CN113946819A - Online payment information intrusion detection method based on cloud computing and server - Google Patents

Online payment information intrusion detection method based on cloud computing and server Download PDF

Info

Publication number
CN113946819A
CN113946819A CN202111218018.5A CN202111218018A CN113946819A CN 113946819 A CN113946819 A CN 113946819A CN 202111218018 A CN202111218018 A CN 202111218018A CN 113946819 A CN113946819 A CN 113946819A
Authority
CN
China
Prior art keywords
cloud payment
service interaction
payment session
interaction event
session
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202111218018.5A
Other languages
Chinese (zh)
Inventor
张洪明
肖成龙
陈汝森
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Honghui Information Technology Co ltd
Original Assignee
Guangzhou Honghui Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Honghui Information Technology Co ltd filed Critical Guangzhou Honghui Information Technology Co ltd
Priority to CN202111218018.5A priority Critical patent/CN113946819A/en
Publication of CN113946819A publication Critical patent/CN113946819A/en
Withdrawn legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Finance (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application relates to the technical field of cloud computing and online payment, in particular to an online payment information intrusion detection method and a server based on cloud computing, wherein service interaction events are distinguished, identified and analyzed for cloud payment sessions and associated cloud payment sessions which trigger intrusion detection conditions, so that disturbance service interaction events corresponding to the associated cloud payment sessions are eliminated before information intrusion detection is carried out on the cloud payment sessions which trigger the intrusion detection conditions, the possibility that the associated cloud payment sessions are wrongly identified as the cloud payment sessions which trigger the intrusion detection conditions is reduced to a certain extent, and in cloud payment session records which are mixed with various cloud payment session scenes, the accuracy and the reliability of information intrusion detection on the cloud payment sessions which trigger the intrusion detection conditions are improved as much as possible.

Description

Online payment information intrusion detection method based on cloud computing and server
Technical Field
The embodiment of the application relates to the technical field of cloud computing and online payment, in particular to an online payment information intrusion detection method and a server based on cloud computing.
Background
With the development of cloud computing, various services gradually get closer to a cloud, and online payment (cloud payment) is just an example. The online payment meets the requirement of electronic commerce development, the operating environment of the online payment is realized based on the open internet, and the limitation of the traditional payment in a closed system can be broken. In addition, compared with the traditional payment mode, online payment can be carried out through the Internet at any time, so that the time and space limitation is broken, and various requirements of numerous users are met as far as possible. However, in practice, the data information security problem caused by the continuous development of online payment is also a concern.
Disclosure of Invention
In view of this, the embodiment of the present application provides an online payment information intrusion detection method and a server based on cloud computing.
The embodiment of the application provides an online payment information intrusion detection method based on cloud computing, which is applied to an information intrusion detection server, and the method comprises the following steps: receiving cloud payment session records carrying cloud payment sessions triggering intrusion detection conditions and associated cloud payment sessions; obtaining a distinguishing identifier analysis condition of each service interaction event in the cloud payment session record through a session description set corresponding to the cloud payment session record, wherein the distinguishing identifier analysis condition is used for representing a distinguishing identifier of the service interaction event; and determining a target information intrusion detection result for carrying out information intrusion detection on the cloud payment session triggering the intrusion detection condition according to the distinguishing identification analysis condition.
Under the design idea that can be independently implemented, the method further comprises the following steps: determining the cloud payment session triggering the intrusion detection condition in the cloud payment session record and/or the content of the record to be processed matched with the associated cloud payment session; decomposing the record content to be processed into a plurality of local record contents; and determining a session description set corresponding to the cloud payment session record through the significance expression corresponding to at least part of the local record contents in the local record contents.
Under an independently implementable design idea, obtaining a distinguishing identifier analysis condition of each service interaction event in the cloud payment session record through a session description set corresponding to the cloud payment session record, including: determining at least one pending service interaction event distinguishing identifier bound to each service interaction event and a detection score of each pending service interaction event distinguishing identifier, which are included in the cloud payment session record, through a session description set corresponding to the cloud payment session record; and taking the pending service interaction event distinguishing identification corresponding to the maximum detection score in the at least one pending service interaction event distinguishing identification bound by each service interaction event as the distinguishing identification analysis condition.
Under the design thought that can independently implement, through distinguish the sign analysis condition, confirm right the cloud payment conversation that triggers the intrusion detection condition carries out the target information intrusion detection result of information intrusion detection, include: determining the service interaction event attribute corresponding to the service interaction event distinguishing identifier to be determined with the maximum detection score bound by each service interaction event according to the mapping condition between the service interaction event distinguishing identifier and the service interaction event attribute; determining that each service interaction event corresponds to a target service interaction event corresponding to the cloud payment session triggering the intrusion detection condition or a disturbance service interaction event corresponding to the associated cloud payment session according to the service interaction event distinguishing identification to be determined of the maximum detection score bound to each service interaction event; and using the service interaction event attribute corresponding to the target service interaction event as the target information intrusion detection result for carrying out information intrusion detection on the cloud payment session triggering the intrusion detection condition.
Under an independently implementable design idea, determining, according to the service interaction event differentiation identifier to be determined of the maximum detection score bound to each service interaction event, that each service interaction event corresponds to a target service interaction event corresponding to the cloud payment session triggering the intrusion detection condition or a disturbance service interaction event corresponding to the associated cloud payment session, includes: determining that the corresponding service interaction event corresponds to the target service interaction event on the premise that the bound service interaction event distinguishing identifier with the maximum detection score is determined to be one of a plurality of first service interaction event distinguishing identifiers or a plurality of second service interaction event distinguishing identifiers; and on the premise of determining that the bound service interaction event distinguishing identification with the maximum detection score is the third service interaction event distinguishing identification, determining that the corresponding service interaction event corresponds to the disturbance service interaction event.
Under the design idea that can be implemented independently, the first service interaction event distinguishing identifications include: service interaction event distinguishing identifications respectively corresponding to a plurality of service interaction events included in the first cloud payment session scene; the first cloud payment session scene is a cloud payment session scene corresponding to the cloud payment session triggering the intrusion detection condition; the second service interaction event distinguishing identifications comprise: service interaction event distinguishing identifications respectively corresponding to the quantitative information; the third service interaction event distinguishing identifier comprises: the service interaction event distinguishing identifications correspond to a plurality of service interaction events included in the second cloud payment session scenes; wherein the second cloud payment session scenario is a different cloud payment session scenario than the first cloud payment session scenario.
Under an independently implementable design idea, the determining a session description set corresponding to the cloud payment session record includes: and taking the cloud payment session record as a raw material of a target intelligent thread for performing service interaction event distinguishing identification analysis on a service interaction event, and obtaining a session description set corresponding to the cloud payment session record obtained by analyzing the target intelligent thread.
Under the design idea that can be independently implemented, the method further comprises the following steps: acquiring an example cloud payment session record covering a cloud payment session corresponding to a first cloud payment session scene and a cloud payment session corresponding to at least one second cloud payment session scene; the first cloud payment session scene is a cloud payment session scene corresponding to the cloud payment session triggering the intrusion detection condition, and the second cloud payment session scene is a cloud payment session scene different from the first cloud payment session scene; and taking the example cloud payment session record as a raw material for setting an intelligent thread, and configuring the set intelligent thread by taking the service interaction event distinguishing identification key words in the example cloud payment session record as references to obtain a target intelligent thread for performing service interaction event distinguishing identification analysis on the service interaction event.
Under an independently implementable design concept, the obtaining of the example cloud payment session record covering the cloud payment session corresponding to the first cloud payment session scenario and the cloud payment session corresponding to the at least one second cloud payment session scenario includes: receiving a first to-be-determined cloud payment session record carrying a cloud payment session corresponding to the first cloud payment session scene; obtaining the derivative information of the pending cloud payment session corresponding to the at least one second cloud payment session scene; determining the example cloud payment session record from the pending cloud payment session derivative information and the first pending cloud payment session record.
Under independently implementable design considerations, obtaining an example cloud payment session record encompassing both a first cloud payment session scenario and at least one second cloud payment session scenario includes: receiving a first pending cloud payment session record carrying a cloud payment session corresponding to the first cloud payment session scene and a second pending cloud payment session record covering the cloud payment session corresponding to the at least one second cloud payment session scene; determining the example cloud payment session record from the first pending cloud payment session record and the second pending cloud payment session record.
Under independently implementable design considerations, the service interaction event distinguishing identification keywords in the example cloud payment session record include at least one of: at least one of a plurality of first service interaction event distinguishing identification keywords respectively corresponding to a plurality of service interaction events included in the first cloud payment session scene; at least one of a plurality of second service interaction event distinguishing identification keywords respectively corresponding to the plurality of quantitative information; and the same third service interaction event distinguishing identification key words corresponding to the plurality of service interaction events included in the plurality of second cloud payment session scenes.
Under an independently implementable design idea, the cloud payment session triggering the intrusion detection condition comprises a cloud payment session corresponding to a first cloud payment session scene, and the first cloud payment session scene is a cloud payment session scene corresponding to a cross-border payment project; the cloud payment session record covers a cloud payment session record of a target verification item required when the cross-border payment item is activated; the obtaining of the resolution condition of the distinguishing identifier of each service interaction event in the cloud payment session record through the session description set corresponding to the cloud payment session record includes: determining that each service interaction event in the cloud payment session record of the target verification item corresponds to a target service interaction event corresponding to the first cloud payment session scene or belongs to a disturbance service interaction event corresponding to an associated cloud payment session through a session description set corresponding to the cloud payment session record of the target verification item; the determining of the target information intrusion detection result for performing information intrusion detection on the cloud payment session triggering the intrusion detection condition includes: determining a target information intrusion detection result for carrying out information intrusion detection on the target service interaction event in the cloud payment session record of the target verification item; the method further comprises the following steps: and starting the cross-border payment item according to the target information intrusion detection result.
The embodiment of the application also provides an information intrusion detection server, which comprises a processor, a network module and a memory; the processor and the memory communicate through the network module, and the processor reads the computer program from the memory and operates to perform the above-described method.
An embodiment of the present application further provides a computer storage medium, where a computer program is stored, and the computer program implements the method when running.
In the embodiment of the application, for the cloud payment session record which covers the cloud payment session triggering the intrusion detection condition and the associated cloud payment session together, service interaction event distinguishing identification analysis can be performed on each service interaction event in the cloud payment session record, so that based on distinguishing identification analysis conditions, the service interaction event corresponding to the cloud payment session triggering the intrusion detection condition and the disturbing service interaction event corresponding to the associated cloud payment session are determined in the cloud payment session record comprising multiple scenes, the disturbing service interaction event is removed, information intrusion detection is performed on the service interaction event corresponding to the cloud payment session triggering the intrusion detection condition, and a target information intrusion detection result is obtained.
The method and the device have the advantages that service interaction events are distinguished, identified and analyzed for the cloud payment session and the associated cloud payment session which trigger the intrusion detection condition, so that disturbance service interaction events corresponding to the associated cloud payment session are eliminated before information intrusion detection is carried out on the cloud payment session which triggers the intrusion detection condition, the possibility that the associated cloud payment session is mistakenly determined as the cloud payment session which triggers the intrusion detection condition is reduced to a certain extent, and in cloud payment session records which are mixed with various cloud payment session scenes, the accuracy and the reliability of information intrusion detection on the cloud payment session which triggers the intrusion detection condition are improved as much as possible.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained from the drawings without inventive effort.
Fig. 1 is a schematic block diagram of an information intrusion detection server according to an embodiment of the present disclosure.
Fig. 2 is a flowchart of an online payment information intrusion detection method based on cloud computing according to an embodiment of the present application.
Fig. 3 is a block diagram of an online payment information intrusion detection device based on cloud computing according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
Fig. 1 is a block diagram illustrating an information intrusion detection server 10 according to an embodiment of the present application. The information intrusion detection server 10 in the embodiment of the present application may be a server with data storage, transmission, and processing functions, as shown in fig. 1, the information intrusion detection server 10 includes: the system comprises a memory 11, a processor 12, a network module 13 and a cloud computing-based online payment information intrusion detection device 20.
The memory 11, the processor 12 and the network module 13 are electrically connected directly or indirectly to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The memory 11 stores a cloud-computing-based online payment information intrusion detection device 20, the cloud-computing-based online payment information intrusion detection device 20 includes at least one software function module which can be stored in the memory 11 in a form of software or firmware (firmware), and the processor 12 executes various function applications and data processing by operating the software programs and modules stored in the memory 11, for example, the cloud-computing-based online payment information intrusion detection device 20 in the embodiment of the present application, that is, implements the cloud-computing-based online payment information intrusion detection method in the embodiment of the present application.
The Memory 11 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Read-Only Memory (EPROM), an electrically Erasable Read-Only Memory (EEPROM), and the like. The memory 11 is used for storing a program, and the processor 12 executes the program after receiving an execution instruction.
The processor 12 may be an integrated circuit chip having data processing capabilities. The Processor 12 may be a general-purpose Processor including a Central Processing Unit (CPU), a Network Processor (NP), and the like. The various methods, steps and logic blocks disclosed in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The network module 13 is used for establishing communication connection between the information intrusion detection server 10 and other communication terminal devices through a network, and implementing transceiving operation of network signals and data. The network signal may include a wireless signal or a wired signal.
It is to be understood that the configuration shown in fig. 1 is merely illustrative, and that the information intrusion detection server 10 may include more or fewer components than shown in fig. 1, or may have a different configuration than shown in fig. 1. The components shown in fig. 1 may be implemented in hardware, software, or a combination thereof.
An embodiment of the present application further provides a computer storage medium, where a computer program is stored, and the computer program implements the method when running.
Fig. 2 shows a flowchart of online payment information intrusion detection based on cloud computing according to an embodiment of the present application. The method steps defined by the flow related to the method are applied to the information intrusion detection server 10 and can be realized by the processor 12, and the method comprises the following relevant contents.
For STEP101, a cloud payment session record carrying a cloud payment session and an associated cloud payment session that trigger an intrusion detection condition is received.
In the embodiment of the application, cloud payment session records carrying the cloud payment sessions triggering the intrusion detection conditions can be received through session acquisition threads configured in different payment service security scenes. The different payment service security scenarios include, but are not limited to, a transaction subject intrusion detection scenario, a transaction behavior intrusion detection scenario, a payment object intrusion detection scenario, and the like. Correspondingly, the acquired cloud payment session record may include, but is not limited to, a transaction theme session, a transaction behavior session, a payment object session, and the like corresponding to the first cloud payment session scene corresponding to the cloud payment session triggering the intrusion detection condition. In addition, in the embodiment of the present application, the obtained cloud payment session records also include cloud payment session content corresponding to a second cloud payment session scenario corresponding to the associated cloud payment session, where the second cloud payment session scenario includes, but is not limited to, a cloud payment session scenario different from the first cloud payment session scenario.
In an embodiment of the present application, the cloud payment session content corresponding to the second cloud payment session scenario may be consistent with, at least partially consistent with, or completely inconsistent with the cloud payment session content corresponding to the first cloud payment session scenario.
For example, the first cloud payment session scene is a local payment scene, the second cloud payment session scene is a cross-border payment scene, and the acquired cloud payment session records include transaction subjects corresponding to the local payment scene and the same transaction subject contents corresponding to the cross-border payment scene. For another example, the first cloud payment session scene is a local payment scene, the second cloud payment session scene is a remote payment scene, and the acquired cloud payment session record includes payment object session content corresponding to the local payment scene and also includes part of content in the payment object session corresponding to the remote payment scene. For another example, the first cloud payment session scene is a cross-border payment scene, the second cloud payment session scene is a remote payment scene, and the acquired cloud payment session record includes cloud payment session content corresponding to the local payment scene and also includes completely different cloud payment session content corresponding to the remote payment scene.
In the embodiment of the present application, the session layer related to the cloud payment session includes multiple layers, such as session behavior, session intent, session content, and the like, and the embodiment of the present application is not limited.
For STEP102, a distinguishing identifier resolution condition of each service interaction event in the cloud payment session record is obtained through a session description set corresponding to the cloud payment session record.
In this embodiment of the present application, the number of session description sets corresponding to a cloud payment session record may be one or several (multiple), and each session description set (for example, may be understood as a feature set) may be composed of at least part of a saliency expression (for example, feature information or a feature vector) included in a cloud payment session in the cloud payment session record that triggers an intrusion detection condition and/or a content of a to-be-processed record matched by an associated cloud payment session.
The to-be-processed recorded content is the recorded content which is determined in the cloud payment session record and possibly matched with the cloud payment session and/or the associated cloud payment session which trigger the intrusion detection condition. The to-be-processed recorded content can be decomposed into a plurality of partial recorded contents again, at least part of significance expressions included in the to-be-processed recorded content can be composed of significance expressions corresponding to at least part of the partial recorded contents, and the significance expressions corresponding to at least part of the partial recorded contents refer to all the significance expressions corresponding to at least part of the partial recorded contents. For example, the plurality of partial recording contents include a partial recording content _1, a partial recording content _2, and a partial recording content _3, and at least a part of the saliency expression included in the to-be-processed recording content may be composed of all the saliency expressions of the partial recording content _1 and the partial recording content _ 2.
In this embodiment of the application, further, a distinguishing identifier parsing condition for each service interaction event in the cloud payment session record may be determined according to the session description set corresponding to the cloud payment session record. The distinguishing mark resolving condition can be used for characterizing the service interaction event distinguishing mark (such as a service interaction event category).
In the embodiment of the application, for each service interaction event included in the first cloud payment session scenario, a corresponding first service interaction event distinguishing identifier may be determined in advance, for each quantized information, a corresponding second service interaction event distinguishing identifier may be determined, and meanwhile, for a plurality of second cloud payment session scenarios including all service interaction events, the same third service interaction event distinguishing identifier may be determined. The first cloud payment session scenario may be a cloud payment session scenario corresponding to a cloud payment session that triggers an intrusion detection condition, each service interaction event included in the first cloud payment session scenario may refer to each interaction message feature and each service feature corresponding to the first cloud payment session scenario, and the second cloud payment session scenario is a cloud payment session scenario different from the first cloud payment session scenario.
