CN114218568A - Big data attack processing method and system applied to cloud service - Google Patents

Big data attack processing method and system applied to cloud service Download PDF

Info

Publication number
CN114218568A
CN114218568A CN202111502860.1A CN202111502860A CN114218568A CN 114218568 A CN114218568 A CN 114218568A CN 202111502860 A CN202111502860 A CN 202111502860A CN 114218568 A CN114218568 A CN 114218568A
Authority
CN
China
Prior art keywords
attack
intention
knowledge graph
cloud service
behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111502860.1A
Other languages
Chinese (zh)
Other versions
CN114218568B (en
Inventor
徐志全
张红艳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xiamen Jikuai Technology Co ltd
Original Assignee
Pingxiang Shengmai Internet Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Pingxiang Shengmai Internet Technology Co ltd filed Critical Pingxiang Shengmai Internet Technology Co ltd
Priority to CN202111502860.1A priority Critical patent/CN114218568B/en
Publication of CN114218568A publication Critical patent/CN114218568A/en
Application granted granted Critical
Publication of CN114218568B publication Critical patent/CN114218568B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/36Creation of semantic tools, e.g. ontology or thesauri
    • G06F16/367Ontology
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00Machine learning
    • G06N20/10Machine learning using kernel methods, e.g. support vector machines [SVM]

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Computing Systems (AREA)
  • Artificial Intelligence (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Evolutionary Computation (AREA)
  • Medical Informatics (AREA)
  • Virology (AREA)
  • Mathematical Physics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Animal Behavior & Ethology (AREA)
  • Computational Linguistics (AREA)
  • Databases & Information Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application relates to the technical field of cloud services and big data, in particular to a big data attack processing method and system applied to cloud services, which can determine user operation behavior information of a target smart cloud service item in a relatively low first characteristic identification degree interval; carrying out attack behavior intention mining on the user operation behavior information to obtain a user attack behavior intention; attack intention knowledge graph optimization is carried out on the attack behavior intention of the user to obtain an optimized attack intention knowledge graph, so that the attack intention knowledge graph which is as rich and complete as possible under the condition of high feature recognition degree is obtained through the optimization of the operation behavior of the user under the condition of low feature recognition degree, the optimization quality of the attack intention knowledge graph is guaranteed to a certain extent, accurate and reliable big data attack analysis and identification can be realized through the optimized attack intention knowledge graph, and accurate and reliable analysis basis is provided for subsequent attack protection.

Description

Big data attack processing method and system applied to cloud service
Technical Field
The embodiment of the application relates to the technical field of cloud services and big data, in particular to a big data attack processing method and system applied to cloud services.
Background
Under cloud service and big data environment, the data business requirements of various industries and fields are changing, and a new complete chain is formed from data acquisition, data integration, data extraction, data mining to data release. With further centralization of big data and explosive growth of data volumes, securing data in the industry chain becomes more difficult. Meanwhile, the distributed, cooperative and open processing of the data also increases the risks of data leakage and attack, and in the application process of the big data, the fresh technology can realize accurate and reliable big data attack analysis and identification.
Disclosure of Invention
In view of this, the embodiment of the present application provides a big data attack processing method and system applied to cloud services.
In a first aspect, an embodiment of the present application provides a big data attack processing method applied to a cloud service, where the big data attack processing method is applied to a big data attack processing system, and the method at least includes: determining user operation behavior information of a target smart cloud service project, wherein the user operation behavior information aims at reflecting the feature recognition degree updating condition of the target smart cloud service project in a first feature recognition degree interval; and carrying out attack behavior intention mining on the user operation behavior information to obtain a first user attack behavior intention of the target smart cloud service item, and carrying out attack intention knowledge graph optimization on the first user attack behavior intention to obtain an optimized attack intention knowledge graph of the target smart cloud service item, wherein the feature recognition degree of the optimized attack intention knowledge graph is located in a second feature recognition degree interval, and the second feature recognition degree interval is larger than the first feature recognition degree interval.
In a second aspect, an embodiment of the present application further provides a big data attack processing system, including a processor, a network module, and a memory; the processor and the memory communicate through the network module, and the processor reads the computer program from the memory and operates to perform the above-described method.
Compared with the prior art, the big data attack processing method and system applied to the cloud service provided by the embodiment of the application have the following technical effects: in the embodiment of the application, the user operation behavior information of the target smart cloud service item in a relatively low first characteristic identification degree interval can be determined; carrying out attack behavior intention mining on the user operation behavior information to obtain a user attack behavior intention; attack intention knowledge graph optimization is carried out on the attack behavior intention of the user, an optimized attack intention knowledge graph of the target smart cloud service item in a relatively high second feature recognition degree interval is obtained, the attack intention knowledge graph which is as rich and complete as possible under the condition of high feature recognition degree is obtained through the user operation behavior optimization under the condition of low feature recognition degree, the optimization quality of the attack intention knowledge graph is guaranteed to a certain extent, accurate and reliable big data attack analysis and identification can be achieved through the optimized attack intention knowledge graph, and accurate and reliable analysis basis is provided for subsequent attack protection.
Drawings
Fig. 1 is a block diagram illustrating a big data attack processing system according to an embodiment of the present disclosure. Fig. 2 is a flowchart of a big data attack processing method applied to a cloud service according to an embodiment of the present disclosure. Fig. 3 is a block diagram of a big data attack processing apparatus applied to a cloud service according to an embodiment of the present disclosure.
Detailed Description
Fig. 1 shows a block diagram of a big data attack processing system 10 according to an embodiment of the present application. The big data attack processing system 10 in the embodiment of the present application may be a server with data storage, transmission, and processing functions, as shown in fig. 1, the big data attack processing system 10 includes: the system comprises a memory 11, a processor 12, a network module 13 and a big data attack processing device 20 applied to cloud services. An embodiment of the present application further provides a computer storage medium, where a computer program is stored, and the computer program implements the method when running. Fig. 2 shows a flowchart of a big data attack processing method applied to a cloud service according to an embodiment of the present application. The method steps defined by the flow related to the method are applied to the big data attack processing system 10 and can be realized by the processor 12, and the method comprises the technical scheme recorded by step11-step 13.
step11, determining user operation behavior information of the target smart cloud service item, wherein the user operation behavior information is intended to reflect the feature recognition degree updating condition of the target smart cloud service item in the first feature recognition degree interval.
step12, performing attack behavior intention mining on the user operation behavior information to obtain a first user attack behavior intention of the target smart cloud service item.
step13, conducting attack intention knowledge graph optimization on the first user attack behavior intention to obtain an optimized attack intention knowledge graph of the target smart cloud service item, wherein the feature recognition degree of the optimized attack intention knowledge graph is located in a second feature recognition degree interval, and the second feature recognition degree interval is larger than the first feature recognition degree interval.
In an independently implementable embodiment, the target smart cloud service item may be a business scenario including a smart cloud service item for online payment, group purchase business, government and enterprise business, and the like. Under the condition that the target smart cloud service item is possibly in a low feature recognition degree, the attack intention knowledge graph of the target smart cloud service item acquired through the item operation terminal (such as an item recognition module or an information acquisition thread) is not sufficient in recognition degree, and the integrity of the attack intention knowledge graph is relatively poor. In the above case, for step11, the user operation behavior information of the target smart cloud service item is determined in the first feature recognition degree interval corresponding to the low feature recognition degree condition through the user operation behavior acquisition terminal (for example, the user operation behavior acquisition thread), and the user operation behavior information is intended to reflect the feature recognition degree update condition of the target smart cloud service item in the first feature recognition degree interval. The method and the device do not limit the real value of the first characteristic identification degree interval too much.
It can be understood that attack intention mining (such as feature extraction) on the user operation behavior information described in step12 to obtain the first user attack intention of the target smart cloud service item can be described in the following relevant contents. In an embodiment of the present application, the first user attack intention at least covers information representing a transaction distribution of the target smart cloud service item. For example: the attack behavior intention of the user operation behavior information is extracted through a big data attack analysis model (such as a convolutional neural network), the big data attack analysis model can comprise a plurality of information extraction units (such as convolutional layers), a plurality of information optimization units (such as residual layers) and the like, and the model architecture of the big data attack analysis model is not limited by the application.
It can be understood that, for the attack intention knowledge graph optimization of the first user attack behavior intention described in step13 to obtain the optimized attack intention knowledge graph of the target smart cloud service item, the following relevant contents can be illustrated. In the embodiment of the present application, the optimized attack intention knowledge graph may be, for example, a visual knowledge base, and the feature recognition degree of the optimized attack intention knowledge graph is within a second feature recognition degree interval corresponding to a high feature recognition degree condition, where the second feature recognition degree interval is greater than the first feature recognition degree interval.
In the embodiment of the application, the attack intention knowledge graph optimization can be carried out on the first user attack behavior intention through a transposition attack analysis model (such as an deconvolution neural network). Further, the transposed attack analysis model may include a plurality of transposed information extraction units (e.g., deconvolution layers), a plurality of information optimization units, an information extraction unit, and the like, and the present application does not limit the true value of the second feature recognition interval and the model architecture of the transposed attack analysis model.
In conclusion, the user operation behavior information of the target smart cloud service item in the relatively low first feature recognition degree interval can be determined; carrying out attack behavior intention mining on the user operation behavior information to obtain a user attack behavior intention; attack intention knowledge graph optimization is carried out on the attack behavior intention of the user, an optimized attack intention knowledge graph of the target smart cloud service item in a relatively high second feature recognition degree interval is obtained, the attack intention knowledge graph which is as rich and complete as possible under the condition of high feature recognition degree is obtained through the user operation behavior optimization under the condition of low feature recognition degree, the optimization quality of the attack intention knowledge graph is guaranteed to a certain extent, accurate and reliable big data attack analysis and identification can be achieved through the optimized attack intention knowledge graph, and accurate and reliable analysis basis is provided for subsequent attack protection.
In an independently implemented embodiment, the attack intention knowledge graph optimization of the first user attack behavior intention recorded by step13 to obtain the optimized attack intention knowledge graph of the target smart cloud service item may exemplarily include the technical solutions recorded by step131-step 133.
step131, according to the disturbance data of the first user behavior and the attack behavior intention of the first user, performing local significance processing on the attack behavior intention of the first user to obtain an attack behavior intention of a second user.
step132, splicing the first user attack behavior intention with the second user attack behavior intention to obtain an attack behavior intention splicing result.
step133, performing attack intention knowledge graph optimization on the attack behavior intention splicing result to obtain an optimized attack intention knowledge graph of the target smart cloud service item.
For example, the user operation behavior information determined under the condition of low feature recognition degree may have more user behavior disturbance influence and partial transaction distribution information is poor. Under the condition, the first user attack behavior intention can be optimized, and more information with higher attention can be restored conveniently.
In the embodiment of the application, any first user behavior disturbance data (such as noise data) can be set, and redundant disturbance threads are added to the first user attack behavior intention according to the first user behavior disturbance data. And importing the first user attack behavior intention added with the disturbance thread into a local significance processing submodel for local significance processing to obtain a second user attack behavior intention. The local saliency processing sub-model may be resnet, and includes an information extraction unit and a plurality of information optimization units. The method and the device for determining the first user behavior disturbance data and the actual model architecture of the local significance processing sub-model are not limited.
It can be understood that the first user attack behavior intention and the second user attack behavior intention can be spliced (for example, fused) to obtain an attack behavior intention splicing result (for example, a fusion characteristic); and importing the splicing result of the attack behavior intention into the transposed attack analysis model to optimize the attack intention knowledge graph to obtain the optimized attack intention knowledge graph of the target smart cloud service item. Therefore, the local information in the first user attack behavior intention can be obviously improved, and the quality of the optimized attack intention knowledge graph is further improved.
In an independently implementable embodiment, the big data attack processing method applied to the cloud service according to the embodiment of the present application can be implemented by a knowledge base analysis model, the knowledge base analysis model at least includes a first attack behavior intention mining submodel and an attack intention knowledge graph optimizing submodel, and the first attack behavior intention mining submodel is used for performing attack behavior intention mining on the user operation behavior information, for example, is a big data attack analysis model; and the attack intention knowledge graph optimization sub-model is used for carrying out attack intention knowledge graph optimization on the first user attack behavior intention, such as a transposed attack analysis model. The knowledge base analysis model can adopt other types of networks or models, and can be set according to real requirements in actual implementation, which is not limited in the application. The knowledge base analysis model may be debugged prior to applying the knowledge base analysis model.
On the basis of the above, the big data attack processing method applied to the cloud service according to the embodiment of the present application may further include: and debugging the knowledge base analysis model according to a specified model debugging set, wherein the model debugging set comprises first example user operation behavior information of a plurality of first example smart cloud service items, second example user operation behavior information of a plurality of second example smart cloud service items and example attack intention knowledge maps corresponding to the example smart cloud service items.
In an embodiment of the present application, the first example user operation behavior information is determined within a third feature recognition interval, the second example user operation behavior information is determined within a fourth feature recognition interval, the example attack intention knowledge graph corresponding to the example smart cloud service item is determined within the fourth feature recognition interval, and the fourth feature recognition interval is greater than the third feature recognition interval.
For example, a model debugging set may be preset, and the model debugging set includes a plurality of example smart cloud service items, such as: and smart cloud service items such as online payment, group purchase business, government and enterprise business and the like. Example smart cloud services can be divided into smart cloud services corresponding to low feature recognition (referred to as a first example smart cloud service) and smart cloud services corresponding to normal feature recognition (referred to as a second example smart cloud service). Each first example smart cloud service item comprises first example user operation behavior information; each second example smart cloud service item includes second example user operation behavior information and an example attack intention knowledge graph corresponding to the example smart cloud service item. The first example smart cloud service item and the second example smart cloud service item may be the same or different smart cloud service items, which is not limited in this application.
In an independently implemented embodiment, when the first example smart cloud service item is located in the third feature recognition degree interval corresponding to the low feature recognition degree condition, the feature recognition degree updating condition of the first example smart cloud service item may be determined by the user operation behavior obtaining terminal (e.g., the user operation behavior collecting thread), so as to obtain the first example user operation behavior information, so as to be used as the import of the knowledge base analysis model. The first example user operational behavior information includes information reflecting a global event distribution of the first example smart cloud service. The third feature recognition degree interval may be the same as or different from the first feature recognition degree interval, and the present application does not limit this.
It is understood that the first example user action information in the case of low feature recognition includes information reflecting the global event distribution of the first example smart cloud service item, but does not include significance information (e.g., feature recognition information of attack intention knowledge graph). In the above case, the user operation behavior information of the second example smart cloud service item (which may be referred to as second example user operation behavior information) in the case of high feature recognition may be imported, so as to learn the significance information in the second example user operation behavior information through the knowledge base analysis model.
It can be understood that when the second example smart cloud service item is located in the fourth feature recognition degree interval corresponding to the high feature recognition degree condition, the feature recognition degree updating condition of the second example smart cloud service item can be determined through the user operation behavior acquisition terminal, and the second example user operation behavior information is obtained. The fourth feature recognition degree interval is larger than the third feature recognition degree interval. The fourth feature recognition degree interval may be the same as or different from the second feature recognition degree interval, which is not limited in the present application. The determination method of the first example user operation behavior information of the first example smart cloud service item and the second example user operation behavior information of the second example smart cloud service item may be similar to the determination idea of the user operation behavior information of the target smart cloud service item, and will not be further described herein.
In addition, for the first example smart cloud service item under the condition of low feature recognition degree, the integrity of the attack intention knowledge graph of the target smart cloud service item acquired through the item operation terminal is relatively poor and cannot be used as the annotation information. In the above case, a knowledge graph of example attack intention corresponding to the example smart cloud service item of the second example smart cloud service item with high feature recognition may be imported as the annotation information of the knowledge base analysis model. An example attack intention knowledge graph corresponding to the example smart cloud service item can be determined within a fourth feature recognition degree interval corresponding to a high feature recognition degree condition through an item operation terminal (such as an information acquisition thread). Therefore, the debugging effect of the knowledge base analysis model can be improved.
In an independently implementable embodiment, the knowledge base analysis model further comprises a support vector machine, and the step of debugging the knowledge base analysis model according to a specified model debugging set can exemplarily comprise the contents recorded by step201-step 203.
step201, importing the first example user operation behavior information of the first example smart cloud service item and the second example user operation behavior information of the second example smart cloud service item into the first attack behavior intention mining submodel respectively to obtain the first example user attack behavior intention and the second example user attack behavior intention.
step202, importing the first example user attack behavior intention and the second example user attack behavior intention into the support vector machine respectively to obtain a first type analysis situation and a second type analysis situation.
step203, debugging the knowledge base analysis model by adopting a robustness enhancement strategy according to the first category analysis condition and the second category analysis condition.
For example, a support vector machine (e.g., an authentication network) in the knowledge base analysis model is used to classify the content derived from the first attack behavior intention mining submodel. It is simply understood that the first aggression intention mining submodel (e.g., the feature extraction network) can be debugged by adopting a robustness enhancement policy (e.g., a countermeasure policy) to enable the first aggression intention mining submodel to learn common description information between the first example user operation behavior information under the condition of low feature recognition degree and the second example user operation behavior information under the condition of high feature recognition degree.
In the embodiment of the application, the first example user operation behavior information of the first example smart cloud service item (such as a sample item) and the second example user operation behavior information of the second example smart cloud service item can be respectively imported into the first attack behavior intention mining submodel for processing, and the first example user attack behavior intention and the second example user attack behavior intention are derived; respectively importing the attack behavior intention of the first example user and the attack behavior intention of the second example user into a support vector machine to obtain a first type analysis condition (such as an identification result) and a second type analysis condition; and debugging the knowledge base analysis model by adopting a robustness enhancement strategy according to the first category analysis condition and the second category analysis condition.
It is understood that in the course of debugging with the robustness enhancing strategy, the first attack behavior intent mining submodel tends to obscure the first example user attack behavior intent and the second example user attack behavior intent, the support vector machine tends to recognize the first example user attack behavior intent and the second example user attack behavior intent, and through the above-mentioned countertraining, the first attack behavior intention mining submodel can be prompted to extract the common intention description between the behavior intention description under the condition of high characteristic identification degree and the behavior intention description under the condition of low characteristic identification degree, the attack behavior intention of the first example user under the condition of low feature recognition degree has the global characteristic of the user operation behavior information under the condition of high feature recognition degree, and the attack behavior intention of the second example user under the condition of high feature recognition degree has the global characteristic of the user operation behavior information under the condition of low feature recognition degree. In other words, through the idea of transfer learning, the first attack behavior intention mining submodel is simultaneously suitable for attack behavior intention mining of data in two different states. The selection of the cost function debugged by adopting the robustness enhancement strategy is not limited.
By the design, the first attack behavior intention mining submodel can more comprehensively and completely mine the user attack behavior intention under the condition of low characteristic recognition degree, so that the accuracy and the anti-interference degree of the first attack behavior intention mining submodel are improved, and efficient attack intention knowledge map optimization is realized by using the user operation behavior information under the condition of low characteristic recognition degree.
In an independently implementable embodiment, the step of debugging the knowledge base analysis model according to the specified model debugging set may further include the recorded contents of step301 and step302, for example.
step301, importing the attack behavior intention of the second example user into the attack intention knowledge graph optimization submodel to obtain a first optimized attack intention knowledge graph of the second example smart cloud service item.
step302, debugging the knowledge base analysis model according to the first optimized attack intention knowledge graph of the second example smart cloud service item and the example attack intention knowledge graph corresponding to the example smart cloud service item.
For example, after the robustness enhancement strategy is adopted for debugging, the second example user attack behavior intention mined by the first attack behavior intention mining submodel has the global characteristic of the user operation behavior information under the condition of low feature recognition, and the corresponding second example user operation behavior information has the label information (in other words, the example attack intention knowledge graph corresponding to the example smart cloud service item under the condition of high feature recognition).
In the embodiment of the application, the attack behavior intention of the second example user can be guided into the attack intention knowledge graph optimization submodel for processing, and a first optimized attack intention knowledge graph of the second example smart cloud service item is derived; according to the comparison information (such as difference information) between the first optimized attack intention knowledge graph of the second example smart cloud service item and the example attack intention knowledge graph corresponding to the example smart cloud service item, the model difference (which can be understood as network loss) of the first attack behavior intention mining submodel and the attack intention knowledge graph optimization submodel can be determined, and further the model variables of the first attack behavior intention mining submodel and the attack intention knowledge graph optimization submodel can be improved according to the model difference feedback, so that the debugging of the first attack behavior intention mining submodel and the attack intention knowledge graph optimization submodel is realized.
In the actual debugging process, the cycle debugging can be carried out. In other words, during each loop process, the feedback improves the model variables of the support vector machine in terms of opposing model differences (opposing network losses). And feeding back and improving model variables of the first attack behavior intention mining submodel and the attack intention knowledge graph optimization submodel according to model differences of the first attack behavior intention mining submodel and the attack intention knowledge graph optimization submodel, wherein the output of the support vector machine can still be obtained in the debugging of the current round to be used as guidance, but the variables of the support vector machine are not optimized. Thus, after multiple times of circulation processing, the debugged knowledge base analysis model can be obtained on the basis of meeting the debugging indexes (such as the set indexes). Therefore, the debugging process of the whole knowledge base analysis model can be realized, and a relatively complete knowledge base analysis model is obtained.
In an independently implementable embodiment, the knowledge base analysis model further comprises a second attack behavior intention mining submodel, and the step of debugging the knowledge base analysis model according to the specified model debugging set further comprises the recorded contents of step401-step 404.
step401, importing the second example user operation behavior information and the second user behavior disturbance data of the second example smart cloud service item into the second attack behavior intention mining sub-model to obtain a third example user attack behavior intention.
step402, the attack behavior intention of the second example user is spliced with the attack behavior intention of the third example user to obtain a splicing result of the attack behavior intention of the first example.
step403, importing the splicing result of the first example attack behavior intention into the support vector machine to obtain a third category analysis condition.
step404, debugging the knowledge base analysis model by using a robustness enhancement strategy according to the first category analysis condition and the third category analysis condition.
For example, the first example user operation behavior information may have a certain user behavior perturbation effect under the condition of low feature recognition, and the user behavior perturbation is low in the second example user operation behavior information under the condition of high feature recognition. In the above case, redundant disturbance threads may be introduced for the second example user operation behavior information, so as to improve the robustness of the model.
The knowledge base analysis model further comprises a second attack behavior intention mining submodel which comprises a plurality of information extraction units and a plurality of information optimization units, and the model architecture of the second attack behavior intention mining submodel is not limited in the application.
In the embodiment of the present application, any second user behavior disturbance data may be set, and a disturbance thread is added to the second example user operation behavior information according to the second user behavior disturbance data. Importing the operation behavior information of the second example user added with the disturbance thread into a second attack behavior intention mining submodel to mine attack behavior intention, and exporting attack behavior intention of the third example user; and splicing the attack behavior intention of the second example user with the attack behavior intention of the third example user to obtain a splicing result of the attack behavior intention of the first example. In this way, the behavior intention enhancement processing of the second example user attack behavior intention can be realized.
In the embodiment of the application, the first example attack behavior intention splicing result is imported into a support vector machine, so that a third type analysis condition can be obtained; and debugging the knowledge base analysis model by adopting a robustness enhancement strategy according to the first category analysis condition and the third category analysis condition. The actual flow of debugging with the robustness-enhancing strategy is not described too much. Thus, the accuracy of the first attack behavior intention mining submodel can be further improved.
In an independently implementable embodiment, the knowledge base analysis model further comprises a second attack behavior intention mining submodel, and the step of debugging the knowledge base analysis model according to the specified model debugging set further comprises the recorded contents of step501 and step 502.
step501, importing the first example attack behavior intention splicing result into the attack intention knowledge graph optimization submodel to obtain a second optimized attack intention knowledge graph of the second example smart cloud service item.
step502, debugging the knowledge base analysis model according to the second optimized attack intention knowledge graph of the second example smart cloud service item and the example attack intention knowledge graph corresponding to the example smart cloud service item.
For example, after the robustness enhancement strategy is adopted for debugging, the concatenation result of the first example attack behavior intention excavated by the first attack behavior intention excavation sub-model and the second attack behavior intention excavation sub-model has the global characteristic of the user operation behavior information under the condition of low feature recognition, and the corresponding second example user operation behavior information has the labeled information (in other words, the example attack intention knowledge graph corresponding to the example smart cloud service item under the condition of high feature recognition).
In the embodiment of the application, the splicing result of the first example attack behavior intention can be led into an attack intention knowledge graph optimization sub-model for processing, and a second optimized attack intention knowledge graph of a second example smart cloud service item is led out; according to the comparison content (difference) between the second optimized attack intention knowledge graph of the second example smart cloud service item and the example attack intention knowledge graph corresponding to the example smart cloud service item, the model difference of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel and the attack intention knowledge graph optimization submodel can be determined; and further, model variables of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel and the attack intention knowledge graph optimization submodel can be improved according to the model difference feedback, so that the debugging of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel and the attack intention knowledge graph optimization submodel is realized.
During the actual debugging process, the cycle debugging can be carried out as well. In other words, during each loop process, the model variables of the improved support vector machine are fed back according to the confrontation model difference; and feeding back and improving model variables of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel and the attack intention knowledge graph optimization submodel according to model differences of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel and the attack intention knowledge graph optimization submodel, wherein derived information of the support vector machine can still be obtained in the current debugging process to serve as guidance, but variables of the support vector machine are not optimized. In this way, by performing the loop processing for a plurality of times, the debugged knowledge base analysis model can be obtained while conforming to the debugging index (for example, the setting index). Therefore, the debugging process of the whole knowledge base analysis model can be realized, and the relatively complete knowledge base analysis model is obtained.
In an independently implementable embodiment, the knowledge base analysis model further comprises a local saliency processing sub-model, and the step of debugging the knowledge base analysis model according to a specified model debugging set can further comprise the recorded contents of step601-step 604.
step601, importing the second example user attack behavior intention and the third user behavior disturbance data into the local significance processing sub-model to obtain a fourth example user attack behavior intention.
step602, concatenating the attack behavior intention of the second example user with the attack behavior intention of the fourth example user to obtain a concatenation result of the attack behavior intention of the second example.
step603, importing the second example attack behavior intention splicing result into the attack intention knowledge graph optimization sub-model to obtain a third optimized attack intention knowledge graph of the second example smart cloud service item.
step604, debugging the knowledge base analysis model according to the first optimized attack intention knowledge graph, the third optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service item of the second example smart cloud service item.
For example, the local saliency processing sub-model may be introduced to perform local saliency processing on the attack behavior intention of the user, so as to restore more local information (e.g., local event distribution information) corresponding to the attack intention knowledge graph. The local saliency processing sub-model may be, for example, resnet, and includes an information extraction unit and a plurality of information optimization units, and the present application does not limit the model architecture of the local saliency processing sub-model.
In an independently implementable embodiment, the second exemplary user attack behavior intent may be directly used for local saliency processing without importing a second attack behavior intent mining submodel. Any third user behavior disturbance data may be set, and a disturbance thread (such as a disturbance channel) may be added to the second example user attack behavior intention according to the third user behavior disturbance data. Importing the attack behavior intention of the second example user added with the disturbance thread into the local significance processing submodel for processing to obtain the attack behavior intention of the fourth example user; splicing the attack behavior intention of the second example user with the attack behavior intention of the fourth example user to obtain a splicing result of the attack behavior intention of the second example; and importing the splicing result of the second example attack behavior intention into the attack intention knowledge graph optimization submodel to obtain a third optimized attack intention knowledge graph of the second example smart cloud service item.
In an embodiment of the application, the knowledge base analysis model is debugged according to the first optimized attack intention knowledge graph, the third optimized attack intention knowledge graph of the example smart cloud service item and the example attack intention knowledge graph corresponding to the example smart cloud service item.
According to the comparison content (difference) between the third optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service project, the first cost of the first attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge graph optimization submodel can be determined; according to the comparison content (difference) between the third optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service project and the comparison content (difference) between the first optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service project, the second cost of the first attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge graph optimization submodel can be determined. The second cost can ensure that the quality of the third optimized attack intention knowledge graph after the local significance processing is introduced is higher than that of the first optimized attack intention knowledge graph when the local significance processing is not introduced, and the local significance processing sub-model can meet the actual requirement.
For example, the global model performance evaluation of the first attack behavior intention mining submodel, the local saliency processing submodel, and the attack intention knowledge graph optimization submodel may be determined according to the first cost and the second cost, such as: determining a global processing result of the first cost and the second cost as a global model performance evaluation (such as overall loss); and further, model variables of the first attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge graph optimization submodel can be improved according to the performance evaluation feedback of the global model, and debugging of the first attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge graph optimization submodel is achieved.
During the actual debugging process, the cycle debugging can be carried out as well. In other words, in the process of each cycle processing, a robustness enhancement strategy is adopted to debug the support vector machine; and then debugging the first attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge graph optimizing submodel, wherein the derived information of the support vector machine is used as guidance, but the variable of the support vector machine is not optimized. After multiple times of circulation processing, the debugged knowledge base analysis model can be obtained on the basis of meeting the debugging indexes (such as set indexes). Therefore, local significance processing of the optimized attack intention knowledge graph can be achieved, and the quality of the optimized attack intention knowledge graph obtained by the debugged knowledge base analysis model is further improved.
In an independently implementable embodiment, the step of debugging the knowledge base analysis model according to the specified model debugging set may further include contents recorded by step701-step 704.
step701, importing the splicing result of the first example attack behavior intention and fourth user behavior disturbance data into the local significance processing sub-model to obtain a fifth example user attack behavior intention.
step702, concatenating the first example attack behavior intention concatenation result and the fifth example user attack behavior intention concatenation result to obtain a third example attack behavior intention concatenation result.
step703, importing the third example attack behavior intention splicing result into the attack intention knowledge graph optimization sub-model to obtain a fourth optimized attack intention knowledge graph of the second example smart cloud service item.
step704, debugging the knowledge base analysis model according to the second optimized attack intention knowledge graph of the second example smart cloud service item, the fourth optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service item.
For example, on the basis that the second attack behavior intention mining submodel is imported, the local significance processing can be carried out through the splicing result of the first example attack behavior intention. Any fourth user behavior disturbance data can be set, and a disturbance thread can be added to the splicing result of the first example attack behavior intention according to the fourth user behavior disturbance data. Importing the splicing result of the attack behavior intention of the first example after the disturbance thread is added into a local significance processing submodel for processing to obtain the attack behavior intention of the fifth example user; splicing the splicing result of the first example attack behavior intention with the splicing result of the attack behavior intention of the fifth example user to obtain a splicing result of the third example attack behavior intention; and importing the splicing result of the attack intention of the third example into the attack intention knowledge graph optimization submodel to obtain a fourth optimized attack intention knowledge graph of the smart cloud service item of the second example.
In an independently implementable embodiment, a knowledge base analysis model is adapted according to the second optimized attack intention knowledge-graph of the second example smart cloud service item, the fourth optimized attack intention knowledge-graph and the example attack intention knowledge-graph corresponding to the example smart cloud service item. This step may include the content recorded by step801-step 803.
step801, determining global model performance evaluation of the knowledge base analysis model according to the second optimized attack intention knowledge graph of the second example smart cloud service item, the fourth optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service item.
step802, determining the performance change data of the knowledge base analysis model according to the global model performance evaluation.
step803, according to the performance change data, improving the model variables of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge graph optimizing submodel, wherein the performance change data of the local significance processing submodel is not transmitted to the second attack behavior intention mining submodel.
For example, according to the comparison content (difference) between the fourth optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service project, the third cost of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel, the local saliency processing submodel and the attack intention knowledge graph optimization submodel can be determined; according to the comparison content (difference) between the fourth optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service project and the comparison content (difference) between the second optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service project, the fourth cost of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel, the local saliency processing submodel and the attack intention knowledge graph optimization submodel can be determined. The fourth cost can ensure that the quality of the fourth optimized attack intention knowledge graph after the local significance processing is introduced is superior to that of the second optimized attack intention knowledge graph without the local significance processing, and the local significance processing submodel can meet the actual requirement.
In the embodiment of the application, the global model performance evaluation of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel, the local saliency processing submodel and the attack intention knowledge graph optimization submodel can be determined according to the third cost and the fourth cost, for example, the global processing result of the third cost and the fourth cost is determined as the global model performance evaluation; according to the performance evaluation of the global model, the performance change data of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge map optimization submodel can be determined, furthermore, the performance change data can be fed back and transmitted in the first attack behavior intention mining submodel, the second attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge map optimizing submodel, therefore, model variables of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge map optimization submodel are improved, and debugging of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge map optimization submodel is achieved.
In the embodiment of the application, because disturbance threads are added to the introduction of the second attack behavior intention mining submodel and the local significance processing submodel, in order to avoid interference with a debugging result in an early debugging stage, when transmission performance change data (such as gradient information) is fed back, change characteristic transmission (such as gradient transmission) is stopped between the local significance processing submodel and the second attack behavior intention mining submodel, so that mutual interference between the local significance processing submodel and the second attack behavior intention mining submodel is avoided, and the stability of the models is guaranteed.
During the actual debugging process, the cycle debugging can be carried out as well. In other words, in the process of each loop processing, the robustness enhancement strategy is adopted to debug the support vector machine. And then debugging the first attack behavior intention mining submodel, the second attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge graph optimizing submodel, wherein the output of the support vector machine is used as a guide, but the variable of the support vector machine is not optimized. After multiple times of circulation processing, the debugged knowledge base analysis model can be obtained on the basis of meeting the debugging indexes (such as set indexes). Therefore, local significance processing of the optimized attack intention knowledge graph can be achieved, and the quality of the optimized attack intention knowledge graph obtained by the debugged knowledge base analysis model is further improved.
According to the big data attack processing method applied to the cloud service, the migration learning method is combined with the user operation behavior acquisition thread, attack intention knowledge graph optimization is carried out by using user operation behavior information under the condition of low feature recognition degree, the attack intention knowledge graph which is as rich and complete as possible under the condition of high feature recognition degree is obtained, the quality of the attack intention knowledge graph optimization is guaranteed to a certain extent, and therefore accurate and reliable big data attack analysis and identification can be achieved through the optimized attack intention knowledge graph, and accurate and reliable analysis basis is provided for subsequent attack protection.
On the basis of the above contents, under some design ideas which can be independently implemented, after obtaining the optimized attack intention knowledge graph of the target smart cloud service item, the method can further include the following contents: determining an intelligent service session log with privacy information stealing risk according to the optimized attack intention knowledge graph; and determining privacy threat information in the intelligent service session log with the risk of stealing the privacy information by means of session activity interest mining processing.
In the embodiment of the application, the corresponding intelligent service session log with the privacy information stealing risk can be determined through the attribute tags corresponding to the key map nodes in the optimized attack intention knowledge graph. Based on this, determining privacy threat information in the intelligent service session log with privacy information stealing risk by means of session activity interest mining processing can be achieved through the following implementation mode.
Step 101, performing session activity interest mining on the intelligent service session log with the risk of privacy information stealing to obtain abnormal activity interest description features 1 in a plurality of service states.
102, updating the interest description attributes based on the abnormal activity interest description feature1 to obtain an abnormal activity interest description feature2 corresponding to the abnormal activity interest description feature1 in each service state; the interest description attributes of the abnormal activity interest description feature2 corresponding to the abnormal activity interest description feature1 in different business states are consistent.
And 103, updating the interest description attributes of the abnormal activity interest description feature2 in each service state one by one to obtain an abnormal activity interest description feature3 corresponding to the abnormal activity interest description feature2 in each service state, wherein the quantitative analysis result of the stage level index of the abnormal activity interest description feature3 in each service state is matched with the set quantitative analysis result.
And step 104, determining privacy threat information in the intelligent service session log with privacy information stealing risk based on the abnormal activity interest description feature 3.
Implementing the technical solutions recorded in steps 101 to 104, based on executing interest description attribute update on the abnormal activity interest description feature1, obtaining the abnormal activity interest description feature2 corresponding to the abnormal activity interest description feature1 in each service state, and updating the stage level index of the abnormal activity interest description feature2 in each service state, so that the obtained stage level index of the abnormal activity interest description feature3 corresponding to the abnormal activity interest description feature2 in each service state has quantitative correlation, and further based on the different abnormal activity interest description features 3 in the stage level (different stage levels are used to reflect different points of interest of privacy threats, and further privacy threat characteristics under different points of interest are obtained), determining privacy threat information in the intelligent service session log with privacy information stealing risk, and implementing an intelligent service log with privacy information stealing risk based on initial session distribution, the privacy threat information of the intelligent service session log with the privacy information stealing risk is determined, and in view of the fact that the session distribution structure of the intelligent service session log with the privacy information stealing risk does not need to be modified, the software and hardware resource overhead of the privacy threat information detection is reduced while the privacy threat information detection precision is guaranteed, and the privacy threat detection efficiency is improved to a certain extent.
