CN112395431A - Method for constructing behavior model, electronic device and electronic equipment - Google Patents


Publication number
CN112395431A
Authority
CN
China
Prior art keywords
logical
model
physical layer
layer
physical
Prior art date
Legal status
Granted
Application number
CN202110061124.0A
Other languages
Chinese (zh)
Other versions
CN112395431B (en)
Inventor
陆先玉
马聪
Current Assignee
Beijing Jingwei Technology Co ltd
Original Assignee
Beijing Jingwei Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Jingwei Technology Co ltd filed Critical Beijing Jingwei Technology Co ltd
Priority to CN202110061124.0A priority Critical patent/CN112395431B/en
Publication of CN112395431A publication Critical patent/CN112395431A/en
Application granted granted Critical
Publication of CN112395431B publication Critical patent/CN112395431B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/36 Creation of semantic tools, e.g. ontology or thesauri
    • G06F16/367 Ontology

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Animal Behavior & Ethology (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present disclosure provides a method, an electronic apparatus and an electronic device for constructing a behavior model. The method comprises the following steps: receiving a first operation of a user on an element in a physical layer; determining an element in the physical layer based on the received first operation; receiving a second operation of the user on an element in a logical layer; determining an element in the logical layer based on the received second operation; associating the element in the physical layer with the element in the logical layer based on the first operation and the second operation; constructing a behavior model based on the association of the elements in the physical layer and the elements in the logical layer; wherein the behavior model is used to construct a knowledge graph, and wherein the physical layer model is a generic model that is pre-constructed based on a prior data set that is not specific to a target data set, wherein the target data set is the data set used to construct the knowledge graph.

Description

Method for constructing behavior model, electronic device and electronic equipment
Technical Field
The present disclosure relates to a knowledge graph, and more particularly, to a method, an electronic device, and an electronic apparatus for constructing a behavior model, which may be used to construct a knowledge graph.
Background
Knowledge graph technology is a modern theory that achieves multi-disciplinary fusion by combining the theories and methods of disciplines such as applied mathematics, graphics, information visualization and information science with methods such as bibliometric citation analysis and co-occurrence analysis, and by using visual graphs to vividly display the core structure, development history, frontier fields and overall knowledge framework of a discipline. It displays a complex knowledge field through data mining, information processing, knowledge measurement and graph drawing, reveals the dynamic development rules of the knowledge field, and provides a practical and valuable reference for subject research.
The knowledge graph has huge data amount and strong analysis capability, so that the knowledge graph provides various possibilities for massive analysis of data. However, the conventional knowledge graph must be implemented by professional data analysis or code writing work of developers, and cannot be used by people who know the business but do not understand the analysis and development, which hinders the application of the knowledge graph.
Disclosure of Invention
The present disclosure has been made in view of the above problems. The present disclosure provides a method, an electronic apparatus, an electronic device, and a computer-readable storage medium for constructing a behavior model.
According to an aspect of the present disclosure, there is provided a method for constructing a behavior model, the method including: receiving a first operation of a user on an element in a physical layer; determining an element in the physical layer based on the received first operation; receiving a second operation of the user on an element in a logical layer; determining an element in the logical layer based on the received second operation; associating the element in the physical layer with the element in the logical layer based on the first operation and the second operation; constructing a behavior model based on the association of the elements in the physical layer and the elements in the logical layer; wherein the behavior model is used to construct a knowledge graph, and wherein the physical layer model is a generic model that is pre-constructed based on a prior data set that is not specific to a target data set, wherein the target data set is the data set used to construct the knowledge graph.
According to another aspect of the present disclosure, there is provided an electronic apparatus for building a behavior model, comprising: a receiving unit for receiving a first operation of a user on an element in a physical layer and a second operation of the user on an element in a logical layer; and a behavior model construction unit for: determining an element in the physical layer based on the received first operation; determining an element in the logical layer based on the received second operation; associating the element in the physical layer with the element in the logical layer based on the first operation and the second operation; constructing a behavior model based on the association of the elements in the physical layer and the elements in the logical layer; wherein the behavior model is used to construct a knowledge graph, and wherein the physical layer model is a generic model that is pre-constructed based on a prior data set that is not specific to a target data set, wherein the target data set is the data set used to construct the knowledge graph.
According to yet another aspect of the present disclosure, there is provided an electronic device for building a behavior model, the electronic device including: a processor and a memory having stored thereon processor-executable instructions that, when executed by the processor, cause the processor to perform a method for building a behavioral model according to an embodiment of the present disclosure.
According to yet another aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon processor executable instructions which, when executed by a processor, cause the processor to perform a method for building a behavior model according to an embodiment of the present disclosure.
As will be described in detail below, according to the method for constructing a behavior model, the electronic apparatus, the electronic device, and the computer-readable storage medium of the embodiments of the present disclosure, a behavior model that can be used for constructing a knowledge graph is constructed through simple graphical interaction, so that the difficulty of developing the knowledge graph is reduced and business personnel can also develop the knowledge graph, thereby reducing or eliminating the need for business personnel to learn professional development knowledge or rely on professional developers. Furthermore, the construction of behavior models according to embodiments of the present disclosure is based on ontologies and digital twins, enabling knowledge graph technologies to be described in plain, easy-to-understand business language. Further, the behavior model according to the embodiment of the present disclosure is constructed on a physical layer model that is a generic model, built in advance from a prior data set that is not specific to the target data set; it is therefore easy to extend and can be applied to the construction of various knowledge graphs.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and are intended to provide further explanation of the claimed technology, and are not intended to limit the technical concepts of the present disclosure.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent by describing in more detail embodiments of the present disclosure with reference to the attached drawings. The accompanying drawings are included to provide a further understanding of the embodiments of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the principles of the disclosure and not to limit the disclosure. In the drawings, like reference numbers generally represent like parts or steps.
FIG. 1 illustrates a network environment to which a method for building a behavioral model according to an embodiment of the present disclosure may be applied;
FIG. 2 illustrates an example architecture diagram of a knowledge-graph according to an embodiment of the present disclosure;
FIG. 3 illustrates an example knowledge graph of a network system according to an embodiment of the present disclosure;
FIG. 4 is an example flow diagram of a method for building a behavioral model according to an embodiment of the present disclosure;
FIG. 5 is an example flow diagram of a method of building a knowledge graph using a behavior model according to an embodiment of the present disclosure;
FIG. 6 is an example flow diagram of generating graphical function blocks in a logical layer model according to an embodiment of the present disclosure;
FIG. 7 is an example flow diagram of building a physical layer model according to an embodiment of the disclosure;
FIG. 8A and FIG. 8B are schematic diagrams for explaining processing of a constructed physical layer diagram according to an embodiment of the present disclosure;
FIG. 9 is an example flow diagram of preprocessing a prior data set for building a physical layer model according to an embodiment of the present disclosure;
FIG. 10 is a schematic diagram of a firewall system for illustrating a method for building a behavioral model according to an embodiment of the present disclosure;
FIG. 11 illustrates an example theoretical behavior model of the firewall system shown in FIG. 10, in accordance with an embodiment of the present disclosure;
FIG. 12 illustrates an example of preprocessing a prior data set of the firewall system shown in FIG. 10, according to an embodiment of the present disclosure;
FIG. 13 illustrates an example physical layer model of the firewall system shown in FIG. 10 constructed in accordance with embodiments of the disclosure;
FIG. 14 is an exemplary diagram illustrating the construction of a logical layer model of the firewall system shown in FIG. 10, according to an embodiment of the present disclosure;
FIG. 15 is an exemplary diagram for explaining the construction of a behavior model of the firewall system shown in FIG. 10 according to an embodiment of the present disclosure;
FIG. 16 illustrates an example knowledge-graph of the firewall system shown in FIG. 10 generated from the behavioral model constructed as shown in FIG. 15;
FIG. 17 illustrates an electronic device for building a behavioral model according to an embodiment of the present disclosure; and
FIG. 18 shows an electronic device for building a behavior model, in accordance with embodiments of the present disclosure.
Detailed Description
The technical scheme of the disclosure is clearly and completely described in the following with reference to the accompanying drawings. It is to be understood that the described embodiments are only a few, and not all, of the disclosed embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
In the description of the present disclosure, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", and the like indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of describing and simplifying the present disclosure, but do not indicate or imply that the referred device or element must have a specific orientation, be constructed and operated in a specific orientation, and thus, should not be construed as limiting the present disclosure. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. Also, the use of the terms "a," "an," or "the" and similar referents do not denote a limitation of quantity, but rather denote the presence of at least one. The word "comprising" or "comprises", and the like, means that the element or item appearing before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect.
In the description of the present disclosure, it is to be noted that the terms "mounted," "coupled," and "connected" are to be construed broadly unless otherwise explicitly stated or limited. For example, a connection can be fixed, detachable or integrated; it can be mechanical or electrical; the elements may be connected directly or indirectly through intervening media, or the connection may be an internal communication between two elements. The specific meaning of the above terms in the present disclosure can be understood in specific instances by those of ordinary skill in the art.
In addition, technical features involved in different embodiments of the present disclosure described below may be combined with each other as long as they do not conflict with each other.
With the development of computer technology, mobile terminals, the internet and the like, modern life is closely connected with information data. More and more people or organizations and their activities in physical space are being digitized. It can be said that with the development of information technology, a digital world (i.e., a virtual world formed of data) has been formed that can reflect a person or an organization in the real world and its activities in the real world. Mapping a person or an organization and its activities in the real world to the digital world is called a digital twin. The digital world formed by the digital twinning technology can contribute to the development of various industries.
People or organizations and their activities in the real world are complex, so how to reflect them in the digital world is a considerable problem. Scholars have proposed performing digital twinning through ontology. Ontology is a theory that explores the origin or substrate of the world. In essence, it studies the nature of things and seeks their basic particles and operating rules. For the digital twin, the core of building the digital world through ontology is to find the "basic particles" and the "operating rules" of the digital world.
The present disclosure proposes a method, an electronic apparatus, an electronic device, and a computer-readable storage medium for constructing a behavior model based on digital twin and ontology. As will be described in detail below with reference to the accompanying drawings, the present disclosure graphically builds a behavioral model that can be used to build a knowledge graph of a network system based on "base particles" and "run rules" of the network system.
For convenience of description and better understanding of the present disclosure by those skilled in the art, some terms that will be used hereinafter in the present disclosure are explained herein.
In the context of the present disclosure:
A concrete physical body may refer to: an indivisible basic information body in the physical space of the network, such as "IP (218.89.222.212)", "MAC (C8-5B-76-7B-31-5F)" or "port (8080)", stored in a data structure.
An abstract physical body may be an abstraction of a class of concrete physical bodies having features of a common nature, such as "IP", "MAC" or "port", etc.
The physical layer model may refer to: a model composed of abstract physical bodies that can extract, from the input data, the concrete physical bodies corresponding to the abstract physical bodies and the relationships between them (e.g., physical layer model 1300 as shown in FIG. 13).
A concrete logical body may refer to: an information body required by the business logic, such as "segment A", "device A", or "Zhang San", etc.
An abstract logical body may be an abstraction of a class of concrete logical bodies having features of a common nature, such as a "segment," "device," or "person," etc.
The logical layer model may refer to: a model (e.g., logical layer model 1400 as shown in fig. 14) comprised of abstract logical bodies and/or relationships therebetween.
The behavior model may refer to: a model that associates at least an abstract logical body in the logical layer model with an abstract physical body in the physical layer model, and that can extract, from the input data (i.e., the target system), the concrete logical bodies corresponding to the abstract logical bodies and the relationships between them (e.g., behavior model 1500 as shown in FIG. 15).
FIG. 1 illustrates a network environment to which a method for building a behavior model according to an embodiment of the present disclosure may be applied. As shown in FIG. 1, such a network environment may include a first system 110, a second system 120, and a third system 130. The first system 110, the second system 120, and the third system 130 are interconnected by a network 140. The first system 110 may include a server 110_2 and clients 110_4 and 110_6. The server 110_2 and the clients 110_4 and 110_6 are interconnected through a network 110_8. The second system 120 may include a server 120_2 and clients 120_4, 120_6, and 120_8. The server 120_2 and the clients 120_4, 120_6, and 120_8 are interconnected through the network 120_10. The third system 130 may include a server 130_2 and clients 130_4, 130_6, 130_8, and 130_10. The server 130_2 and the clients 130_4 and 130_6 are interconnected through the network 130_12, and the server 130_2 and the clients 130_8 and 130_10 are interconnected through the network 130_14.
In one implementation, the first system 110 may be a system implementing a method for building a behavioral model according to embodiments of the present disclosure, and the second system 120 and the third system 130 are target systems. The first system 110 may build a behavioral model for the second system 120 and/or the third system 130 by implementing a method for building a behavioral model according to an embodiment of the present disclosure. The knowledge-graph of the second system 120 and/or the third system 130 may then be constructed through the behavioral models constructed for the second system 120 and/or the third system 130. In another implementation, the method for building a behavioral model according to embodiments of the present disclosure may be implemented by a server (e.g., the server 110_2 of the first system) and/or a client device (e.g., the client 110_4 of the first system) in the respective systems. In yet another embodiment, data may be collected from a system (e.g., the first system 110) and then the method for building a behavioral model according to an embodiment of the present disclosure may be implemented by another system not connected thereto (e.g., a fourth system not shown in FIG. 1 that is not connected to the first system).
Servers 110_2, 120_2, and 130_2 in this disclosure refer to devices that provide computing services, including but not limited to file servers, database servers, application servers, WEB servers, and the like. The client devices 110_4 and 110_6 and the like in the present disclosure include, but are not limited to, a mobile terminal or a fixed terminal having data processing capability, such as a notebook computer, a desktop computer, a smart phone, a tablet computer and the like. Further, networks 140 and 110_8, etc. in the present disclosure include, but are not limited to, wireless fidelity (Wi-Fi) networks, Wireless Local Area Networks (WLANs), Local Area Networks (LANs), and/or Metropolitan Area Networks (MANs), etc.
It should be understood that although in FIG. 1 the network environment to which the method for building a behavior model according to the embodiment of the present disclosure may be applied includes three systems (the first system 110, the second system 120, and the third system 130), this is merely an example and not a limitation of the present disclosure. That is, the network environment to which the method may be applied may include more or fewer than three systems, and each system may include more or fewer servers or clients than illustrated in FIG. 1. In addition, the three systems described in FIG. 1 can also be regarded as one system.
A knowledge graph is a series of different graphs that display the development process and structural relationships of knowledge; it uses visualization technology to describe knowledge resources and their carriers, and to mine, analyze, construct, draw and display knowledge and the interrelations among them. FIG. 2 illustrates an example architecture diagram of a knowledge graph according to an embodiment of the present disclosure. As shown in FIG. 2, in the present disclosure, knowledge may be composed of bodies and relationships. The body may include an abstract logical body, an abstract physical body, and a concrete physical body, etc.; relationships may include relationships between abstract logical bodies, relationships between concrete physical bodies and relationships between abstract physical bodies, and so forth. As shown in FIG. 2, a concrete physical body may be associated with a concrete logical body, for example, "device ID A" may be associated with "device A", and in some cases, the concrete physical body may also be referred to as an attribute of the concrete logical body, thereby constituting the relationship. An abstract logical body is an abstraction of a concrete logical body, i.e., a collection of a class of concrete logical bodies that have essential properties in common, e.g., "device" is a collection of multiple concrete devices, e.g., "device A", "device B", and "device C". As also shown in FIG. 2, in the present disclosure, relationships between concrete physical bodies may reflect relationships between abstract physical bodies and relationships between concrete logical bodies, i.e., relationships between concrete physical bodies may map to or be associated with relationships between abstract physical bodies and relationships between concrete logical bodies; and the relationship between concrete logical bodies may reflect the relationship between abstract logical bodies. For example, suppose the relationship between the concrete physical bodies "device ID A" and "device ID B" is "access", i.e., "device ID A", "access", "device ID B". Since the concrete physical bodies "device ID A" and "device ID B" are associated with the concrete logical bodies "device A" and "device B", respectively, the relationship "access" between "device ID A" and "device ID B" may be mapped to the relationship between the concrete logical bodies "device A" and "device B", i.e., the relationship between the concrete logical bodies "device A" and "device B" may be "access". Since the relationship between the concrete logical bodies "device A" and "device B" may be "access", the relationship between the abstract logical bodies "device" and "device" associated therewith may be "access". For another example, the relationship between the concrete physical bodies "IP A" and "device ID A" is a "one-to-one correspondence", and thus the relationship between the abstract physical bodies "IP" and "device ID" associated therewith may be a "one-to-one correspondence". It should be understood that the architecture diagram of the knowledge graph shown in FIG. 2 is an example only, and not a limitation of the present disclosure. For example, in some embodiments, the body may further include an abstract physical body, and the relationship may further include a relationship between the concrete physical body and the concrete logical body and a relationship between the abstract physical body and the abstract logical body.
The architecture of the knowledge graph as shown in fig. 2 is based on ontologies and digital twins, and by associating elementary particles in the digital world, namely "concrete physical subjects" and the relationships between them, with "abstract physical subjects", "concrete logical subjects" and "abstract logical subjects" and the relationships between them, a mapping of the digital world to the real world is achieved, enabling the description of the knowledge graph technology in a colloquially understandable business language.
FIG. 3 illustrates an example knowledge graph of a network system according to an embodiment of the present disclosure. As shown in FIG. 3, in the present disclosure, a body may be represented by a circle and a relationship may be represented by an arrow. The example knowledge graph shown in FIG. 3 includes the concrete physical bodies "IP A", "IP B", "IP C", and "IP D"; the concrete logical bodies "segment A", "segment B", and "segment C", and "device A" and "device B"; and the abstract logical bodies "segment" and "device". The relationship between the concrete physical bodies "IP A", "IP B", "IP C" and "IP D" and the concrete logical bodies "segment A", "segment B" and "segment C" may be a "belonging" relationship, which may be represented by unidirectional arrow 330. The relationship between the concrete logical bodies "segment A" and "segment B" may be an "allowed" relationship, which may be represented by unidirectional arrow 310, indicating that "segment A" may access "segment B" but "segment B" may not access "segment A". The relationship between the concrete logical bodies "segment B" and "segment C" is a "bidirectional permission" relationship, which may be represented by bidirectional arrow 320, indicating that "segment A" may access "segment B" and "segment B" may access "segment A". The relationship between the concrete physical bodies "IP A" and "IP C" and the concrete logical bodies "device A" and "device B" may be a "one-to-one" relationship, i.e., an "attribute" relationship; in other words, "IP A" may be referred to as an attribute of "device A", which may be represented by unidirectional arrow 360. The relationship between the concrete logical bodies "device A" and "device B" and the abstract logical body "device" may be a "belonging" relationship, which may be represented by unidirectional arrow 350. Since the relationship between "IP A" and "IP B" and "device A" and "device B" is a "one-to-one" relationship, and the relationship between "IP A" and "IP B" and "segment A" and "segment C" is a "belonging" relationship, the relationship between the concrete logical bodies "device A" and "device B" and the other concrete logical bodies "segment A" and "segment C" may be a "belonging" relationship, which may be represented by unidirectional arrow 370, and the relationship between the abstract logical body "device" and the other abstract logical body "segment" is also a "belonging" relationship, which is represented by unidirectional arrow 340. In the present disclosure, relationships may include static relationships, such as "allow" or "block" between network segments, and may also include dynamic relationships, such as real-time "access" of a device to a network segment.
When storing a knowledge graph as shown in FIG. 3, the knowledge graph may be stored using multivariate data (e.g., triples). For example, the triple {segment A, allowed, segment B} may be used to store the bodies "segment A" and "segment B" shown in FIG. 3 and the relationship "allowed" between them. It should be understood that the knowledge graph illustrated in FIG. 3 and the method of storing the knowledge graph as multivariate data are merely examples and not a limitation of the present disclosure.
In the above, the present disclosure describes, in conjunction with fig. 1-3, a network environment and a knowledge graph to which a method for building a behavior model according to an embodiment of the present disclosure may be applied. Hereinafter, the present disclosure will describe a method for constructing a behavior model and a method for constructing a knowledge graph by the constructed behavior model according to an embodiment of the present disclosure in conjunction with fig. 4 to 9.
FIG. 4 is an example flow diagram of a method for building a behavioral model according to an embodiment of the present disclosure. As depicted in fig. 4, a method for building a behavioral model according to an embodiment of the present disclosure begins at step S410. At step S410, a first operation, e.g., a mouse click operation, by a user on an element (e.g., a device ID) in the physical layer is received. In one embodiment, the elements in the physical layer comprise abstract physical bodies. In another embodiment, the elements in the physical layer include both abstract physical bodies and relationships between abstract physical bodies. Thereafter, based on the received first operation, an element in the physical layer is determined (step S420). After that, the method proceeds to step S430. At step S430, a second operation, e.g., a mouse click operation, by the user on an element (e.g., a device) in the logical layer is received. In one embodiment, the elements in the logical layer comprise abstract logical bodies. In another embodiment, the elements in the logical layer include both an abstract logical body and a relationship between the abstract logical body. Thereafter, based on the received second operation, an element in the logical layer is determined. After determining the elements in the physical layer and the elements in the logical layer, the method proceeds to step S450. At step S450, elements in the physical layer are associated with elements in the logical layer based on the first operation and the second operation. Thereafter, the method proceeds to step S460, at which step S460 a behavioral model is constructed based on the association of the elements in the physical layer with the elements in the logical layer. The constructed behavior model can be used to construct a knowledge graph, the specific method of which will be described in detail later in conjunction with fig. 5. 
In the present disclosure, the physical layer model is a generic model that is pre-constructed based on a prior data set that is not specific to a target data set, wherein the target data set is the data set used to construct the knowledge-graph.
In one embodiment, the physical layer model and/or the logical layer model may have been previously developed by a developer, and the business personnel only operate on the elements (e.g., the first operation and the second operation as described above) in the physical layer model and the logical layer model developed by the developer. Alternatively, in another embodiment, the physical layer model and/or the logical layer model may be built by the business person themselves based on the methods described below in connection with fig. 6-9. In the present disclosure, a developer refers to a person having code development ability, and a business person refers to a person having business knowledge but almost no code development ability. Of course, persons having both business knowledge and code development capabilities may also implement the method for building a behavioral model according to embodiments of the present disclosure.
The method for constructing a behavior model described above in conjunction with fig. 4 constructs a behavior model that can be used for constructing a knowledge graph by simply operating on elements in the physical layer model and the logical layer model. This reduces the difficulty of developing the knowledge graph and enables business personnel to develop it, thereby reducing or eliminating the need for business personnel to learn professional development knowledge or rely on professional developers. Furthermore, the construction of behavioral models according to embodiments of the present disclosure is based on ontologies and digital twins, enabling knowledge graph technologies to be described in popular and easy-to-understand business languages. Further, the behavioral model according to the embodiment of the present disclosure is constructed on a physical layer model that is a generic model, built in advance from a prior data set that is not specific to the target data set, and thus is easy to expand and can be applied to the construction of various knowledge graphs.
In one embodiment, the method for building a behavior model according to the embodiment of the disclosure may further include displaying a connection line connecting the element in the physical layer and the element in the logical layer based on the association between them, which makes operation more convenient for an operator (e.g., a business person) and further reduces the difficulty of developing a knowledge graph.
FIG. 5 is an example flow diagram of a method of building a knowledge graph using a built behavioral model in accordance with an embodiment of the present disclosure. As shown in fig. 5, the method starts at step S510. At step S510, a target data set, such as the data set of system 110 or 120 or 130 in fig. 1, is received. After the target data set is received, the concrete logical bodies in the target data set and the relationships between concrete logical bodies are determined through the behavioral model (S520), wherein a concrete logical body corresponds to an abstract logical body in the behavioral model. Thereafter, a knowledge graph is constructed based on the determined concrete logical bodies and the relationships between them (S530). Theoretically, the behavior model according to the embodiment of the present disclosure may extract concrete logical bodies and the relationships between them from the input target data set, and a knowledge graph may then be constructed based on what the behavior model extracted.
Specifically, in one embodiment, a node may be created for each concrete logical body, and then a connecting line between concrete logical bodies may be created based on the determined relationship between them (e.g., as shown in FIG. 3). The constructed knowledge graph can be used in various scenarios and applications, such as data analysis, information security, and the like. In one embodiment, the constructed knowledge graph may be used to determine or predict security anomalies in the target system corresponding to the target data set, such as an unauthorized user accessing a certain website, and so forth.
With respect to the construction of the behavioral model, as previously described, it is performed by associating elements in the physical layer with elements in the logical layer. Thus, the physical layer model and the logical layer model may be built prior to building the behavioral model.
In one implementation, a theoretical behavior model may be constructed prior to constructing the behavior model. Illustratively, abstract physical bodies and abstract logical bodies, together with relationships between abstract physical bodies, relationships between abstract logical bodies, and/or relationships between abstract physical bodies and abstract logical bodies, may be extracted from a large number of technical documents associated with a system. The required abstract physical bodies, abstract logical bodies and relationships are then selected from those extracted, based on conditions such as design requirements, system characteristics, and/or the number of times or probability that they occur. This may simplify the construction of the entire behavior model. After the required abstract physical and logical bodies and their relationships have been extracted, a theoretical behavioral model can be constructed based on them.
After the theoretical behavior model is built, a logical layer model may be built based on the extracted abstract logical bodies and their relationships. In one embodiment, the logical layer model may be built graphically through the flow shown in FIG. 6. At step S610, a third operation of the user is received, e.g., a mouse click on the abstract logical body "segment" in a predefined logical layer 1430 in fig. 14. At step S620, based on the received third operation, the element in the predefined logical layer for which a graphic function block is to be generated is determined. For example, after a mouse click on the abstract logical body "segment" in fig. 14, it is determined that the element in the predefined logical layer 1430 for which the graphic function block is to be generated is the logical body "segment". At step S630, a fourth operation of the user, e.g., a drag operation, is received, e.g., dragging the abstract logical body "segment" from the predefined logical layer 1430 to the behavioral model construction area 1440. Thereafter, based on the received fourth operation, a graphic function block, e.g., the graphic function block "segment" in fig. 14, is generated.
With respect to the building of the physical layer model, in one embodiment, the physical layer model may be built by the process illustrated in FIG. 7. As shown in fig. 7, an example method for building a physical layer model according to an embodiment of the present disclosure may begin with step S710. At step S710, a prior data set is preprocessed. In one embodiment, the preprocessing may include at least one of: logic processing, data operation, data cleaning, data conversion, data understanding, data enrichment and Natural Language Processing (NLP) content identification. Data conversion converts the data into a specified format for subsequent processing. Data enrichment enriches data in the prior data set based on existing or known knowledge, making the data more complete and useful. For example, assuming that the prior data set includes only flight numbers, data enrichment may supplement the flight information, such as flight time, departure point, and/or destination, based on the flight number.
After that, the method proceeds to step S720. At step S720, a physical layer model is constructed based on the preprocessed prior data set. In one embodiment, a physical layer graph may be constructed based on the preprocessed prior data set, and then a physical layer model may be constructed based on the constructed physical layer graph, i.e., abstract physical bodies and/or relationships between abstract physical bodies may be extracted from the constructed physical layer graph. In one embodiment, prior to extracting abstract physical bodies and/or relationships between abstract physical bodies from a physical layer graph, the physical layer graph may be processed to enrich and/or simplify it. Specifically, relationships between concrete physical bodies may be added to the constructed physical layer graph, and/or some of the concrete physical bodies in it may be deleted, as shown in fig. 8A and 8B.
FIG. 8A is an example of a physical layer graph constructed based on a preprocessed prior data set. The physical layer graph shown in fig. 8A includes five concrete physical bodies A, B, C, D and E. The relationships between them are: A to B, B to C and C to D have single connectivity relationships 810, 820, and 830 (e.g., A can access B but B cannot access A), and E is an isolated concrete physical body. In processing the physical layer graph shown in FIG. 8A, the isolated concrete physical body E may be deleted and the single connectivity relationships 840 and 850 of A to D and B to D may be added to form the physical layer graph shown in FIG. 8B.
It should be understood that the above processing of the physical layer diagram described with reference to fig. 8A and 8B is only for better understanding of the present disclosure by those skilled in the art, and is not a limitation of the present disclosure. Those skilled in the art can perform appropriate processing on the physical layer diagram according to the characteristics of the physical layer diagram or design requirements.
With respect to the building of the physical layer model, in one embodiment, the physical layer model may be built graphically through the flow shown in FIG. 9. At step S910, input related to a prior data set is received, wherein the input may include at least one of: string entry, field type entry, or selection. In one embodiment, input related to a prior data set may be received by a graphic function block capable of receiving the input. For example, field input may be received by graphic function block 1204, shown in FIG. 12, string input may be received by graphic function block 1206, and so forth. At step S920, a fifth operation by the user on one graphic function block, such as a mouse click operation, is received, for example, a mouse click on the graphic function block 1204 in fig. 12. At step S930, a sixth operation by the user on another graphic function block is received, for example, a mouse click on the graphic function block 1206 in fig. 12. At step S940, the one graphic function block is associated with the other graphic function block, e.g., graphic function block 1204 in fig. 12 is associated with graphic function block 1206, based on the received fifth and sixth operations. Multiple graphic function blocks may be associated with each other in the manner described above, including but not limited to comparison graphic function blocks, conditional judgment graphic function blocks, arithmetic operation graphic function blocks, data conversion graphic function blocks, and so forth. Thereafter, the prior data set may be processed through the received input related to the prior data set and the associated graphic function blocks (S950).
Because the logical layer model and the physical layer model are built graphically, business personnel can build the logical layer model and physical layer model they need themselves, which further reduces the development difficulty of the knowledge graph and the dependence on professional developers.
After the knowledge graph of the target system is constructed based on the target data set using the behavioral model as described above, the behavioral model may also be updated based on the target data set. For example, at least one of an abstract physical body, a relationship between abstract physical bodies, and a relationship between abstract logical bodies may be added to the behavioral model based on the target data set. Updating the behavior model based on the target data set can refine and extend the constructed behavior model, thereby adapting it to various applications and scenarios.
In the above, the present disclosure describes, with reference to fig. 1 to 9, a method for constructing a behavior model, which constructs a behavior model that can be used for constructing a knowledge graph through simple graphical interaction. This reduces the difficulty of developing the knowledge graph and enables business personnel to develop it, thereby reducing or eliminating the need for business personnel to learn professional development knowledge or rely on professional developers. In addition to building behavioral models based on physical layer models and logical layer models developed by technicians, the present disclosure also discloses methods of building physical layer models and behavioral layer models in a graphical manner, which may further reduce the difficulty of knowledge graph development. Furthermore, as described above, the construction of behavioral models according to embodiments of the present disclosure is based on ontologies and digital twins, enabling knowledge graph technologies to be described in popular and easy-to-understand business languages. Further, the behavioral model according to the embodiment of the present disclosure is constructed on a physical layer model that is a generic model, built in advance from a prior data set that is not specific to the target data set, and thus is easy to expand and can be applied to the construction of various knowledge graphs.
For better understanding of the present disclosure by those skilled in the art, hereinafter, the present disclosure will show an example of building a behavior model of a firewall system using a method for building a behavior model according to an embodiment of the present disclosure in conjunction with fig. 10 to 16.
Fig. 10 is a schematic diagram of a firewall system for explaining a method for building a behavior model according to an embodiment of the present disclosure. As shown in FIG. 10, the firewall 1010 manages the source segments 1020_A, 1020_B, and 1020_C and the target segments 1030_A and 1030_B. There is one requirement: to query connectivity between any two network segments. To accomplish this, a knowledge graph of the relationships between the various network segments managed by the firewall 1010 may be constructed.
First, an information security subject library may be extracted from a large number of information security technology documents, for example, based on the frequency and number of times a subject (i.e., an abstract physical body, an abstract logical body, or a relationship between them) appears. In this example, the extracted subject library is as shown in Table 1.
| Name | Type | Kind |
| --- | --- | --- |
| IP | String | Abstract physical body |
| MAC | String | Abstract physical body |
| Port | Integer | Abstract physical body |
| Protocol | String | Abstract physical body |
| Machine name | String | Abstract physical body |
| Device ID | String | Abstract physical body |
| Time | Time | Abstract physical body |
| Mailbox | String | Abstract physical body |
| Employee number | String | Abstract physical body |
| Operation | String | Abstract physical body |
| Staff member | - | Abstract logical body |
| Device | - | Abstract logical body |
| Policy | - | Abstract logical body |
| Network segment | - | Abstract logical body |
| Domain | - | Abstract logical body |

Table 1: Information security subject library.
Thereafter, the subjects required for building a theoretical firewall behavior model are extracted from the subject library shown in Table 1, for example, based on design requirements. In this example, the extracted subjects are shown in Table 2.
| Name | Type | Kind |
| --- | --- | --- |
| IP | String | Abstract physical body |
| Port | Integer | Abstract physical body |
| Device ID | String | Abstract logical body |
| Operation | String | Abstract logical body |
| Network segment | - | Abstract logical body |
| Device | - | Abstract logical body |

Table 2: Subjects used to build the theoretical firewall behavior model.
After extracting the subjects necessary for constructing the theoretical firewall behavior model, the theoretical firewall behavior model shown in fig. 11 is constructed based on the extracted subjects. As shown in fig. 11, in this example, the theoretical firewall behavior model includes the abstract logical bodies "segment" and "device". "Segment" is defined by the abstract physical bodies "start IP" and "end IP", and "device" is defined by the abstract physical body "device ID". The relationship between abstract physical bodies, "start IP-end IP and start IP-end IP" (i.e., the "operation" in Table 2 relating to the abstract physical bodies "start IP" and "end IP"), is associated with the relationship between abstract logical bodies, the "segment-to-segment relationship" (i.e., the "operation" in Table 2 relating to the abstract physical body "segment"). In addition, the theoretical firewall behavior model may also include the abstract physical body "port".
After the theoretical firewall behavior model is constructed, a physical layer model may be constructed based on a firewall log (note that the firewall log may or may not be a previous log of the firewall system to be monitored, i.e., it is a prior data set that is not specific to the target data set). Specifically, the imported firewall log may first be preprocessed, for example by way of the graphical interaction described in connection with fig. 9. Illustratively, this preprocessing may be as shown in fig. 12: the fields to be extracted, namely Type and Action, are input through graphic function blocks 1204 and 1214, respectively; the character string of interest, namely config, is input through a graphic function block 1006, so as to extract the data of interest from the firewall log; a character string, namely low, is input through a graphic function block 1220, and words, namely low, permission and the like, are input through a graphic function block 1216, so that words with the same meaning as low correspond to the low operation, thereby realizing data conversion; and the various graphic function blocks shown in fig. 12 are associated, for example by mouse clicks, so as to realize the preprocessing of the firewall log. After the firewall log is preprocessed in this way, the physical layer model shown in fig. 13 can be generated based on the preprocessed data. The physical layer model 1300 shown in fig. 13 includes "IP_source_start", "IP_source_end", "IP_destination_start", "IP_destination_end", "device ID", "port", and "relationship".
It should be understood that the graphical function blocks and their associations (i.e., the connection relationships of the graphical function blocks shown in fig. 12) for pre-processing firewall logs shown in fig. 12 are merely examples and are not limiting on the present disclosure. Those skilled in the art can develop appropriate graphic function blocks according to the characteristics, requirements and the like of the target system and perform appropriate association.
After the physical layer model 1300 shown in FIG. 13 is constructed, a behavior model can be constructed based on the theoretical firewall behavior model shown in FIG. 11 and the requirement to query connectivity between any two network segments. Specifically, a logical layer model 1400 as shown in fig. 14 may first be constructed based on the theoretical firewall behavior model and the requirement. The logical layer model 1400 may be constructed as follows: by, for example, a mouse click on the abstract logical body "segment" in the predefined logical layer 1430, it is determined that the graphic function block to be generated in the logical layer model to be built is the logical body "segment"; the logical body "segment" is then dragged to the behavioral model construction area 1440, thereby generating the graphic function block "segment" in the logical layer model 1400. In the same way, the further graphic function blocks in the logical layer model 1400 may be generated, namely another "segment" and "allow/block" (i.e., the relationship between the abstract logical bodies "segment"). Finally, the abstract logical body "gateway" is associated with the relationship "allow/block" by connecting the graphic function block "segment" and the graphic function block "allow/block", e.g., by mouse click. Associating the abstract logical body "gateway" with the relationship "allow/block" means that the relationship between the abstract logical bodies "gateway" can be either "allow" or "block".
After the physical layer model 1300 shown in FIG. 13 and the logical layer model 1400 shown in FIG. 14 are built, a behavioral model may be built as shown in FIG. 15. In particular, as can be seen from the theoretical behavioral model shown in fig. 11, the abstract logical body "segment" is associated with both of the abstract physical bodies "start IP" and "end IP", and the relationship between the abstract logical bodies "segment", i.e., the "segment-to-segment relationship", is associated with the relationship between start IP-end IP and start IP-end IP. Based on this, the behavioral model may be constructed by associating elements in the physical layer with elements in the logical layer as follows: the element "IP_source_start" in the physical layer model 1300 is clicked with the mouse; based on that click, the element in the physical layer to be used for building the behavior model is determined to be "IP_source_start"; the upper element "segment" in the logical layer model 1300 is clicked with the mouse; based on that click, the element in the logical layer to be used for building the behavior model is determined to be "segment"; and, based on the clicks on "IP_source_start" and "segment", the element "IP_source_start" in the physical layer 1300 is associated with the upper element "segment" in the logical layer 1400. After association, arrow 1510, as shown in FIG. 15, may be displayed. "IP_source_end" can be associated with the upper element "segment" in the logical layer 1400 in the same manner, and an arrow 1520 as shown in fig. 15 is displayed.
Thereafter, in the same manner, the elements "IP_destination_start" and "IP_destination_end" in the physical layer model 1300 may be associated with the lower element "segment" in the logical layer model, and the element "relationship" in the physical layer model 1300 may be associated with the middle element "allow/block" in the logical layer model 1400, thereby forming the behavior model 1500 shown in fig. 15.
After the behavioral model 1500 shown in FIG. 15 is constructed, it can be used to construct the knowledge graph of the firewall system shown in FIG. 16, which relates to the above requirement. Specifically, rules of the target firewall system, such as the firewall system shown in fig. 10, may be input; a rule may take the form, for example, <IP_source_start, IP_source_end, IP_destination_start, IP_destination_end, protocol, port, allow/block>. After the firewall rules are entered, the constructed behavior model 1500 may extract from each rule the segment consisting of "IP_source_start" and "IP_source_end" and the segment consisting of "IP_destination_start" and "IP_destination_end", extract the relationship in the rule, and map it to "allowed" or "end" as the relationship between the segments. For example, assume that the 4 rules entered for the target firewall system are:
<IP_source_start_1020_A, IP_source_end_1020_A, IP_destination_start_1030_A, IP_destination_end_1030_A, protocol A, port A, allow>,
<IP_source_start_1020_B, IP_source_end_1020_B, IP_destination_start_1030_A, IP_destination_end_1030_A, protocol B, port B, block>,
<IP_source_start_1020_B, IP_source_end_1020_B, IP_destination_start_1030_B, IP_destination_end_1030_B, protocol A, port C, allow>,
<IP_source_start_1020_C, IP_source_end_1020_C, IP_destination_start_1030_B, IP_destination_end_1030_B, protocol C, port D, allow>,
then, when these logs are entered into the behavior model 1500 shown in fig. 15, the behavior model can extract the concrete logical bodies "network segment 1020_A", "network segment 1020_B", "network segment 1020_C", "network segment 1030_A", and "network segment 1030_B" and the relationships between them. A knowledge graph may then be established based on the extracted concrete logical bodies and the relationships between them. For example, 5 nodes may be established for "segment 1020_A", "segment 1020_B", "segment 1020_C", "segment 1030_A", and "segment 1030_B", and the relationships between them, "allow" 1610, "block" 1620, "allow" 1630, and "allow" 1640, may be established as shown in fig. 16.
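The extraction and connectivity query walked through in this example can be sketched as follows. This is an added illustration, not code from the patent: the addresses, protocols and ports are constructed stand-ins for the symbolic values in the four rules, and the function names and the role labels in BEHAVIOR_MODEL are assumptions.

```python
import ipaddress
from collections import defaultdict

# Field order of a rule, as given in the description of the rule form.
RULE_FIELDS = ("IP_source_start", "IP_source_end", "IP_destination_start",
               "IP_destination_end", "protocol", "port", "relationship")

# Associations of Fig. 15: physical-layer element -> (logical element, role).
# The role labels "start"/"end"/"value" are assumptions of this sketch.
BEHAVIOR_MODEL = {
    "IP_source_start": ("source_segment", "start"),
    "IP_source_end": ("source_segment", "end"),
    "IP_destination_start": ("destination_segment", "start"),
    "IP_destination_end": ("destination_segment", "end"),
    "relationship": ("allow/block", "value"),
}

# Constructed address ranges standing in for the segments of Fig. 10.
SEG = {
    "1020_A": ("10.20.1.0", "10.20.1.255"),
    "1020_B": ("10.20.2.0", "10.20.2.255"),
    "1020_C": ("10.20.3.0", "10.20.3.255"),
    "1030_A": ("10.30.1.0", "10.30.1.255"),
    "1030_B": ("10.30.2.0", "10.30.2.255"),
}

# The four rules of the example, with constructed protocols and ports.
SAMPLE_RULES = [
    (*SEG["1020_A"], *SEG["1030_A"], "tcp", 443, "allow"),
    (*SEG["1020_B"], *SEG["1030_A"], "udp", 53, "block"),
    (*SEG["1020_B"], *SEG["1030_B"], "tcp", 8080, "allow"),
    (*SEG["1020_C"], *SEG["1030_B"], "sctp", 9000, "allow"),
]


def segment_id(start, end):
    """Build a node key for a segment, rejecting malformed or inverted ranges."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"invalid segment range {start}-{end}")
    return f"{lo}-{hi}"


def apply_behavior_model(rule, model=BEHAVIOR_MODEL):
    """Map one rule's physical fields to logical bodies and their relationship."""
    if len(rule) != len(RULE_FIELDS):
        raise ValueError("rule does not have the expected number of fields")
    record = dict(zip(RULE_FIELDS, rule))
    logical = defaultdict(dict)
    for field, (element, role) in model.items():
        logical[element][role] = record[field]
    relation = str(logical["allow/block"]["value"]).strip().lower()
    if relation not in ("allow", "block"):
        raise ValueError(f"unknown relationship {relation!r}")
    src = segment_id(logical["source_segment"]["start"],
                     logical["source_segment"]["end"])
    dst = segment_id(logical["destination_segment"]["start"],
                     logical["destination_segment"]["end"])
    return src, dst, relation, record["protocol"], record["port"]


def build_knowledge_graph(rules):
    """One node per concrete segment, one directed edge list per segment pair."""
    nodes, edges = set(), defaultdict(list)
    for rule in rules:
        src, dst, relation, protocol, port = apply_behavior_model(rule)
        nodes.update((src, dst))
        edges[(src, dst)].append((relation, protocol, port))
    return nodes, dict(edges)


def query_connectivity(edges, src, dst):
    """Relations recorded from src to dst; an empty list means no rule covers the pair."""
    key = (segment_id(*src), segment_id(*dst))
    return sorted({relation for relation, _, _ in edges.get(key, [])})
```

Edges are directed, so a query from a target segment back to a source segment returns an empty list, and a segment pair covered by both an allow rule and a block rule returns both relations instead of silently picking one.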
In the above, the present disclosure describes, in conjunction with fig. 10 to 16, an example of building a behavior model of a firewall system using a method for building a behavior model according to an embodiment of the present disclosure, and of building a knowledge graph using the built behavior model. Although the above example only shows the construction of the knowledge graph shown in fig. 16 based on the constructed physical layer model 1300, the physical layer model 1300 also includes, as shown in fig. 13, the abstract physical body "device ID", and thus may also be used to construct a knowledge graph related to "device ID" that is different from the knowledge graph shown in fig. 16. In addition, the physical layer model 1300 may be extended, for example, by adding abstract physical bodies to it, so that it can be applied to other scenarios and applications.
Furthermore, it should be understood that the above examples described in connection with fig. 10 to 16 are only for better understanding of the present disclosure by those skilled in the art, and are not intended to limit the present disclosure.
In the above, the present disclosure describes a method for building a behavior model according to an embodiment of the present disclosure in conjunction with fig. 1 to 9, and specific examples are given in conjunction with fig. 10 to 16. Hereinafter, the present disclosure will describe an electronic apparatus, an electronic device, a computer-readable storage medium, and a computer-executable program for building a behavior model according to an embodiment of the present disclosure in conjunction with fig. 17 and 18.
FIG. 17 illustrates an electronic apparatus for building a behavioral model according to an embodiment of the disclosure. As shown in fig. 17, an electronic apparatus 1700 for building a behavior model according to an embodiment of the present disclosure may include: a receiving unit 1710, configured to receive a first operation on an element in the physical layer by a user and a second operation on an element in the logical layer by a user; and a behavior model construction unit 1720 for: determining an element in the physical layer based on the received first operation; determining an element in the logical layer based on the received second operation; associating an element in the physical layer with an element in the logical layer based on the first operation and the second operation; and constructing a behavior model based on the association of the elements in the physical layer and the elements in the logical layer; wherein the behavioral model is used to construct a knowledge graph, and wherein the physical layer model is a generic model that is pre-constructed based on a prior data set that is not specific to a target data set, wherein the target data set is a data set used to construct the knowledge graph.
Furthermore, the behavior model construction unit 1720 may also perform the method for constructing a behavior model described above. In addition, the electronic apparatus 1700 for building a behavior model may further include a knowledge graph building unit (not shown) for building a knowledge graph based on the behavior model built by the behavior model building unit 1720.
FIG. 18 shows an electronic device for building a behavior model, in accordance with embodiments of the present disclosure. As shown in fig. 18, an electronic device 1800 for building behavior models according to embodiments of the present disclosure may include a processor 1810 and a memory 1820 having stored thereon processor-executable instructions that, when executed by the processor 1810, may cause the processor 1810 to perform the methods for building behavior models and/or knowledge graphs described hereinabove.
Furthermore, the present disclosure also provides a computer-readable storage medium having stored thereon processor-executable instructions that, when executed by a processor, cause the processor to perform the method for building a behavioral model and/or a knowledge graph as described above.
Furthermore, the present disclosure also provides a computer-executable program comprising instructions which, when executed by a processor, cause the processor to perform the method for building a behavior model and/or a knowledge graph as described hereinbefore.
Thus far, the present disclosure has described a method for building a behavior model according to an embodiment of the present disclosure with reference to fig. 1 to 9, given specific examples with reference to fig. 10 to 16, and described an electronic apparatus, an electronic device, a computer-readable storage medium, and a computer-executable program for building a behavior model according to an embodiment of the present disclosure with reference to fig. 17 and 18. The method constructs a behavior model that can be used for constructing a knowledge graph through simple graphical interaction. This reduces the development difficulty of the knowledge graph and enables business personnel to develop it, thereby reducing or eliminating the need for business personnel to learn professional development knowledge or rely on professional developers. Furthermore, the construction of behavioral models according to embodiments of the present disclosure is based on ontologies and digital twins, enabling knowledge graph technologies to be described in popular and easy-to-understand business languages. Further, the behavioral model according to the embodiment of the present disclosure is constructed on a physical layer model that is a generic model, built in advance from a prior data set that is not specific to the target data set, and thus is easy to expand and can be applied to the construction of various knowledge graphs.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the particular interoperable application and design constraints of the solution. Skilled artisans may implement the described functionality in varying ways for each particular interoperable application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The foregoing describes the general principles of the present disclosure in conjunction with specific embodiments. However, it is noted that the advantages, effects, etc. mentioned in the present disclosure are merely examples and are not limiting, and they should not be considered essential to the various embodiments of the present disclosure. Furthermore, the foregoing disclosure of specific details is for the purpose of illustration and description and is not intended to be limiting, since the disclosure is not intended to be limited to the specific details so described.
The block diagrams of devices, apparatuses, and systems referred to in this disclosure are given only as illustrative examples and are not intended to require or imply that the connections, arrangements, configurations, etc. must be made in the manner shown in the block diagrams. These devices, apparatuses, and systems may be connected, arranged, and configured in any manner, as will be appreciated by those skilled in the art. Words such as "including," "comprising," "having," and the like are open-ended words that mean "including, but not limited to," and are used interchangeably therewith. The words "or" and "and" as used herein mean, and are used interchangeably with, the word "and/or," unless the context clearly dictates otherwise. The phrase "such as" is used herein to mean, and is used interchangeably with, the phrase "such as but not limited to".
Also, as used herein, "or" as used in a list of items beginning with "at least one" indicates a disjunctive list, such that, for example, a list of "at least one of A, B or C" means A or B or C, or AB or AC or BC, or ABC (i.e., A and B and C). Furthermore, the word "exemplary" does not mean that the described example is preferred or better than other examples.
It is also noted that in the systems and methods of the present disclosure, components or steps may be decomposed and/or re-combined. These decompositions and/or recombinations are to be considered equivalents of the present disclosure.
Various changes, substitutions and alterations to the techniques described herein may be made without departing from the teachings as defined by the appended claims. Moreover, the scope of the claims of the present disclosure is not limited to the particular aspects of the process, machine, manufacture, composition of matter, means, methods and acts described above. Processes, machines, manufacture, compositions of matter, means, methods, or acts, presently existing or later to be developed, that perform substantially the same function or achieve substantially the same result as the corresponding aspects described herein may be utilized. Accordingly, the appended claims are intended to include within their scope such processes, machines, manufacture, compositions of matter, means, methods, or acts.
The previous description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the disclosure. Thus, the present disclosure is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing description has been presented for purposes of illustration and description. Furthermore, this description is not intended to limit embodiments of the disclosure to the form disclosed herein. While a number of example aspects and embodiments have been discussed above, those of skill in the art will recognize certain variations, modifications, alterations, additions and sub-combinations thereof.

Claims (12)

1. A method for building a behavioral model, the method comprising:
receiving a first operation of a user on an element in a physical layer;
determining an element in the physical layer based on the received first operation;
receiving a second operation of the user on an element in a logical layer;
determining an element in the logical layer based on the received second operation;
associating an element in the physical layer with an element in the logical layer based on the first operation and the second operation;
constructing a behavior model based on the association of the elements in the physical layer and the elements in the logical layer;
wherein the behavioral model is used to construct a knowledge graph, and wherein the physical layer model is a generic model that is pre-constructed based on a prior data set that is not specific to a target data set, wherein the target data set is a data set used to construct the knowledge graph.
2. The method of claim 1, further comprising:
displaying a line connecting the element in the physical layer with the element in the logical layer, based on the element in the physical layer being associated with the element in the logical layer.
3. The method of claim 1, wherein the elements in the physical layer comprise abstract physical bodies and the elements in the logical layer comprise abstract logical bodies.
4. The method of claim 3, wherein the elements in the physical layer further comprise relationships between the abstract physical bodies and the elements in the logical layer further comprise relationships between the abstract logical bodies.
5. The method of claim 3 or 4, wherein constructing a knowledge graph using the behavioral model comprises:
receiving a target data set;
determining, through the behavior model, concrete logical bodies in the target data set and relationships between the concrete logical bodies;
constructing the knowledge graph based on the determined concrete logical bodies and the relationships between the concrete logical bodies,
wherein the concrete logical bodies correspond to the abstract logical bodies.
6. The method of claim 5, wherein the constructed knowledge-graph is used to determine or predict a security anomaly in a target system corresponding to the target data set.
7. The method of claim 1, wherein the element in the logical layer is a graphical function block generated by:
receiving a third operation of the user;
determining, based on the received third operation, an element in a predefined logical layer that is to generate the graphical function block;
receiving a fourth operation of the user;
generating the graphical function block based on the received fourth operation,
wherein the fourth operation is a drag operation.
8. The method of claim 1, wherein pre-constructing the physical layer model based on a prior data set that is not specific to a target data set comprises:
preprocessing the prior data set;
constructing the physical layer model based on the preprocessed prior data set.
9. The method of claim 8, wherein preprocessing the prior data set comprises:
receiving input related to the prior data set, wherein the input comprises at least one of: string input, field type input or selection;
receiving a fifth operation of a user on one graphical function block;
receiving a sixth operation of the user on another graphical function block;
associating the one graphical function block with the other graphical function block based on the received fifth and sixth operations;
processing the prior data set by means of the received input related to the prior data set and the associated graphical function blocks,
wherein the one graphical function block and the other graphical function block each include at least one of a comparison graphical function block, a condition determination graphical function block, an arithmetic operation graphical function block, and a data conversion graphical function block.
10. An electronic device for building a behavioral model, comprising:
a receiving unit for receiving a first operation of a user on an element in a physical layer and a second operation of the user on an element in a logical layer;
a behavior model construction unit for:
determining an element in the physical layer based on the received first operation;
determining an element in the logical layer based on the received second operation;
associating an element in the physical layer with an element in the logical layer based on the first operation and the second operation;
constructing a behavior model based on the association of the elements in the physical layer and the elements in the logical layer;
wherein the behavioral model is used to construct a knowledge graph, and wherein the physical layer model is a generic model that is pre-constructed based on a prior data set that is not specific to a target data set, wherein the target data set is a data set used to construct the knowledge graph.
11. An electronic device for building a behavioral model, comprising a processor and a memory having stored thereon processor-executable instructions that, when executed by the processor, cause the processor to perform the method of any one of claims 1-9.
12. A computer readable storage medium having stored thereon processor executable instructions which, when executed by a processor, cause the processor to perform the method of any one of claims 1-9.
CN202110061124.0A 2021-01-18 2021-01-18 Method for constructing behavior model, electronic device and electronic equipment Active CN112395431B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110061124.0A CN112395431B (en) 2021-01-18 2021-01-18 Method for constructing behavior model, electronic device and electronic equipment

Publications (2)

Publication Number Publication Date
CN112395431A true CN112395431A (en) 2021-02-23
CN112395431B CN112395431B (en) 2021-04-30

Family

ID=74624908

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110061124.0A Active CN112395431B (en) 2021-01-18 2021-01-18 Method for constructing behavior model, electronic device and electronic equipment

Country Status (1)

Country Link
CN (1) CN112395431B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1539113A (en) * 2001-06-08 2004-10-20 Representing design of sub-module in hierarchical integrated circuit design and analysis system
CN108959433A (en) * 2018-06-11 2018-12-07 北京大学 A kind of method and system extracting knowledge mapping and question and answer from software project data
CN110968700A (en) * 2019-11-01 2020-04-07 数地科技(北京)有限公司 Domain event map construction method and device fusing multi-class affairs and entity knowledge
CN111753100A (en) * 2020-06-30 2020-10-09 广州小鹏车联网科技有限公司 Knowledge graph generation method and server for vehicle-mounted application
US20200334715A1 (en) * 2016-10-17 2020-10-22 Singapore Telecommunications, Ltd. Knowledge Model for Personalization and Location Services

Also Published As

Publication number Publication date
CN112395431B (en) 2021-04-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant