CN114500009A - Network security analysis method and system applied to big data intelligence - Google Patents


Publication number
CN114500009A
Authority
CN
China
Prior art keywords
detection result
risk detection
session
cloud
type
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210026475.2A
Other languages
Chinese (zh)
Other versions
CN114500009B (en
Inventor
李静
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Zeao Network Technology Co ltd
Original Assignee
Huzhou Deyun Network Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huzhou Deyun Network Technology Co ltd filed Critical Huzhou Deyun Network Technology Co ltd
Priority to CN202210026475.2A priority Critical patent/CN114500009B/en
Publication of CN114500009A publication Critical patent/CN114500009A/en
Application granted granted Critical
Publication of CN114500009B publication Critical patent/CN114500009B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N5/00 Computing arrangements using knowledge-based models
    • G06N5/01 Dynamic search techniques; Heuristics; Dynamic trees; Branch-and-bound
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Evolutionary Computation (AREA)
  • Mathematical Physics (AREA)
  • Data Mining & Analysis (AREA)
  • Artificial Intelligence (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computational Linguistics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Medical Informatics (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application relates to the technical field of big data security, and in particular to a network security analysis method and system applied to big data intelligence. The method starts derivative processing of a first cloud session risk detection result by means of an indication type session risk detection result. Even if part of the information of the first cloud session risk detection result is lost, a derivative risk detection result that is as complete and rich as possible can still be obtained, and the quality of the derivative processing is ensured so that potential and hidden session risks are mined as far as possible. This ensures the credibility of cloud session risk detection and provides a solid basis for analysis and decision-making in network security protection.

Description

Network security analysis method and system applied to big data intelligence
Technical Field
The embodiment of the application relates to the technical field of big data and network security, in particular to a network security analysis method and system applied to big data intelligence.
Background
Network security means that the software and hardware of a network system, and the data they hold, are protected from being changed, damaged or leaked as a result of malicious or accidental problems, thereby ensuring the normal and reliable operation of the network system. With the rapid development of big data, the internet and network technology, the range of applications of network technology keeps expanding and the complexity of application environments increases day by day. Meanwhile, network security has become an important issue for internet and network technology applications. Network attack techniques are also changing day by day, so the difficulty of network security protection in big data scenarios has increased dramatically.
Disclosure of Invention
In view of this, the embodiment of the present application provides a network security analysis method and system applied to big data intelligence.
According to an aspect of the present application, there is provided a network security analysis method applied to big data intelligence, including: determining a first cloud session risk detection result; determining at least one indication type session risk detection result of the first cloud session risk detection result, wherein the indication type session risk detection result carries indication type big data of a target cloud service interaction event in the first cloud session risk detection result; and performing supervised derivation processing on the first cloud session risk detection result through the at least one indication type session risk detection result of the first cloud session risk detection result to obtain a derived risk detection result. With this design, the derivation processing of the first cloud session risk detection result can be started through the indication type session risk detection result. Even if part of the information of the first cloud session risk detection result is lost, a derived risk detection result that is as complete and rich as possible can be obtained because the indication type session risk detection result is integrated, and the quality of the derivation processing is guaranteed so that potential and hidden session risks can be mined as far as possible. This ensures the reliability of cloud session risk detection and provides a solid basis for analysis and decision-making in network security protection.
Under some possible design considerations, determining the at least one indication type session risk detection result of the first cloud session risk detection result includes: determining a session risk distribution of the first cloud session risk detection result; and determining, through the session risk distribution of the first cloud session risk detection result, an indication type session risk detection result bound with the target cloud service interaction event and at least one target online service behavior. With this design, indication type session risk detection results for different target online service behaviors can be obtained according to different session risk distributions, and indication type session risk detection results with higher reliability can be provided based on the session risk distributions.
Under some possible design ideas, the obtaining a derivative risk detection result by performing supervised derivative processing on the first cloud session risk detection result through not less than one indication type session risk detection result of the first cloud session risk detection result includes: combining the current network state of the target cloud service interaction event in the first cloud session risk detection result, starting conversion processing on the at least one indication type session risk detection result, and obtaining a mapping session risk detection result corresponding to the indication type session risk detection result in the current network state; determining a local session risk detection result of the at least one target online service behavior from a mapping session risk detection result corresponding to the indication type session risk detection result through the at least one target online service behavior bound with the target cloud service interaction event in the at least one indication type session risk detection result; and obtaining the derived risk detection result based on the determined local session risk detection result and the first cloud session risk detection result. By the design, the network state of the cloud service interaction event in the indication type session risk detection result can be adjusted according to the network state of the target cloud service interaction event in the first cloud session risk detection result, so that the online business behavior bound with the target cloud service interaction event in the indication type session risk detection result can be adjusted to be the network state of the target cloud service interaction event, and when derivative processing is started, the efficiency of derivative processing can be improved.
Under some possible design considerations, the obtaining the derived risk detection result based on the determined local session risk detection result and the first cloud session risk detection result includes: and changing the online business behavior corresponding to the target online business behavior in the local session risk detection result in the first cloud session risk detection result by combining the determined local session risk detection result to obtain the derivative risk detection result, or performing potential feature mining operation on the local session risk detection result and the first cloud session risk detection result to obtain the derivative risk detection result. By the design, different derivation treatment strategies can be provided, and the quality of derivation treatment can be further guaranteed.
Under some possible design ideas, the obtaining a derivative risk detection result by performing supervised derivative processing on the first cloud session risk detection result through not less than one indication type session risk detection result of the first cloud session risk detection result includes: starting hotspot risk detection derivative operation on the first cloud session risk detection result to obtain a second cloud session risk detection result, wherein the feature recognition degree of the second cloud session risk detection result is greater than that of the first cloud session risk detection result; combining the current network state of the target cloud service interaction event in the second cloud session risk detection result, and enabling conversion processing on the at least one indication type session risk detection result to obtain a mapping session risk detection result corresponding to the indication type session risk detection result in the current network state; determining a local session risk detection result of the at least one target online service behavior from a mapping session risk detection result corresponding to the indication type session risk detection result through the at least one target online service behavior bound with the cloud service interaction event in the at least one indication type session risk detection result; and obtaining the derived risk detection result based on the determined local session risk detection result and the second cloud session risk detection result. 
By the design, the accuracy of the first cloud session risk detection result can be improved through hotspot risk detection and derivation operation, the second cloud session risk detection result is obtained, conversion adjustment of the indication type session risk detection result is started according to the second cloud session risk detection result, and the accuracy of the derived risk detection result can be further improved when conversion processing and subsequent derivation processing are started because the feature recognition degree of the second cloud session risk detection result is greater than that of the first cloud session risk detection result.
Under some possible design considerations, the obtaining the derived risk detection result based on the determined local session risk detection result and the second cloud session risk detection result includes: and changing the online business behavior corresponding to the target online business behavior in the local session risk detection result in the second cloud session risk detection result by combining the determined local session risk detection result to obtain the derivative risk detection result, or performing potential feature mining operation on the local session risk detection result and the second cloud session risk detection result to obtain the derivative risk detection result. By the design, different derivation treatment strategies can be provided, and the quality of derivation treatment can be further guaranteed.
Under some possible design considerations, the method further comprises: starting authentication authority analysis in combination with the derived risk detection result, and determining authentication authority information bound with the cloud service interaction event. With this design, because the derived risk detection result has clearly higher precision than the first cloud session risk detection result and carries multi-dimensional local information, starting the authentication authority analysis based on the derived risk detection result allows the analysis result to be obtained in a timely and accurate manner.
Under some possible design ideas, the hotspot risk detection derivative operation is performed on the first cloud session risk detection result by a first machine learning model to obtain the second cloud session risk detection result, and the method further includes a step of debugging the first machine learning model, which includes: determining a first debugging type session risk detection result set, wherein the first debugging type session risk detection result set covers a plurality of first debugging type session risk detection results and first annotation information corresponding to the first debugging type session risk detection results; transmitting at least one first debugging type session risk detection result in the first debugging type session risk detection result set to the first machine learning model to start the hotspot risk detection derivative operation, so as to obtain a test type hotspot risk detection result corresponding to the first debugging type session risk detection result; transmitting the test type hotspot risk detection result to a first detection disturbance layer, a first description analysis layer and a first detection result disassembly layer respectively, to obtain a distinguishing condition, a description analysis condition and a detection result disassembly condition for the test type hotspot risk detection result; and obtaining a first model expected deviation according to the distinguishing condition, the description analysis condition and the detection result disassembly condition of the test type hotspot risk detection result, and feeding back and optimizing the model variables of the first machine learning model through the first model expected deviation until the first model expected deviation meets a first debugging index.
By the design, the first machine learning model can be assisted to be debugged based on the detection disturbance layer, the description analysis layer and the detection result disassembly layer, and on the basis of improving the precision of the machine learning model, the first machine learning model can also accurately analyze each local information of the cloud session risk detection result.
Under some possible design considerations, obtaining the expected deviation of the first model according to the distinguishing condition, the description analysis condition, and the detection result disassembly condition of the test type hotspot risk detection result corresponding to the first debugging type session risk detection result includes: determining a first risk content offset according to a test type hotspot risk detection result corresponding to the first debugging type session risk detection result and a first basic cloud session risk detection result corresponding to the first debugging type session risk detection result in the first annotation information; obtaining a first disturbance offset according to the distinguishing condition of the test type hotspot risk detection result and the distinguishing condition of the first detection disturbance layer on the first basic cloud session risk detection result; determining a first confidence degree offset through regression operation of the test type hotspot risk detection result and the first basic cloud session risk detection result; obtaining a first global hotspot distribution deviation according to the description and analysis condition of the test type hotspot risk detection result and a first basic label in the first annotation information; obtaining a first disassembly offset according to a detection result disassembly condition of the test type hot spot risk detection result and a first basic disassembly condition corresponding to a first debugging example in the first annotation information; and combining the integration results of the first disturbance offset, the first risk content offset, the first confidence coefficient offset, the first global hot spot distribution offset and the first dismantling offset to obtain the expected offset of the first model. 
By designing in this way, because different degrees of deviation are provided, the performance evaluation of the machine learning model can be improved through each deviation.
Under some possible design ideas, the supervised derivation processing is performed by a second machine learning model to obtain the derived risk detection result, and the method further comprises a step of debugging the second machine learning model, which comprises: determining a second debugging type session risk detection result set, wherein the second debugging type session risk detection result set comprises a second debugging type session risk detection result, an indication type debugging type session risk detection result corresponding to the second debugging type session risk detection result, and second annotation information; converting the indication type debugging type session risk detection result in combination with the second debugging type session risk detection result to obtain a debugging mapping session risk detection result, transmitting the debugging mapping session risk detection result and the second debugging type session risk detection result into the second machine learning model, and starting supervised derivation processing on the second debugging type session risk detection result to obtain a test type derived risk detection result of the second debugging type session risk detection result; transmitting the test type derived risk detection result to a second detection disturbance layer, a second description analysis layer and a second detection result disassembly layer respectively, to obtain a distinguishing condition, a description analysis condition and a detection result disassembly condition for the test type derived risk detection result; and obtaining a second model expected deviation of the second machine learning model according to the distinguishing condition, the description analysis condition and the detection result disassembly condition of the test type derived risk detection result, and feeding back and optimizing the model variables of the second machine learning model through the second model expected deviation until a second debugging index is met. With this design, debugging of the second machine learning model can be assisted by the detection disturbance layer, the description analysis layer and the detection result disassembly layer, and, in addition to improving the precision of the machine learning model, the second machine learning model can accurately analyze each piece of local information of the cloud session risk detection result.
Under some possible design considerations, obtaining a second model expected offset of the second machine learning model according to a distinguishing condition, a description analysis condition, and a detection result disassembly condition of a test-type derived risk detection result corresponding to the debugging-type session risk detection result includes: obtaining a first expected deviation and a second expected deviation according to the distinguishing condition, the description analysis condition and the detection result disassembly condition of the test type derivative risk detection result corresponding to the second debugging type session risk detection result; and obtaining the expected offset of the second model through the integrated result of the first expected offset and the second expected offset. By designing in this way, because different degrees of deviation are provided, the performance evaluation of the machine learning model can be improved through each deviation.
Under some possible design ideas, obtaining a first expected offset through a distinguishing condition, a description analysis condition and a detection result disassembly condition of a test type derived risk detection result corresponding to the debugging type session risk detection result, including: determining a second risk content offset according to a test type derived risk detection result corresponding to the second debugging type session risk detection result and a second basic cloud session risk detection result corresponding to the second debugging type session risk detection result in the second annotation information; obtaining a second disturbance offset according to the distinguishing condition of the test type derived risk detection result and the distinguishing condition of the second detection disturbance layer on the second basic cloud session risk detection result; determining a second confidence offset by regression operation of the test-type derived risk detection result and the second base cloud session risk detection result; obtaining a second global hotspot distribution deviation according to the description and analysis condition of the test type derived risk detection result and a second basic label in the second annotation information; obtaining a second disassembly offset according to the disassembly condition of the detection result of the test-type derived risk detection result and the second basic disassembly condition in the second annotation information; and combining the integration results of the second disturbance offset, the second risk content offset, the second confidence coefficient offset, the second global hot spot distribution offset and the second dismantling offset to obtain the first expected offset. By designing in this way, because different degrees of deviation are provided, the performance evaluation of the machine learning model can be improved through each deviation.
Under some possible design ideas, obtaining the second expected offset according to the distinguishing condition, the description analysis condition and the detection result disassembly condition of the test type derived risk detection result corresponding to the debugging type session risk detection result includes: determining an online business behavior local session risk detection result of at least one online business behavior in the test type derived risk detection result, and transmitting the online business behavior local session risk detection result of the at least one online business behavior to a detection disturbance layer, a description analysis layer and a detection result disassembly layer respectively, to obtain the distinguishing condition, the description analysis condition and the detection result disassembly condition of the online business behavior local session risk detection result of the at least one online business behavior; determining a third disturbance offset of the at least one online business behavior according to the distinguishing condition of the online business behavior local session risk detection result of the at least one online business behavior and the distinguishing condition, given by the second detection disturbance layer, of the online business behavior local session risk detection result of the at least one online business behavior in the second basic cloud session risk detection result; obtaining a third global hotspot distribution offset of the at least one online business behavior according to the description analysis condition of the online business behavior local session risk detection result of the at least one online business behavior and the basic label of the at least one online business behavior in the second annotation information; obtaining a third disassembly offset of the at least one online business behavior according to the detection result disassembly condition of the online business behavior local session risk detection result of the at least one online business behavior and the basic disassembly condition of the at least one online business behavior in the second annotation information; and combining the integration result of the third disturbance offset, the third global hotspot distribution offset and the third disassembly offset of the at least one online business behavior to obtain the second expected offset of the machine learning model. With this design, the performance evaluation of the machine learning model can be further improved based on the feature deviation of each online business behavior.
According to another aspect of the present application, there is also provided a network security analysis system, including a processor, a network module, and a memory; the processor and the memory communicate through the network module, and the processor reads the computer program from the memory and operates to perform the above-described method.
Compared with the prior art, the network security analysis method and system applied to big data intelligence provided by the embodiment of the application have the following technical effects. The method can start the derivation processing of the first cloud session risk detection result in combination with at least one indication type session risk detection result. Because the indication type session risk detection result comprises local description information of the first cloud session risk detection result, the accuracy of the obtained derived risk detection result is improved relative to the first cloud session risk detection result. Even if part of the information in the first cloud session risk detection result is lost, an accurate derived risk detection result can be generated by integrating the indication type session risk detection result. In other words, the method can quickly start the derivation processing of the cloud session risk detection result in combination with a plurality of indication type session risk detection results to obtain a cloud session risk detection result of higher quality.
Drawings
Fig. 1 is a flowchart of a network security analysis method applied to big data intelligence according to an embodiment of the present disclosure.
Detailed Description
The network security analysis system 10 in the embodiment of the present application may be a server with data storage, transmission, and processing functions. As shown in fig. 1, the network security analysis system 10 includes: a memory 11, a processor 12, a network module 13 and a network security analysis device 20 applied to big data intelligence.
The memory 11, the processor 12 and the network module 13 are electrically connected directly or indirectly to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The memory 11 stores a network security analysis device 20 applied to big data intelligence, the network security analysis device 20 applied to big data intelligence comprises at least one software function module which can be stored in the memory 11 in the form of software or firmware (firmware), and the processor 12 executes various function applications and data processing by running software programs and modules stored in the memory 11, such as the network security analysis device 20 applied to big data intelligence in the embodiment of the present application, so as to implement the network security analysis method applied to big data intelligence in the embodiment of the present application.
The memory 11 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The memory 11 is used for storing a program, and the processor 12 executes the program after receiving an execution instruction.
The processor 12 may be an integrated circuit chip having data processing capabilities. The processor 12 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like. It may implement or perform the various methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The network module 13 is used for establishing communication connection between the network security analysis system 10 and other communication terminal devices through a network, and implementing transceiving operation of network signals and data. The network signal may include a wireless signal or a wired signal.
It will be appreciated that the configuration shown in FIG. 1 is merely illustrative, and that network security analysis system 10 may include more or fewer components than shown in FIG. 1, or may have a different configuration than shown in FIG. 1. The components shown in fig. 1 may be implemented in hardware, software, or a combination thereof.
An embodiment of the present application further provides a computer storage medium, where a computer program is stored, and the computer program implements the method when running.
Fig. 1 shows a flowchart of a network security analysis method applied to big data intelligence provided by an embodiment of the present application. The method steps defined by the related flow are applied to the network security analysis system 10 and can be implemented by the processor 12; the method comprises the technical solution recorded in the following Step10-Step30.
Step10, determining a first cloud session risk detection result.
In the embodiment of the application, the first cloud session risk detection result can be understood as the to-be-processed cloud session risk detection result, and the cloud service interaction event corresponding to the to-be-processed cloud session risk detection result, that is, the first cloud session risk detection result, can be obtained first. In addition, the first cloud session risk detection result may include a target cloud service interaction event of a target category. For example, the target cloud service interaction event in the embodiment of the application may be a government-enterprise cloud service interaction event; that is, derivative processing of a government-enterprise cloud session risk detection result can be achieved through the embodiment of the application, so that network security threats in the first cloud session risk detection result can be conveniently analyzed.
Step20, determining at least one indication type session risk detection result of the first cloud session risk detection result, wherein the indication type session risk detection result carries indication type big data of a target cloud service interaction event in the first cloud session risk detection result.
In this embodiment of the application, the first cloud session risk detection result may be provided with at least one corresponding indication type session risk detection result. The indication type session risk detection result carries indication type big data (guidance information or prompt information) of the target cloud service interaction event in the first cloud session risk detection result; for example, it may include indication type big data of at least one target online business behavior of the target cloud service interaction event. If the target cloud service interaction event is a government-enterprise event, the indication type session risk detection result may include a cloud session risk detection result of at least one online business behavior of the network threat bound to the authentication authority of the target cloud service interaction event. In addition, the indication type session risk detection result in the embodiment of the application is a cloud session risk detection result with a high feature recognition degree, so that the precision and accuracy of the derived risk detection result can be improved.
In some possible embodiments, the indication type session risk detection result bound with the first cloud session risk detection result may be received directly from a third party, or the indication type session risk detection result may be obtained according to an obtained session risk distribution of the target cloud service interaction event. The session risk distribution may include at least one group of significance content of the target cloud service interaction event. For example, when the target cloud service interaction event is a government-enterprise cloud service interaction event, the session risk distribution may include the significance content (which may be understood as feature information) of at least one target online business behavior of the government-enterprise cloud service interaction event. Alternatively, the session risk distribution may directly include a global session risk distribution of the target cloud service interaction event in the first cloud session risk detection result, for example, where the target cloud service interaction event is a cloud service interaction event of a certain known authentication authority. Through the session risk distribution, it is possible to determine cloud session risk detection results similar to at least one target online business behavior of the target cloud service interaction event in the first cloud session risk detection result, or cloud session risk detection results that include the same cloud service interaction event as the first cloud session risk detection result. The similar cloud session risk detection results, or the cloud session risk detection results including the same cloud service interaction event, can then be used as indication type session risk detection results.
Step30, performing supervised derivative processing on the first cloud session risk detection result through at least one indication type session risk detection result of the first cloud session risk detection result to obtain a derivative risk detection result.
In the embodiment of the application, after at least one indication type session risk detection result corresponding to the first cloud session risk detection result is obtained, derivative processing of the first cloud session risk detection result can be performed in combination with the obtained at least one cloud session risk detection result. Because the indication type session risk detection result includes the indication type big data (which can be understood as guiding information) of at least one target online business behavior of the target cloud service interaction event in the first cloud session risk detection result, the derivative processing of the first cloud session risk detection result can be supervised according to the indication type big data. Even if the first cloud session risk detection result is a cloud session risk detection result with a certain information defect, a more accurate derivative risk detection result can be derived in combination with the indication type big data. (Here, the derivation of a risk detection result is understood as an extension or enrichment of that result.)
Under some possible design ideas, the indication type session risk detection result of the corresponding target online business behavior can be substituted directly into the first cloud session risk detection result to obtain a derivative risk detection result. For example, when the indication type session risk detection results include the indication type session risk detection result of the qualification handling branch, that result may be substituted into the first cloud session risk detection result. In this way, the corresponding indication type session risk detection result can be substituted directly into the first cloud session risk detection result, and the derivation of the cloud session risk detection result is completed. The indication type big data of the indication type session risk detection results can thus conveniently be incorporated into the first cloud session risk detection result, achieving derivative processing of the first cloud session risk detection result; and because the indication type session risk detection result is a high-quality cloud session risk detection result, the obtained derivative risk detection result is also a high-quality cloud session risk detection result.
Under some possible design ideas, the derived risk detection result can be obtained based on the potential feature mining operation of the indication type session risk detection result and the first cloud session risk detection result.
Under some possible design ideas, the network state of the cloud service interaction event in an obtained indication type session risk detection result may differ from the network state of the target cloud service interaction event in the first cloud session risk detection result; in that case, each indication type session risk detection result needs to be paired with the first cloud session risk detection result. That is, the network state of the cloud service interaction event in the indication type session risk detection result is adjusted to be consistent with the network state of the target cloud service interaction event in the first cloud session risk detection result, and derivative processing of the first cloud session risk detection result is then performed in combination with the indication type session risk detection result after the network state adjustment. This process can improve the accuracy of the obtained derivative risk detection result.
Therefore, the embodiment of the application can quickly realize the derivative processing of the first cloud session risk detection result based on the first cloud session risk detection result and at least one indication type session risk detection result. The obtained derivative risk detection result can incorporate the indication type big data of each indication type session risk detection result, and its quality can be improved to a certain extent.
It is to be understood that the embodiments of the present application will be described in detail with reference to the following examples.
For an independently implementable embodiment, determining at least one indication type session risk detection result of the first cloud session risk detection result, as recorded in Step20, may illustratively include the content described in Step21 and Step22.
And Step21, determining the session risk distribution of the first cloud session risk detection result.
In this embodiment of the application, the session risk distribution of the first cloud session risk detection result may include the significance content (or feature session risk distribution, feature map) of at least one target online business behavior of the target cloud service interaction event in the first cloud session risk detection result. For example, on the premise that the target cloud service interaction event is a government-enterprise service interaction event, the session risk distribution may include the significance content of at least one group of target online business behaviors of the target cloud service interaction event. Alternatively, the session risk distribution may include authentication authority information of the cloud service interaction event in the first cloud session risk detection result, and the authentication authority information may include information for determining the authentication authority of the cloud service interaction event. The above is only an exemplary description of the session risk distribution and does not limit the session risk distribution of the present application; other information related to the cloud service interaction event may also be used as the session risk distribution.
Under some possible design ideas, the method for determining the session risk distribution may include at least one of the following: receiving a session risk distribution input by a third party, and/or receiving a cloud session risk detection result with annotation information (the part annotated by the annotation information is a target online business behavior bound with the target cloud service interaction event in the first cloud session risk detection result). In other embodiments, the session risk distribution may also be received in other manners, which is not further limited in this application.
Step22, determining, through the session risk distribution of the first cloud session risk detection result, an indication type session risk detection result bound with the target online business behavior of the cloud service interaction event.
In the embodiment of the application, after the session risk distribution is obtained, the indication type session risk detection result bound with the cloud service interaction event in the first cloud session risk detection result can be determined according to the session risk distribution. When the session risk distribution carries the session risk distribution of at least one target online business behavior of the cloud service interaction event, the bound indication type session risk detection result can be determined based on the session risk distribution of each target online business behavior. The information set may include at least one cloud session risk detection result of multiple cloud service interaction events, so that the corresponding indication type session risk detection results can be conveniently determined based on the session risk distribution.
Under some possible design considerations, the session risk distribution may also include authentication authority information about the cloud service interaction event _1 in the first cloud session risk detection result, and at this time, the cloud session risk detection result bound to the authentication authority information may be selected from the information set based on the authentication authority information as an indication type session risk detection result.
Therefore, an indication type session risk detection result bound with the target online business behavior of the cloud service interaction event in the first cloud session risk detection result can be determined based on the session risk distribution, and performing derivative processing on the cloud session risk detection result in combination with the indication type session risk detection result can improve the accuracy of the determined cloud session risk detection result.
It can be understood that, after the indication type session risk detection result is obtained, derivative processing of the cloud session risk detection result can be performed according to the indication type session risk detection result. Besides substituting the indication type session risk detection result directly into the corresponding target online business behavior of the first cloud session risk detection result, the embodiment of the present application may also perform change or flip processing after conversion processing has been performed on the indication type session risk detection result, and thereby obtain the derivative risk detection result.
For an independently implementable embodiment, performing supervised derivative processing on the first cloud session risk detection result through at least one indication type session risk detection result of the first cloud session risk detection result to obtain a derivative risk detection result, as recorded in Step30, may exemplarily include the content recorded in Step31-Step33.
Step31, performing, in combination with the current network state of the target cloud service interaction event in the first cloud session risk detection result, conversion processing on the at least one indication type session risk detection result, and obtaining a mapping session risk detection result corresponding to the indication type session risk detection result in the current network state.
In this embodiment of the application, the network state of the cloud service interaction event in an obtained indication type session risk detection result may differ from the network state of the cloud service interaction event in the first cloud session risk detection result. In that case, each indication type session risk detection result needs to be paired with the first cloud session risk detection result; that is, the network state of the cloud service interaction event in the indication type session risk detection result is made the same as the network state of the target cloud service interaction event in the first cloud session risk detection result.
The embodiment of the application can perform conversion processing on the indication type session risk detection result by means of a conversion processing method, so that the network state of the cloud service interaction event in the indication type session risk detection result after the conversion processing (which can be understood as a mapping session risk detection result) is the same as the network state of the target cloud service interaction event in the first cloud session risk detection result.
In this way, at least one mapping session risk detection result with the same network state as that in the first cloud session risk detection result can be obtained (one mapping session risk detection result is obtained after each indication type session risk detection result is subjected to mapping processing), and the mapping session risk detection result and the first cloud session risk detection result are paired.
Step32, determining a local session risk detection result of the at least one target online business behavior from the mapping session risk detection result corresponding to the indication type session risk detection result, through the at least one target online business behavior bound with the target cloud service interaction event in the at least one indication type session risk detection result.
In this embodiment of the application, the obtained indication type session risk detection result is a cloud session risk detection result bound to at least one target online service behavior in the first cloud session risk detection result. Therefore, after the mapping session risk detection results corresponding to the indication type session risk detection results are obtained through conversion processing, a local session risk detection result of the indication type online service behavior may be determined from the mapping session risk detection results based on the indication type online service behavior (the target online service behavior bound to the cloud service interaction event) corresponding to each indication type session risk detection result; that is, the local session risk detection result of the target online service behavior bound to the cloud service interaction event in the first cloud session risk detection result is split from the mapping session risk detection results. For example, when the target online service behavior bound to the cloud service interaction event in an indication type session risk detection result is image-text verification, a local session risk detection result of the image-text verification online service behavior can be determined from the mapping session risk detection result corresponding to that indication type session risk detection result. In this way, the local session risk detection result bound with the online business behavior of the cloud service interaction event in the first cloud session risk detection result can be obtained.
Step33, obtaining the derived risk detection result based on the determined local session risk detection result and the first cloud session risk detection result.
In the embodiment of the application, after the local session risk detection result of at least one target online service behavior of the target cloud service interaction event is obtained, the obtained local session risk detection result and the first cloud session risk detection result may be combined to perform derivative processing on the cloud session risk detection result, so as to obtain a derivative risk detection result.
Under some possible design ideas, each local session risk detection result can be bound with at least one target online business behavior in the cloud service interaction event of the first cloud session risk detection result, and the cloud session risk detection result of the bound online business behavior in the local session risk detection result can be substituted into the corresponding online business behavior in the first cloud session risk detection result. For example, when the local session risk detection result is bound with the image-text verification of the cloud service interaction event, the cloud session risk detection result set of the image-text verification in the local session risk detection result can be substituted into the image-text verification online business behavior in the first cloud session risk detection result; and when the local session risk detection result is bound with the password verification of the cloud service interaction event, the cloud session risk detection result set of the password verification in the local session risk detection result can be substituted into the corresponding online business behavior in the first cloud session risk detection result. Based on similar thinking, the cloud session risk detection result of each online business behavior bound with the cloud service interaction event in the determined local session risk detection results can be substituted into the corresponding online business behavior in the first cloud session risk detection result, and finally a derivative risk detection result can be obtained.
Or, under some possible design ideas, the derived risk detection result may also be obtained through potential feature mining operations of the local session risk detection result and the first cloud session risk detection result.
It can be understood that each local session risk detection result and the first cloud session risk detection result may be input to an RNN, and at least one potential feature mining operation is performed to realize feature integration of the cloud session risk detection results and finally obtain integrated description content, based on which a derivative risk detection result corresponding to the integrated description content may be obtained. Therefore, the feature recognition degree of the first cloud session risk detection result can be improved, and at the same time an accurate derived risk detection result is obtained.
In other embodiments of the present application, in order to further improve the accuracy and quality of the derivative risk detection result, a hotspot risk detection derivative operation may be performed on the first cloud session risk detection result to obtain a second cloud session risk detection result with a higher feature recognition degree than the first cloud session risk detection result, and derivative processing is then performed in combination with the second cloud session risk detection result to obtain the derivative risk detection result.
Based on this, performing supervised derivative processing on the first cloud session risk detection result through at least one indication type session risk detection result of the first cloud session risk detection result to obtain a derivative risk detection result, as recorded in Step30, may further include the content described in Step301-Step304.
Step301, performing a hotspot risk detection derivative operation on the first cloud session risk detection result to obtain a second cloud session risk detection result, wherein the feature recognition degree of the second cloud session risk detection result is greater than that of the first cloud session risk detection result.
In the embodiment of the application, once the first cloud session risk detection result is obtained, a hotspot risk detection derivative operation can be performed on it to obtain the second cloud session risk detection result with a higher feature recognition degree. The hotspot risk detection derivative operation can derive a cloud session risk detection result with a higher feature recognition degree from a cloud session risk detection result, or a set of cloud session risk detection results, with a relatively lower feature recognition degree. A cloud session risk detection result with a higher feature recognition degree has more local description information and more accurate detection labels.
It is to be appreciated that performing the hotspot risk detection derivative operation may include: performing upsampling processing on the first cloud session risk detection result to improve the accuracy of the cloud session risk detection result, and performing at least one potential feature mining operation (which can be understood as moving average processing) on the cloud session risk detection result obtained through upsampling, to obtain the cloud session risk detection result after the hotspot risk detection derivative operation, namely the second cloud session risk detection result.
Step302, performing, in combination with the current network state of the target cloud service interaction event in the second cloud session risk detection result, conversion processing on the at least one indication type session risk detection result, and obtaining a mapping session risk detection result corresponding to the indication type session risk detection result in the current network state.
In this embodiment of the application, as in Step31, the second cloud session risk detection result is a cloud session risk detection result whose feature recognition degree is improved relative to the first cloud session risk detection result, and the network state of the target cloud service interaction event in the second cloud session risk detection result may also differ from the network state of an indication type session risk detection result. Therefore, before derivative processing is performed, the indication type session risk detection result may be converted and adjusted according to the network state of the target cloud service interaction event in the second cloud session risk detection result, so as to obtain a mapping session risk detection result with the same network state as the target cloud service interaction event in the second cloud session risk detection result.
Step303, determining a local session risk detection result of the at least one target online service behavior from the mapping session risk detection result corresponding to the indication type session risk detection result, through the at least one target online service behavior bound with the cloud service interaction event in the at least one indication type session risk detection result.
In this embodiment, as in Step32, the obtained indication type session risk detection result is a cloud session risk detection result bound to at least one target online service behavior in the second cloud session risk detection result. Therefore, after the mapping session risk detection results corresponding to the indication type session risk detection results are obtained through conversion processing, the local session risk detection result of the indication type online service behavior may be determined from the mapping session risk detection results based on the indication type online service behavior corresponding to each indication type session risk detection result (the target online service behavior bound to the cloud service interaction event); that is, the local session risk detection result of the target online service behavior bound to the cloud service interaction event in the first cloud session risk detection result is split from the mapping session risk detection results.
Step304, obtaining the derived risk detection result based on the determined local session risk detection result and the second cloud session risk detection result.
In the embodiment of the application, after the local session risk detection result of at least one target online service behavior of the target cloud service interaction event is obtained, derivative processing of the cloud session risk detection result can be performed by combining the obtained local session risk detection result and the second cloud session risk detection result to obtain a derived risk detection result.
Under some possible design ideas, each local session risk detection result can be bound with at least one target online business behavior in the cloud service interaction event of the second cloud session risk detection result, and the cloud session risk detection result of the bound online business behavior in the local session risk detection result can be substituted into the corresponding online business behavior in the second cloud session risk detection result. For example, when the local session risk detection result is bound with the image-text verification of the cloud service interaction event, the cloud session risk detection result set of the image-text verification in the local session risk detection result can be substituted into the image-text verification online business behavior in the first cloud session risk detection result; and when the local session risk detection result is bound with the password verification of the cloud service interaction event, the cloud session risk detection result set of the password verification in the local session risk detection result can be substituted into the corresponding online business behavior in the second cloud session risk detection result. Based on similar thinking, the cloud session risk detection result of each online business behavior bound with the cloud service interaction event in the determined local session risk detection results can be substituted into the corresponding online business behavior in the second cloud session risk detection result, and finally a derivative risk detection result can be obtained.
Or, under some possible design ideas, the derived risk detection result may also be obtained through potential feature mining operations on the local session risk detection result and the second cloud session risk detection result. The local session risk detection results and the second cloud session risk detection result can be input to an RNN, and at least one potential feature mining operation is performed to achieve feature integration of the cloud session risk detection results and finally obtain integrated description content, based on which the derivative risk detection result corresponding to the integrated description content can be obtained. Therefore, the feature recognition degree of the first cloud session risk detection result can be further improved through the hotspot risk detection derivative operation, and at the same time a more accurate derivative risk detection result is obtained.
In the embodiment of the application, after the derived risk detection result of the first cloud session risk detection result is obtained, authentication authority analysis of the cloud service interaction event in the cloud session risk detection result can be performed in combination with the derived risk detection result. The authentication authority information set may contain the authentication authority information of a plurality of cloud service interaction events, and because the derived risk detection result is of high quality, for example in its feature recognition degree, the accuracy of the obtained authentication authority information is correspondingly improved.
For an independently implementable embodiment, a first cloud session risk detection result result1 may be determined. The feature recognition degree of the first cloud session risk detection result result1 is low, and result1 is input into a machine learning model network_a to perform the hotspot risk detection derivative operation, so as to obtain a second cloud session risk detection result result2. After the second cloud session risk detection result result2 is obtained, derivative processing of the cloud session risk detection result may be implemented based on it. The indication type session risk detection results result3 of the first cloud session risk detection result may be obtained; for example, each indication type session risk detection result result3 may be obtained based on the session risk distribution of the first cloud session risk detection result result1. Each mapping session risk detection result result4 is obtained by performing conversion processing on the indication type session risk detection result result3 according to the network state of the cloud service interaction event in the second cloud session risk detection result result2. Then, according to the online service behavior corresponding to the indication type session risk detection result, a local session risk detection result result5 of the corresponding online service behavior can be determined from the mapping session risk detection result.
Further, the derived risk detection result is obtained according to the local session risk detection results result5 and the second cloud session risk detection result result2: potential feature mining operations can be performed on the local session risk detection results result5 and the second cloud session risk detection result result2 to obtain integrated description content, and the final derived risk detection result result6 is obtained based on the integrated description content.
For a stand-alone embodiment, the process of debugging a machine learning model may illustratively include the description of Step51-Step 54.
Step51, determining a first debugging type session risk detection result set, wherein the first debugging type session risk detection result set covers a plurality of first debugging type session risk detection results and first annotation information corresponding to the first debugging type session risk detection results.
Under some possible design ideas, the first debugging type session risk detection result set can cover a plurality of first debugging type session risk detection results, which can be cloud session risk detection results with low feature recognition degrees. Correspondingly, the set may further include annotation information (which may be understood as supervision information) corresponding to each first debugging type session risk detection result, and the first annotation information in the embodiment of the present application may be determined according to the model variable of the cost. For example, it may include a first basic cloud session risk detection result (a cloud session risk detection result with higher quality or a standard cloud session risk detection result) corresponding to the first debugging type session risk detection result, and a first basic label (a standard feature) of the first basic cloud session risk detection result.
Step52, transmitting at least one first debugging type session risk detection result in the first debugging type session risk detection result set to the first machine learning model to enable the hotspot risk detection derivation operation, and obtaining a test type hotspot risk detection result corresponding to the first debugging type session risk detection result.
In this embodiment of the application, when the first machine learning model is debugged, the cloud session risk detection results in the first debug type session risk detection result set may be transmitted to the first machine learning model together, or may be transmitted to the first machine learning model one by one, so as to obtain the test type hotspot risk detection results after the hotspot risk detection derivative operation corresponding to each first debug type session risk detection result, respectively.
Step53, inputting the test type hot spot risk detection result into a first detection disturbance layer, a first description analysis layer and a first detection result disassembly layer respectively, and obtaining the distinguishing situation, the description analysis situation and the detection result disassembly situation of the test type hot spot risk detection result corresponding to the first debugging type session risk detection result.
In the embodiment of the application, the first machine learning model can be debugged in combination with a detection disturbance layer (an adversarial neural network), a description analysis layer (a feature extraction network) and a detection result disassembly layer (a segmentation network). The information derivation layer (generator) corresponds to the first machine learning model of the embodiments of the present application. The following explanation takes as an example the first machine learning model, as the information derivation layer, being the network part that enables the hotspot risk detection derivation operation.
The test type hotspot risk detection result output by the information derivation layer is transmitted into the detection disturbance layer, the description analysis layer and the detection result disassembly layer, so as to obtain a distinguishing condition (which can be understood as a distinguishing result), a description analysis condition (which can be understood as a feature identification result) and a detection result disassembly condition for the test type hotspot risk detection result corresponding to the debugging type session risk detection result. The distinguishing condition represents whether the first detection disturbance layer can distinguish the actual conditions of the test type hotspot risk detection result and the annotated cloud session risk detection result, the description analysis condition comprises the distribution analysis condition of a significant operation link, and the detection result disassembly condition comprises the information labels corresponding to all online business behaviors of the cloud service interaction event.
Step54, obtaining a first model expected deviation according to the distinguishing condition, the description analysis condition and the detection result disassembly condition of the test type hotspot risk detection result, and feeding back and optimizing the model variables of the first machine learning model through the first model expected deviation until the first model expected deviation meets a first debugging index.
In this embodiment of the application, the first debugging index (which may be understood as a training requirement) is that the expected deviation of the first model (which may be understood as a network loss) is smaller than or equal to the first deviation quantization result; that is, when the obtained expected deviation of the first model is smaller than the first deviation quantization result, the debugging of the first machine learning model can be terminated, and the machine learning model obtained at that point has a higher accuracy for the hotspot risk detection derivation operation. The first deviation quantization result may be a value smaller than 1, for example 0.5, and the embodiment of the present application is not limited further.
Under some possible design ideas, a disturbance offset (which can be understood as an adversarial loss) can be obtained according to the distinguishing condition of the test type hotspot risk detection result, a disassembly offset (which can be understood as a disassembly loss) can be obtained according to the detection result disassembly condition, a global hotspot distribution offset (which can be understood as a visual map loss) can be obtained according to the obtained description analysis condition, and a corresponding risk content offset (which can be understood as a risk content loss) and a processed confidence offset (which can be understood as a weight loss) can be obtained according to the obtained test type hotspot risk detection result.
In an actual implementation process, a first disturbance offset may be obtained according to a distinguishing condition of the test type hotspot risk detection result and a distinguishing condition of a first detection disturbance layer on a first basic cloud session risk detection result in the first annotation information. The first disturbance offset may be determined by combining a distinguishing condition of a test type hotspot risk detection result corresponding to each first debugging type session risk detection result in the first debugging type session risk detection result set and a distinguishing condition of a first detection disturbance layer to a first basic cloud session risk detection result corresponding to the first debugging type session risk detection result in the first annotation information.
In addition, the first risk content offset may be determined according to the test type hotspot risk detection result corresponding to the first debugging type session risk detection result and the first basic cloud session risk detection result corresponding to the first debugging type session risk detection result in the first annotation information. Further, a first confidence offset may be determined by a regression operation on the test type hotspot risk detection result and the first basic cloud session risk detection result; the first confidence offset corresponding to the test type hotspot risk detection result is obtained through the confidence offset. In addition, a first global hotspot distribution offset is obtained through the description analysis condition of the test type hotspot risk detection result corresponding to the debugging type session risk detection result and the first basic label in the first annotation information. In addition, a first disassembly offset is obtained according to the detection result disassembly condition of the test type hotspot risk detection result corresponding to the debugging type session risk detection result and the first basic disassembly condition in the first annotation information.
It is understood that the specific formulas of the above offsets can be flexibly adjusted according to actual situations, and they are not limited or elaborated further in this application.
The first model expected offset of the first machine learning model can be obtained through the method described above. When the first model expected offset is larger than the first offset quantization result, it is determined not to meet the first debugging index. In that case, a model variable of the first machine learning model, such as a moving average model variable, can be optimized in reverse, and the first machine learning model with the adjusted model variable continues to enable the hotspot risk detection operation on the debugging type session risk detection result set. Once the obtained first model expected offset is smaller than or equal to the first offset quantization result, it is determined to meet the first debugging index, and the debugging of the machine learning model is terminated.
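The debugging loop of Step51-Step54, as an added Python example that is not part of the patent text: the five offsets are integrated into the first model expected deviation, and the model variables are fed back and optimized until that deviation is at most the 0.5 example value given above. The affine stand-in for the information derivation layer, the frozen scoring layers, every offset formula, the equal weights and the sample scores are assumptions constructed for illustration, since the application leaves the offset formulas open.

```python
import math

# Constructed sample data (assumption): reference per-behavior risk scores stand in
# for the "first basic cloud session risk detection result"; the degraded copies are
# compressed toward 0.5 to mimic a result with low feature recognition degree.
REFERENCE = [[0.9, 0.1, 0.8, 0.2], [0.1, 0.9, 0.2, 0.7], [0.8, 0.8, 0.1, 0.1]]
TRAIN_SET = [([0.5 * r + 0.25 for r in ref], ref) for ref in REFERENCE]
THRESHOLD = 0.5  # example value the text gives for the first deviation quantization result


def softplus(z):
    """Numerically stable log(1 + exp(z)); softplus(-z) equals -log(sigmoid(z))."""
    return math.log1p(math.exp(-abs(z))) + max(z, 0.0)


def softmax(values, sharpness=4.0):
    top = max(values)
    exps = [math.exp(sharpness * (v - top)) for v in values]
    total = sum(exps)
    return [e / total for e in exps]


def derive(params, scores):
    """Information derivation layer (generator); here a hypothetical affine map."""
    gain, bias = params
    return [gain * s + bias for s in scores]


def offsets(output, ref):
    """The five offsets for one sample. All formulas are illustrative assumptions."""
    n = len(ref)
    pairs = list(zip(output, ref))
    spread = max(output) - min(output)
    return {
        # Detection disturbance layer: frozen critic rating high-contrast output as real.
        "disturbance": softplus(-8.0 * (spread - 0.4)),
        "risk_content": sum((o - r) ** 2 for o, r in pairs) / n,
        "confidence": sum(abs(o - r) for o, r in pairs) / n,
        # Description analysis layer: where the risk hotspots sit, as a distribution.
        "hotspot_distribution": sum(
            (p - q) ** 2 for p, q in zip(softmax(output), softmax(ref))),
        # Detection result disassembly layer: per-behavior risky / not-risky label.
        "disassembly": sum(
            softplus(-10.0 * (o - 0.5)) if r > 0.5 else softplus(10.0 * (o - 0.5))
            for o, r in pairs) / n,
    }


def expected_deviation(params, dataset, weights=None):
    """Model expected deviation: weighted sum of the offsets, averaged over the set."""
    weights = weights or {}
    total = 0.0
    for degraded, ref in dataset:
        terms = offsets(derive(params, degraded), ref)
        total += sum(weights.get(name, 1.0) * value for name, value in terms.items())
    return total / len(dataset)


def debug_model(dataset, threshold=THRESHOLD, lr=0.02, max_epochs=1000, eps=1e-5):
    """Feed the deviation back into the model variables until the debugging index holds."""
    params = [1.0, 0.0]  # start from the identity map
    history = []
    for _ in range(max_epochs):
        loss = expected_deviation(params, dataset)
        history.append(loss)
        if loss <= threshold:  # first debugging index met: stop debugging
            break
        grads = []
        for i in range(len(params)):  # central finite-difference gradient
            up, down = list(params), list(params)
            up[i] += eps
            down[i] -= eps
            grads.append((expected_deviation(up, dataset)
                          - expected_deviation(down, dataset)) / (2 * eps))
        params = [p - lr * g for p, g in zip(params, grads)]
    return params, history


if __name__ == "__main__":
    final_params, losses = debug_model(TRAIN_SET)
    print(f"epochs={len(losses)} first={losses[0]:.3f} last={losses[-1]:.3f}")
    print("gain, bias =", [round(p, 3) for p in final_params])
```

Lowering `threshold` makes the loop run for more epochs, and `max_epochs` bounds it when the index cannot be met.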
It is understood that, in the embodiment of the present application, the debugging process for the first machine learning model may also enable a cloud session risk detection derivation process of Step30 through a second machine learning model; for example, the second machine learning model may be an RNN.
For a separately implementable embodiment, the process of debugging the second machine learning model may include the content recorded at Step61-Step64.
Step61, determining a second debugging type session risk detection result set, wherein the second debugging type session risk detection result set covers a plurality of second debugging type session risk detection results, indication type debugging type session risk detection results corresponding to the second debugging type session risk detection results and second annotation information.
Under some possible design ideas, the second debugging type session risk detection result in the second debugging type session risk detection result set may be a test type hotspot risk detection result expected to be formed by the first machine learning model, or may also be a cloud session risk detection result with relatively low feature recognition degree obtained through other manners, or may also be a cloud session risk detection result after an interference factor is applied, which is not further limited by the present application.
For example, when debugging of the second machine learning model is enabled, at least one indication type debugging type session risk detection result may be set for each debugging type session risk detection result, where the indication type debugging type session risk detection result includes indication type big data of the corresponding second debugging type session risk detection result, for example a cloud session risk detection result of at least one online business behavior. The indication type debugging type session risk detection result is also a cloud session risk detection result with high feature recognition degree and accuracy. Each second debugging type session risk detection result may have a different number of indication type debugging type session risk detection results, and the indication type online service behaviors corresponding to the indication type debugging type session risk detection results may also be different, which is not further limited in this application.
It can be understood that the second annotation information may also be determined according to a model variable of the cost, and may include a second base cloud session risk detection result (an accurate cloud session risk detection result) corresponding to the second debug type session risk detection result, a second base tag (an actual analytic feature of distribution of each significant operation link) of the second base cloud session risk detection result, a second base disassembly condition (an actual disassembly condition of each online business behavior), and may also include a differentiation condition of each online business behavior in the second base cloud session risk detection result (a differentiation condition of detecting output of a disturbance layer), a description analytic condition, a disassembly condition, and the like. When the second debugging type session risk detection result is the testing type hotspot risk detection result output by the first machine learning model, the first basic cloud session risk detection result is the same as the second basic cloud session risk detection result, the first basic disassembly condition is the same as the second basic disassembly condition, and the first basic label result is the same as the second basic label result.
Step62, converting the indication type debugging type session risk detection result by combining a second debugging type session risk detection result to obtain a debugging mapping session risk detection result, transmitting the debugging mapping session risk detection result and the second debugging type session risk detection result into the second machine learning model, and starting supervision derivation processing (which can be understood as derivation extension operation based on labels, indications or reminding information) on the second debugging type session risk detection result to obtain a test type derivation risk detection result of the second debugging type session risk detection result.
In this embodiment of the application, each second debugging type session risk detection result may have at least one corresponding indication type session risk detection result, and conversion processing may be enabled on the indication type debugging type session risk detection result according to the network state of the cloud service interaction event in the second debugging type session risk detection result, so as to obtain at least one debugging mapping session risk detection result. By transmitting the at least one debugging mapping session risk detection result corresponding to the second debugging type session risk detection result, together with the second debugging type session risk detection result itself, to the second machine learning model, the corresponding test-type derived risk detection result may be obtained.
Step63, respectively transmitting the test type derived risk detection results corresponding to the debugging type session risk detection results to a second detection disturbance layer, a second description analysis layer and a second detection result dismantling layer, and obtaining the distinguishing condition, the description analysis condition and the detection result dismantling condition of the test type derived risk detection results corresponding to the second debugging type session risk detection results.
In this embodiment of the application, the second machine learning model may be debugged by using the structure described above, at this time, the information derivation layer may represent the second machine learning model, and the test-type derived risk detection results corresponding to the second debugging-type session risk detection results may also be respectively transmitted to the detection perturbation layer, the description analysis layer, and the detection result disassembly layer, so as to obtain a distinguishing situation, a description analysis situation, and a detection result disassembly situation for the test-type derived risk detection results. The distinguishing condition represents an actual condition distinguishing condition between the test type derived risk detection result and the basic cloud session risk detection result, the description analysis condition comprises a distribution analysis condition of a significant operation link in the test type derived risk detection result, and the detection result disassembly condition comprises a disassembly condition of information labels corresponding to all online business behaviors of the cloud service interaction event in the test type derived risk detection result.
Step64, obtaining a second model expected deviation of the second machine learning model according to the distinguishing condition, the description analysis condition and the detection result disassembling condition of the test type derived risk detection result corresponding to the second debugging type session risk detection result, and feeding back and optimizing the model variable of the second machine learning model through the second model expected deviation until the second debugging index is met.
Under some possible design considerations, the expected second model offset may be an integration result of the first expected offset and the second expected offset, so that the first expected offset and the second expected offset can be obtained through a distinguishing condition, a description analysis condition and a detection result disassembly condition of the test-type derived risk detection result corresponding to the debugging-type session risk detection result, and the expected second model offset can be obtained through an integration result of the first expected offset and the second expected offset. The first expected offset may be an integration result of a perturbation offset, a risk content offset, a confidence offset, a disassembly offset, and a global hotspot distribution offset based on the test-type derived risk detection result.
Similarly, the second disturbance offset is determined in the same manner as the first disturbance offset: in combination with the disturbance offset, it may be obtained from the distinguishing condition of the detection disturbance layer on the test-type derived risk detection result and its distinguishing condition on the second basic cloud session risk detection result in the second annotation information. The second risk content offset is determined in the same manner as the first risk content offset: in combination with the risk content offset, it is determined from the test-type derived risk detection result corresponding to the second debugging-type session risk detection result and the second basic cloud session risk detection result corresponding to the second debugging-type session risk detection result. The second confidence offset is determined in the same manner as the first confidence offset: in combination with the confidence offset, it is determined by a regression operation on the test-type derived risk detection result corresponding to the second debugging-type session risk detection result and the second basic cloud session risk detection result. The second global hotspot distribution offset is determined in the same manner as the first global hotspot distribution offset: in combination with the global hotspot distribution offset, it can be obtained through the description analysis condition of the test-type derived risk detection result corresponding to the second debugging-type session risk detection result and the second basic label in the second annotation information. The second disassembly offset is determined in the same manner as the first disassembly offset: in combination with the disassembly offset, it can be obtained through the detection result disassembly condition of the test-type derived risk detection result corresponding to the second debugging-type session risk detection result and the second basic disassembly condition in the second annotation information. The first expected offset is then obtained by combining the integration results of the second disturbance offset, the second risk content offset, the second confidence offset, the second global hotspot distribution offset and the second disassembly offset.
Further, the method of determining the second expected offset of the second machine learning model may include: determining an online business behavior local session risk detection result corresponding to at least one online business behavior in the test-type derived risk detection result, and transmitting the local session risk detection result of the at least one online business behavior to the detection disturbance layer, the description analysis layer and the detection result disassembly layer respectively, to obtain the distinguishing condition, the description analysis condition and the detection result disassembly condition of the local session risk detection result of the at least one online business behavior; determining a third disturbance offset of the at least one online business behavior according to the distinguishing condition of the local session risk detection result of the at least one online business behavior and the distinguishing condition of the second detection disturbance layer on the local session risk detection result of the at least one online business behavior in the second basic cloud session risk detection result corresponding to the second debugging type session risk detection result; obtaining a third global hotspot distribution offset of the at least one online business behavior through the description analysis condition of the local session risk detection result of the at least one online business behavior and the basic label corresponding to the online business behavior in the second annotation information; obtaining a third disassembly offset of the at least one online business behavior according to the detection result disassembly condition of the local session risk detection result of the at least one online business behavior and the basic disassembly condition of the at least one online business behavior in the second annotation information; and combining the integration result of the third disturbance offset, the third global hotspot distribution offset and the third disassembly offset of the at least one online business behavior to obtain the second expected offset of the machine learning model.
As with the method for determining the offset, a second expected offset of each online business behavior may be determined by combining the integrated result of the third disturbance offset, the third risk content offset, and the third confidence offset of the local session risk detection result of each online business behavior in the test-type derived risk detection result.
The second model expected offset of the second machine learning model can be obtained through the method described above. When the second model expected offset is larger than the second offset quantization result, it is determined not to meet the second debugging index. In that case, a model variable of the second machine learning model, such as a moving average model variable, can be optimized in reverse, and the second machine learning model with the adjusted model variable continues to enable the hotspot risk detection operation on the debugging type session risk detection result set. Once the obtained second model expected offset is smaller than or equal to the second offset quantization result, it is determined to meet the second debugging index and the debugging of the second machine learning model is terminated; the second machine learning model obtained in this way can accurately produce the test-type derived risk detection result.
In summary, in the embodiment of the present application, a derivation process can be applied, based on the indication type session risk detection result, to a cloud session risk detection result with relatively low feature recognition degree, so as to obtain an accurate derived risk detection result. This makes it convenient to improve the feature recognition degree of the cloud session risk detection result and to obtain an accurate cloud session risk detection result.
Based on the same inventive concept, there is also provided a network security analysis apparatus 20 applied to big data intelligence, which is applied to a network security analysis system 10, and the apparatus includes:
the detection result acquisition module 21 is configured to determine a first cloud session risk detection result;
the detection result comparison module 22 is configured to determine at least one indication type session risk detection result of the first cloud session risk detection result, where the indication type session risk detection result carries indication type big data of a target cloud service interaction event in the first cloud session risk detection result;
and the detection result derivation module 23 is configured to perform supervised derivation processing on the first cloud session risk detection result according to at least one indication type session risk detection result of the first cloud session risk detection result to obtain a derived risk detection result.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A network security analysis method applied to big data intelligence is characterized by being applied to a network security analysis system, and the method at least comprises the following steps:
determining a first cloud session risk detection result, and determining not less than one indication type session risk detection result of the first cloud session risk detection result, wherein the indication type session risk detection result carries indication type big data of a target cloud service interaction event in the first cloud session risk detection result;
and performing supervised derivation processing on the first cloud session risk detection result through not less than one indication type session risk detection result of the first cloud session risk detection result to obtain a derived risk detection result.
2. The method of claim 1, wherein determining not less than one indication type session risk detection result of the first cloud session risk detection result comprises:
determining session risk distribution of the first cloud session risk detection result, wherein the session risk distribution carries not less than one group of significant content of a target cloud service interaction event in the first cloud session risk detection result;
and determining an indication type session risk detection result bound with the target cloud service interaction event and not less than one target online service behavior through the session risk distribution of the first cloud session risk detection result.
3. The method according to claim 2, wherein the obtaining of the derived risk detection result by performing supervised derivation processing on the first cloud session risk detection result through not less than one indication type session risk detection result of the first cloud session risk detection result comprises:
combining the current network state of the target cloud service interaction event in the first cloud session risk detection result, starting conversion processing on the at least one indication type session risk detection result, and obtaining a mapping session risk detection result corresponding to the indication type session risk detection result in the current network state;
determining a local session risk detection result of the at least one target online service behavior from a mapping session risk detection result corresponding to the indication type session risk detection result through the at least one target online service behavior bound with the target cloud service interaction event in the at least one indication type session risk detection result;
obtaining the derived risk detection result based on the determined local session risk detection result and the first cloud session risk detection result;
wherein the obtaining of the derived risk detection result based on the determined local session risk detection result and the first cloud session risk detection result comprises:
and changing the online business behavior corresponding to the target online business behavior in the local session risk detection result in the first cloud session risk detection result by combining the determined local session risk detection result to obtain the derivative risk detection result, or performing potential feature mining operation on the local session risk detection result and the first cloud session risk detection result to obtain the derivative risk detection result.
4. The method according to claim 2, wherein the obtaining of the derived risk detection result by performing supervised derivation processing on the first cloud session risk detection result through not less than one indication type session risk detection result of the first cloud session risk detection result comprises:
starting hotspot risk detection derivative operation on the first cloud session risk detection result to obtain a second cloud session risk detection result, wherein the feature recognition degree of the second cloud session risk detection result is greater than that of the first cloud session risk detection result;
combining the current network state of the target cloud service interaction event in the second cloud session risk detection result, and enabling conversion processing on the at least one indication type session risk detection result to obtain a mapping session risk detection result corresponding to the indication type session risk detection result in the current network state;
determining a local session risk detection result of the at least one target online service behavior from a mapping session risk detection result corresponding to the indication type session risk detection result through the at least one target online service behavior bound with the cloud service interaction event in the at least one indication type session risk detection result;
obtaining the derived risk detection result based on the determined local session risk detection result and the second cloud session risk detection result;
wherein the obtaining the derived risk detection result based on the determined local session risk detection result and the second cloud session risk detection result comprises:
changing, in combination with the determined local session risk detection result, the online business behavior in the second cloud session risk detection result that corresponds to the target online business behavior in the local session risk detection result, to obtain the derived risk detection result, or performing a potential feature mining operation on the local session risk detection result and the second cloud session risk detection result to obtain the derived risk detection result;
wherein the method further comprises: starting authentication authority analysis in combination with the derived risk detection result, and determining authentication authority information bound with the cloud service interaction event.
5. The method of claim 4, wherein the hotspot risk detection derivation operation on the first cloud session risk detection result is enabled by a first machine learning model to obtain the second cloud session risk detection result, and wherein the method further comprises a step of debugging the first machine learning model, which comprises:
determining a first debugging type session risk detection result set, wherein the first debugging type session risk detection result set covers a plurality of first debugging type session risk detection results and first annotation information corresponding to the first debugging type session risk detection results;
transmitting not less than one first debugging type session risk detection result in the first debugging type session risk detection result set to the first machine learning model to start the hotspot risk detection derivative operation, and obtaining a test type hotspot risk detection result corresponding to the first debugging type session risk detection result;
respectively transmitting the test type hotspot risk detection result to a first detection disturbance layer, a first description analysis layer and a first detection result disassembly layer to obtain a distinguishing condition, a description analysis condition and a detection result disassembly condition for the test type hotspot risk detection result;
and obtaining a first model expected deviation according to the distinguishing condition, the description analysis condition and the detection result disassembly condition of the test type hotspot risk detection result, and feeding back and optimizing the model variable of the first machine learning model through the first model expected deviation until the first model expected deviation meets a first debugging index.
6. The method according to claim 5, wherein obtaining the first model expected deviation according to the distinguishing condition, the description analysis condition and the detection result disassembly condition of the test type hotspot risk detection result corresponding to the first debugging type session risk detection result comprises:
determining a first risk content offset according to a test type hotspot risk detection result corresponding to the first debugging type session risk detection result and a first basic cloud session risk detection result corresponding to the first debugging type session risk detection result in the first annotation information;
obtaining a first disturbance offset according to the distinguishing condition of the test type hotspot risk detection result and the distinguishing condition of the first detection disturbance layer on the first basic cloud session risk detection result;
determining a first confidence degree offset through regression operation of the test type hotspot risk detection result and the first basic cloud session risk detection result;
obtaining a first global hotspot distribution deviation according to the description and analysis condition of the test type hotspot risk detection result and a first basic label in the first annotation information;
obtaining a first disassembly offset according to a detection result disassembly condition of the test type hot spot risk detection result and a first basic disassembly condition corresponding to a first debugging example in the first annotation information;
and combining the integration results of the first disturbance offset, the first risk content offset, the first confidence degree offset, the first global hotspot distribution deviation and the first disassembly offset to obtain the first model expected deviation.
7. The method according to any of claims 2-4, wherein the supervised derivation processing is enabled by a second machine learning model to obtain the derived risk detection result, and wherein the method further comprises a step of debugging the second machine learning model, which comprises:
determining a second debugging type session risk detection result set, wherein the second debugging type session risk detection result set comprises a second debugging type session risk detection result, an indication type debugging type session risk detection result corresponding to the second debugging type session risk detection result and second annotation information;
converting the indication type debugging type session risk detection result by combining the second debugging type session risk detection result to obtain a debugging mapping session risk detection result, transmitting the debugging mapping session risk detection result and the second debugging type session risk detection result into the second machine learning model, and starting supervision derivation processing on the second debugging type session risk detection result to obtain a test type derivation risk detection result of the second debugging type session risk detection result;
respectively transmitting the test type derived risk detection result to a second detection disturbance layer, a second description analysis layer and a second detection result disassembly layer to obtain a distinguishing condition, a description analysis condition and a detection result disassembly condition for the test type derived risk detection result;
obtaining a second model expected deviation of the second machine learning model according to the distinguishing condition, the description analysis condition and the detection result disassembly condition of the test type derived risk detection result, and feeding back and optimizing a model variable of the second machine learning model through the second model expected deviation until a second debugging index is met;
wherein obtaining the second model expected deviation of the second machine learning model according to the distinguishing condition, the description analysis condition and the detection result disassembly condition of the test type derived risk detection result corresponding to the second debugging type session risk detection result comprises:
obtaining a first expected offset and a second expected offset according to the distinguishing condition, the description analysis condition and the detection result disassembly condition of the test type derived risk detection result corresponding to the second debugging type session risk detection result;
and obtaining the second model expected deviation through the integrated result of the first expected offset and the second expected offset.
8. The method of claim 7, wherein obtaining the first expected offset according to the distinguishing condition, the description analysis condition and the detection result disassembly condition of the test type derived risk detection result corresponding to the second debugging type session risk detection result comprises:
determining a second risk content offset according to a test type derived risk detection result corresponding to the second debugging type session risk detection result and a second basic cloud session risk detection result corresponding to the second debugging type session risk detection result in the second annotation information;
obtaining a second disturbance offset according to the distinguishing condition of the test type derived risk detection result and the distinguishing condition of the second detection disturbance layer on the second basic cloud session risk detection result;
determining a second confidence degree offset through a regression operation on the test type derived risk detection result and the second basic cloud session risk detection result;
obtaining a second global hotspot distribution deviation according to the description analysis condition of the test type derived risk detection result and a second basic label in the second annotation information;
obtaining a second disassembly offset according to the detection result disassembly condition of the test type derived risk detection result and the second basic disassembly condition in the second annotation information;
and combining the integration results of the second disturbance offset, the second risk content offset, the second confidence degree offset, the second global hotspot distribution deviation and the second disassembly offset to obtain the first expected offset.
9. The method of claim 7, wherein obtaining the second expected offset according to the distinguishing condition, the description analysis condition and the detection result disassembly condition of the test type derived risk detection result corresponding to the second debugging type session risk detection result comprises:
determining a local session risk detection result of at least one online business behavior in the test type derived risk detection result, and respectively transmitting the local session risk detection result of the at least one online business behavior to a detection disturbance layer, a description analysis layer and a detection result disassembly layer to obtain the distinguishing condition, the description analysis condition and the detection result disassembly condition of the local session risk detection result of the at least one online business behavior;
determining a third disturbance offset of the at least one online business behavior according to the distinguishing condition of the local session risk detection result of the at least one online business behavior and the distinguishing condition, given by the second detection disturbance layer, of the local session risk detection result of the at least one online business behavior in the second basic cloud session risk detection result corresponding to the second debugging type session risk detection result;
obtaining a third global hotspot distribution deviation of the at least one online business behavior according to the description analysis condition of the local session risk detection result of the at least one online business behavior and the basic label of the at least one online business behavior in the second annotation information;
obtaining a third disassembly offset of the at least one online business behavior according to the detection result disassembly condition of the local session risk detection result of the at least one online business behavior and the basic disassembly condition of the at least one online business behavior in the second annotation information;
and combining the integration result of the third disturbance offset, the third global hotspot distribution deviation and the third disassembly offset of the at least one online business behavior to obtain the second expected offset of the machine learning model.
10. A network security analysis system, characterized by comprising a processor, a network module and a memory; the processor and the memory communicate through the network module, and the processor reads a computer program from the memory and runs it to perform the method of any of claims 1-9.
CN202210026475.2A 2022-01-11 2022-01-11 Network security analysis method and system applied to big data intelligence Active CN114500009B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210026475.2A CN114500009B (en) 2022-01-11 2022-01-11 Network security analysis method and system applied to big data intelligence

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210026475.2A CN114500009B (en) 2022-01-11 2022-01-11 Network security analysis method and system applied to big data intelligence

Publications (2)

Publication Number Publication Date
CN114500009A true CN114500009A (en) 2022-05-13
CN114500009B CN114500009B (en) 2022-11-04

Family

ID=81509934

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210026475.2A Active CN114500009B (en) 2022-01-11 2022-01-11 Network security analysis method and system applied to big data intelligence

Country Status (1)

Country Link
CN (1) CN114500009B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115080963A (en) * 2022-07-07 2022-09-20 济南开耀网络技术有限公司 Intelligent financial data protection method based on cloud computing and server

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180219891A1 (en) * 2017-02-02 2018-08-02 Aetna Inc. Individualized cybersecurity risk detection using multiple attributes
US10432605B1 (en) * 2012-03-20 2019-10-01 United Services Automobile Association (Usaa) Scalable risk-based authentication methods and systems
CN113329017A (en) * 2021-05-28 2021-08-31 江苏骏安信息测评认证有限公司 Network security risk detection system and method
CN113364881A (en) * 2021-06-25 2021-09-07 东莞市汇学汇玩教育科技有限公司 Cloud service interaction analysis method applied to big data, server and storage medium
CN113765909A (en) * 2021-09-01 2021-12-07 梁成敏 Big data detection method and system for coping with intelligent education data wind control
CN113888181A (en) * 2021-10-25 2022-01-04 支付宝(杭州)信息技术有限公司 Business processing and risk detection strategy system construction method, device and equipment

Also Published As

Publication number Publication date
CN114500009B (en) 2022-11-04

Similar Documents

Publication Publication Date Title
Yu et al. Deescvhunter: A deep learning-based framework for smart contract vulnerability detection
CN106828362B (en) Safety testing method and device for automobile information
CN112437439B (en) Hot spot sharing method based on artificial intelligence and feature analysis and big data cloud platform
CN107330311A (en) A kind of method and apparatus of man-machine identification
CN114500009B (en) Network security analysis method and system applied to big data intelligence
CN113032792A (en) System service vulnerability detection method, system, equipment and storage medium
CN110990362A (en) Log query processing method and device, computer equipment and storage medium
CN114553523A (en) Attack detection method and device based on attack detection model, medium and equipment
CN115238828A (en) Chromatograph fault monitoring method and device
CN114218568A (en) Big data attack processing method and system applied to cloud service
CN111563016A (en) Log collection and analysis method and device, computer system and readable storage medium
Yu et al. Towards automatically reverse engineering vehicle diagnostic protocols
CN107819758A (en) A kind of IP Camera leak remote detecting method and device
CN117254945A (en) Vulnerability tracing method and device based on automobile attack link
CN114168949B (en) Application software anomaly detection method and system applied to artificial intelligence
CN115526551A (en) Agricultural product traceability data processing method based on artificial intelligence and cloud platform
CN115203697A (en) File detection method, device and equipment and readable storage medium
CN115310087A (en) Website backdoor detection method and system based on abstract syntax tree
CN114662097A (en) CSV file injection attack detection method and device, electronic equipment and storage medium
CN114091699A (en) Power communication equipment fault diagnosis method and system
CN117077210B (en) Financial data query method and system
CN117278992B (en) Safety testing system for multi-layer unmanned aerial vehicle system
CN116383020B (en) Internet data analysis management system and method based on blockchain
CN113127603B (en) Intellectual property case source identification method, device, equipment and storage medium
CN115695032B (en) Network security detection system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220606

Address after: 266000 household 602, unit 1, building 2, No. 4, Chenghai Road, Shinan District, Qingdao, Shandong Province

Applicant after: Qingdao Yijia Shiyun Computer Co.,Ltd.

Address before: 313000 No. 13, Fusheng Road, Zhili Town, Wuxing District, Huzhou City, Zhejiang Province

Applicant before: Huzhou Deyun Network Technology Co.,Ltd.

TA01 Transfer of patent application right

Effective date of registration: 20220913

Address after: No. 18-1, Shanghang Road, Shinan District, Qingdao City, Shandong Province, 266000

Applicant after: Li Jing

Address before: 266000 household 602, unit 1, building 2, No. 4, Chenghai Road, Shinan District, Qingdao, Shandong Province

Applicant before: Qingdao Yijia Shiyun Computer Co.,Ltd.

TA01 Transfer of patent application right

Effective date of registration: 20221019

Address after: 311100 Room 302-1, Building 1, Yangfan Business Center, Liangzhu Street, Yuhang District, Hangzhou City, Zhejiang Province (self declared)

Applicant after: Hangzhou Zeao Network Technology Co.,Ltd.

Address before: No. 18-1, Shanghang Road, Shinan District, Qingdao City, Shandong Province, 266000

Applicant before: Li Jing

GR01 Patent grant