For example, if the first cloud payment session scenario is a cross-border payment scenario, each interaction message and each business service may correspond to a first service interaction event differentiation identifier. The quantitative information (such as numerical information) corresponds to a second service interaction event distinguishing identifier respectively. The second cloud payment session scenario is any cloud payment session scenario except for the cross-border payment scenario, and the assumption may include a different place payment scenario, a local payment scenario, and the like, and all service interaction events included in all the second cloud payment session scenarios correspond to the same third service interaction event distinguishing identifier.
For STEP103, determining a target information intrusion detection result for performing information intrusion detection on the cloud payment session triggering the intrusion detection condition according to the distinguishing identifier analysis condition.
In the embodiment of the application, based on the resolution condition of the distinguishing identifier, a target service interaction event corresponding to the cloud payment session belonging to the condition for triggering intrusion detection and a disturbance service interaction event belonging to the associated cloud payment session can be determined, the disturbance service interaction event can be removed, and finally, only the service interaction event attribute of the target service interaction event corresponding to the cloud payment session belonging to the condition for triggering intrusion detection is obtained, so that the target information intrusion detection result for performing information intrusion detection on the cloud payment session triggering intrusion detection is obtained.
Further, the service interaction event attribute of the target service interaction event includes, but is not limited to, an operation intention, an action intention or a conversation intention of a service interaction party, further, the related intention may further include a potential intention, such as the potential intention 1 is "information stealing", the potential intention 2 is "data tampering", the potential intention 3 is "trojan planting", and the like, and accordingly, the target information intrusion detection result may include various interaction intentions corresponding to the service interaction event attribute, so as to ensure the integrity and accuracy of the target information intrusion detection result.
Based on the technical scheme, for the cloud payment session record which covers the cloud payment session triggering the intrusion detection condition and the associated cloud payment session together, service interaction event distinguishing identification analysis can be carried out on each service interaction event in the cloud payment session record, so that based on distinguishing identification analysis conditions, the service interaction event corresponding to the cloud payment session triggering the intrusion detection condition and the disturbing service interaction event corresponding to the associated cloud payment session are determined in the cloud payment session records comprising various scenes, the disturbing service interaction event is removed, and information intrusion detection is carried out on the service interaction event corresponding to the cloud payment session triggering the intrusion detection condition, so that a target information intrusion detection result is obtained. The method and the device have the advantages that service interaction events are distinguished, identified and analyzed for the cloud payment session and the associated cloud payment session which trigger the intrusion detection condition, so that disturbance service interaction events corresponding to the associated cloud payment session are eliminated before information intrusion detection is carried out on the cloud payment session which triggers the intrusion detection condition, the possibility that the associated cloud payment session is mistakenly determined as the cloud payment session which triggers the intrusion detection condition is reduced to a certain extent, and in cloud payment session records which are mixed with various cloud payment session scenes, the accuracy and the reliability of information intrusion detection on the cloud payment session which triggers the intrusion detection condition are improved as much as possible.
In some independently implementable embodiments, the method may further include STEPs 104 to 106.
For STEP104, determining the cloud payment session triggering the intrusion detection condition in the cloud payment session record and/or the pending record content matched by the associated cloud payment session. The to-be-processed recorded content is the cloud payment session which is determined in the cloud payment session record and triggers the intrusion detection condition and/or the recorded content which is possibly matched with the associated cloud payment session. In one possible example, an AI intelligence model may be employed to determine the cloud payment session in the cloud payment session record that triggered the intrusion detection condition and/or the pending record content that the associated cloud payment session may match.
For STEP105, the to-be-processed record content is broken down into several local record contents. In the embodiment of the application, after the cloud payment session triggering the intrusion detection condition and/or the to-be-processed record content matched with the associated cloud payment session are determined, the to-be-processed record content can be disassembled into a plurality of local record contents, and the information amount of each local record content can be the same or different. In one possible example, the to-be-processed recording contents may be uniformly decomposed according to a set number, so as to obtain a plurality of local recording contents with the same information amount, for example, the to-be-processed recording contents may be decomposed into 3 sets of local recording contents with the same information amount. In another possible example, the to-be-processed recording content may be decomposed according to the same set information amount, so as to obtain K local recording contents with the same information amount, or (K-1) local recording contents with the same information amount and one local recording content with an information amount different from that of the other local recording contents may be obtained, for example, the obtained local recording contents content _1 to local recording content _3 information amounts are the same, and the information amount of the local recording content _4 is different from that of the other three local recording contents. In another example, the recording content to be processed may be decomposed according to a set order of several different information amounts, for example, 6 local recording contents with different information amounts may be obtained.
For STEP106, a session description set corresponding to the cloud payment session record is determined through the saliency corresponding to at least part of the local record contents in the local record contents.
In the embodiment of the application, based on the visual description information (such as the feature map) corresponding to the cloud payment session record, the saliency expression corresponding to each local record content included in the to-be-processed record content can be determined. And obtaining a session description set corresponding to the cloud payment session record based on the significance expression corresponding to at least part of the local record contents, namely according to the total significance expression corresponding to part or all of the local record contents in the local record contents. In one possible example, the total saliency corresponding to each local record content may correspond to one session description set, or the total saliency corresponding to several local record contents may correspond to one session description set, or the total saliency corresponding to each local record content may correspond to several session description sets. This is not a limitation of the present application. In another possible example, the order in which each local record content is added to the cloud payment session record may be determined first, in the order in which the cloud payment session is generated, e.g., from first to last. Further, after the session description sets are determined according to the significance expressions corresponding to at least part of the partial record contents, the session description sets are sequentially sorted according to the sequence of the corresponding partial record contents appearing in the cloud payment session record, for example, the session description set corresponding to the earliest partial record content added to the cloud payment session record is arranged at the first position, the session description set corresponding to the latest partial record content added to the cloud payment session record is arranged at the last position, and the session description set corresponding to the cloud payment session record is obtained after the plurality of session description sets are sequentially sorted.
For example, in the order from first to last, the pending record content is broken down into local record content _1, local record content _2 and local record content _3, at least part of the record content includes local record content _2 and local record content _3, where the local record content _2 corresponds to session description set description _2 and session description set description _3, and the local record content _3 corresponds to session description set description _4, and then the session description set corresponding to the sorted cloud payment session record is session description set description _2, session description set description _3 and session description set description _ 4. In another example, the saliency expressions corresponding to at least part of the local record content may be subjected to feature reduction and the like to obtain a corresponding session description set. Through feature simplification, the significance expression corresponding to the part with high feature significance in each local record content can be selected to determine the session description set, the accuracy of the obtained session description set is ensured, meanwhile, the efficiency of determining the session description set corresponding to the cloud payment session record can be improved, and the efficiency of carrying out information intrusion detection on the cloud payment session triggering the intrusion detection condition is further improved.
In the embodiment of the application, after the session description set corresponding to the cloud payment session record is determined, the STEP102 is executed, and a distinguishing identifier resolution condition for performing service interaction event distinguishing identifier resolution on each service interaction event in the cloud payment session record is determined through the session description set corresponding to the cloud payment session record.
In the above embodiment, the cloud payment session triggering the intrusion detection condition in the cloud payment session record and/or the to-be-processed record content matched with the associated cloud payment session may be decomposed into a plurality of local record contents, and the session description set corresponding to the cloud payment session record may be determined by the saliency corresponding to all or part of the local record contents of the plurality of local record contents. And then determining the distinguishing identifier analysis condition for carrying out service interaction event distinguishing identifier analysis on each service interaction event in the cloud payment session record based on the session description set corresponding to the cloud payment session record, so that the distinguishing identifier analysis efficiency can be improved, and unnecessary resource overhead can be reduced.
In some independently implementable embodiments, STEP102 can include STEP1021 and STEP 1022.
For STEP1021, determining, through a session description set corresponding to the cloud payment session record, at least one pending service interaction event differentiation identifier bound to each service interaction event included in the cloud payment session record and a detection score of each pending service interaction event differentiation identifier.
In one possible example, a session description set corresponding to a cloud payment session record may be used as a raw material of a difference analysis unit (such as a classifier), and a difference analysis recognition result obtained by the difference analysis unit is obtained, where the difference analysis recognition result includes, but is not limited to, at least one pending service interaction event differentiation identifier bound to each service interaction event included in the cloud payment session record, and a detection score corresponding to each pending service interaction event differentiation identifier, that is, a quantitative probability that each service interaction event belongs to the pending service interaction event differentiation identifier.
For example, the cloud payment session record includes 2 service interaction events, the first service interaction event corresponds to 2 pending service interaction event differentiation identifiers, and the second service interaction event corresponds to 3 pending service interaction event differentiation identifiers. The quantization probability that the first service interaction event belongs to the to-be-determined service interaction event differentiation identifier tag _1 is Pa, that is, the detection score corresponding to the to-be-determined service interaction event differentiation identifier tag _1 is Pa, and the quantization probability that the first service interaction event belongs to the to-be-determined service interaction event differentiation identifier tag _2 is Pb, that is, the detection score corresponding to the to-be-determined service interaction event differentiation identifier tag _2 is Pb. The quantization probabilities of the second service interaction event belonging to the pending service interaction event differentiation identifier tag _3, the pending service interaction event differentiation identifier tag _4 and the pending service interaction event differentiation identifier tag _5 are Pc, Pd and Pe, respectively, that is, the detection scores of the pending service interaction event differentiation identifier tag _3, the pending service interaction event differentiation identifier tag _4 and the pending service interaction event differentiation identifier tag _5 are Pc, Pd and Pe, respectively.
For STEP1022, a pending service interaction event differentiation identifier corresponding to a maximum detection score in the at least one pending service interaction event differentiation identifier bound to each service interaction event is used as the resolution condition of the differentiation identifier.
In the embodiment of the application, in order to facilitate subsequent determination of a target information intrusion detection result, a pending service interaction event differentiation identifier corresponding to a maximum detection score in at least one pending service interaction event differentiation identifier bound to each service interaction event may be used as a differentiation identifier analysis condition.
For example, a certain service interaction event included in the cloud payment session record corresponds to 2 pending service interaction event differentiation identifiers. The detection score of the service interaction event belonging to the pending service interaction event differentiation identifier tag _1 is Pa, the detection score of the service interaction event belonging to the pending service interaction event differentiation identifier tag _2 is Pb, and Pa is greater than Pb, so that the pending service interaction event differentiation identifier tag _1 can be used as the differentiation identifier analysis condition corresponding to the service interaction event.
In the above embodiment, the pending service interaction event differentiation identifier possibly bound to each service interaction event included in the cloud payment session record and the detection score of each pending service interaction event differentiation identifier may be determined based on the session description set corresponding to the cloud payment session record, so that the pending service interaction event differentiation identifier corresponding to the maximum detection score in the pending service interaction event differentiation identifiers is used as a differentiation identifier resolution condition for performing service interaction event differentiation identifier resolution on the service interaction event, and subsequently, based on the differentiation identifier resolution condition, the target service interaction event belonging to the cloud payment session triggering the intrusion detection condition and the disturbance service interaction event belonging to the associated cloud payment session may be determined, so as to eliminate the disturbance service interaction event, thereby improving the efficiency of the cloud payment session record including multiple cloud payment session scenes, and the accuracy of information intrusion detection is carried out aiming at the cloud payment session triggering the intrusion detection condition.
In some independently implementable embodiments, STEP103 can include STEP1031 and STEP 1033.
For STEP1031, according to the mapping condition between the service interaction event differentiation identifier and the service interaction event attribute, determining the service interaction event attribute corresponding to the service interaction event differentiation identifier to be determined with the maximum detection score bound to each service interaction event.
In the embodiment of the present application, different service interaction event differentiation identifiers and corresponding service interaction event attributes are set in advance, for example, the service interaction event attribute corresponding to the service interaction event differentiation identifier tag _1 is "intent _ a", the service interaction event attribute corresponding to the service interaction event differentiation identifier tag _2 is "intent _ b", and the like. The service interaction event attribute corresponding to the service interaction event to be determined with the maximum detection score bound to each service interaction event may be determined based on the previously determined resolution condition of the differential identifier and the mapping condition (corresponding relationship).
In the embodiment of the application, each service interaction event included in the first cloud payment session scenario corresponds to a different first service interaction event differentiation identifier, and each first service interaction event differentiation identifier corresponds to a different service interaction event attribute. The different quantization information corresponds to different second service interaction event differentiation identifiers, and the second service interaction event differentiation identifiers also correspond to different service interaction event attributes, such as service interaction event attributes "intent _ 0", "intent _ 1", and the like. For example, the multiple second cloud payment session scenarios include all service interaction events corresponding to a third service interaction event differentiation identifier, and the third service interaction event differentiation identifier may correspond to the same individual service interaction event attribute, for example, the multiple second cloud payment session scenarios include a different place payment scenario, a local payment scenario, and the like, all service interaction events included in the second cloud payment session scenarios may all correspond to a third service interaction event differentiation identifier, and assuming that the service interaction event differentiation identifier tag _35 is a service interaction event differentiation identifier tag _35, the service interaction event differentiation identifier tag _35 may correspond to the same service interaction event attribute, for example, all service interaction event attributes "Trojan implantation intentions" corresponding to different place payment scenarios.
It can be understood that the first cloud payment session scenario is a cloud payment session scenario corresponding to a cloud payment session that triggers an intrusion detection condition, and associated cloud payment session scenarios other than the first cloud payment session scenario may all be regarded as second cloud payment session scenarios. In the embodiment of the application, according to the mapping condition, the service interaction event attribute corresponding to the service interaction event distinguishing identifier to be determined with the maximum detection score bound to each service interaction event can be determined.
For example, the cloud payment session record includes 4 service interaction events, the service interaction event distinguishing identifiers of the maximum detection scores bound to each service interaction event are tag _1, tag _2, tag _3 and tag _35 in sequence, and according to the mapping condition, the corresponding service interaction event attributes can be determined to be intent _ a, intent _ b, intent _ c and Trojan implantation intent in sequence.
For STEP1032, according to the service interaction event differentiation identifier to be determined of the maximum detection score bound to each service interaction event, determining that each service interaction event corresponds to a target service interaction event corresponding to the cloud payment session triggering the intrusion detection condition or a disturbance service interaction event corresponding to the associated cloud payment session.
In this embodiment of the application, if it is determined that the service interaction event differentiation identifier with the maximum detection score bound to a certain service interaction event is one of the first service interaction event differentiation identifiers or the second service interaction event differentiation identifiers, it may be determined that the service interaction event corresponds to the target service interaction event corresponding to the cloud payment session triggering the intrusion detection condition. Wherein, the first service interaction event distinguishing identifiers comprise: service interaction event distinguishing identifiers respectively corresponding to a plurality of service interaction events included in a first cloud payment session scene, wherein the first cloud payment session scene is a cloud payment session scene corresponding to a cloud payment session triggering an intrusion detection condition, and the second service interaction event distinguishing identifiers comprise: and service interaction event distinguishing identifications respectively corresponding to the quantitative information. If the service interaction event distinguishing identifier to be determined of the maximum detection score bound by a certain service interaction event is determined to be the third service interaction event distinguishing identifier, the service interaction event can be determined to correspond to the disturbance service interaction event corresponding to the associated cloud payment session.
For example, the first cloud payment session scenario is a cross-border payment scenario, the first service interaction event differentiation identifiers include service interaction event differentiation identifiers tag _1 to tag _49, the second service interaction event differentiation identifiers corresponding to the quantization information include service interaction event differentiation identifiers tag _50 to tag _59, the third service interaction event differentiation identifier includes service interaction event differentiation identifiers tag _35, the cloud payment session record includes 4 service interaction events, the service interaction event differentiation identifiers to be determined of the maximum detection scores bound to each service interaction event are tag _1, tag _2, tag _3 and tag _35 in sequence, and then it can be determined that the first 3 service interaction events belong to target service interaction events, and the last service interaction event belongs to a disturbance service interaction event.
For STEP1033, the service interaction event attribute corresponding to the target service interaction event is used as the target information intrusion detection result for performing information intrusion detection on the cloud payment session triggering the intrusion detection condition.
The determined cloud payment session record comprises service interaction event attributes corresponding to 4 service interaction events, namely intent _ a, intent _ b, intent _ c and Trojan implantation intents, in sequence, wherein the last service interaction event belongs to a disturbance service interaction event, the service interaction event attribute corresponding to the disturbance service interaction event can be removed, only the service interaction event attribute corresponding to the target service interaction event is reserved, and therefore a target information intrusion detection result is obtained, for example, the obtained target information intrusion detection result is 'intent _ a, intent _ b and intent _ c'.