The technical solutions described in steps 101 to 104 can be specifically explained by the following descriptions.
It can be understood that, for the intelligent business session log with privacy information stealing risk described in step 101, session activity interest mining is performed to obtain the abnormal activity interest description feature1 in multiple business states.
In the embodiment of the present application, the abnormal activity interest description feature1 in the first business state is obtained by performing session activity interest mining on an intelligent business session log with a risk of stealing privacy information, and the abnormal activity interest description feature1 in the latter business state of the abnormal activity interest description features 1 in the two associated business states is obtained by performing session activity interest mining on the abnormal activity interest description feature1 in the former business state of the abnormal activity interest description features 1 in the two associated business states.
It is understood that the determination of the existence of the risk of stealing the privacy information may be implemented according to a preset rule, such as a time period condition or a service type condition. Therefore, the intelligent service session log with the risk of stealing private information can be understood as the intelligent service session log to be processed, and the session log can be log text or image-text information of streaming record. Further, conversational interaction interest mining may be understood as feature extraction (corresponding to the extraction of abnormal activity interest descriptions).
In the embodiment of the application, when session activity interest mining is performed on the intelligent service session logs with the risk of stealing privacy information to obtain abnormal activity interest description features 1 in a plurality of service states, session activity interest mining is performed on the intelligent service session logs with the risk of stealing privacy information through a first AI machine learning model (such as a CNN) in the plurality of service states to obtain abnormal activity interest description features 1 derived from the first AI machine learning model in each service state. Further, the machine learning model formed by the first AI machine learning models in multiple service states may be understood as one of the machine learning models for detecting privacy threat information included in an intelligent service session log with a risk of privacy information theft, and in actual implementation, the machine learning model for detecting the privacy threat information included in the intelligent service session log to be detected may be divided (split or divided) into AI machine learning models of multiple processes (multiple stages), and the AI machine learning model of each process corresponds to the first AI machine learning model in one service state. The structure of the first AI machine learning model in multiple service states may be set according to real service requirements, and this embodiment of the present application is not described herein further.
For example, if the first AI machine learning models in the multiple service states include a first AI machine learning model in a first service state, a first AI machine learning model in a second service state, and a first AI machine learning model in a third service state, the first AI machine learning model in the first service state may perform interest feature analysis on an intelligent service session log with a risk of privacy information stealing to obtain an abnormal activity interest description feature1 derived by the first AI machine learning model in the first service state; transmitting the abnormal activity interest description feature1 derived by the first AI machine learning model in the first service state to the first AI machine learning model in the second service state, and performing interest feature analysis on the obtained abnormal activity interest description feature1 by the first AI machine learning model in the second service state to obtain an abnormal activity interest description feature1 derived by the first AI machine learning model in the second service state; and then, the abnormal activity interest description feature1 derived by the first AI machine learning model in the second service state is transmitted to the first AI machine learning model in the third service state, and the first AI machine learning model in the third service state performs interest feature analysis on the obtained abnormal activity interest description feature1 to obtain the abnormal activity interest description feature1 derived by the first AI machine learning model in the third service state, and further obtain the abnormal activity interest description feature1 derived by the first AI machine learning model in each service state. The abnormal activity interest description feature1 derived by the first AI machine learning model in the first business state is subjected to less interest feature analysis times, so that the abnormal activity interest description feature1 derived by the first AI machine learning model in the first business state has richer local description and less global description; and the number of times of interest feature analysis of the abnormal activity interest description feature1 derived by the first AI machine learning model in the third business state is large, so that the abnormal activity interest description feature1 derived by the first AI machine learning model in the third business state has a large global description (i.e. the description content related to privacy threat information contained in the abnormal activity interest description feature1 is rich) and a poor local description.
In the embodiment of the application, the intelligent service session log with the risk of stealing the privacy information may be any intelligent service session log covering privacy threat information. The duration of the intelligent service session log with the risk of stealing private information may be a random duration, for example: the duration of the intelligent service session log with the risk of stealing the private information can be 15min, 25min and the like. In practical implementation, the detection duration period of the intelligent service session log can be determined based on the first AI machine learning model in a plurality of service states, and when the duration period of the intelligent service session log with the risk of stealing privacy information exceeds the detection duration period of the intelligent service session log, the intelligent service session log with the risk of stealing privacy information can be divided into a plurality of intelligent service session logs, so that the duration period of each divided intelligent service session log is consistent with the detection duration period of the intelligent service session log. Such as: if the duration of the intelligent service session log with the risk of stealing the privacy information is 1.5 hours, and the determined duration of the intelligent service session log is 15min, the intelligent service session log with the risk of stealing the privacy information can be divided into 6 intelligent service session logs with the duration of 15min, a first AI machine learning model in a plurality of service states respectively executes session activity interest mining on each intelligent service session log with the duration of 15min, the privacy threat information corresponding to each intelligent service session log with the duration of 15min is determined, and then the privacy threat information of the intelligent service session log with the risk of stealing the privacy information is obtained.
In the embodiment of the present application, the abnormal activity interest description feature1 may include four levels of interest description attributes (e.g., parameter information). For example, if the first AI machine learning model in the multiple service states is an AI machine learning model in three layers (which may also be a convolutional neural network), an abnormal activity interest description feature1 of the intelligent service session log with a risk of stealing privacy information may be obtained, where the abnormal activity interest description feature1 may include interest description attributes in four layers; if the first AI machine learning models in the multiple service states are AI machine learning models in two layers, session activity interest mining can be executed through the first AI machine learning models in the multiple service states to obtain abnormal activity interest descriptions corresponding to each group of session events in the intelligent service session log with the risk of stealing privacy information, and the abnormal activity interest descriptions of each group of session event keywords in the obtained intelligent service session log with the risk of stealing privacy information are integrated according to a staged layer to obtain abnormal activity interest description feature1 corresponding to the intelligent service session log with the risk of stealing privacy information.
It can be understood that, for the step 102, based on performing the interest description attribute update on the abnormal activity interest description feature1, the abnormal activity interest description feature2 corresponding to the abnormal activity interest description feature1 in each business state is obtained.
For example, the interest description attribute of the abnormal activity interest description feature1 in the first business state, the interest description attribute of the abnormal activity interest description feature1 in the second business state, and the interest description attribute of the abnormal activity interest description feature1 in the third business state are updated to be the same.
For an independently implementable technical solution, the updating of the interest description attribute recorded in step 102 based on the abnormal activity interest description 1 is performed to obtain the abnormal activity interest description feature2 corresponding to the abnormal activity interest description feature1 in each business state, which may exemplarily include the following contents: determining an abnormal activity interest description feature1 with the least quantization constraint in the interest description attributes corresponding to the abnormal activity interest description feature1 in each service state, updating the remaining abnormal activity interest descriptions feature1 except the abnormal activity interest description feature1 with the least quantization constraint into an abnormal activity interest description with the same interest description attribute as the abnormal activity interest description feature1 with the least quantization constraint, and taking the abnormal activity interest description feature1 with the least quantization constraint and the updated abnormal activity interest description with the same interest description attribute as the abnormal activity interest description feature 38964 as the abnormal activity interest description feature1 with the least quantization constraint; or, the abnormal activity interest description feature1 in each business state is updated to be the abnormal activity interest description under the set interest description attribute, and the abnormal activity interest description under the set interest description attribute is taken as the abnormal activity interest description feature 2.
In this embodiment of the application, if the abnormal activity interest description feature1 in the multiple service states includes the abnormal activity interest description feature1 in the first service state, the abnormal activity interest description feature1 in the second service state, and the abnormal activity interest description feature1 in the third service state, then the abnormal activity interest description feature1 in the first service state, the abnormal activity interest description feature1 in the second service state, and the abnormal activity interest description feature1 in the third service state, where the abnormal activity interest description feature1 with the least quantization constraint is determined, then the least quantization constraint is determined in the interest description attributes corresponding to the abnormal activity interest description feature1 in the third service state, and then the interest description attributes of the abnormal activity interest description feature1 in the first service state and the abnormal activity interest description feature1 in the second service state are updated, so that the updated interest description attributes of the abnormal activity interest description features 2 in each service state are updated to make the updated interest description attributes of the abnormal activity description features 2 in each service state mutually update There is consistency between.
Or, determining a set interest description attribute, updating the abnormal activity interest description feature1 in each service state to the abnormal activity interest description under the set interest description attribute, and taking the abnormal activity interest description under the set interest description attribute as the abnormal activity interest description feature 2. It can be understood that the quantization constraint in the interest description attribute is set to be not greater than the interest description attribute of the abnormal activity interest description feature1 with the least quantization constraint in the interest description attribute corresponding to the abnormal activity interest description feature1 derived by the first AI machine learning model in each business state.
By the design, the first abnormal activity interest description feature1 in each service state is updated to be less quantization constraint, and when the privacy threat information covered in the intelligent service session log with the risk of privacy information stealing is detected, the software and hardware resource overhead of privacy threat information detection can be reduced, so that the efficiency of privacy threat detection is improved to a certain extent.
For an independently implementable technical solution, the performing, in step 101, session activity interest mining on the intelligent business session log with the risk of privacy information theft to obtain an abnormal activity interest description feature1 in a plurality of business states may exemplarily include: and performing session activity interest mining on the intelligent service session logs with privacy information stealing risks through the first AI machine learning models in the plurality of service states to obtain abnormal activity interest description feature1 derived by the first AI machine learning model in each service state.
On the basis of the above, the updating of the interest description attribute recorded in step 102 based on the abnormal activity interest description feature1 is performed to obtain the abnormal activity interest description feature2 corresponding to the abnormal activity interest description feature1 in each service state, which may exemplarily include the technical solutions recorded in step201 and step 202.
Step201, determining model variable data of a second AI machine learning model corresponding to the first AI machine learning model in each service state according to the determined updated interest description attribute and the interest description attribute of the abnormal activity interest description feature1 derived by the first AI machine learning model in each service state.
Step202, performing interest feature analysis on the abnormal activity interest description feature1 derived from the first AI machine learning model corresponding to the second AI machine learning model in the service state in combination with the second AI machine learning model in each service state covering the determined model variable data, to obtain the abnormal activity interest description feature2 derived from the second AI machine learning model in the service state.
In this embodiment, according to the determined updated interest description attribute and the interest description attribute of the abnormal activity interest description feature1 derived from the first AI machine learning model in each business state, model variable data of the second AI machine learning model corresponding to the first AI machine learning model in the first business state, model variable data of the second AI machine learning model corresponding to the first AI machine learning model in the second business state, and model variable data of the second AI machine learning model corresponding to the first AI machine learning model in the third business state may be determined, respectively.
For example, the second AI machine learning model corresponding to the first AI machine learning model in the first service state and covering model variable data (for example, model parameter information) performs interest feature analysis on the abnormal activity interest description feature1 corresponding to the first AI machine learning model in the first service state, so as to obtain an abnormal activity interest description feature2 derived by the second AI machine learning model in the service state. And analogizing one by one, performing interest feature analysis on the abnormal activity interest description feature1 corresponding to the first AI machine learning model in the second service state by using a second AI machine learning model covering model variable data corresponding to the first AI machine learning model in the second service state to obtain an abnormal activity interest description feature2 derived by the second AI machine learning model in the service state. And performing interest feature analysis on the abnormal activity interest description feature1 corresponding to the first AI machine learning model in the third service state to obtain an abnormal activity interest description feature2 derived by the second AI machine learning model in the service state.
