality of forward and backward extended clusters associated with the reference access unit according to each forward extended cluster associated with the reference access unit and each backward extended cluster associated with the reference access unit; each forward-backward extension cluster comprises one forward extension cluster and one backward extension cluster;
calculating a difference value between a matching value associated with a forward extension cluster and a matching value associated with a backward extension cluster in the forward and backward extension clusters aiming at each forward and backward extension cluster associated with the reference access unit, and determining the difference value as an extension cost associated with the forward and backward extension clusters;
and determining the extension cost associated with the reference access unit based on the extension costs respectively associated with the forward and backward extension clusters associated with the reference access unit.
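The following is an added example, not code from the patent: a sketch of how the fourth interception prediction cost described above could be computed from forward and backward extension clusters. The patent text only says "matching value" and "difference value", so the cosine similarity, the backward-minus-forward sign, the mean aggregation, and all function and event names are assumptions.

```python
"""Sketch of the 'fourth interception prediction cost' (added example).

Assumptions not stated in the patent text: the matching value is cosine
similarity, the difference is (backward match - forward match), and
per-unit and per-event costs are aggregated with a mean.
"""
import math
from itertools import product


def matching_value(a, b):
    """Cosine similarity of two description vectors; 0.0 if either is all-zero."""
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return sum(x * y for x, y in zip(a, b)) / (norm_a * norm_b)


def unit_extension_cost(ref_vec, forward_vecs, backward_vecs):
    """Extension cost of one reference access unit.

    Returns None when the unit has no forward-backward extension cluster,
    e.g. a single-unit event or a data set with only one event.
    """
    # One forward extension cluster per (reference unit, forward unit) pair,
    # one backward extension cluster per (reference unit, backward unit) pair.
    fwd = [matching_value(ref_vec, v) for v in forward_vecs]
    bwd = [matching_value(ref_vec, v) for v in backward_vecs]
    if not fwd or not bwd:
        return None
    # Each forward-backward cluster pairs one forward with one backward cluster;
    # its cost is the difference between the two matching values.
    pair_costs = [b - f for f, b in product(fwd, bwd)]
    return sum(pair_costs) / len(pair_costs)


def fourth_interception_cost(events, event_id):
    """Cost for one reference access trigger event.

    events maps an event id to the list of description vectors of its
    access units, as mined by the description variable mining network.
    """
    units = events[event_id]
    # Backward extended units: units of every other access trigger event.
    backward = [v for eid, vecs in events.items() if eid != event_id for v in vecs]
    costs = []
    for i, ref in enumerate(units):
        # Forward extended units: the remaining units of the same event.
        forward = units[:i] + units[i + 1:]
        cost = unit_extension_cost(ref, forward, backward)
        if cost is not None:
            costs.append(cost)
    return sum(costs) / len(costs) if costs else 0.0


# Constructed sample vectors (not real mined description variables).
WELL_SEPARATED = {
    "evt-login": [[1.0, 0.0], [1.0, 0.0]],
    "evt-export": [[0.0, 1.0]],
}
POORLY_SEPARATED = {
    "evt-login": [[1.0, 0.0], [0.0, 1.0]],
    "evt-export": [[1.0, 0.0]],
}

if __name__ == "__main__":
    print(fourth_interception_cost(WELL_SEPARATED, "evt-login"))
    print(fourth_interception_cost(POORLY_SEPARATED, "evt-login"))
```

Under the assumed sign, a lower cost means units of the same access trigger event match each other more closely than they match units of other events.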
For example, in one possible implementation of the first aspect, the method further comprises:
acquiring an access trigger event decision network and a description variable mining network initialized by weight, and a third reference data set and a fourth reference data set; the access trigger event decision network is configured to an execution-based access trigger event decision process, the description variable mining network is configured to mine access description variables corresponding to each access unit in an access trigger event, and both the access trigger event decision network and the description variable mining network comprise the network parameter layer; the third reference data set comprises a third reference access triggering event and a carried training reference basis, and the training reference basis represents the label attribute of the third reference access triggering event in the access triggering event decision flow; the fourth reference data set comprises a fourth reference access trigger event;
deciding to generate a third access activity interception decision basis based on the third reference access trigger event in the third reference data set according to the access trigger event decision network; determining a third interception prediction cost based on the third access activity interception decision basis and a training reference basis in the third reference data set;
performing network convergence optimization on the access triggering event decision network according to the third interception prediction cost;
synchronously configuring network weight information of the network parameter layer in the access triggering event decision network to the network parameter layer in the description variable mining network;
mining a decision access description variable corresponding to each access unit in the fourth reference access trigger event according to the description variable mining network; determining a forward extended access unit and a backward extended access unit which are respectively associated with each reference access unit in the fourth reference access trigger event, and determining a fourth interception prediction cost based on a decision access description variable which is respectively corresponding to each reference access unit in the fourth reference access trigger event, a decision access description variable of the forward extended access unit which is respectively associated with each reference access unit, and a decision access description variable of the backward extended access unit which is respectively associated with each reference access unit;
performing network convergence optimization on the description variable mining network according to the fourth interception prediction cost;
synchronously configuring network weight information of the network parameter layer in the description variable mining network to the network parameter layer in the first basic access activity interception decision network or the second basic access activity interception decision network;
determining a target interception prediction cost based on the first interception prediction cost and the second interception prediction cost; combining the network convergence optimization of the first basic access activity interception decision network and the second basic access activity interception decision network according to the target interception prediction cost, comprising:
determining the target interception prediction cost based on the first interception prediction cost, the second interception prediction cost, the third interception prediction cost and the fourth interception prediction cost;
and combining the network convergence optimization of the first basic access activity interception decision network, the second basic access activity interception decision network, the access trigger event decision network and the description variable mining network according to the target interception prediction cost.
Compared with the prior art, the forward feedback knowledge points and the backward feedback knowledge points in the interception feedback data are added to different feedback knowledge graphs. Based on the historical frequent entities of the forward feedback knowledge graph and the backward feedback knowledge graph, the forward key knowledge entity and the backward key knowledge entity associated with each concerned feedback flow are combined to obtain the combined key knowledge entity of each concerned feedback flow, and corresponding interception feedback reference data is generated. This achieves combined association within the data collection flow, reduces subsequent manual association work, and improves the efficiency of subsequent response measures for optimizing the interception strategy.
Drawings
Fig. 1 is a schematic flowchart illustrating steps of an interception feedback processing method based on big data analysis and interception according to an embodiment of the present application;
Fig. 2 is a schematic block diagram of an information interception system according to an embodiment of the present application, configured to execute the interception feedback processing method based on big data analysis interception in Fig. 1.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Step S110, based on the target interception decision basis associated with the target access activity transmitted in real time by the business service system, making an interception decision on the target access activity, and obtaining the interception feedback data of the target access activity in the interception feedback process after interception is determined.
Step S120, adding a plurality of forward feedback knowledge points in the interception feedback data to a forward feedback knowledge map, and adding a plurality of backward feedback knowledge points in the interception feedback data to a backward feedback knowledge map.
The feedback knowledge points may be feedback knowledge points produced after the interception decision and before interception execution, or feedback knowledge points produced after the interception decision and after interception execution. Each feedback knowledge point may be a feedback activity directed at an interception rule vector of the interception policy, such as service conflict feedback or interception deviation feedback, and the feedback knowledge points may reflect, to a certain extent, problems at different stages after the interception decision.
In an exemplary design approach, adding a plurality of forward feedback knowledge points in the interception feedback data to the forward feedback knowledge map may include: removing the noise field of each forward feedback knowledge point in the interception feedback data; and performing the following steps for each forward feedback knowledge point whose noise field has been removed: parsing the forward feedback knowledge point into a plurality of sequential knowledge points based on a first forward feedback order, and sequentially adding the sequential knowledge points to the forward feedback knowledge map based on a second forward feedback order, wherein the first and second forward feedback orders are opposite.
In an exemplary design concept, before removing the noise field of each forward feedback knowledge point in the interception feedback data, the method may further include: performing relevance cascading on the plurality of forward feedback knowledge points in the interception feedback data to obtain cascaded forward feedback knowledge points; determining the relevance cost between the two cascaded knowledge points at the head and the tail of the cascaded forward feedback knowledge points; and, when the relevance cost between the head and tail cascaded knowledge points in the cascaded forward feedback knowledge points is greater than the relevance cost between the head and tail cascaded knowledge points in the cascaded forward feedback knowledge map, determining to remove the noise field of each forward feedback knowledge point in the interception feedback data.
In an exemplary design idea, the relevance cascading of the plurality of forward feedback knowledge points in the interception feedback data may cascade the plurality of forward feedback knowledge points based on the relevance knowledge point vector of each forward feedback knowledge point to obtain the cascaded forward feedback knowledge points.
In an exemplary design concept, adding a plurality of backward feedback knowledge points in the intercepted feedback data to the backward feedback knowledge graph may include: extracting backward feedback knowledge point distribution from the intercepted feedback data, wherein the backward feedback knowledge point distribution comprises a plurality of backward feedback knowledge points; expanding the distribution of the backward feedback knowledge points to obtain a plurality of expanded backward feedback knowledge points respectively associated with the plurality of backward feedback knowledge points; dividing the backward feedback knowledge map into a plurality of backward feedback knowledge point partitions, wherein the number of the plurality of backward feedback knowledge point partitions is not less than the number of the plurality of extended backward feedback knowledge points; and sequentially adding the plurality of extended backward feedback knowledge points into a plurality of backward feedback knowledge point partitions, wherein each backward feedback knowledge point partition at most comprises one extended backward feedback knowledge point.
Therefore, the backward feedback knowledge graph is divided into a plurality of backward feedback knowledge point partitions, and then the extended decision is carried out on the divided backward feedback knowledge point partitions, so that the extension efficiency of the backward feedback knowledge graph can be improved.
Step S130, performing key knowledge entity search on the forward feedback knowledge graph and the backward feedback knowledge graph respectively, and obtaining a forward key knowledge entity and a backward key knowledge entity associated with each attention feedback process in the intercepted feedback processes.
In an exemplary design idea, key knowledge entity search can be performed on a forward feedback knowledge graph and a backward feedback knowledge graph respectively to obtain a forward key knowledge entity and a backward key knowledge entity associated with each attention feedback process in an interception feedback process.
In an exemplary design idea, the following steps are performed for each attention feedback flow in the interception feedback flow: searching key knowledge entities in the forward feedback knowledge map corresponding to the positions of the attention feedback process to obtain forward key positions of the attention feedback process; performing key knowledge entity search on the position corresponding to the attention feedback process in the backward feedback knowledge map to obtain a backward key position of the attention feedback process; determining a forward key knowledge entity associated with the attention feedback process based on the forward key position of the attention feedback process; and determining a backward key knowledge entity associated with the attention feedback process based on the backward key position of the attention feedback process.
In an exemplary design approach, determining a forward key knowledge entity associated with a feedback-concerned process based on a forward key location of the feedback-concerned process may include: and analyzing the forward key position of the attention feedback process into a sequence knowledge point attribute, and taking the forward key knowledge entity corresponding to the sequence knowledge point attribute as the forward key knowledge entity of the attention feedback process.
In an exemplary design concept, sequential knowledge point attributes and forward key knowledge entities are in one-to-one correspondence and have associated contact relationships, so that the forward key knowledge entities corresponding to the sequential knowledge point attributes can be determined by looking up the associated contact relationships.
In an exemplary design idea, determining a backward key knowledge entity associated with an attention feedback process based on a backward key location of the attention feedback process may include: and analyzing the backward key position of the attention feedback flow into backward feedback knowledge point attributes, and taking backward key knowledge entities corresponding to the backward feedback knowledge point attributes as backward key knowledge entities of the attention feedback flow.
In an exemplary design idea, the backward feedback knowledge point attributes and the backward key knowledge entities are in one-to-one correspondence and have associated contact relationships, so that the backward key knowledge entities corresponding to the backward feedback knowledge point attributes can be determined by searching the contact relationships.
Therefore, the key knowledge entity search is simultaneously carried out on the forward feedback knowledge map and the backward feedback knowledge map, the forward key knowledge entity and the backward key knowledge entity associated with each concerned feedback flow in the interception feedback flow are obtained, the backward feedback knowledge point processing and the forward feedback knowledge point processing in the interception feedback flow can be combined, and the efficiency of optimizing the interception strategy by adopting response measures subsequently is improved.
Step S140, based on the historical frequent entities of the forward feedback knowledge graph and the backward feedback knowledge graph, combining the forward key knowledge entity and the backward key knowledge entity associated with each attention feedback process to obtain a combined key knowledge entity of each attention feedback process.
In an exemplary design idea, a forward key knowledge entity and a backward key knowledge entity associated with each attention feedback process may be combined based on historical frequent entities of a forward feedback knowledge graph and a backward feedback knowledge graph to obtain a combined key knowledge entity of each attention feedback process.
For example, the following steps may be performed for each of the attention feedback flows:
(1) determining a first frequent item attribute corresponding to the attention feedback process based on the historical frequent item entity of the forward feedback knowledge graph, and determining a second frequent item attribute corresponding to the attention feedback process based on the historical frequent item entity of the backward feedback knowledge graph;
(2) based on the first frequent item attribute and the second frequent item attribute, combining, by matched frequent item attributes, the forward key knowledge entity associated with the attention feedback process and the backward key knowledge entity associated with the attention feedback process to obtain a combined key knowledge entity of the attention feedback process.
Step S150, rendering to form an interception feedback process based on the combined key knowledge entity of each attention feedback process.
Based on the above steps, the embodiment adds forward feedback knowledge points and backward feedback knowledge points in the intercepted feedback data to different feedback knowledge maps respectively, combines forward key knowledge entities and backward key knowledge entities associated with each concerned feedback process based on historical frequent entity of the forward feedback knowledge maps and the backward feedback knowledge maps to obtain combined key knowledge entities of each concerned feedback process, generates corresponding intercepted feedback reference data, can realize combined association in data collection processes, reduces operation processing of subsequent manual association, and further facilitates improvement of efficiency of optimizing an interception strategy by taking response measures subsequently.
In an exemplary independent embodiment, the step of generating the objective interception decision basis associated with the objective access activity may include:
Step S101: upon receiving an access trigger event transmitted in real time by the business service system, determining it as the target access trigger event.
Step S102: according to a first access activity interception decision network, based on the target access trigger event, making a decision to generate a basic interception decision basis related to the target access activity; the first access activity interception decision network is obtained by performing network convergence optimization according to a basic reference data set, the basic reference data set comprises a first reference access trigger event and a basic reference interception basis carried by the first reference access trigger event, and the basic reference interception basis is obtained based on whether an access activity maintaining state is configured in a destruction state after the access activity corresponding to the first reference access trigger event is released.
After the information interception system obtains the target access trigger event, the target access trigger event can be input into a first access activity interception decision network meeting the network deployment requirement, after the first access activity interception decision network carries out interception prediction on the target access trigger event, a basic interception decision basis related to the target access activity is correspondingly output, and the basic interception decision basis can be understood as the confidence degree that the target access activity is classified into the intercepted access activity.
For example, the foregoing first access activity interception decision network may be obtained by performing network convergence optimization according to a basic reference data set based on a benchmark supervised training learning manner. The reference supervised training learning mode can be understood as that the interception decision basis in the reference data set called in the network convergence optimization process is possibly not completely accurate; for example, the basic reference interception basis in the basic reference data set, which is called when the network convergence optimization is performed on the first access activity interception decision network, may be understood as a training reference basis with low accuracy. The basic reference data set comprises a first reference access triggering event and a basic reference interception basis carried by the first reference access triggering event; wherein, the first reference access trigger event may be an access trigger event in a past access activity; the basis reference interception criterion corresponding to the first reference access trigger event may be obtained based on whether a related process is searched for destroying the access activity maintaining state after the past access activity corresponding to the first reference access trigger event is released.
For example, if it is determined that, after the access activity corresponding to the first reference access trigger event is released, a related process destroys the access activity maintaining state, the basic reference interception basis corresponding to the first reference access trigger event classifies that access activity as an intercepted access activity, and the destruction timing data of the access state corresponding to the first reference access trigger event corresponds to the timing interval between that access activity and the comparison access activity, where the comparison access activity is the last access activity released before the access activity maintaining state is configured in the destruction state.
For example, before releasing an access activity in an access event, the information interception system correspondingly allocates a corresponding ordinal position number to each access activity in the access event based on a corresponding release sequence, wherein the earlier the release sequence is, the smaller the corresponding ordinal position number is, and the later the release sequence is, the larger the corresponding ordinal position number is. After the information interception system searches that the access activity maintaining state destruction behavior is triggered for a certain access event, it may first determine that the last access activity (i.e., the access activity with the largest corresponding ordinal position number) displayed in the access event before the access activity maintaining state is configured in the destruction state is used as a comparison access activity, and further calculate a time sequence difference between an ordinal position number associated with the comparison access activity and an ordinal position number associated with the access activity for each access activity included in the access event before the access activity maintaining state is configured in the destruction state, and determine destruction time sequence data of the access state associated with the access activity, that is, destruction time sequence data of the access state corresponding to the access triggering event in the access activity.
If, after the access activity corresponding to the first reference access trigger event is released, no related process is found to destroy the access activity maintaining state, the basic reference interception basis corresponding to the first reference access trigger event classifies that access activity as a non-intercepted access activity. In addition, since the access activity maintaining state is not found to be configured in the destruction state after that access activity is released, it is difficult to determine the destruction time series data of the access state corresponding to the first reference access trigger event, so that data can be directly configured as the time series interval value of non-intercepted access activity. The time interval value of non-intercepted access activity may be a time interval reference value configured in advance by the information interception system, or may be determined by the information interception system from the destruction time series data of the access state in the basic reference data sets whose basic reference interception basis indicates intercepted access activity. For example, the information interception system may acquire all the basic reference data sets whose basic reference interception basis indicates intercepted access activity, calculate the mean time interval value of the destruction time series data of the access state included in those basic reference data sets, and determine that mean as the time interval value of non-intercepted access activity. The manner of determining the time interval value of non-intercepted access activity is not limited herein.
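The labelling rule described above (state destruction after release marks the activities as intercepted, with an ordinal-distance timing value, and non-intercepted activities receive a configured or mean value) can be sketched as follows. This is an added example, not code from the patent; the `AccessEvent` and `ReferenceSample` types, their field names and the sample events are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional


@dataclass
class AccessEvent:
    """A past access event (hypothetical model, not from the patent).

    trigger_events holds one trigger event per released access activity, in
    release order. For an event whose maintaining state was destroyed, the
    list holds only the activities released before the destruction, so its
    last entry is the comparison access activity.
    """
    event_id: str
    trigger_events: List[str]
    state_destroyed: bool


@dataclass
class ReferenceSample:
    event_id: str
    ordinal: int               # ordinal position number, 1 = released first
    trigger_event: str
    intercepted: int           # low-accuracy label: 1 = intercepted activity
    destruction_timing: float  # ordinal distance to the comparison activity


def build_base_reference_set(events: List[AccessEvent],
                             default_interval: Optional[float] = None
                             ) -> List[ReferenceSample]:
    """Label past access activities for the first (benchmark-supervised) network."""
    samples: List[ReferenceSample] = []

    # Pass 1: events whose maintaining state was destroyed after release.
    for ev in events:
        if not ev.state_destroyed:
            continue
        comparison_ordinal = len(ev.trigger_events)  # largest ordinal number
        for ordinal, trig in enumerate(ev.trigger_events, start=1):
            timing = float(comparison_ordinal - ordinal)
            samples.append(ReferenceSample(ev.event_id, ordinal, trig, 1, timing))

    # Interval value for non-intercepted activities: either the value
    # configured in advance, or the mean over all intercepted samples.
    if default_interval is not None:
        fill = float(default_interval)
    else:
        timings = [s.destruction_timing for s in samples]
        if not timings:
            raise ValueError("no intercepted samples; pass default_interval")
        fill = mean(timings)

    # Pass 2: events with no destruction observed are labelled non-intercepted.
    for ev in events:
        if ev.state_destroyed:
            continue
        for ordinal, trig in enumerate(ev.trigger_events, start=1):
            samples.append(ReferenceSample(ev.event_id, ordinal, trig, 0, fill))
    return samples


# Constructed sample data for illustration only.
CONSTRUCTED_EVENTS = [
    AccessEvent("e1", ["login", "search", "export", "bulk-download"], True),
    AccessEvent("e2", ["login", "view"], False),
    AccessEvent("e3", ["login", "reset-password", "reset-password"], True),
]

if __name__ == "__main__":
    for s in build_base_reference_set(CONSTRUCTED_EVENTS):
        print(s)
```
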
By the design, destruction time series data of the access state is expanded in a basic reference data set used for training the first access activity interception decision network, so that the first access activity interception decision network has the capability of comprehensively considering access activity access trigger events and destruction time series data of the access state to identify whether the access activity can be classified into the intercepted access activity, and the accuracy of the first access activity interception decision network decision interception access activity can be improved.
In addition, if it is determined that the basic reference data set called by the first access activity interception decision network is trained to include the destruction time series data of the access state, when the first access activity interception decision network is applied to identify whether the access activity can be classified into the intercepted access activity, the destruction time series data of the access state and the access activity access trigger event calibrated by the first access activity interception decision network can be simultaneously used for executing the access activity decision flow. Namely, when a first access activity interception decision network is used to determine a basic interception decision basis associated with a target access activity, the destruction time sequence data of a calibrated access state is acquired, and the destruction time sequence data of the calibrated access state can be determined based on the destruction time sequence data of the access state in a basic reference data set called when the first access activity interception decision network is trained; and further, generating a basic interception decision basis related to the target access activity based on the target access trigger event in the target access activity and the destruction time sequence data of the calibrated access state according to the first access activity interception decision network.
In an exemplary design idea, the first access activity interception decision network may include a first basic description variable mining unit and a first interception decision unit. In the specific application process of the first access activity interception decision network, a basic description variable corresponding to each access unit in the target access trigger event may first be mined according to the first basic description variable mining unit; then, according to the first interception decision unit, a basic interception decision basis associated with the target access activity is generated based on the basic description variable corresponding to each access unit in the target access trigger event.
For example, the first access activity interception decision network may include a first basic description variable mining unit a1 and a first interception decision unit a2; the first basic description variable mining unit a1 may include an RNN unit, which may be, for example, a GRU or an LSTM, and a fully-connected unit, and the first interception decision unit a2 may include a first fully-connected unit, a CNN unit, a dimension reduction unit, and a second fully-connected unit.
In the application process of the first access activity interception decision network, according to the RNN unit in the first basic description variable mining unit a1, the access description variable mining may be performed on each access unit included in the target access trigger event to obtain the basic access description variable corresponding to each access unit in the target access trigger event, and then according to the full connection unit in the first basic description variable mining unit a1, the basic access description variable corresponding to each access unit in the target access trigger event is processed to obtain the basic description variable corresponding to each access unit in the target access trigger event. Then, according to the first full connection unit, the CNN unit, the dimension reduction unit, and the second full connection unit in the first interception decision unit a2, the basic description variables respectively corresponding to each access unit in the target access trigger event are sequentially processed, so as to obtain a basic interception decision basis associated with the target access activity.
Step S103: according to a second access activity interception decision network, based on the target access trigger event, making a decision to generate a further interception decision basis related to the target access activity; the second access activity interception decision network is obtained by performing network convergence optimization according to an advanced reference data set, wherein the advanced reference data set comprises a second reference access trigger event and an advanced reference interception basis carried by the second reference access trigger event, and the advanced reference interception basis represents a tag attribute of an access activity corresponding to the second reference access trigger event.
After the information interception system obtains the target access trigger event, the target access trigger event can be further input into a second access activity interception decision network meeting the network deployment requirement, and after the second access activity interception decision network carries out interception prediction on the target access trigger event, an advanced interception decision basis associated with the target access activity is correspondingly generated, and the advanced interception decision basis can be, for example, a confidence coefficient that the target access activity is classified into the intercepted access activity.
And the second access activity interception decision network is obtained by performing network convergence optimization according to the advanced reference data set based on advanced supervised training learning. The difference between advanced supervised training learning and the baseline supervised training learning is that the interception decision basis in the invoked reference data set is comprehensive and accurate; for example, the advanced reference interception basis in the advanced reference data set, which is called when the network convergence optimization is performed on the second access activity interception decision network, is a comprehensive and accurate training reference basis. The advanced reference data set comprises a second reference access triggering event and an advanced reference interception basis carried by the second reference access triggering event. The advanced reference interception criterion corresponding to the second reference access trigger event may be labeled with respect to the access activity corresponding to the second reference access trigger event, and may represent a tag attribute of the access activity corresponding to the second reference access trigger event, that is, comprehensively and accurately represent whether the access activity corresponding to the second reference access trigger event can be classified as an intercepted access activity.
In an exemplary design idea, the second access activity interception decision network may include a second basic description variable mining unit and a second interception decision unit, and in an application process of the second access activity interception decision network, the second access activity interception decision network may first mine a basic description variable corresponding to each access unit in a target access trigger event according to the second basic description variable mining unit; and then, according to the second interception decision unit, based on the basic description variable corresponding to each access unit in the target access trigger event, making a decision to generate a further interception decision basis related to the target access activity.
For example, the second access activity interception decision network comprises a second basic description variable mining unit B01 and a second interception decision unit B02; for example, the second base description variable mining unit B01 may include an RNN unit and a fully-connected unit, the RNN unit may be a GRU or LSTM structure, and the second interception decision unit B02 may include a first fully-connected unit, a CNN unit, a pooling unit, and a second fully-connected unit.
In the application process of the second access activity interception decision network, according to the RNN unit in the second basic description variable mining unit B01, access description variable mining may be performed on each access unit included in the input target access trigger event to obtain the basic access description variable corresponding to each access unit in the target access trigger event; then, according to the fully-connected unit in the second basic description variable mining unit B01, the basic access description variable corresponding to each access unit in the target access trigger event is processed to obtain the basic description variable corresponding to each access unit in the target access trigger event. Then, according to the first fully-connected unit, the CNN unit, the pooling unit, and the second fully-connected unit in the second interception decision unit B02, the basic description variables respectively corresponding to each access unit in the target access trigger event are sequentially processed to obtain an advanced interception decision basis associated with the target access activity.
On the basis that the first access activity interception decision network comprises a first basic description variable mining unit and a first interception decision unit, and the second access activity interception decision network comprises a second basic description variable mining unit and a second interception decision unit, network parameter layers can be arranged in the first basic description variable mining unit and the second basic description variable mining unit in order to improve the network convergence speed of the two interception decision networks. When the first access activity interception decision network and the second access activity interception decision network are trained, the network parameter layers included in the two interception decision networks can use the same network weight information; that is, the network weight information of the network parameter layer in the first access activity interception decision network is synchronously configured in the network parameter layer in the second access activity interception decision network, or the network weight information of the network parameter layer in the second access activity interception decision network is synchronously configured in the network parameter layer in the first access activity interception decision network. The network convergence processes of the two interception decision networks can thus refer to each other, which further improves the network convergence speed and accuracy.
The aforementioned network parameter layer may include at least one of: the RNN units in the first basic description variable mining unit and the second basic description variable mining unit, and the fully-connected units in the first basic description variable mining unit and the second basic description variable mining unit. In other words, in the model training phase, the information interception system may make the RNN unit in the first basic description variable mining unit and the RNN unit in the second basic description variable mining unit use the same network weight information, may make the fully-connected unit in the first basic description variable mining unit and the fully-connected unit in the second basic description variable mining unit use the same network weight information, or may make both the RNN unit and the fully-connected unit in the first basic description variable mining unit use the same network weight information as the RNN unit and the fully-connected unit in the second basic description variable mining unit, respectively.
Step S104: determining a target interception decision basis associated with the target access activity based on the basic interception decision basis and the advanced interception decision basis; the target interception decision basis represents a threat output view of the target access activity.
After obtaining the basic interception decision basis associated with the target access activity according to step S102 and the advanced interception decision basis associated with the target access activity according to step S103, the information interception system may determine the target interception decision basis associated with the target access activity by comprehensively considering the basic interception decision basis and the advanced interception decision basis, where the target interception decision basis represents whether the target access activity can be classified as an intercepted access activity.
For example, where the basic interception decision basis and the advanced interception decision basis are each a confidence level that the target access activity is classified as an intercepted access activity, the information interception system may perform weight fusion on the basic interception decision basis and the advanced interception decision basis based on a set importance parameter. The resulting confidence level is the target interception decision basis associated with the target access activity. If this confidence level is greater than a target confidence level, the target access activity is determined to be classified as an intercepted access activity; if it is not greater than the target confidence level, the target access activity is determined not to belong to the intercepted access activities.
Based on the above steps, a first access activity interception decision network, obtained by network convergence optimization under standard supervised learning, and a second access activity interception decision network, obtained by network convergence optimization under advanced supervised learning, are each used to make an interception decision on the target access activity, so that whether the target access activity can be classified as an intercepted access activity is determined by combining the interception decision bases produced by two interception decision networks trained in different ways. The first access activity interception decision network is obtained by performing network convergence optimization on a basic reference data set labeled according to a benchmark annotation policy. Under the benchmark annotation policy, whether the access activity corresponding to a reference access trigger event in the reference data set can be classified as an intercepted access activity is labeled according to whether, after that access activity is released, a related process is found to have destroyed the access activity maintenance state. Because the first access activity interception decision network assists in deciding whether an access activity can be classified as an intercepted access activity, the requirements on the training data set of the second access activity interception decision network may be reduced; for example, the number of reference data sets invoked when performing network convergence optimization on the second access activity interception decision network may be reduced, thereby reducing the training workload of the second access activity interception decision network.
Therefore, the interception decision accuracy of the access activities can be improved and the network convergence optimization performance can be improved by combining the first access activity interception decision network and the second access activity interception decision network to decide the interception access activities.
In an exemplary design idea, the basic reference data set further includes destruction timing sequence data of an access state corresponding to the first reference access trigger event.
On this basis, if it is found that the access activity maintaining state is configured in a destruction state after the access activity corresponding to the first reference access trigger event is released, the basic reference interception basis indicates that the access activity corresponding to the first reference access trigger event is classified as an intercepted access activity, and the destruction timing sequence data of the access state represents timing interval information between the access activity corresponding to the first reference access trigger event and a comparison access activity, the comparison access activity being the last access activity released before the access activity maintaining state is configured in the destruction state.
In addition, if the access activity maintaining state is not found to be configured in the destruction state after the access activity corresponding to the first reference access trigger event is released, the basic reference interception basis indicates that the access activity corresponding to the first reference access trigger event is classified as a non-intercepted access activity, and the destruction timing sequence data of the access state is the timing interval value of the non-intercepted access activity.
In an exemplary design idea, where the destruction timing sequence data of the access state corresponding to the first reference access trigger event has been added, for step S120, calibrated destruction timing sequence data of the access state may be obtained; for example, the calibrated destruction timing sequence data of the access state is obtained based on the destruction timing sequence data of the access state in the basic reference data set called when performing network convergence optimization on the first access activity interception decision network. Then, according to the first access activity interception decision network, the basic interception decision basis may be generated based on the target access trigger event and the calibrated destruction timing sequence data of the access state.
In another exemplary design concept, the first access activity interception decision network includes a first basic description variable mining unit and a first interception decision unit, and the second access activity interception decision network includes a second basic description variable mining unit and a second interception decision unit.
On this basis, for step S120, for example, the basic description variable corresponding to each access unit in the target access trigger event may be mined according to the first basic description variable mining unit. Then, according to the first interception decision unit, the basic interception decision basis is generated by decision based on the basic description variable corresponding to each access unit in the target access trigger event.
Likewise, for step S130, for example, the basic description variable corresponding to each access unit in the target access trigger event may be mined according to the second basic description variable mining unit. Then, according to the second interception decision unit, the advanced interception decision basis is generated by decision based on the basic description variable corresponding to each access unit in the target access trigger event.
In an exemplary design idea, the first basic description variable mining unit and the second basic description variable mining unit may be configured with network parameter layers holding the same network weight information. The network parameter layer comprises at least one of: a recurrent neural network layer in the first basic description variable mining unit and the second basic description variable mining unit, and a fully connected unit in the first basic description variable mining unit and the second basic description variable mining unit.
In an exemplary design, the first access activity interception decision network and the second access activity interception decision network include network parameter layers with the same network weight information. The first and second access activity interception decision networks may be trained in the following manner:
step S101, according to a first basic access activity interception decision network, based on the first reference access trigger event in the basic reference data set, deciding to generate a first access activity interception decision basis;
step S102, determining a first interception prediction cost based on the first access activity interception decision basis and the basic reference interception basis in the basic reference data set;
step S103, according to the first interception prediction cost, carrying out network convergence optimization on the first basic access activity interception decision network;
step S104, synchronously configuring the network weight information of the network parameter layer in the first basic access activity interception decision network to the network parameter layer in a second basic access activity interception decision network;
step S105, according to the second basic access activity interception decision network, based on the second reference access trigger event in the advanced reference data set, making a decision to generate a second access activity interception decision basis;
step S106, determining a second interception prediction cost based on the second access activity interception decision basis and the advanced reference interception basis in the advanced reference data set;
step S107, according to the second interception prediction cost, network convergence optimization is carried out on the second basic access activity interception decision network;
step S108, synchronously configuring the network weight information of the network parameter layer in the second basic access activity interception decision network to the network parameter layer in the first basic access activity interception decision network;
step S109, determining a target interception prediction cost based on the first interception prediction cost and the second interception prediction cost;
step S1010, performing network convergence optimization on the first basic access activity interception decision network and performing network convergence optimization on the second basic access activity interception decision network in combination according to the target interception prediction cost.
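The alternating schedule of steps S101 to S1010 can be traced with a small runnable sketch. This is an added example, not code from the patent. Assumptions: each network is reduced to one shared tanh layer (standing in for the network parameter layer) plus its own logistic head, the prediction cost is binary cross-entropy, the target cost is the plain sum of the two costs re-evaluated after step S108, and the two labelled data sets are constructed.

```python
import math

# Constructed samples: (feature vector of an access trigger event, label).
# BASE labels follow the benchmark policy (1 = maintaining state destroyed after
# release); ADVANCED labels stand for separately assigned tag attributes.
BASE = [((0.9, 0.8), 1), ((0.8, 0.6), 1), ((0.1, 0.2), 0), ((0.2, 0.1), 0)]
ADVANCED = [((0.7, 0.9), 1), ((0.3, 0.1), 0)]


def new_net():
    # "shared" stands in for the network parameter layer, "head" for the
    # interception decision unit (scale a and bias b). Hypothetical toy model.
    return {"shared": [0.1, 0.1], "head": [0.1, 0.0]}


def predict(net, x):
    """Confidence that the access activity is an intercepted access activity."""
    h = math.tanh(sum(w * xi for w, xi in zip(net["shared"], x)))
    a, b = net["head"]
    return 1.0 / (1.0 + math.exp(-(a * h + b)))


def cost_and_grads(net, data):
    """Mean cross-entropy cost and its gradients for the shared layer and head."""
    a, _ = net["head"]
    cost, g_shared, g_head = 0.0, [0.0] * len(net["shared"]), [0.0, 0.0]
    for x, y in data:
        h = math.tanh(sum(w * xi for w, xi in zip(net["shared"], x)))
        p = predict(net, x)
        cost -= (y * math.log(p) + (1 - y) * math.log(1 - p)) / len(data)
        err = (p - y) / len(data)          # d cost / d logit
        g_head[0] += err * h
        g_head[1] += err
        for i, xi in enumerate(x):
            g_shared[i] += err * a * (1 - h * h) * xi
    return cost, g_shared, g_head


def step(net, g_shared, g_head, lr):
    net["shared"] = [w - lr * g for w, g in zip(net["shared"], g_shared)]
    net["head"] = [w - lr * g for w, g in zip(net["head"], g_head)]


def sync(src, dst):
    """Copy the network parameter layer weights from src to dst."""
    dst["shared"] = list(src["shared"])


def train(rounds=300, lr=0.3):
    net1, net2 = new_net(), new_net()
    history = []                                     # target cost per round
    for _ in range(rounds):
        _, gs, gh = cost_and_grads(net1, BASE)       # S101, S102
        step(net1, gs, gh, lr)                       # S103
        sync(net1, net2)                             # S104
        _, gs, gh = cost_and_grads(net2, ADVANCED)   # S105, S106
        step(net2, gs, gh, lr)                       # S107
        sync(net2, net1)                             # S108
        c1, gs1, gh1 = cost_and_grads(net1, BASE)
        c2, gs2, gh2 = cost_and_grads(net2, ADVANCED)
        history.append(c1 + c2)                      # S109 (sum is an assumption)
        joint = [g1 + g2 for g1, g2 in zip(gs1, gs2)]
        step(net1, joint, gh1, lr)                   # S1010: joint update keeps
        step(net2, joint, gh2, lr)                   # both shared layers identical
    return net1, net2, history


if __name__ == "__main__":
    n1, n2, hist = train()
    print("target cost: first %.3f, last %.3f" % (hist[0], hist[-1]))
    print("shared layers equal:", n1["shared"] == n2["shared"])
```

Each head keeps its own weights throughout; only the shared layer is copied in steps S104 and S108.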
In an exemplary design idea, an embodiment of the present application further provides an interception decision network training method based on artificial intelligence, which may include the following steps:
step Q110, obtaining a weight-initialized access trigger event decision network and a third reference data set; the access trigger event decision network is configured to execute a basic access trigger event decision flow, the access trigger event decision network comprising the network parameter layer; the third reference data set comprises a third reference access triggering event and a carried training reference basis, and the training reference basis represents the label attribute of the third reference access triggering event in the access triggering event decision flow;
step Q120, based on the third reference access trigger event in the third reference data set, deciding to generate a third access activity interception decision basis according to the access trigger event decision network; determining a third interception prediction cost based on the third access activity interception decision basis and a training reference basis in the third reference data set;
step Q130, according to the third interception prediction cost, network convergence optimization is carried out on the access triggering event decision network;
step Q140, synchronously configuring the network weight information of the network parameter layer in the access trigger event decision network to the network parameter layer in the first basic access activity interception decision network or the second basic access activity interception decision network;
On this basis, for the foregoing step S109 and step S1010, the target interception prediction cost may be determined based on the first interception prediction cost, the second interception prediction cost, and the third interception prediction cost, and network convergence optimization is performed jointly on the first basic access activity interception decision network, the second basic access activity interception decision network, and the access trigger event decision network according to the target interception prediction cost.
In an exemplary design idea, an embodiment of the present application further provides an interception decision network training method based on artificial intelligence, which may include the following steps:
step W110, acquiring a description variable mining network initialized by weight and a fourth reference data set; the description variable mining network is configured to mine access description variables corresponding to each access unit in an access triggering event, and comprises the network parameter layer; the fourth reference data set comprises a fourth reference access trigger event;
step W120, mining a decision access description variable corresponding to each access unit in the fourth reference access triggering event according to the description variable mining network;
step W130, determining a forward extended access unit and a backward extended access unit respectively associated with each reference access unit in the fourth reference access trigger event, and determining a fourth interception prediction cost based on a decision access description variable corresponding to each reference access unit in the fourth reference access trigger event, a decision access description variable of a forward extended access unit respectively associated with each reference access unit, and a decision access description variable of a backward extended access unit respectively associated with each reference access unit; performing network convergence optimization on the description variable mining network according to the fourth interception prediction cost;
step W140, network weight information of the network parameter layer in the description variable mining network is configured to the network parameter layer in the first basic access activity interception decision network or the second basic access activity interception decision network synchronously.
In an exemplary design idea, based on the above, for the foregoing step S109 and step S1010, the target interception prediction cost may be determined based on the first interception prediction cost, the second interception prediction cost, and the fourth interception prediction cost, and the network convergence optimization is performed on the first basic access activity interception decision network, the second basic access activity interception decision network, and the description variable mining network in combination according to the target interception prediction cost.
In an exemplary design idea, in step W130, for each reference access unit in the fourth reference access trigger event, the remaining reference access units in the fourth reference access trigger event other than that reference access unit may be determined as the forward extended access units associated with the reference access unit, and the reference access units in the remaining access trigger events other than the fourth reference access trigger event may be determined as the backward extended access units associated with the reference access unit.
In an exemplary design concept, in step W130, the following exemplary steps can be implemented.
Step W131, for each reference access unit in the fourth reference access trigger event, forming a forward extension cluster associated with the reference access unit based on the reference access unit and an associated forward extended access unit, and determining a matching value between the decision access description variable of the forward extended access unit in the forward extension cluster and the decision access description variable of the reference access unit, which is determined as the matching value associated with the forward extension cluster.
Step W132, forming a backward extension cluster associated with the reference access unit based on the reference access unit and an associated backward extended access unit, and determining a matching value between the decision access description variable of the backward extended access unit in the backward extension cluster and the decision access description variable of the reference access unit, which is determined as the matching value associated with the backward extension cluster.
Step W133, for each reference access unit in the fourth reference access trigger event, determining an extension cost associated with the reference access unit based on a matching value associated with each forward extension cluster associated with the reference access unit and a matching value associated with each backward extension cluster associated with the reference access unit.
Step W134, determining the fourth interception prediction cost based on the extension cost respectively associated with each reference access unit in the fourth reference access trigger event.
In an exemplary design idea, in step W133, a plurality of forward-backward extension clusters associated with the reference access unit may be determined according to each forward-extension cluster associated with the reference access unit and each backward-extension cluster associated with the reference access unit; each forward-backward extension cluster comprises one forward extension cluster and one backward extension cluster.
On this basis, for each forward-backward extension cluster associated with the reference access unit, the difference between the matching value associated with the forward extension cluster and the matching value associated with the backward extension cluster in the forward-backward extension cluster is calculated to determine the extension cost associated with the forward-backward extension cluster.
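The cost built up in steps W131 to W134 can be worked through on a small constructed input. This is an added example, not code from the patent. Assumptions the text does not fix: the matching value is cosine similarity, the difference is turned into a cost with a hinge and a margin of 0.5, and costs are averaged over pairs and over reference access units. The description variables are constructed.

```python
import math
from itertools import product


def matching_value(u, v):
    """Cosine similarity between two decision access description variables."""
    dot = sum(a * b for a, b in zip(u, v))
    norm_u = math.sqrt(sum(a * a for a in u))
    norm_v = math.sqrt(sum(b * b for b in v))
    return dot / (norm_u * norm_v)


def unit_extension_cost(ref, forward_units, backward_units, margin=0.5):
    """Steps W131 to W133 for one reference access unit."""
    if not forward_units or not backward_units:
        # A unit with no forward or backward extended units forms no pair.
        raise ValueError("need at least one forward and one backward unit")
    # One matching value per forward extension cluster (ref + forward unit).
    fwd = [matching_value(ref, f) for f in forward_units]
    # One matching value per backward extension cluster (ref + backward unit).
    bwd = [matching_value(ref, b) for b in backward_units]
    # Each forward-backward extension cluster pairs one forward cluster with
    # one backward cluster. Its cost is derived from the difference of the two
    # matching values; the hinge with a margin is an assumption of this example.
    pair_costs = [max(0.0, margin - (mf - mb)) for mf, mb in product(fwd, bwd)]
    return sum(pair_costs) / len(pair_costs)


def fourth_interception_cost(events, index, margin=0.5):
    """Step W134: combine the extension costs of all units in events[index]."""
    event = events[index]
    # Backward extended units: access units of every other trigger event.
    backward = [u for j, e in enumerate(events) if j != index for u in e]
    costs = []
    for i, ref in enumerate(event):
        # Forward extended units: the other access units of the same event.
        forward = event[:i] + event[i + 1:]
        costs.append(unit_extension_cost(ref, forward, backward, margin))
    return sum(costs) / len(costs)


# Constructed description variables: EVENTS[0] plays the fourth reference
# access trigger event, EVENTS[1] is another access trigger event.
EVENTS = [
    [(1.0, 0.0), (3.0, 4.0)],
    [(0.0, 1.0), (4.0, 3.0)],
]

if __name__ == "__main__":
    print("fourth interception prediction cost:",
          round(fourth_interception_cost(EVENTS, 0), 3))
```

With this hinge, a unit contributes no cost once every same-event matching value exceeds every other-event matching value by at least the margin.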
In an exemplary design idea, an embodiment of the present application further provides an interception decision network training method based on artificial intelligence, which may include the following steps:
step R110, acquiring a weight-initialized access trigger event decision network and a weight-initialized description variable mining network, together with a third reference data set and a fourth reference data set; the access trigger event decision network is configured to execute a basic access trigger event decision flow, the description variable mining network is configured to mine access description variables corresponding to each access unit in an access trigger event, and both the access trigger event decision network and the description variable mining network comprise the network parameter layer; the third reference data set comprises a third reference access trigger event and a carried training reference basis, and the training reference basis represents the label attribute of the third reference access trigger event in the access trigger event decision flow; the fourth reference data set comprises a fourth reference access trigger event;
step R120, based on the third reference access trigger event in the third reference data set, deciding to generate a third access activity interception decision basis according to the access trigger event decision network; determining a third interception prediction cost based on the third access activity interception decision basis and a training reference basis in the third reference data set;
step R130, according to the third interception prediction cost, performing network convergence optimization on the access trigger event decision network;
step R140, synchronously configuring the network weight information of the network parameter layer in the access triggering event decision network to the network parameter layer in the description variable mining network;
step R150, mining a decision access description variable corresponding to each access unit in the fourth reference access trigger event according to the description variable mining network; determining a forward extended access unit and a backward extended access unit which are respectively associated with each reference access unit in the fourth reference access trigger event, and determining a fourth interception prediction cost based on a decision access description variable which is respectively corresponding to each reference access unit in the fourth reference access trigger event, a decision access description variable of the forward extended access unit which is respectively associated with each reference access unit, and a decision access description variable of the backward extended access unit which is respectively associated with each reference access unit;
step R160, according to the fourth interception prediction cost, carrying out network convergence optimization on the description variable mining network;
step R170, synchronously configuring network weight information of the network parameter layer in the description variable mining network to the network parameter layer in the first basic access activity interception decision network or the second basic access activity interception decision network;
In an exemplary design idea, for the foregoing step S109 and step S1010, the target interception prediction cost may be determined based on the first interception prediction cost, the second interception prediction cost, the third interception prediction cost, and the fourth interception prediction cost, and network convergence optimization may be performed jointly on the first basic access activity interception decision network, the second basic access activity interception decision network, the access trigger event decision network, and the description variable mining network according to the target interception prediction cost.
Based on the same inventive concept, an information interception system is also provided in the embodiments of the present application. Referring to fig. 2, fig. 2 is a structural diagram of the information interception system 100 provided in the embodiments of the present application. The information interception system 100 may vary considerably with configuration or performance, and may include one or more Central Processing Units (CPUs) 112 (e.g., one or more processors) and a memory 111. The memory 111 may be transient storage or persistent storage. The program stored in the memory 111 may include one or more modules, each of which may include a series of instruction operations for the information interception system 100. Further, the central processor 112 may be configured to communicate with the memory 111 and to execute, on the information interception system 100, the series of instruction operations stored in the memory 111.
The information interception system 100 can also include one or more power supplies, one or more communication units 113, one or more input-output interfaces, and/or one or more operating systems, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
The steps performed by the information interception system in the above embodiment may be based on the structure of the information interception system shown in fig. 2.
In addition, a storage medium is provided in an embodiment of the present application, and the storage medium is used for storing a computer program, and the computer program is used for executing the method provided in the embodiment.
Embodiments of the present application further provide a computer program product including instructions, which when executed on a computer, cause the computer to execute the method provided by the above embodiments.
Those of ordinary skill in the art will understand that all or part of the steps for implementing the method embodiments can be completed by hardware under the control of program instructions. The program can be stored in a computer readable storage medium and, when executed, performs the steps of the method embodiments. The aforementioned storage medium may be at least one of the following media capable of storing program code: Read-only Memory (ROM), RAM, magnetic disk, or optical disk.
It should be noted that, in the present specification, all the embodiments are described in a progressive manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus and system embodiments, since they are substantially similar to the method embodiments, they are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described embodiments of the apparatus and system are merely illustrative, and the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only one specific embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (8)

1. An interception feedback processing method based on big data analysis interception is applied to the information interception system and is characterized by comprising the following steps:
when receiving an access trigger event of a target access activity transmitted in a real-time state by a business service system, generating a corresponding target access trigger event;
according to a first access activity interception decision network, based on the target access trigger event, making a decision to generate a basic interception decision basis related to the target access activity; the first access activity interception decision network is obtained by performing network convergence optimization according to a basic reference data set, the basic reference data set comprises a first reference access trigger event and a basic reference interception basis carried by the first reference access trigger event, the basic reference interception basis is obtained based on whether an access activity maintaining state is configured in a destruction state after releasing access activity corresponding to the first reference access trigger event, and the first reference access trigger event is an access trigger event in past access activity;
according to a second access activity interception decision network, based on the target access trigger event, making a decision to generate an advanced interception decision basis related to the target access activity; the second access activity interception decision network is obtained by performing network convergence optimization according to an advanced reference data set, wherein the advanced reference data set comprises a second reference access trigger event and an advanced reference interception basis carried by the second reference access trigger event, and the advanced reference interception basis represents a tag attribute of an access activity corresponding to the second reference access trigger event;
determining a target interception decision basis associated with the target access activity based on the basic interception decision basis and the advanced interception decision basis, and performing interception decision on the target access activity based on the target interception decision basis to obtain interception feedback data of the target access activity in an interception feedback process after interception is determined; the target interception decision basis represents a threat output viewpoint of the target access activity, wherein on the basis that the basic interception decision basis and the advanced interception decision basis are confidence degrees that the target access activity is classified into the intercepted access activity, based on the set importance parameter, the confidence degree obtained by performing weight fusion on the basic interception decision basis and the advanced interception decision basis is the target interception decision basis associated with the target access activity, if the confidence degree is determined to be greater than the target confidence degree, the target access activity is determined to be classified into the intercepted access activity, and if the confidence degree is determined not to be greater than the target confidence degree, the target access activity is determined not to belong to the intercepted access activity;
adding a plurality of forward feedback knowledge points in the interception feedback data to a forward feedback knowledge graph, and adding a plurality of backward feedback knowledge points in the interception feedback data to a backward feedback knowledge graph;
performing key knowledge entity search on the forward feedback knowledge graph and the backward feedback knowledge graph respectively to obtain a forward key knowledge entity and a backward key knowledge entity associated with each feedback process of interest in the interception feedback process;
combining the forward key knowledge entity and the backward key knowledge entity associated with each feedback process of interest based on the historical frequent entity of the forward feedback knowledge graph and the backward feedback knowledge graph to obtain a combined key knowledge entity of each feedback process of interest;
and generating corresponding interception feedback reference data based on the combined key knowledge entity of each feedback process of interest.
2. The big data analysis interception based interception feedback processing method according to claim 1, wherein said adding a plurality of forward feedback knowledge points in said interception feedback data to a forward feedback knowledge graph comprises:
removing noise fields of each forward feedback knowledge point in the interception feedback data;
performing the following steps for each of the forward feedback knowledge points with the noise field removed:
parsing the forward feedback knowledge point into a plurality of sequential knowledge points based on a first forward feedback sequence, and sequentially adding the sequential knowledge points to the forward feedback knowledge graph based on a second forward feedback sequence, wherein the first forward feedback sequence is opposite to the second forward feedback sequence.
3. The big data analysis interception based interception feedback processing method according to claim 2, wherein before said removing noise fields of each forward feedback knowledge point in said interception feedback data, said method further comprises:
performing relevance cascade on a plurality of forward feedback knowledge points in the interception feedback data to obtain cascaded forward feedback knowledge points;
determining the relevance cost between the head cascaded knowledge point and the tail cascaded knowledge point in the cascaded forward feedback knowledge points;
and when the relevance cost between the head and the tail of the two cascaded knowledge points in the cascaded forward feedback knowledge points is greater than the relevance cost between the head and the tail of the two cascaded knowledge points in the cascaded forward feedback knowledge graph, determining to remove the noise field of each forward feedback knowledge point in the interception feedback data.
4. The big data analysis interception based interception feedback processing method according to claim 1, wherein said adding a plurality of backward feedback knowledge points in said interception feedback data to a backward feedback knowledge graph comprises:
extracting a backward feedback knowledge point distribution from the interception feedback data, wherein the backward feedback knowledge point distribution comprises the plurality of backward feedback knowledge points;
expanding the distribution of the backward feedback knowledge points to obtain a plurality of expanded backward feedback knowledge points respectively associated with the plurality of backward feedback knowledge points;
grouping a plurality of backward feedback knowledge point partitions to the backward feedback knowledge map, wherein the number of the plurality of backward feedback knowledge point partitions is not less than the number of the plurality of extended backward feedback knowledge points;
and sequentially adding the plurality of extended backward feedback knowledge points into the plurality of backward feedback knowledge point partitions, wherein each backward feedback knowledge point partition at most comprises one extended backward feedback knowledge point.
5. The big data analysis interception based interception feedback processing method according to claim 1, wherein said performing key knowledge entity search on said forward feedback knowledge map and said backward feedback knowledge map respectively to obtain forward key knowledge entities and backward key knowledge entities associated with each attention feedback process in said interception feedback flow comprises:
for each attention feedback process in the interception feedback flow, performing the following steps:
performing key knowledge entity search on the position corresponding to the attention feedback process in the forward feedback knowledge map to obtain a forward key position of the attention feedback process;
performing key knowledge entity search on the position corresponding to the attention feedback process in the backward feedback knowledge map to obtain a backward key position of the attention feedback process;
determining a forward key knowledge entity associated with the attention feedback process based on the forward key position of the attention feedback process;
and determining a backward key knowledge entity associated with the attention feedback process based on the backward key position of the attention feedback process.
6. The big data analysis interception based interception feedback processing method according to claim 5, wherein said determining the forward key knowledge entity associated with the attention feedback process based on the forward key location of the attention feedback process comprises:
parsing the forward key position of the attention feedback process into a sequence knowledge point attribute, and taking a forward key knowledge entity corresponding to the sequence knowledge point attribute as the forward key knowledge entity of the attention feedback process;
the determining the backward key knowledge entity associated with the attention feedback process based on the backward key position of the attention feedback process comprises:
parsing the backward key position of the attention feedback process into a backward feedback knowledge point attribute, and taking a backward key knowledge entity corresponding to the backward feedback knowledge point attribute as the backward key knowledge entity of the attention feedback process.
7. The big data analysis interception based interception feedback processing method according to claim 1, wherein said combining the forward key knowledge entity and the backward key knowledge entity associated with each attention feedback process based on the historical frequent entities of the forward feedback knowledge graph and the backward feedback knowledge graph to obtain the combined key knowledge entity of each attention feedback process comprises:
performing the following steps for each attention feedback process:
determining a first frequent item attribute corresponding to the attention feedback process based on the historical frequent item entity of the forward feedback knowledge graph, and determining a second frequent item attribute corresponding to the attention feedback process based on the historical frequent item entity of the backward feedback knowledge graph;
and based on the first frequent item attribute and the second frequent item attribute, performing combination of matched frequent item attributes on the forward key knowledge entity associated with the attention feedback process and the backward key knowledge entity associated with the attention feedback process to obtain a combined key knowledge entity of the attention feedback process.
8. An information interception system, comprising:
a processor;
a memory having stored therein a computer program that, when executed, implements the big data analytics interception based interception feedback processing method of any of claims 1-7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210830243.2A CN115033715A (en) 2021-12-07 2021-12-07 Interception feedback processing method based on big data analysis interception and information interception system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111483892.1A CN114117079B (en) 2021-12-07 2021-12-07 Interception feedback processing method based on big data analysis interception and information interception system
CN202210830243.2A CN115033715A (en) 2021-12-07 2021-12-07 Interception feedback processing method based on big data analysis interception and information interception system

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN202111483892.1A Division CN114117079B (en) 2021-12-07 2021-12-07 Interception feedback processing method based on big data analysis interception and information interception system

Publications (1)

Publication Number Publication Date
CN115033715A true CN115033715A (en) 2022-09-09

Family

ID=80367886

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202210830243.2A Withdrawn CN115033715A (en) 2021-12-07 2021-12-07 Interception feedback processing method based on big data analysis interception and information interception system
CN202111483892.1A Active CN114117079B (en) 2021-12-07 2021-12-07 Interception feedback processing method based on big data analysis interception and information interception system

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN202111483892.1A Active CN114117079B (en) 2021-12-07 2021-12-07 Interception feedback processing method based on big data analysis interception and information interception system

Country Status (1)

Country Link
CN (2) CN115033715A (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115168848B (en) * 2022-09-08 2022-12-16 南京鼎山信息科技有限公司 Interception feedback processing method based on big data analysis interception

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110324313B (en) * 2019-05-23 2022-12-13 平安科技(深圳)有限公司 Honeypot system-based malicious user identification method and related equipment
US11128753B2 (en) * 2019-07-30 2021-09-21 At&T Intellectual Property I, L.P. Intercepting and challenging unwanted phone calls
CN111460174A (en) * 2020-04-03 2020-07-28 中国建设银行股份有限公司 Resume abnormity detection method and system based on entity knowledge reasoning
CN112073374B (en) * 2020-08-05 2023-03-24 长沙市到家悠享网络科技有限公司 Information interception method, device and equipment
CN113411342A (en) * 2021-06-25 2021-09-17 深圳市合美鑫精密电子有限公司 Big data-based information security risk identification method and artificial intelligence security system
CN113239065A (en) * 2021-06-25 2021-08-10 深圳市合美鑫精密电子有限公司 Big data based security interception rule updating method and artificial intelligence security system
CN113722719A (en) * 2021-09-01 2021-11-30 何景隆 Information generation method and artificial intelligence system for security interception big data analysis
CN114244588B (en) * 2021-12-06 2023-01-03 中咨数据有限公司 Big data analysis interception method and information interception system applying artificial intelligence analysis

Also Published As

Publication number Publication date
CN114117079B (en) 2022-10-11
CN114117079A (en) 2022-03-01

Similar Documents

Publication Publication Date Title
Ruan et al. An efficient spectral algorithm for network community discovery and its applications to biological and social networks
Petrenko et al. Problem of developing an early-warning cybersecurity system for critically important governmental information assets
US10282542B2 (en) Information processing apparatus, information processing method, and computer readable medium
Oo et al. An efficient predictive analytics system for high dimensional big data
CN111709022B (en) Hybrid alarm association method based on AP clustering and causal relationship
CN115563610B (en) Training method, recognition method and device for intrusion detection model
US20230281516A1 (en) Intelligent Data Partitioning for Distributed Machine Learning Systems
CN114117079B (en) Interception feedback processing method based on big data analysis interception and information interception system
Dener et al. Stlgbm-dds: An efficient data balanced dos detection system for wireless sensor networks on big data environment
Di Mauro et al. A framework for Internet data real-time processing: A machine-learning approach
Hegazy et al. A mapreduce fuzzy techniques of big data classification
Hasanin et al. A comparison of performance metrics with severely imbalanced network security big data
CN114244588B (en) Big data analysis interception method and information interception system applying artificial intelligence analysis
CN115048370A (en) Artificial intelligence processing method for big data cleaning and big data cleaning system
US20220277219A1 (en) Systems and methods for machine learning data generation and visualization
US11436412B2 (en) Predictive event searching utilizing a machine learning model trained using dynamically-generated event tags
Shang et al. A DP canopy k-means algorithm for privacy preservation of hadoop platform
CN115883172A (en) Anomaly monitoring method and device, computer equipment and storage medium
Milutinovic et al. Performance of arithmetic optimization algorithm for ELM tuning applied to IoT security
Seelammal et al. Computational intelligence in intrusion detection system for snort log using hadoop
Yin et al. Experimental study on fighters behaviors mining
Massone et al. Machine learning for flare forecasting
Padavala et al. Big data feature selection model for intrusion detection using data analytics
CN115086000B (en) Network intrusion detection method and system
EP4191947A1 (en) Blocking or allowing a file stream associated with a file based on an initial portion of the file

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220909