In one possible example, a set function process may be called, and the service interaction event attribute corresponding to the disturbance service interaction event is removed, so as to obtain the service interaction event attribute corresponding to the target service interaction event. The set function process may be a function process deployed in advance for cleaning the attribute of the specified service interaction event. For example, the service interaction event attribute is designated as "Trojan implantation intention", and the set function process may clean the service interaction event attribute "Trojan implantation intention", so as to obtain the service interaction event attribute of the target service interaction event corresponding to the cloud payment session that triggers the intrusion detection condition.
Based on the content, based on the resolution condition of the distinguishing identifier, each service interaction event in the cloud payment session record is determined to correspond to the target service interaction event corresponding to the cloud payment session triggering the intrusion detection condition or to correspond to the disturbance service interaction event corresponding to the associated cloud payment session, so that the service interaction event attribute corresponding to the disturbance service interaction event can be eliminated, only the service interaction event attribute of the target service interaction event corresponding to the cloud payment session triggering the intrusion detection condition is reserved, the target information intrusion detection result for carrying out information intrusion detection on the cloud payment session triggering the intrusion detection condition is obtained, and the accuracy and reliability of carrying out information intrusion detection on the cloud payment session triggering the intrusion detection condition in the cloud payment session records of various cloud payment session scenes with different types of cloud payment scenes are improved.
In some embodiments that can be implemented independently, for the STEP102, the cloud payment session record may be directly used as a raw material of the target intelligent thread, and a session description set corresponding to the cloud payment session record obtained by analyzing by the target intelligent thread is obtained. The target intelligent thread is an intelligent thread used for carrying out service interaction event distinguishing identification analysis on the service interaction events. In the embodiment of the application, the target intelligent thread is obtained based on the configuration of the set intelligent thread, and a corresponding session description set can be determined from the cloud payment session record. The setting intelligent thread includes, but is not limited to, a neural network model.
In the above embodiment, the cloud payment session record may be used as a raw material of a target intelligent thread for performing service interaction event differentiation identifier analysis on the service interaction event, so as to obtain a session description set corresponding to the cloud payment session record obtained by the analysis of the target intelligent thread, and subsequently, the service interaction event differentiation identifier corresponding to each service interaction event included in the cloud payment session record is determined based on the session description set corresponding to the cloud payment session record, so that information intrusion detection may be performed on the cloud payment session triggering the intrusion detection condition in the cloud payment session record, and accuracy and reliability of information intrusion detection on the cloud payment session triggering the intrusion detection condition are improved.
In some independently implementable embodiments, the above method may further include the following.
For STEP1001, an example cloud payment session record is obtained that encompasses both a cloud payment session corresponding to the first cloud payment session scenario and a cloud payment session corresponding to the second cloud payment session scenario. In an embodiment of the present application, the example cloud payment session record may be obtained directly from the example record storage space.
For STEP1002, the example cloud payment session record is used as a raw material for setting an intelligent thread, and the set intelligent thread is configured by taking the service interaction event distinguishing identification keyword in the example cloud payment session record as a reference, so as to obtain a target intelligent thread for performing service interaction event distinguishing identification analysis on the service interaction event.
In an embodiment of the present application, the service interaction event distinguishing identification keyword in the example cloud payment session record includes at least one of: at least one of a plurality of first service interaction event distinguishing identification keywords respectively corresponding to a plurality of service interaction events included in the first cloud payment session scene; at least one of a plurality of second service interaction event distinguishing identification keywords respectively corresponding to the plurality of quantitative information; the same third service interaction event distinguishing identification key words corresponding to the plurality of service interaction events included in the plurality of second cloud payment session scenes.
In the embodiment of the application, the service interaction event distinguishing identification included in the intelligent thread output example cloud payment session record is set, the thread quality evaluation is determined according to the output result of the set intelligent thread and the comparison result of the service interaction event distinguishing identification key words in the example cloud payment session record, and the set intelligent thread is circularly configured in a thread variable feedback mode so as to obtain the target intelligent thread.
In the embodiment, an example cloud payment session record covering a cloud payment session corresponding to a first cloud payment session scene and a cloud payment session corresponding to at least one second cloud payment session scene can be obtained, the example cloud payment session record includes a plurality of service interaction event distinguishing identification keywords, a target intelligent thread for performing service interaction event distinguishing identification analysis on a service interaction event is obtained through configuration of a set intelligent thread, and thread precision and anti-interference performance of the target intelligent thread are improved.
In some independently implementable embodiments, to ensure the accuracy and immunity of the target intelligent thread, the example cloud payment session records may be derived in any one or a combination of the following ways, given that the number of example cloud payment session records may be small.
For the first approach, a sample cloud payment session record is generated based on a first pending cloud payment session record covering a cloud payment session corresponding to the first cloud payment session scenario and pending cloud payment session derivative information corresponding to the second cloud payment session scenario.
In some embodiments, STEP1001 may include the following STEPs 201 to 203.
For STEP201, a first to-be-determined cloud payment session record carrying a cloud payment session corresponding to the first cloud payment session scenario is received.
In the embodiment of the application, a first to-be-determined cloud payment session record including only a cloud payment session corresponding to a first cloud payment session scene may be obtained. The first cloud payment session scenario is a cloud payment session scenario corresponding to a cloud payment session triggering an intrusion detection condition, for example, if the cloud payment session triggering the intrusion detection condition is a cross-border payment scenario, the first cloud payment session scenario is the cross-border payment scenario, and if the cloud payment session triggering the intrusion detection condition is a local payment scenario, the first cloud payment session scenario may be understood as the local payment scenario.
For STEP202, pending cloud payment session derivative information corresponding to the at least one second cloud payment session scenario is obtained. The pending cloud payment session derivative information is example derivative information corresponding to at least one second cloud payment session scene, where the second cloud payment session scene is a cloud payment session scene different from the first cloud payment session scene, for example, the first cloud payment session scene is a local payment scene, and then a remote payment scene except the local payment scene and the like can be used as the second cloud payment session scene.
The pending cloud payment session derivative information includes, but is not limited to, a plurality of service interaction events and a plurality of service interaction event sets composed of the service interaction events, and in addition, the pending cloud payment session derivative information may also include a plurality of session information having business connection.
For STEP203, the example cloud payment session record is determined from the pending cloud payment session derivative information and the first pending cloud payment session record.
In the embodiment of the application, the value information and the auxiliary information included in the first pending cloud payment session record can be obtained respectively, the value information included in the pending cloud payment session derivative information and the value information included in the first pending cloud payment session record are combined to obtain the value information of the example cloud payment session record, and the auxiliary information included in the first pending cloud payment session record is used as the auxiliary information of the example cloud payment session record, so that the example cloud payment session record is generated.
The value information comprises the cloud payment session corresponding to the first cloud payment session scene, and the combination of the value information and the derivative information of the pending cloud payment session comprises but is not limited to the situation that under the condition that the cloud payment session content of the value information and the derivative information of the pending cloud payment session is not repeated, the cloud payment session content of the two parts corresponds to different distributions.
For the second way, a first pending cloud payment session record carrying a cloud payment session corresponding to the first cloud payment session scene and a second pending cloud payment session record covering the cloud payment session corresponding to the second cloud payment session scene are received, so as to generate an example cloud payment session record.
In some embodiments, STEP1001 may include the following STEPs 301 to 302.
For STEP301, a first pending cloud payment session record carrying a cloud payment session corresponding to the first cloud payment session scenario and a second pending cloud payment session record covering a cloud payment session corresponding to the at least one second cloud payment session scenario are received.
For STEP302, the example cloud payment session record is determined from the first pending cloud payment session record and the second pending cloud payment session record.
In the embodiment of the application, the value information included in the first pending cloud payment session record and the value information included in the second pending cloud payment session record can be obtained respectively, and the value information corresponding to the sample cloud payment session record is obtained after the two value information are combined. The value information comprises cloud payment sessions corresponding to a first cloud payment session scene or a second cloud payment session scene, and the combination of the two value information comprises but is not limited to enabling the two parts of cloud payment session contents to correspond to different distribution areas under the condition that the two parts of cloud payment session contents are not repeated. The auxiliary information included in the first pending cloud payment session record or the auxiliary information included in the second pending cloud payment session record may be used as the auxiliary information corresponding to the example cloud payment session record, or the non-critical information may be set as the auxiliary information corresponding to the example cloud payment session record. If the number of the preset non-key information is small, a part of non-key information can be arbitrarily extracted from a previous non-key information storage space, or if no non-key information storage space exists, random combination can be carried out on different record contents of the existing non-key information to obtain a plurality of non-key information, so that the richness of the finally obtained example cloud payment session record is ensured. In an embodiment of the application, after determining the value information and the auxiliary information of the sample cloud payment session record, the sample cloud payment session record may be generated.
In the embodiment, the example cloud payment session record covering the cloud payment session corresponding to the first cloud payment session scene and the cloud payment session corresponding to the at least one second cloud payment session scene can be obtained, so that the problem of difficulty in obtaining the example cloud payment session record is solved, and the target intelligent thread precision and the anti-interference performance can be improved subsequently.
In some embodiments, which can be implemented independently, the first cloud payment session scenario is a local payment scenario, the second cloud payment session scenario is a cross-border payment scenario, and the payment service security scenario is a sea panning scenario. After the cloud payment session record of the transaction behavior content including the local payment scene, the quantitative information and the cross-border payment scene is collected, information intrusion detection needs to be performed on the local payment scene and the quantitative information. The transaction behavior content corresponding to the local payment scene and the quantitative information may belong to a cloud payment session triggering an intrusion detection condition, and the transaction behavior content corresponding to the cross-border payment scene belongs to an associated cloud payment session.
In the embodiment of the application, the collected transaction behavior cloud payment session record can be used as a raw material of a target intelligent thread, a session description set which is obtained by analyzing the target intelligent thread and corresponds to the cloud payment session record is obtained, the session description set is further used as a raw material of a difference analysis unit, and at least one pending service interaction event distinguishing identifier to which each service interaction event belongs and a detection score corresponding to each pending service interaction event distinguishing identifier included in the cloud payment session record are determined through the difference analysis unit.
And based on the result obtained by the analysis of the difference analysis unit, taking the undetermined service interaction event distinguishing identification corresponding to the maximum detection score in the at least one undetermined service interaction event distinguishing identification of each service interaction event as a distinguishing identification analysis condition for carrying out service interaction event distinguishing identification analysis on each service interaction event in the cloud payment session record. Further, according to the mapping situation between the service interaction event distinguishing mark and the service interaction event attribute, determining the service interaction event attribute corresponding to the pending service interaction event distinguishing identification corresponding to the maximum detection score bound by each service interaction event, determining a target service interaction event belonging to a local payment scene or quantitative information according to the service interaction event distinguishing identification to be determined of the maximum detection score bound to each service interaction event, and after the disturbance service interaction event belonging to the cross-border payment scene, from the service interaction event attributes, and eliminating the service interaction event attribute corresponding to the disturbance service interaction event to obtain a service interaction event attribute corresponding to the local payment scene and the quantitative information, and finally obtaining a target information intrusion detection result for carrying out information intrusion detection on the local payment scene and the quantitative information in the cloud payment session record.
In the payment service security scenario provided by the application, the cloud payment session record simultaneously includes a cloud payment session record of transaction behaviors of a local payment scenario, quantitative information, and a cross-border payment scenario, a target intelligent thread first determines to-be-processed record contents matched with the local payment scenario, the quantitative information, and/or the cross-border payment scenario, assuming that 2 to-be-processed record contents are obtained, taking the parsing of the to-be-processed record content substance _1 into 16 local record contents as an example (in the present application, 16 are taken as an example for an exemplary illustration, the number of session description sets obtained in practical application may be less than 16 or greater than 16), each local record content may correspond to obtain one session description set, and similarly, regarding to-be-processed record content substance _2, at least one session description set may also be obtained, and a combination of session description sets corresponding to all local record contents obtained by parsing of two to-be-processed local record contents respectively, as a session description set corresponding to the cloud payment session record.
After a session description set corresponding to the cloud payment session record and obtained by analyzing the target intelligent thread is obtained, at least one to-be-determined service interaction event distinguishing identifier corresponding to each service interaction event included in the cloud payment session record and a detection score corresponding to each to-be-determined service interaction event distinguishing identifier can be obtained through a difference analysis unit. In the embodiment of the application, the to-be-determined service interaction event distinguishing identifier with the largest detection score can be used as a distinguishing identifier analysis condition.
Further, a target service interaction event belonging to a local payment scene and quantitative information and a disturbance service interaction event belonging to a cross-border payment scene can be determined according to the resolution condition of the distinguishing identifier, the service interaction event attribute corresponding to the target service interaction event is used as a target information intrusion detection result, the transaction behaviors of the financial service environment which enters and exits the sea and is selected from the local payment scene, the quantitative information and the cross-border payment scene are corresponded, and the intrusion detection result of information intrusion detection is carried out aiming at the local payment scene and the quantitative information.
In the embodiment of the application, the target intelligent thread can be obtained after the set intelligent thread is configured.
In the process of configuring the target intelligent thread, the paradigm cloud payment session record can be obtained through the existing first to-be-determined cloud payment session record comprising the local payment scene cloud payment session and the cross-border payment scene derivative information. Or a first pending cloud payment session record including only local payment scenario cloud payment sessions and a second pending cloud payment session record including only cross-border payment scenario cloud payment sessions may be obtained independently, and an example cloud payment session record may be generated based on the first pending cloud payment session record and the second pending cloud payment session record.
The method comprises the steps of taking an example cloud payment session record as a raw material for setting an intelligent thread, and taking a plurality of service interaction event keywords in the example cloud payment session record as references to obtain a required target intelligent thread through a reference configuration mode (such as supervised training). Wherein the service interaction event distinguishing identification keywords in the example cloud payment session record include at least one of: at least one of a plurality of first service interaction event distinguishing identification keywords respectively corresponding to a plurality of service interaction events included in the first cloud payment session scene; at least one of a plurality of second service interaction event distinguishing identification keywords respectively corresponding to the plurality of quantitative information; the multiple second cloud payment session scenes comprise the same third service interaction event distinguishing identification keywords corresponding to the multiple service interaction events, namely the same third service interaction event keywords corresponding to the cross-border payment scene.
In the embodiment, a large amount of example configuration information can be obtained, the requirement on the configuration precision of the set intelligent thread is met, the anti-interference performance of the target intelligent thread is improved, and the use requirement can be met as much as possible.
In some embodiments that can be implemented independently, the information intrusion detection scheme provided by the present application may be used in scenarios such as transaction subject information intrusion detection, payment object session risk detection, and the above-mentioned transaction behavior threat identification. In the embodiment of the application, the information intrusion detection scheme can also be used for starting a cross-border payment item.
In the embodiment of the application, the service end can upload the cloud payment session records of the target verification items, the cross-border payment item system can firstly determine a session description set corresponding to the cloud payment session record of each target verification item according to the information intrusion detection scheme provided by the application, and further determine that each service interaction event in the cloud payment session records of the target verification items belongs to a target service interaction event corresponding to a first cloud payment session scene or belongs to a disturbance service interaction event corresponding to an associated cloud payment session except the first cloud payment session scene based on the session description set. And eliminating the disturbance service interaction event in the cloud payment session record of the target verification item, and carrying out information intrusion detection on the cloud payment session triggering the intrusion detection condition in the cloud payment session record of the target verification item, thereby obtaining a target information intrusion detection result. The cloud payment session triggering the intrusion detection condition comprises a cloud payment session corresponding to a first cloud payment session scene, wherein the first cloud payment session scene is a cloud payment session scene corresponding to a cross-border payment project.
For example, the cross-border payment item is started by adopting a cross-border payment scene, the cross-border payment item system can determine that each service interaction event belongs to the cross-border payment scene or a disturbance service interaction event corresponding to a related cloud payment session in a cloud payment session record of a target verification item uploaded by a service terminal, and after the disturbance service interaction event is removed, information intrusion detection is performed on the cross-border payment scene in the cloud payment session record of the target verification item, so that a target information intrusion detection result is obtained. Further, the cross-border payment item system can start the cross-border payment item based on the target information intrusion detection result. For example, the cross-border payment item system verifies that the service end meets various requests for starting cross-border payment items based on target information intrusion detection results, and automatically starts cross-border payment items for the service end. In the embodiment, the disturbance service interaction event corresponding to the associated cloud payment session can be removed from the cloud payment session record of the target verification item required when the cross-border payment item is activated, and the information intrusion detection is performed on the cloud payment session corresponding to the cross-border payment item in the cloud payment session record of the target verification item, so that the starting safety of the cross-border payment item is improved.