By means of the design, the interest feature analysis is performed on the corresponding abnormal activity interest description feature1 by determining the model variable data of the second AI machine learning model in each service state and combining the second AI machine learning model in each service state covering the determined model variable data, so that the quantitative constraint in the interest description attribute of the abnormal activity interest description feature1 derived by the first AI machine learning model in each service state is updated to be less quantitative constraint, further, when the intelligent service session log with the risk of privacy information stealing is analyzed, the software and hardware resource overhead is reduced, and the efficiency of privacy threat detection is improved to a certain extent.
It will be appreciated that for step 103: in the embodiment of the present application, the interest description attribute of the abnormal activity interest description feature2 in each service state may be updated, and the abnormal activity interest description feature3 corresponding to the abnormal activity interest description feature2 in each service state is obtained, so that the quantitative analysis result of the stage level index of the abnormal activity interest description feature3 in each service state is matched with the set quantitative analysis result. Wherein, the abnormal activity interest description feature3 in each business state has a stage level index (such as a time dimension value) related to its coverage. In practical implementation, the less the times of interest characteristic analysis of abnormal activity interest description is, the smaller the coverage area is, and the larger the corresponding stage level index setting is, the privacy threat information in the intelligent service session log with privacy information stealing risk can be relatively accurately determined; on the contrary, the more times of interest feature analysis of abnormal activity description, the larger the coverage area, in order to reduce software and hardware resource overhead, the less the corresponding stage level indexes, so as to reduce the software and hardware resource overhead, and reduce the software and hardware resource overhead as much as possible while ensuring the accuracy of intelligent service session log detection with privacy information stealing risk, and improve the privacy threat detection efficiency. For example, the quantitative analysis result of the stage level indicator between the abnormal activity interest description feature3 in the first business state and the abnormal activity interest description feature3 in the second business state may be set to 2: 6 or 4: 16, etc.
For an independently implementable technical solution, the step 103 may update the interest description attribute of the abnormal activity interest description 2 in each service state one by one to obtain the abnormal activity interest description feature3 corresponding to the abnormal activity interest description feature2 in each service state, which may exemplarily include the technical solutions recorded in the steps 301 to 303.
Step301, determining the stage level indexes of the abnormal activity interest description feature3 corresponding to the first AI machine learning model in each service state respectively based on the quantitative analysis result of the stage level indexes between the first AI machine learning models in different service states and the stage level indexes of the abnormal activity interest description feature2 corresponding to the first AI machine learning model in each service state.
Step302, determining model variable data of a third AI machine learning model corresponding to the first AI machine learning model in each service state according to the stage level index of the abnormal activity interest description feature3 corresponding to the first AI machine learning model in each service state and the stage level index of the abnormal activity interest description feature2 corresponding to the first AI machine learning model in each service state.
And step 303, performing interest feature analysis on the abnormal activity interest description feature2 corresponding to the third AI machine learning model in the service state in combination with the third AI machine learning model in each service state covering the determined model variable data to obtain an abnormal activity interest description feature3 derived by the third AI machine learning model in the service state.
In the embodiment of the present application, the quantitative analysis result of the periodic level index between the first AI machine learning models in different service states may be set according to the real service requirement, for example: if the first AI machine learning models in the multiple service states include a first AI machine learning model in a first service state, a first AI machine learning model in a second service state, and a first AI machine learning model in a third service state, the quantitative analysis result (for example, a ratio) of the periodic level index between the first AI machine learning models in different service states may be 1: 4: 6, may be 1: 5: 10, etc. Further, if the stage level index (for example, the time dimension value) of the abnormal activity interest description feature2 corresponding to the first AI machine learning model in each service state is 32, the quantitative analysis result of the stage level index is 1: 4: 6, it may be determined that the stage level index of the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state is 8, the stage level index of the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the second service state is 16, and the stage level index of the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the third service state is 32.
In this embodiment of the application, the model variable data of the third AI machine learning model corresponding to the first AI machine learning model in each service state may be determined according to the above-mentioned related content. For example, different time-dimension intervals can be set for the third AI machine learning model in each business state, so that the stage level indexes of the abnormal activity interest description feature3 derived by the third AI machine learning model in each business state are the same as the set quantitative analysis result.
Illustratively, the third AI machine learning model covering model variable data corresponding to the first AI machine learning model in the first business state performs interest feature analysis on the corresponding abnormal activity interest description feature2 in the business state, so as to obtain an abnormal activity interest description feature3 derived by the third AI machine learning model in the business state. Deducing one by one, correspondingly carrying out a third AI machine learning model covering model variable data on the first AI machine learning model in the second service state, and carrying out interest characteristic analysis on the corresponding abnormal activity interest description feature2 in the service state to obtain an abnormal activity interest description feature3 derived by the third AI machine learning model in the service state. And carrying out interest feature analysis on the corresponding abnormal activity interest description feature2 in the service state by using a third AI machine learning model covering model variable data corresponding to the first AI machine learning model in the third service state to obtain an abnormal activity interest description feature3 derived by the third AI machine learning model in the service state.
By modifying the stage level index of the abnormal activity interest description feature2 corresponding to the first AI machine learning model in each service state, the content recorded in the steps 301 to 303 is implemented, so that the stage level index of the abnormal activity interest description feature3 derived from the third AI machine learning model in each service state is matched with the set quantitative analysis result (corresponding to the modification of the focus point of the privacy threat information included in the intelligent service session log with the risk of privacy information stealing), and the abnormal activity interest description feature3 after updating the stage level index can relatively accurately identify the privacy threat information included in the intelligent service session log with the risk of privacy information stealing, thereby improving the accuracy of privacy threat detection to a certain extent.
It is to be understood that for step 104: in the embodiment of the application, the abnormal activity interest descriptions 3 corresponding to the first AI machine learning model in each service state may be connected, and the abnormal activity interest descriptions obtained after the abnormal activity interest descriptions 3 are connected are imported into the test machine learning model, so as to obtain the privacy threat information included in the intelligent service session log with the risk of privacy information stealing. If the intelligent service session log with the risk of stealing the privacy information comprises a plurality of privacy threat information, each piece of privacy threat information included in the intelligent service session log with the risk of stealing the privacy information can be obtained.
For an independently implementable technical solution, the abnormal activity interest description feature3 recorded in step 104 is used to determine privacy threat information in the intelligent business session log at risk of privacy information stealing, which may illustratively include the contents recorded in step401 and step 402.
Step401, performing connection processing on the abnormal activity interest description feature3 corresponding to the abnormal activity interest description feature2 in each service state to obtain an abnormal activity interest description feature4 with the connection completed.
Step402, based on the abnormal activity interest description feature4, determining privacy threat information in the intelligent service session log with privacy information stealing risk.
In the embodiment of the application, after obtaining the abnormal activity interest description feature3 corresponding to the abnormal activity interest description feature2 in each service state, the abnormal activity interest description feature3 in each service state may be connected to obtain the abnormal activity interest description feature4 that completes the connection, and based on the abnormal activity interest description feature4, the privacy threat information in the intelligent service session log where the privacy information stealing risk exists is determined.
The contents recorded in the step401 and the step402 are implemented, and the abnormal activity interest description feature3 corresponding to the abnormal activity interest description feature2 in each service state is subjected to connection processing, so that the obtained abnormal activity interest description feature4 can include the features of the abnormal activity interest description feature3 with different stage-level indexes, and when the privacy threat information in the intelligent service session log with the privacy information stealing risk is determined based on the abnormal activity interest description feature4, the accuracy of privacy threat detection can be improved.
For an independently implementable technical solution, the connecting processing is performed on the abnormal activity interest description 3 corresponding to the abnormal activity interest description 2 in each service state recorded in the above step401, so as to obtain the abnormal activity interest description feature4 completing the connection, which may exemplarily include the following contents: according to a preset connection mode, the abnormal activity interest description 3 corresponding to the abnormal activity interest description 2 in each service state is connected one by one to obtain transition abnormal activity interest descriptions of which the connection is completed in each round; and obtaining an abnormal activity interest description feature4 based on the transition abnormal activity interest description of each round of completed connection.
In the embodiment of the present application, a connection manner (which may be understood as a fusion sequence) of the abnormal activity interest description feature3 may be set, and the abnormal activity interest description features 3 corresponding to the abnormal activity interest description features 2 in each service state are connected one by one according to a preset connection manner, so as to obtain transition abnormal activity interest descriptions that are completed in each round.
For example, if the predetermined connection method is: if the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state, the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the second service state, and the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the third service state, the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state may be connected to the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the second service state, so as to obtain the first round of transition abnormal activity interest description for completing the connection; and connecting the obtained transition abnormal activity interest description completing the connection with the abnormal activity interest description 3 corresponding to the first AI machine learning model in the third service state to obtain a second round of transition abnormal activity interest description completing the connection. The abnormal activity interest description feature4 is derived from the transitional abnormal activity interest description that can complete the connection on a per-turn basis.
It can be understood that, when the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state is connected to the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the second service state, the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state may be sampled, and the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state after the up-sampling operation is connected to the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the second service state, so as to obtain the transition abnormal activity interest description for which the connection is completed in the first round. In each round of connection process, reference may be made to a process of connecting the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state with the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the second service state, which is not described herein in detail in this embodiment of the present application.
For example, if the interest description attribute of the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state is value1, and the interest description attribute of the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the second service state is value2, the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state may be first up-sampled, and the interest description attribute of the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state after the up-sampling operation is value 2; then, the description value of each activity interest description item in the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state after the up-sampling operation is integrated with the description value of the activity interest description item corresponding to the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the second service state, so as to obtain a transition abnormal activity interest description of which the connection is completed in the first round, wherein the interest description attribute of the transition abnormal activity interest description of which the connection is completed in the first round is value 2.
For an independently implementable technical solution, an abnormal activity interest description feature3 corresponding to the abnormal activity interest description feature2 in each service state is used as the abnormal activity interest description feature3 in the first service state to the abnormal activity interest description feature3 in the xth service state, wherein a stage level index of the abnormal activity interest description feature3 in the xth service state is greater than a stage level index of the abnormal activity interest description feature3 in the xth service state, and X is a positive integer greater than 1. According to a preset connection mode, the abnormal activity interest description features 3 corresponding to the abnormal activity interest description feature2 in each service state are connected one by one to obtain a transition abnormal activity interest description for completing connection in each round, wherein the transition abnormal activity interest description comprises one of the following design ideas.
The first design idea is as follows: according to the connection mode from the abnormal activity interest description feature3 in the first service state to the abnormal activity interest description feature3 in the xth service state, the abnormal activity interest description features 3 in each service state are connected one by one to obtain the abnormal activity interest description of which the connection is completed in each round, and the abnormal activity interest description feature3 in the first service state and the abnormal activity interest description of which the connection is completed in each round are used as the obtained transitional abnormal activity interest description.
The second design idea is as follows: according to the connection mode from the abnormal activity interest description feature3 in the Xth service state to the abnormal activity interest description feature3 in the first service state, the abnormal activity interest description features 3 in each service state are connected one by one to respectively obtain abnormal activity interest descriptions of which the connection is completed in each round, and the abnormal activity interest description feature3 in the Xth service state and the abnormal activity interest description of which the connection is completed in each round are used as the interest descriptions of transitional abnormal activities.
The third design idea is as follows: according to the connection mode from the abnormal activity interest description feature3 in the first service state to the abnormal activity interest description feature3 in the Xth service state, the abnormal activity interest description feature3 in each service state is connected to obtain the abnormal activity interest description of each connection when the connection processing is performed from the abnormal activity interest description feature3 in the first service state to the abnormal activity interest description feature3 in the Xth service state, the abnormal activity interest description feature3 in the first service state and the abnormal activity interest description of each connection are subjected to interest feature analysis to obtain the connection abnormal activity interest description from the abnormal activity interest description in the first service state to the connection abnormal activity interest description in the Xth service state, the interest description attribute of the connection abnormal activity interest description in each service state is consistent with the interest description attribute of the corresponding abnormal activity interest description before interest feature analysis; according to the connection mode from the connection abnormal activity interest description in the Xth service state to the connection abnormal activity interest description in the first service state, connection processing is carried out on the connection abnormal activity interest descriptions in each service state one by one, abnormal activity interest descriptions of connection completion in each round when the connection abnormal activity interest description in the Xth service state is connected to the connection abnormal activity interest description in the first service state are obtained respectively, and the abnormal activity interest descriptions of connection completion in each round and the connection abnormal activity interest descriptions in the Xth service state are used as the obtained transition abnormal activity interest descriptions.
The fourth design idea: according to the connection mode from the abnormal activity interest description feature3 in the first service state to the abnormal activity interest description feature3 in the Xth service state, the abnormal activity interest description feature3 in each service state is connected to obtain the abnormal activity interest description of each round of connection completion, the abnormal activity interest description feature3 in the first service state and the abnormal activity interest description feature3 in the first service state are connected to the abnormal activity interest description feature3 in the Xth service state, the abnormal activity interest description of each round of connection completion is used as the obtained first transition abnormal activity interest description, and the abnormal activity interest description feature3 in each service state is connected according to the connection mode from the abnormal activity interest description feature3 in the Xth service state to the abnormal activity interest description feature3 in the first service state, respectively obtaining abnormal activity interest description of each round of completed connection, and taking the abnormal activity interest description 3 in the Xth service state and the abnormal activity interest description in each round of completed connection when performing connection processing from the abnormal activity interest description feature3 in the Xth service state to the abnormal activity interest description feature3 in the first service state as obtained second transition abnormal activity interest description; and taking the first transition abnormal activity interest description and the second transition abnormal activity interest description as the obtained transition abnormal activity interest description.
Based on the above, for some design ideas that can be implemented independently, after determining the privacy threat information in the intelligent service session log where there is a risk of privacy information theft, the method may further include the following: and executing corresponding privacy threat protection measures according to the privacy threat information.
Based on the above, for some design ideas that can be implemented independently, executing corresponding privacy threat protection measures according to the privacy threat information may include the following: determining target individual user information to be subjected to anonymization processing according to the privacy threat information; respectively carrying out shared use demand analysis and exclusive use demand analysis on a plurality of individual user information segments in the target individual user information to obtain a shared use demand analysis result set and an exclusive use demand analysis result set; performing first adjustment processing on the shared use requirement analysis result set through a first specified adjustment strategy to obtain a first individual user information cluster comprising shared use requirements; performing second adjustment processing on the exclusive use requirement analysis result set through a second specified adjustment strategy to obtain a second user information cluster comprising the exclusive use requirement; performing downsampling processing on the basis of the first individual user information cluster and the second individual user information cluster to obtain a target individual user information cluster matched with a target use requirement in the target individual user information; the target use requirement comprises at least one of a shared use requirement and an exclusive use requirement, and the target individual user information cluster is used for anonymizing the target individual user information; and anonymizing at least part of the target individual user information based on the target individual user information cluster. By the design, targeted information anonymization processing can be realized by considering different use requirements, so that accurate and reliable privacy threat protection is realized.
Based on the same inventive concept, there is also provided a big data attack processing apparatus 20 applied to a cloud service, which is applied to a big data attack processing system 10, and the apparatus includes:
the behavior information determining module 21 is configured to determine user operation behavior information of a target smart cloud service item, where the user operation behavior information is intended to reflect a feature recognition degree update condition of the target smart cloud service item in a first feature recognition degree interval;
the behavior intention mining module 22 is used for mining the attack behavior intention of the user operation behavior information to obtain a first user attack behavior intention of the target smart cloud service item;
the knowledge graph optimization module 23 is configured to perform attack intention knowledge graph optimization on the first user attack behavior intention to obtain an optimized attack intention knowledge graph of the target smart cloud service item, where a feature recognition degree of the optimized attack intention knowledge graph is located in a second feature recognition degree interval, and the second feature recognition degree interval is greater than the first feature recognition degree interval.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A big data attack processing method applied to cloud service is characterized by being applied to a big data attack processing system, and the method at least comprises the following steps:
determining user operation behavior information of a target smart cloud service project, wherein the user operation behavior information aims at reflecting the feature recognition degree updating condition of the target smart cloud service project in a first feature recognition degree interval;
and carrying out attack behavior intention mining on the user operation behavior information to obtain a first user attack behavior intention of the target smart cloud service item, and carrying out attack intention knowledge graph optimization on the first user attack behavior intention to obtain an optimized attack intention knowledge graph of the target smart cloud service item, wherein the feature recognition degree of the optimized attack intention knowledge graph is located in a second feature recognition degree interval, and the second feature recognition degree interval is larger than the first feature recognition degree interval.
2. The method of claim 1, wherein performing attack intention knowledge-graph optimization on the first user attack behavior intention to obtain an optimized attack intention knowledge-graph of the target smart cloud service item comprises:
according to first user behavior disturbance data and the first user attack behavior intention, carrying out local significance processing on the first user attack behavior intention to obtain a second user attack behavior intention;
splicing the first user attack behavior intention and the second user attack behavior intention to obtain an attack behavior intention splicing result;
and carrying out attack intention knowledge graph optimization on the attack behavior intention splicing result to obtain an optimized attack intention knowledge graph of the target smart cloud service item.
3. The method of claim 1 or 2, wherein the method is implemented by a knowledge-base analysis model comprising a first attack behavior intent mining submodel for attack behavior intent mining on the user operational behavior information and an attack intent knowledge-graph optimization submodel for attack intent knowledge-graph optimization on the first user attack behavior intent, the method further comprising:
debugging the knowledge base analysis model according to a specified model debugging set, wherein the model debugging set comprises first example user operation behavior information of a plurality of first example smart cloud service items, second example user operation behavior information of a plurality of second example smart cloud service items and example attack intention knowledge maps corresponding to the example smart cloud service items;
the example user operation behavior information is determined within a third feature recognition interval, the second example user operation behavior information is determined within a fourth feature recognition interval, the example attack intention knowledge graph corresponding to the example smart cloud service item is determined within the fourth feature recognition interval, and the fourth feature recognition interval is larger than the third feature recognition interval.
4. The method of claim 3, wherein the knowledge-base analysis model further comprises a support vector machine, the debugging the knowledge-base analysis model in accordance with a specified set of model debugs comprising:
importing first example user operation behavior information of the first example smart cloud service item and second example user operation behavior information of the second example smart cloud service item into the first attack behavior intention mining sub-model respectively to obtain first example user attack behavior intention and second example user attack behavior intention;
respectively importing the first example user attack behavior intention and the second example user attack behavior intention into the support vector machine to obtain a first type analysis condition and a second type analysis condition;
and debugging the knowledge base analysis model by adopting a robustness enhancement strategy according to the first category analysis condition and the second category analysis condition.
5. The method of claim 4, wherein the debugging the knowledge-base analysis model in accordance with a specified set of model debugs, further comprising:
importing the attack behavior intention of the second example user into the attack intention knowledge graph optimization submodel to obtain a first optimized attack intention knowledge graph of the second example smart cloud service item;
and debugging the knowledge base analysis model according to the first optimized attack intention knowledge graph of the second example smart cloud service item and the example attack intention knowledge graph corresponding to the example smart cloud service item.
6. The method of claim 5, wherein the knowledge-base analysis model further comprises a local saliency processing sub-model, the debugging the knowledge-base analysis model according to a specified model debugging set, further comprising:
importing the attack behavior intention of the second example user and the disturbance data of the third user behavior into the local significance processing submodel to obtain the attack behavior intention of the fourth example user;
splicing the attack behavior intention of the second example user with the attack behavior intention of the fourth example user to obtain a splicing result of the attack behavior intention of the second example;
importing the splicing result of the second example attack behavior intention into the attack intention knowledge graph optimization submodel to obtain a third optimized attack intention knowledge graph of the second example smart cloud service item;
and debugging the knowledge base analysis model according to the first optimized attack intention knowledge graph, the third optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service item of the second example smart cloud service item.
7. The method of claim 4, wherein the knowledge-base analysis model further comprises a second attack behavior intent mining submodel, the debugging the knowledge-base analysis model in accordance with a specified set of model debugs, further comprising:
importing second example user operation behavior information and second user behavior disturbance data of the second example smart cloud service item into the second attack behavior intention mining sub-model to obtain a third example user attack behavior intention;
splicing the attack behavior intention of the second example user with the attack behavior intention of the third example user to obtain a splicing result of the attack behavior intention of the first example;
importing the first example attack behavior intention splicing result into the support vector machine to obtain a third type analysis condition;
and debugging the knowledge base analysis model by adopting a robustness enhancement strategy according to the first category analysis condition and the third category analysis condition.
8. The method of claim 7, wherein the debugging the knowledge-base analysis model in accordance with a specified set of model debugs, further comprising:
importing the splicing result of the first example attack behavior intention into the attack intention knowledge graph optimization submodel to obtain a second optimized attack intention knowledge graph of the second example smart cloud service item;
and debugging the knowledge base analysis model according to the second optimized attack intention knowledge graph of the second example smart cloud service item and the example attack intention knowledge graph corresponding to the example smart cloud service item.
9. The method of claim 8, wherein the knowledge-base analysis model further comprises a local saliency processing sub-model, the debugging the knowledge-base analysis model according to a specified model debugging set, further comprising:
importing the splicing result of the first example attack behavior intention and fourth user behavior disturbance data into the local significance processing sub-model to obtain a fifth example user attack behavior intention;
splicing the splicing result of the first example attack behavior intention with the splicing result of the attack behavior intention of the fifth example user to obtain a splicing result of the attack behavior intention of the third example;
importing the splicing result of the attack intention of the third example into the attack intention knowledge graph optimization submodel to obtain a fourth optimized attack intention knowledge graph of the smart cloud service item of the second example;
debugging the knowledge base analysis model according to a second optimized attack intention knowledge graph of the second example smart cloud service item, the fourth optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service item;
correspondingly, the debugging the knowledge base analysis model according to the second optimized attack intention knowledge graph of the second example smart cloud service item, the fourth optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service item includes:
determining global model performance evaluation of the knowledge base analysis model according to a second optimized attack intention knowledge graph of the second example smart cloud service item, the fourth optimized attack intention knowledge graph and an example attack intention knowledge graph corresponding to the example smart cloud service item;
determining performance change data of the knowledge base analysis model according to the global model performance evaluation;
and improving the model variables of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge graph optimizing submodel according to the performance change data, wherein the performance change data of the local significance processing submodel are not transmitted to the second attack behavior intention mining submodel.
10. The big data attack processing system is characterized by comprising a processor, a network module and a memory; the processor and the memory communicate through the network module, the processor reading a computer program from the memory and operating to perform the method of any of claims 1-9.
CN202111502860.1A 2021-12-10 2021-12-10 Big data attack processing method and system applied to cloud service Active CN114218568B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111502860.1A CN114218568B (en) 2021-12-10 2021-12-10 Big data attack processing method and system applied to cloud service