For some independently implementable embodiments, after determining a target information intrusion detection result for information intrusion detection on the cloud payment session triggering the intrusion detection condition, the method further comprises: on the premise that the target information intrusion detection result is matched with the data threat tag, carrying out threat intention analysis based on the financial service big data to be processed to obtain a threat intention analysis condition; and carrying out big data protection processing according to the analysis condition of the threat intention.
In the embodiment of the application, the data threat tag can be preset, and the target information intrusion detection result matched with the data threat tag can be obtained by extracting keywords from the target information intrusion detection result and then performing semantic analysis and comparison on the extracted keywords and the data threat tag.
For some independently implementable embodiments, the threat intent resolution condition obtained by performing threat intent resolution based on the financial service big data to be processed can be implemented by the following implementation modes: according to the big data of the financial service to be processed carrying the target online financial service event, obtaining a significant business expression corresponding to the big data of the financial service to be processed; obtaining a plurality of abnormal behavior characteristics, wherein the plurality of abnormal behavior characteristics comprise abnormal behavior characteristics corresponding to each reference service interaction state in at least two reference service interaction states; and analyzing the threat intention of the target online financial service event in the financial service big data to be processed according to the significant service expression and the abnormal behavior characteristics to obtain a threat intention analysis condition.
For some independently implementable embodiments, further description of the threat intent resolution case by performing threat intent resolution based on the financial transaction big data to be processed may include the following.
And 110, obtaining a significance service expression corresponding to the financial service big data to be processed according to the financial service big data to be processed carrying the target online financial service event.
In the embodiment of the application, firstly, the financial business big data to be processed carrying the target online financial service event needs to be obtained, and then key information mining (feature mining) is carried out on the financial business big data to be processed to obtain the significance business expression.
The financial service big data to be processed may be collected by a data collection module on the information intrusion detection server implementing the internet finance-based big data protection processing method according to the embodiment of the present application, and may be collected by a separately arranged data collection terminal, and then the data collection terminal uploads the collected financial service big data to be processed to the information intrusion detection server implementing the internet finance-based big data protection processing method according to the embodiment of the present application.
When the significance service expression is mined, the significance service expression suitable for threat intention analysis can be mined by the following debugging-completed key information mining threads, so that the quality of subsequently selected target abnormal behavior characteristics can be improved conveniently, and the accuracy and the reliability of the threat intention analysis are improved.
In the embodiment of the present application, the financial service may relate to block chain financial fusion, cross-border financial, and the like, and the online financial service event includes a service session event, an identity verification event, a service subject matter communication event, and the like, which is not limited in the embodiment of the present application.
Step 120, obtaining a plurality of abnormal behavior characteristics, where the plurality of abnormal behavior characteristics include an abnormal behavior characteristic corresponding to each reference service interaction state in at least two reference service interaction states.
In an actual application process, in order to improve the flexibility of adapting the internet finance-based big data protection processing method to a new service interaction process and improve the accuracy and reliability of threat intent resolution in the new service interaction process, the abnormal behavior feature herein includes a first abnormal behavior feature obtained by optimizing a first debugging paradigm in a first service interaction process (i.e., the new service interaction process).
In order to ensure the resolution accuracy and reliability of the threat intention of the historical service interaction process (i.e. the actual application service interaction process and the second service interaction process described below), the abnormal behavior characteristics further include second abnormal behavior characteristics obtained through optimization of a second debugging paradigm in the second service interaction process.
Further, in order to reduce the overhead of preprocessing resources of the first debugging case in the new service interaction process, the first abnormal behavior characteristic corresponding to the new service interaction process is debugged by fewer debugging cases in the new service interaction process. In addition, in order to ensure accuracy and reliability of resolution of the threat intentions in the historical service interaction process and improve accuracy and reliability of resolution of the threat intentions in the new service interaction process, the second abnormal behavior features comprise a plurality of second abnormal behavior features which are respectively corresponding to each reference service interaction state and are used for describing the concerned level.
In the embodiment of the application, the abnormal behavior feature may be feature information corresponding to a behavior event with a risk of data security threat, such as feature information of frequent login, non-habitual operation, key inscription word conversation, and the like.
In practical implementation, the first abnormal behavior feature may be determined by: acquiring a plurality of groups of first example financial service big data which are collected in the first service interaction process and respectively correspond to each reference service interaction state; and for each reference service interaction state, respectively mining significant service expressions from multiple groups of first example financial service big data corresponding to the reference service interaction state through a key information mining thread, and determining a first abnormal behavior characteristic corresponding to the reference service interaction state according to the significant service expressions obtained by mining. Specifically, the overall analysis result of the extracted significant service expression may be used as the first abnormal behavior feature corresponding to the reference service interaction state.
And each reference service interaction state obtains a first abnormal behavior characteristic, the first abnormal behavior characteristic is matched with a new service interaction process, the first abnormal behavior characteristic is added into the second abnormal behavior characteristic, the adaptation flexibility of the service interaction process can be improved through the abnormal behavior characteristics in the two service interaction processes, and the analysis accuracy and the reliability in the new service interaction process are improved. In addition, each reference service interaction state only obtains one first abnormal behavior feature, so that the number of first example financial service big data required by each reference service interaction state is small, the pre-processing resource overhead can be effectively saved, and the efficient debugging of the abnormal behavior features is realized.
The further step of determining the first abnormal behavior feature may comprise, for example, a specification of the abnormal behavior feature debugging process during a new service interaction.
In practical implementation, the second abnormal behavior feature may be implemented by: acquiring second example financial service big data corresponding to each reference service interaction state and a plurality of default abnormal behavior characteristics on a description concern level corresponding to each reference service interaction state, which are collected in the second service interaction process; excavating significant business expressions in the second example financial business big data through a key information mining thread to be debugged to obtain an example business description; determining second quantitative commonality information between the exemplary traffic description and each default anomalous behavior feature; and determining second abnormal behavior characteristics corresponding to each default abnormal behavior characteristic according to the obtained second quantitative commonality information.
In the embodiment of the present application, the quantitative commonality information may be understood as similarity information. The determining of the second abnormal behavior feature corresponding to each default abnormal behavior feature according to the obtained second quantitative commonality information may specifically be implemented as follows: for each reference service interaction state, determining the service interaction state of the second example financial service big data as the quantized possibility data of the reference service interaction state according to a plurality of second quantized common information corresponding to the reference service interaction state; generating a first evaluation index according to the quantitative possibility data corresponding to each reference service interaction state; and determining second abnormal behavior characteristics corresponding to each default abnormal behavior characteristic according to the first evaluation index corresponding to each second example financial business big data. In the embodiment of the present application, the evaluation index may be understood as a loss function.
In order to improve the debugging precision of the abnormal behavior features, abnormal behavior feature definitions may be set, where the abnormal behavior feature definitions may specifically include a limiting condition (i.e., a second evaluation index) in the same service interaction state and/or a limiting condition (i.e., a third evaluation index) in a different service interaction state, and then the second abnormal behavior feature corresponding to each default abnormal behavior feature is determined through the first evaluation index and the abnormal behavior feature definitions.
In the embodiment of the present application, the second evaluation index may be determined by: for each reference service interaction state, determining third quantitative commonality information between every two default abnormal behavior characteristics in the reference service interaction state; and generating a second evaluation index according to the third quantitative commonality information and the first quantitative commonality judgment value corresponding to each reference service interaction state.
In the embodiment of the present application, the third evaluation index may be determined by: for each reference service interaction state, selecting the largest third quantization commonality information from the third quantization commonality information corresponding to the reference service interaction state; determining minimum quantitative commonality information among default abnormal behavior characteristics of different reference service interaction states; and generating a third evaluation index according to the maximum third quantization commonality information, the minimum quantization commonality information and the second quantization commonality judgment value.
In the actual implementation process, in order to enable the key information mining thread to adapt to threat intent analysis, the exemplary service description can be mined through the key information mining thread to be debugged, so that the key information mining thread is debugged while the default abnormal behavior feature is debugged through the first evaluation index, the second evaluation index and the third evaluation index, the debugged key information mining thread is obtained while the debugged second abnormal behavior feature is obtained, the key information mining thread can mine the significant service expression suitable for the threat intent analysis, the quality of the subsequently selected target abnormal behavior feature is convenient to improve, and the accuracy and the reliability of the threat intent analysis are improved.
Further mining implementations of the exemplary business descriptions may be implemented in the following relevant contexts, and further determination of the second anomalous behavior characteristic may be implemented in the following relevant contexts.
Step 130, according to the significant business expression and the abnormal behavior characteristics, carrying out threat intention analysis on the target online financial service event in the financial business big data to be processed to obtain a threat intention analysis condition.
In practical implementation, the threat intent resolution may be performed by: determining first quantitative common information between the significant service expression and each abnormal behavior feature under each reference service interaction state one by one; and positioning a target business interaction state to which the target online financial service event belongs from the plurality of reference business interaction states according to the determined first quantitative commonality information, and taking the target business interaction state as the threat intention analysis condition. In this embodiment of the application, taking the target service interaction state as the threat intent resolution case may be understood as determining a state tag or a state topic in the target service interaction state as a threat intent resolution case, where, for example, the state tag is "frequently logged in", then the threat intent resolution case may be understood as "frequently logged in, and there may be an intrusion intent threat", and, for example, the state tag is "conversation is performed in an emergency area", then the threat intent resolution case may be understood as "conversation is performed in an emergency area, and there may be an information theft intent threat"
For some independently implementable technical solutions, the locating, according to the determined first quantitative commonality information, a target business interaction state to which the target online financial service event belongs from the plurality of reference business interaction states, and taking the target business interaction state as the threat intent resolution case, may further include: for each reference service interaction state, performing global processing (such as weighted summation) on a plurality of first quantized commonality information corresponding to the reference service interaction state to obtain the quantized possibility that the financial service big data to be processed is the reference service interaction state; reference business interaction states herein include risk threat intent and non-threat intent; and determining the target business interaction state of the target online financial service event according to the quantization possibility corresponding to each reference business interaction state, and obtaining the analysis condition of analyzing the business interaction threat intention of the target online financial service event. For some examples, the reference business interaction state corresponding to the greater quantitative likelihood is taken as the target business interaction state of the target online financial service event in the financial business big data to be processed.
Therefore, the target business interaction state to which the target online financial service event belongs can be accurately positioned from the reference business interaction state through quantitative common information between the significant business expression and each abnormal behavior characteristic, and the accurate and reliable threat intention analysis condition is obtained.
The number of the abnormal behavior features has obvious correlation to the accuracy and the reliability of the analysis of the service interaction threat intention, so that after the second abnormal behavior feature which is debugged in the second service interaction process is obtained, the obtained second abnormal behavior feature can be selected to improve the accuracy and the reliability of the analysis of the threat intention. The target abnormal behavior feature can be further selected from the second abnormal behavior features through the following steps: excavating significant service expression in the second example financial service big data through a key information mining thread for completing debugging to obtain target service attention content; and for each reference service interaction state, positioning target abnormal behavior characteristics from second abnormal behavior characteristics corresponding to the reference service interaction state according to target service attention contents of second example financial service big data corresponding to the reference service interaction state.
After the target abnormal behavior characteristics are obtained, the threat intention analysis can be carried out through the following steps: and analyzing the threat intention of the target online financial service event in the financial service big data to be processed according to the significant service expression, the first abnormal behavior characteristic and the target abnormal behavior characteristic to obtain a threat intention analysis condition.
Viewed from some examples, the locating the target abnormal behavior feature from the second abnormal behavior feature according to the target business attention content of the second example financial business big data may include: for each reference service interaction state, determining fourth quantitative commonality information between each second abnormal behavior characteristic corresponding to the reference service interaction state and each target service attention content corresponding to the reference service interaction state one by one; determining operation habit risk data corresponding to each second abnormal behavior feature one by one according to the fourth quantitative commonality information and a third quantitative commonality judgment value corresponding to the reference service interaction state; and according to the operation habit risk data corresponding to each second abnormal behavior characteristic, positioning the target abnormal behavior characteristic corresponding to the reference service interaction state from the second abnormal behavior characteristics corresponding to the reference service interaction state.
The above locating the target abnormal behavior feature from the second abnormal behavior features according to the operation habit risk data corresponding to each second abnormal behavior feature may further include: and regarding each reference service interaction state, taking the second abnormal behavior characteristic corresponding to the maximum operation habit risk data in the reference service interaction state as the target abnormal behavior characteristic corresponding to the reference service interaction state.
After a target abnormal behavior feature is located, a second abnormal behavior feature corresponding to the maximum operation habit risk data needs to be filtered, so that in the next locating process, the second abnormal behavior feature except for the maximum operation habit risk data in the second abnormal behavior feature can be located; filtering the target service attention content of which fourth quantitative commonality information with the target abnormal behavior characteristics is larger than the third quantitative commonality judgment value; and then, for each reference service interaction state, determining fourth quantitative common information between each second abnormal behavior feature corresponding to the reference service interaction state and each target service attention content corresponding to the reference service interaction state one by one so as to locate the next target abnormal behavior feature.
The above-mentioned locating a target abnormal behavior feature in each round, and the requirement for repeatedly handling termination may include: for each reference service interaction state, on the premise that the maximum operation habit risk data (for example, the operation habit risk can be represented by a risk level value) corresponding to the reference service interaction state is equal to 0, or the number of the second abnormal behavior features corresponding to the reference service interaction state is equal to 0.
The step of determining the location of the target abnormal behavior feature can be referred to the following related contents. According to the above contents, the abnormal behavior feature has a significant contribution in improving the resolution accuracy and the reliability, and the debugging process of the abnormal behavior feature is explained first by using other embodiments, and then the relevant contents of the abnormal behavior feature in the analysis of the service interaction threat intention are explained.
The application scenario of the service interaction threat intention analysis is wide, so that the service interaction process has many changes, in order to improve the service interaction process matching flexibility of the abnormal behavior characteristics obtained through optimization and reduce the preprocessing resource overhead of a new service interaction process debugging paradigm, the application debugs the abnormal behavior characteristics corresponding to the new service interaction process through fewer debugging paradigms in the new service interaction process, and debugs the debugging paradigms in more historical service interaction processes (such as the actual application service interaction process) to obtain a plurality of abnormal behavior characteristics corresponding to the actual application service interaction process, so that the accuracy and the reliability of the service interaction threat intention analysis in the new service interaction process can be improved on the basis of reducing the preprocessing resource overhead in the new service interaction process.
For some examples, the debugging of the abnormal behavior signature includes the following four periods.
A first period, a key information mining period. And obtaining more debugging cases in the actual application service interaction process, wherein each debugging case comprises the example financial business big data and the reference business interaction state to which the example financial business big data belongs. Reference business interaction states herein may include risk threat intent and non-threat intent. The reference business interaction state to which the example financial business big data belongs may be annotated in advance. After the debugging paradigm is obtained, the significant business expression of each group of the financial business big data is mined through the key information mining unit to be debugged, and an exemplary business description is obtained. For some examples, the example financial transaction big data may be financial transaction big data paired with stored reference digital financial transaction big data, and the reference digital financial transaction big data is stored in advance during service interaction of digital finance. After the example financial business big data is matched with the reference digital financial business big data, the threat intention information analysis is carried out on the example online financial service event in the example financial business big data. The matching completion of the example financial business big data and the stored reference digital financial business big data indicates that the example online financial service event in the example financial business big data meets the threat intention detection requirement, in this case, the threat intention information analysis needs to be carried out on the example financial business big data, and in order to save the operation overhead consumed by the threat intention analysis, when the example online financial service event in the example financial business big data does not meet the threat intention detection requirement, the threat intention information analysis does not need to be carried out. In addition, the content is debugging content, is not real application, and does not need to perform operations such as real financial service interaction, so the example financial service big data is bound with a reference service interaction state, and can not be financial service big data matched with the reference digital financial service big data. After the sample financial service big data is obtained, the sample financial service big data can be subjected to feature compression firstly according to the performance constraint of the information intrusion detection server, the debugging timeliness requirement and the like. The key information mining unit to be debugged may be an AI intelligent model to be debugged, which can mine a multidimensional significance service expression, where the concerned aspect of the significance service expression is related to the performance of the selected key information mining unit, for example, the AI intelligent model of CNN can mine a 10-dimensional significance service expression. In practical application, a proper key information mining unit can be configured according to the requirements of the practical service interaction process on timeliness and accuracy.
And a second period and an abnormal behavior characteristic debugging period in the actual application service interaction process. For some examples, the reference business interaction states may include both risk threat intent and non-threat intent, where multiple abnormal behavior features are defaulted for each reference business interaction state, e.g., M abnormal behavior features are defaulted for each reference business interaction state, and the level of interest for each abnormal behavior feature may be equal to the level of interest of the mined exemplary business description. After the default abnormal behavior features are obtained, numerical level simplification processing (such as normalization processing) is performed on all default abnormal behavior features, and meanwhile numerical level simplification processing is performed on the exemplary service description mined in the first period. For a set of example financial transaction big data, a quantified commonality between the mined example transaction description and each abnormal behavior feature is determined separately. In the embodiment of the present application, it may further be that a cosine distance between the exemplary service description and each abnormal behavior feature is determined, and a quantization commonality is calculated according to an obtained cosine distance determination result. And for each reference service interaction state, carrying out global processing on a plurality of quantitative commonalities corresponding to the service interaction state to obtain the quantitative possibility that the sample financial service big data is the reference service interaction state. In addition, M abnormal behavior characteristics of debugging completion in each reference service interaction state can be obtained by debugging the first evaluation indexes corresponding to all the example financial service big data, and a key information mining unit for completing debugging can also be obtained. The key information mining unit is used for mining the significant business expression of the big data of the financial business to be processed in practical application. Based on the above, M abnormal behavior features are respectively set in each reference service interaction state, and in order to improve the debugging accuracy of the abnormal behavior features, abnormal behavior feature definitions may be set, where the abnormal behavior feature definitions specifically may include a restriction condition in the same service interaction state and a restriction condition in different service interaction states.
For the limiting conditions in the same service interaction state, in order to ensure that different abnormal behavior characteristics in the same reference service interaction state represent different behavior expressions, it may be determined that the quantitative commonality between different abnormal behavior characteristics in the same reference service interaction state is greater than a set first quantitative commonality determination value. In the actual implementation process, a second evaluation index can be established through the following steps to complete the limiting conditions under the same service interaction state: and for each reference service interaction state, determining quantitative commonalities between two default abnormal behavior characteristics in the reference service interaction state. And then generating a second evaluation index according to the quantitative commonality corresponding to each reference service interaction state and the first quantitative commonality judgment value. The quantitative commonality between the two default abnormal behavior features is specified, and the quantitative commonality can be specifically determined according to a cosine distance calculation result between the two specified default abnormal behavior features.
For the limiting conditions in different service interaction states, in order to ensure that the quantization commonality between different abnormal behavior characteristics in the same reference service interaction state is less than the quantization commonality between the abnormal behavior characteristics in the different reference service interaction states, the minimum quantization commonality between the abnormal behavior characteristics in the different reference service interaction states can be determined, and a value obtained by subtracting the maximum quantization commonality between the different abnormal behavior characteristics in the same reference service interaction state is greater than a second quantization commonality determination value. In the actual implementation process, a third evaluation index can be established through the following steps to complete the limiting conditions under different service interaction states: for each reference service interaction state, selecting the maximum quantitative commonality from the quantitative commonalities between any two default abnormal behavior characteristics in the reference service interaction state; determining the minimum quantitative commonality between any two default abnormal behavior characteristics under different reference service interaction states; and generating a third evaluation index according to the maximum quantization commonality, the minimum quantization commonality and the second quantization commonality judgment value. The maximum quantization commonality and the minimum quantization commonality can be determined according to a cosine distance calculation result between two corresponding default abnormal behavior characteristics.
It can be understood that after the above three evaluation indexes are obtained, debugging can be performed through the first evaluation index, the second evaluation index and the third evaluation index, so as to obtain a better abnormal behavior characteristic and a key information mining unit.
Due to the fact that the service interaction threatens that the intention is analyzed, the concerned layers are more, the interference situation is complex, uncertainty factors in the service interaction process are more, and the interference resistance and the stability of the related differential analysis unit are poor. The embodiment of the application is based on an AI machine learning idea, a plurality of abnormal behavior characteristics corresponding to different attention layers are set in each reference service interaction state, the number of different attention layers is effectively increased through an abnormal behavior characteristic learning method, the learning requirement of a service interaction threat intention analysis thread is improved by means of a diversity difference analysis idea, the processing quality of the service interaction threat intention analysis thread on complex contents is improved, the thread stability and the anti-interference performance are improved, therefore, the big data protection processing method based on the Internet finance can describe that the attention layers are complicated, and accurate and reliable threat intention identification can be still realized under the condition that more random conditions exist in a service interaction process.
And in the third period, an abnormal behavior characteristic intelligent selection period. The number of the abnormal behavior features has obvious correlation to the performance of the threat intention analysis thread, the interaction complexity of different reference service interaction states is greatly distinguished due to different interaction change conditions in different service interaction processes, and the number of the abnormal behavior features has strict standards, so that after the abnormal behavior features which are debugged in the actual application service interaction process are obtained, the obtained abnormal behavior features can be selected to obtain the final target abnormal behavior features. In the second period, more abnormal behavior characteristics can be obtained in different reference service interaction states, for example, each reference service interaction state obtains a plurality of abnormal behavior characteristics for completing debugging.
For some examples, the target abnormal behavior feature may be selected by the following steps.
Step 1, excavating the significant business expression of the big data of the exemplary financial business through a key information excavating unit for finishing debugging in a second period to obtain the attention content of the target business; and according to a reference business interaction state to which the example financial business big data belongs, decomposing the mined target business concern content into a description set corresponding to the reference business interaction state, for example, the example financial business big data comprises example financial business big data corresponding to a risk threat intention and example financial business big data corresponding to a non-threat intention, using all target business concern content mined from the example financial business big data corresponding to the risk threat intention as the description set corresponding to the reference business interaction state of the risk threat intention, and using all target business concern content mined from the example financial business big data corresponding to the non-threat intention as the description set corresponding to the reference business interaction state of the non-threat intention.
Further, the abnormal behavior features completing debugging in the second period are decomposed into a plurality of abnormal behavior description sets according to the reference service interaction state to which each abnormal behavior feature belongs, for example, the abnormal behavior feature corresponding to the reference service interaction state of the risk threat intention is used as one abnormal behavior description set, and the abnormal behavior feature corresponding to the reference service interaction state of the non-threat intention is used as one abnormal behavior description set. Due to the fact that the number of the sample financial service big data is large, a certain number of the sample financial service big data can be selected at will to mine the significance service expression.
It can be understood that after the target service attention content is obtained, the target service attention content is subjected to numerical simplification processing.
The related content is the target business concern content mined from the sample financial business big data corresponding to the actual application service interaction process, and the sample financial business big data used for debugging abnormal behavior characteristics is not limited in actual application, for example, other financial business big data collected in the actual application service interaction process can be used as long as the same or similar service interaction process with the sample financial business big data is satisfied. For example, the target business concern is mined from other financial business big data which is the same as or similar to the service interaction process of the above example financial business big data.
And 2, simplifying the abnormal behavior characteristics in each abnormal behavior description set in a numerical level. Then, for any abnormal behavior description set, the target abnormal behavior feature can be selected according to the following sub-steps.
And 2.1, obtaining a description set matched with the abnormal behavior description set according to the reference business interaction state corresponding to the abnormal behavior description set, for example, obtaining the description set corresponding to the risk threat intention when the reference business interaction state corresponding to the abnormal behavior description set is the risk threat intention.
And 2.2, determining quantitative commonalities between the abnormal behavior feature and the attention content of each target service in the description set obtained in the 2.1 step for any abnormal behavior feature in the abnormal behavior description set to obtain a plurality of quantitative commonalities, wherein the statistical quantitative commonalities are larger than the number of set quantitative commonalities judgment values, and the obtained number is used as the risk level corresponding to the abnormal behavior feature. And repeatedly implementing the steps until the risk level corresponding to each abnormal behavior feature in the abnormal behavior description set is obtained. The quantization commonality in the 2.2 nd step can be determined according to the calculation result of the cosine distance between the abnormal behavior feature and the target service attention content. The quantized commonality decision value in the 2.2 nd step is set according to different reference service interaction states, and the quantized commonality decision values corresponding to different reference service interaction states may be different.
2.3, selecting the abnormal behavior characteristic corresponding to the maximum risk level as a target abnormal behavior characteristic corresponding to the abnormal behavior description set; and filtering the abnormal behavior characteristics corresponding to the maximum risk level from an abnormal behavior description set, and filtering the target service attention content of which the quantitative commonality with the target abnormal behavior characteristics is greater than the quantitative commonality judgment value from the description set.
It can be understood that the risk level of the abnormal behavior feature is determined to be the maximum through the risk level calculation, and at this time, the abnormal behavior feature is filtered from the abnormal behavior description set, and meanwhile, the abnormal behavior feature is taken as the target abnormal behavior feature. According to the 2.2 nd step and the 2.3 rd step, target abnormal behavior characteristics are continuously selected, abnormal behavior characteristics are continuously filtered from the abnormal behavior description set, target service attention content is filtered from the description set until the maximum risk level of the abnormal behavior characteristics in the abnormal behavior description set is 0 or the abnormal behavior description set is empty, and the target abnormal behavior characteristics are stopped being selected from the abnormal behavior description set. All the target abnormal behavior characteristics corresponding to the abnormal behavior description set are obtained. And (3) executing the 2 nd step on each abnormal behavior description set respectively to obtain the target abnormal behavior characteristics corresponding to each abnormal behavior description set. Since the abnormal behavior description sets are divided according to the reference service interaction state, when the target abnormal behavior feature corresponding to each abnormal behavior description set is obtained, the target abnormal behavior feature corresponding to each reference service interaction state can be obtained. Thus, a plurality of target abnormal behavior characteristics on a plurality of attention levels are determined one by one for each reference service interaction state. The target abnormal behavior characteristics selected in the period are the necessary abnormal behavior characteristics of the threat intention analysis thread, and the rest abnormal behavior characteristics are determined to be ineffective and can be deleted.
The performance of the threat intent resolution thread is very relevant to the number of abnormal behavior features. For different service interaction processes, affected by the financial service interaction environment, different numbers of abnormal behavior characteristics need to be set for the threat intention analysis thread, and the numbers of the target abnormal behavior characteristics corresponding to different reference service interaction states can be the same or different. The related content intelligently selects the abnormal behavior characteristics, so that the applicability of the threat intention analysis thread in different service interaction processes is improved.
And in the fourth period, an abnormal behavior characteristic debugging period in the new service interaction process.
In practical application, due to the variability of thread interference and the variability of a service interaction process, the threat intention analysis thread needs to always deal with input information of a new concerned layer, and most of the related technologies debug the threat intention analysis thread secondarily through more new debugging paradigms so as to obtain the threat intention analysis thread with higher analysis accuracy and reliability. However, the method not only increases the pre-processing resource overhead of thread debugging, but also reduces the debugging efficiency of the threat intention analysis thread, thereby affecting the efficiency and timeliness of service interaction threat intention analysis.
For the problems, the period debugs new abnormal behavior characteristics through fewer new debugging examples, and the analysis of the service interaction threat intention is carried out by combining the target abnormal behavior characteristics obtained in the last period. For some examples, the new abnormal behavior signature may be debugged by: acquiring a plurality of groups of example financial service big data which are collected in a new service interaction process and respectively correspond to each reference service interaction state; and for each reference service interaction state, respectively mining the significance service expression from a plurality of groups of example financial service big data corresponding to the reference service interaction state, calculating the integral analysis result of the mined significance service expression, and taking the obtained integral analysis result as a new abnormal behavior characteristic corresponding to the reference service interaction state. Thus, each reference service interaction state gets a new abnormal behavior signature, which is paired with a new service interaction process. The period can be used for mining the significant business expression through a key information mining unit obtained by optimizing the second period.
The new abnormal behavior characteristics obtained in the period are combined with the target abnormal behavior characteristics obtained in the third period to analyze the service interaction threat intention, so that the analysis accuracy and the reliability of the threat intention analysis thread on the input information of a new concerned layer can be effectively improved, the analysis accuracy and the reliability of the original input information are kept, the pre-processing resource overhead can be reduced, the debugging difficulty of the threat intention analysis thread is reduced, the debugging efficiency is improved, the newly-added input information which is greatly different from the actual application service interaction process can be quickly dealt with, the applicability and the transformation capability of the threat intention analysis thread are obviously improved, and the method can be applied to different service interaction processes.
It can be understood that, through the above four periods, the abnormal behavior feature corresponding to each reference service interaction state and used for performing service interaction threat intention analysis is determined, including the target abnormal behavior feature obtained in the third period and the new abnormal behavior feature obtained in the fourth period, and the two abnormal behavior features are taken together as the target application abnormal behavior feature.
Under some design ideas which can be independently implemented, the service interaction threat intention analysis can be carried out through the following steps: excavating significant business expressions in the financial business big data to be processed through a key information excavating unit which finishes debugging, and determining the quantitative commonality of the excavated significant business expressions and the abnormal behavior characteristics of each target application in each reference business interaction state; for each reference service interaction state, carrying out global processing on a plurality of quantization commonalities corresponding to the service interaction state to obtain the quantization possibility that the financial service big data to be processed is the reference service interaction state; reference business interaction states herein include risk threat intent and non-threat intent; and determining the target business interaction state of the target online financial service event according to the quantization possibility corresponding to each reference business interaction state, and obtaining the analysis condition of analyzing the business interaction threat intention of the target online financial service event.
For some examples, the reference business interaction state corresponding to the larger quantitative probability is used as the target business interaction state of the target online financial service event in the financial business big data to be processed, for example, on the premise that the quantitative probability corresponding to the risk threat intent is 80% and the quantitative probability corresponding to the non-threat intent is 20%, the target business interaction state of the target online financial service event is the risk threat intent.
For some independently implementable technical solutions, the big data protection processing according to the threat intent resolution condition may include the following: acquiring intention item distribution of a threat intention analysis condition and reference item distribution corresponding to the intention item distribution; trend description mining is sequentially carried out on the intention distribution and the reference distribution to obtain a first threat trend description of the intention distribution and a second threat trend description of the reference distribution; analyzing the adaptation degree between the first threat trend description and the second threat trend description to obtain a local statistical result of the adaptation degree between the first threat trend description and the second threat trend description; weighting the first threat trend description and the second threat trend description based on the local statistical result of the adaptation degree to obtain a first weighted threat trend description; and performing protective measure matching processing on the first weighted threat trend description to obtain an information protective measure matching result of the intention item distribution.
In the embodiment of the application, the intention item distribution and the reference item distribution can be understood as the summary result of the intention item and the reference item, the threat trend description is used for describing the possible occurrence situation of the information threats distributed in different items, and the adaptation degree can be understood as the correlation degree.
For some independently implementable solutions, before obtaining an intent distribution of a threat intent resolution and a reference distribution corresponding to the intent distribution, the method further comprises: extracting trend key topics from the intention item distribution and the original reference item distribution in sequence to obtain a first set number of first trend key topics in the intention item distribution and a first set number of second trend key topics in the original reference item distribution; performing trend key topic binding on the first trend key topic and the second trend key topic, and determining trend key topic sets in the intention item distribution and the original reference item distribution, wherein each trend key topic set comprises a first trend key topic and a second trend key topic which correspond to each other; on the premise that the number of the trend key topic sets is not less than the set number, determining an adjustment strategy for distributing the original reference matters to the distribution of the intention matters according to the relative relation of the trend key topics in the trend key topic sets; and adjusting the original reference item distribution according to the adjustment strategy to obtain the reference item distribution. By so designing, high correlation between the reference item distribution and the intention item distribution can be ensured.
Based on the same inventive concept, there is also provided an online payment information intrusion detection device 20 based on cloud computing, which is applied to an information intrusion detection server 10, and the device includes: the event analysis module 21 is configured to receive a cloud payment session record carrying a cloud payment session triggering an intrusion detection condition and an associated cloud payment session; obtaining a distinguishing identifier analysis condition of each service interaction event in the cloud payment session record through a session description set corresponding to the cloud payment session record, wherein the distinguishing identifier analysis condition is used for representing a distinguishing identifier of the service interaction event; and the intrusion detection module 22 is configured to determine a target information intrusion detection result for performing information intrusion detection on the cloud payment session triggering the intrusion detection condition according to the distinguishing identifier analysis condition.