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111502860.1A CN114218568B (en) 2021-12-10 2021-12-10 Big data attack processing method and system applied to cloud service

Publications (2)

Publication Number Publication Date
CN114218568A true CN114218568A (en) 2022-03-22
CN114218568B CN114218568B (en) 2022-08-23

Family

ID=80700646

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111502860.1A Active CN114218568B (en) 2021-12-10 2021-12-10 Big data attack processing method and system applied to cloud service

Country Status (1)

Country Link
CN (1) CN114218568B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115080963A (en) * 2022-07-07 2022-09-20 济南开耀网络技术有限公司 Intelligent financial data protection method based on cloud computing and server
CN115344880A (en) * 2022-09-14 2022-11-15 陈诚 Information security analysis method and server applied to digital cloud
CN115484112A (en) * 2022-09-29 2022-12-16 尚庆为 Payment big data security protection method and system and cloud platform
CN116796310A (en) * 2023-06-14 2023-09-22 福州超人帮网络科技有限公司 Data attack processing method and system applied to intelligent cloud

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112953918A (en) * 2021-01-29 2021-06-11 李阳 Network attack protection method combined with big data server and big data protection equipment
CN113608882A (en) * 2021-10-11 2021-11-05 广州紫麦科技股份有限公司 Information processing method and system based on artificial intelligence and big data and cloud platform
US20210357508A1 (en) * 2020-05-15 2021-11-18 Deutsche Telekom Ag Method and a system for testing machine learning and deep learning models for robustness, and durability against adversarial bias and privacy attacks

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210357508A1 (en) * 2020-05-15 2021-11-18 Deutsche Telekom Ag Method and a system for testing machine learning and deep learning models for robustness, and durability against adversarial bias and privacy attacks
CN112953918A (en) * 2021-01-29 2021-06-11 李阳 Network attack protection method combined with big data server and big data protection equipment
CN113608882A (en) * 2021-10-11 2021-11-05 广州紫麦科技股份有限公司 Information processing method and system based on artificial intelligence and big data and cloud platform

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
高见等: "基于本体的网络威胁情报分析技术研究", 《计算机工程与应用》 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115080963A (en) * 2022-07-07 2022-09-20 济南开耀网络技术有限公司 Intelligent financial data protection method based on cloud computing and server
CN115344880A (en) * 2022-09-14 2022-11-15 陈诚 Information security analysis method and server applied to digital cloud
CN115344880B (en) * 2022-09-14 2023-04-07 丁跃辉 Information security analysis method and server applied to digital cloud
CN115484112A (en) * 2022-09-29 2022-12-16 尚庆为 Payment big data security protection method and system and cloud platform
CN116796310A (en) * 2023-06-14 2023-09-22 福州超人帮网络科技有限公司 Data attack processing method and system applied to intelligent cloud

Also Published As

Publication number Publication date
CN114218568B (en) 2022-08-23

Similar Documents

Publication Publication Date Title
CN114218568B (en) Big data attack processing method and system applied to cloud service
CN110929036B (en) Electric power marketing inspection management method, electric power marketing inspection management device, computer equipment and storage medium
US11915104B2 (en) Normalizing text attributes for machine learning models
CN114139210B (en) Big data security threat processing method and system based on intelligent service
CN114095273A (en) Deep learning-based internet vulnerability mining method and big data mining system
CN114500099A (en) Big data attack processing method and server for cloud service
CN114138872A (en) Big data intrusion analysis method and storage medium applied to digital finance
CN115048370B (en) Artificial intelligence processing method for big data cleaning and big data cleaning system
CN113918621A (en) Big data protection processing method based on internet finance and server
CN114707768B (en) Big data security wind control-based information processing method and server
CN113220597B (en) Test method, test device, electronic equipment and storage medium
CN115203282A (en) Intelligent enterprise user data processing method and system combined with deep learning
CN114548820B (en) Big data wind control method and server for distance education service
CN115268847A (en) Block chain intelligent contract generation method and device and electronic equipment
CN115328786A (en) Automatic testing method and device based on block chain and storage medium
CN114661998A (en) Big data processing method and system based on Internet hot topics
CN115422550A (en) Information processing method and server applied to artificial intelligence
CN115801306A (en) Data processing method and server applied to artificial intelligence
CN114691882A (en) Multi-source data real-time calculation method and device, storage medium and equipment
CN114300146A (en) User information safety processing method and system applied to intelligent medical treatment
CN115454473A (en) Data processing method based on deep learning vulnerability decision and information security system
CN116756298B (en) Cloud database-oriented AI session information optimization method and big data optimization server
CN115563657B (en) Data information security processing method, system and cloud platform
CN111881128B (en) Big data regression verification method and big data regression verification device
CN114022049B (en) Intelligent service information risk processing method and system based on cloud computing

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220527

Address after: 733000 No. 24, group 2, chener village, Hongxiang Town, Liangzhou District, Wuwei City, Gansu Province

Applicant after: Xu Zhiquan

Address before: 337000 room 1811, block B, Holiday Plaza, No. 1, Wenhua Road, houbu street, Anyuan District, Pingxiang City, Jiangxi Province

Applicant before: Pingxiang Shengmai Internet Technology Co.,Ltd.

TA01 Transfer of patent application right
TA01 Transfer of patent application right

Effective date of registration: 20220803

Address after: Room 701, No. 65, Chengyi North Street, Phase III, Software Park, Torch High-tech Zone, Xiamen, Fujian 361000

Applicant after: Xiamen jikuai Technology Co.,Ltd.

Address before: 733000 No. 24, group 2, chener village, Hongxiang Town, Liangzhou District, Wuwei City, Gansu Province

Applicant before: Xu Zhiquan

TA01 Transfer of patent application right
GR01 Patent grant
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A big data attack processing method and system applied to cloud services

Granted publication date: 20220823

Pledgee: Agricultural Bank of China Limited Xiamen Pilot Free Trade Zone Branch

Pledgor: Xiamen jikuai Technology Co.,Ltd.

Registration number: Y2024980005198

PE01 Entry into force of the registration of the contract for pledge of patent right