Claims (10)

1. The online payment information intrusion detection method based on cloud computing is applied to an information intrusion detection server, and comprises the following steps:
receiving cloud payment session records carrying cloud payment sessions triggering intrusion detection conditions and associated cloud payment sessions; obtaining a distinguishing identifier analysis condition of each service interaction event in the cloud payment session record through a session description set corresponding to the cloud payment session record, wherein the distinguishing identifier analysis condition is used for representing a distinguishing identifier of the service interaction event;
And determining a target information intrusion detection result for carrying out information intrusion detection on the cloud payment session triggering the intrusion detection condition according to the distinguishing identification analysis condition.
2. The method of claim 1, wherein the method further comprises:
acquiring an example cloud payment session record covering a cloud payment session corresponding to a first cloud payment session scene and a cloud payment session corresponding to at least one second cloud payment session scene; the first cloud payment session scene is a cloud payment session scene corresponding to the cloud payment session triggering the intrusion detection condition, and the second cloud payment session scene is a cloud payment session scene different from the first cloud payment session scene;
and taking the example cloud payment session record as a raw material for setting an intelligent thread, and configuring the set intelligent thread by taking the service interaction event distinguishing identification key words in the example cloud payment session record as references to obtain a target intelligent thread for performing service interaction event distinguishing identification analysis on the service interaction event.
3. The method of claim 2, wherein obtaining a sample cloud payment session record that encompasses both a cloud payment session corresponding to a first cloud payment session scenario and a cloud payment session corresponding to at least one second cloud payment session scenario comprises:
Receiving a first to-be-determined cloud payment session record carrying a cloud payment session corresponding to the first cloud payment session scene;
obtaining the derivative information of the pending cloud payment session corresponding to the at least one second cloud payment session scene;
determining the example cloud payment session record from the pending cloud payment session derivative information and the first pending cloud payment session record;
wherein obtaining an example cloud payment session record encompassing both a first cloud payment session context and at least one second cloud payment session context comprises:
receiving a first pending cloud payment session record carrying a cloud payment session corresponding to the first cloud payment session scene and a second pending cloud payment session record covering the cloud payment session corresponding to the at least one second cloud payment session scene;
determining the example cloud payment session record from the first pending cloud payment session record and the second pending cloud payment session record;
wherein the service interaction event distinguishing identification keywords in the example cloud payment session record include at least one of: at least one of a plurality of first service interaction event distinguishing identification keywords respectively corresponding to a plurality of service interaction events included in the first cloud payment session scene; at least one of a plurality of second service interaction event distinguishing identification keywords respectively corresponding to the plurality of quantitative information; and the same third service interaction event distinguishing identification key words corresponding to the plurality of service interaction events included in the plurality of second cloud payment session scenes.
4. The method of claim 3, wherein the cloud payment session that triggers the intrusion detection condition comprises a cloud payment session corresponding to a first cloud payment session scenario, the first cloud payment session scenario being a cloud payment session scenario corresponding to a cross-border payment project; the cloud payment session record covers a cloud payment session record of a target verification item required when the cross-border payment item is activated;
the obtaining of the resolution condition of the distinguishing identifier of each service interaction event in the cloud payment session record through the session description set corresponding to the cloud payment session record includes:
determining that each service interaction event in the cloud payment session record of the target verification item corresponds to a target service interaction event corresponding to the first cloud payment session scene or belongs to a disturbance service interaction event corresponding to an associated cloud payment session through a session description set corresponding to the cloud payment session record of the target verification item;
the determining of the target information intrusion detection result for performing information intrusion detection on the cloud payment session triggering the intrusion detection condition includes:
determining a target information intrusion detection result for carrying out information intrusion detection on the target service interaction event in the cloud payment session record of the target verification item;
The method further comprises the following steps:
and starting the cross-border payment item according to the target information intrusion detection result.
5. The method of claim 1, wherein the method further comprises:
determining the cloud payment session triggering the intrusion detection condition in the cloud payment session record and/or the content of the record to be processed matched with the associated cloud payment session;
decomposing the record content to be processed into a plurality of local record contents;
and determining a session description set corresponding to the cloud payment session record through the significance expression corresponding to at least part of the local record contents in the local record contents.
6. The method of claim 5, wherein obtaining the resolution of the differentiated identity of each service interaction event in the cloud payment session record through the session description set corresponding to the cloud payment session record comprises:
determining at least one pending service interaction event distinguishing identifier bound to each service interaction event and a detection score of each pending service interaction event distinguishing identifier, which are included in the cloud payment session record, through a session description set corresponding to the cloud payment session record;
And taking the pending service interaction event distinguishing identification corresponding to the maximum detection score in the at least one pending service interaction event distinguishing identification bound by each service interaction event as the distinguishing identification analysis condition.
7. The method of claim 6, wherein determining a target information intrusion detection result for information intrusion detection on the cloud payment session triggering the intrusion detection condition by resolving the condition of the distinguishing identifier comprises:
determining the service interaction event attribute corresponding to the service interaction event distinguishing identifier to be determined with the maximum detection score bound by each service interaction event according to the mapping condition between the service interaction event distinguishing identifier and the service interaction event attribute;
determining that each service interaction event corresponds to a target service interaction event corresponding to the cloud payment session triggering the intrusion detection condition or a disturbance service interaction event corresponding to the associated cloud payment session according to the service interaction event distinguishing identification to be determined of the maximum detection score bound to each service interaction event;
and using the service interaction event attribute corresponding to the target service interaction event as the target information intrusion detection result for carrying out information intrusion detection on the cloud payment session triggering the intrusion detection condition.
8. The method of claim 7, wherein the determining that each service interaction event corresponds to a target service interaction event corresponding to the cloud payment session triggering the intrusion detection condition or a disturbance service interaction event corresponding to the associated cloud payment session according to the pending service interaction event distinguishing identifier with the maximum detection score bound to each service interaction event comprises:
determining that the corresponding service interaction event corresponds to the target service interaction event on the premise that the bound service interaction event distinguishing identifier with the maximum detection score is determined to be one of a plurality of first service interaction event distinguishing identifiers or a plurality of second service interaction event distinguishing identifiers;
determining that the corresponding service interaction event corresponds to the disturbance service interaction event on the premise of determining that the bound service interaction event distinguishing identifier with the maximum detection score is a third service interaction event distinguishing identifier;
wherein, the first service interaction event distinguishing identifiers comprise: service interaction event distinguishing identifications respectively corresponding to a plurality of service interaction events included in the first cloud payment session scene; the first cloud payment session scene is a cloud payment session scene corresponding to the cloud payment session triggering the intrusion detection condition; the second service interaction event distinguishing identifications comprise: service interaction event distinguishing identifications respectively corresponding to the quantitative information; the third service interaction event distinguishing identifier comprises: the service interaction event distinguishing identifications correspond to a plurality of service interaction events included in the second cloud payment session scenes; wherein the second cloud payment session scenario is a different cloud payment session scenario than the first cloud payment session scenario;
Wherein the determining a session description set corresponding to the cloud payment session record includes:
and taking the cloud payment session record as a raw material of a target intelligent thread for performing service interaction event distinguishing identification analysis on a service interaction event, and obtaining a session description set corresponding to the cloud payment session record obtained by analyzing the target intelligent thread.
9. An information intrusion detection server is characterized by comprising a processor, a network module and a memory; the processor and the memory communicate through the network module, the processor reading a computer program from the memory and operating to perform the method of any of claims 1-8.
10. A computer storage medium, characterized in that it stores a computer program which, when executed, implements the method of any one of claims 1-8.
CN202111218018.5A 2021-10-20 2021-10-20 Online payment information intrusion detection method based on cloud computing and server Withdrawn CN113946819A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111218018.5A CN113946819A (en) 2021-10-20 2021-10-20 Online payment information intrusion detection method based on cloud computing and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111218018.5A CN113946819A (en) 2021-10-20 2021-10-20 Online payment information intrusion detection method based on cloud computing and server

Publications (1)

Publication Number Publication Date
CN113946819A true CN113946819A (en) 2022-01-18

Family

ID=79331523

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111218018.5A Withdrawn CN113946819A (en) 2021-10-20 2021-10-20 Online payment information intrusion detection method based on cloud computing and server

Country Status (1)

Country Link
CN (1) CN113946819A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114567495A (en) * 2022-03-04 2022-05-31 鹰潭市吉海智能科技有限公司 Network attack analysis method applied to cloud computing and server

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114567495A (en) * 2022-03-04 2022-05-31 鹰潭市吉海智能科技有限公司 Network attack analysis method applied to cloud computing and server

Similar Documents

Publication Publication Date Title
CN113706177B (en) Threat identification method based on big data security and data security server
CN110177108B (en) Abnormal behavior detection method, device and verification system
CN113706149A (en) Big data wind control processing method and system for dealing with online payment data threat
CN113918621A (en) Big data protection processing method based on internet finance and server
CN112329811A (en) Abnormal account identification method and device, computer equipment and storage medium
CN114139209B (en) Information anti-theft method and system applied to big data of business user
CN113949577A (en) Data attack analysis method applied to cloud service and server
CN114154995B (en) Abnormal payment data analysis method and system applied to big data wind control
CN114138872A (en) Big data intrusion analysis method and storage medium applied to digital finance
CN115174231A (en) AI-Knowledge-Base-based network fraud analysis method and server
CN113468520A (en) Data intrusion detection method applied to block chain service and big data server
CN113515606A (en) Big data processing method based on intelligent medical safety and intelligent medical AI system
CN114693192A (en) Wind control decision method and device, computer equipment and storage medium
CN113486983A (en) Big data office information analysis method and system for anti-fraud processing
CN114500099A (en) Big data attack processing method and server for cloud service
CN114547254A (en) Risk identification method based on big data topic analysis and server
CN114329455B (en) User abnormal behavior detection method and device based on heterogeneous graph embedding
CN114417405A (en) Privacy service data analysis method based on artificial intelligence and server
CN113946819A (en) Online payment information intrusion detection method based on cloud computing and server
CN113434857A (en) User behavior safety analysis method and system applying deep learning
CN111917848A (en) Data processing method based on edge computing and cloud computing cooperation and cloud server
CN115314268B (en) Malicious encryption traffic detection method and system based on traffic fingerprint and behavior
CN114841705B (en) Anti-fraud monitoring method based on scene recognition
CN115439928A (en) Operation behavior identification method and device
CN114648388A (en) Big data analysis method and system for dealing with personalized service customization

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220118

WW01 Invention patent application withdrawn after publication