Disclosure of Invention
In view of this, the embodiment of the present application provides a network security analysis method and system applied to big data intelligence.
According to an aspect of the present application, there is provided a network security analysis method applied to big data intelligence, including: determining a first cloud session risk detection result; determining not less than one indication type session risk detection result of the first cloud session risk detection result, wherein the indication type session risk detection result carries indication type big data of a target cloud service interaction event in the first cloud session risk detection result; and performing supervised derivation processing on the first cloud session risk detection result through the not less than one indication type session risk detection result of the first cloud session risk detection result to obtain a derived risk detection result. With this design, the derivation processing of the first cloud session risk detection result can be started through the indication type session risk detection result. Even if part of the information of the first cloud session risk detection result is lost, a derived risk detection result that is as complete and rich as possible can still be obtained, because the indication type session risk detection result is integrated. The quality of the derivation processing is thereby guaranteed, so that potential and hidden session risks can be mined as far as possible, the reliability of cloud session risk detection can be ensured, and a solid analysis basis and decision basis are provided for network security protection.
Under some possible design considerations, determining not less than one indication type session risk detection result of the first cloud session risk detection result includes: determining session risk distribution of the first cloud session risk detection result; and determining, through the session risk distribution of the first cloud session risk detection result, an indication type session risk detection result bound with the target cloud service interaction event and not less than one target online service behavior. With this design, indication type session risk detection results for different target online service behaviors can be obtained according to different session risk distributions, and indication type session risk detection results with higher reliability can be provided based on the session risk distributions.
Under some possible design ideas, the obtaining a derivative risk detection result by performing supervised derivative processing on the first cloud session risk detection result through not less than one indication type session risk detection result of the first cloud session risk detection result includes: combining the current network state of the target cloud service interaction event in the first cloud session risk detection result, starting conversion processing on the at least one indication type session risk detection result, and obtaining a mapping session risk detection result corresponding to the indication type session risk detection result in the current network state; determining a local session risk detection result of the at least one target online service behavior from a mapping session risk detection result corresponding to the indication type session risk detection result through the at least one target online service behavior bound with the target cloud service interaction event in the at least one indication type session risk detection result; and obtaining the derived risk detection result based on the determined local session risk detection result and the first cloud session risk detection result. By the design, the network state of the cloud service interaction event in the indication type session risk detection result can be adjusted according to the network state of the target cloud service interaction event in the first cloud session risk detection result, so that the online business behavior bound with the target cloud service interaction event in the indication type session risk detection result can be adjusted to be the network state of the target cloud service interaction event, and when derivative processing is started, the efficiency of derivative processing can be improved.
Under some possible design considerations, the obtaining the derived risk detection result based on the determined local session risk detection result and the first cloud session risk detection result includes: and changing the online business behavior corresponding to the target online business behavior in the local session risk detection result in the first cloud session risk detection result by combining the determined local session risk detection result to obtain the derivative risk detection result, or performing potential feature mining operation on the local session risk detection result and the first cloud session risk detection result to obtain the derivative risk detection result. By the design, different derivation treatment strategies can be provided, and the quality of derivation treatment can be further guaranteed.
Under some possible design ideas, the obtaining a derivative risk detection result by performing supervised derivative processing on the first cloud session risk detection result through not less than one indication type session risk detection result of the first cloud session risk detection result includes: starting hotspot risk detection derivative operation on the first cloud session risk detection result to obtain a second cloud session risk detection result, wherein the feature recognition degree of the second cloud session risk detection result is greater than that of the first cloud session risk detection result; combining the current network state of the target cloud service interaction event in the second cloud session risk detection result, and enabling conversion processing on the at least one indication type session risk detection result to obtain a mapping session risk detection result corresponding to the indication type session risk detection result in the current network state; determining a local session risk detection result of the at least one target online service behavior from a mapping session risk detection result corresponding to the indication type session risk detection result through the at least one target online service behavior bound with the cloud service interaction event in the at least one indication type session risk detection result; and obtaining the derived risk detection result based on the determined local session risk detection result and the second cloud session risk detection result. 
By the design, the accuracy of the first cloud session risk detection result can be improved through hotspot risk detection and derivation operation, the second cloud session risk detection result is obtained, conversion adjustment of the indication type session risk detection result is started according to the second cloud session risk detection result, and the accuracy of the derived risk detection result can be further improved when conversion processing and subsequent derivation processing are started because the feature recognition degree of the second cloud session risk detection result is greater than that of the first cloud session risk detection result.
Under some possible design considerations, the obtaining the derived risk detection result based on the determined local session risk detection result and the second cloud session risk detection result includes: and changing the online business behavior corresponding to the target online business behavior in the local session risk detection result in the second cloud session risk detection result by combining the determined local session risk detection result to obtain the derivative risk detection result, or performing potential feature mining operation on the local session risk detection result and the second cloud session risk detection result to obtain the derivative risk detection result. By the design, different derivation treatment strategies can be provided, and the quality of derivation treatment can be further guaranteed.
Under some possible design considerations, the method further comprises: and starting authentication authority analysis by combining the derived risk detection result, and determining authentication authority information bound with the cloud service interaction event. Due to the design, compared with the first cloud session risk detection result, the derived risk detection result can obviously improve the precision and has multi-dimensional local information, the authentication authority analysis is started based on the derived risk detection result, and the analysis result can be timely and accurately obtained.
Under some possible design ideas, the hotspot risk detection derivative operation is enabled on the first cloud session risk detection result by a first machine learning model to obtain the second cloud session risk detection result, and the method further includes a step of debugging the first machine learning model, which includes: determining a first debugging type session risk detection result set, wherein the first debugging type session risk detection result set covers a plurality of first debugging type session risk detection results and first annotation information corresponding to the first debugging type session risk detection results; transmitting not less than one first debugging type session risk detection result in the first debugging type session risk detection result set to the first machine learning model to start the hotspot risk detection derivation operation, so as to obtain a test type hotspot risk detection result corresponding to the first debugging type session risk detection result; respectively transmitting the test type hotspot risk detection results to a first detection disturbance layer, a first description analysis layer and a first detection result disassembly layer to obtain a distinguishing condition, a description analysis condition and a detection result disassembly condition for the test type hotspot risk detection results; and obtaining a first model expected deviation according to the distinguishing condition, the description analysis condition and the detection result disassembly condition of the test type hotspot risk detection result, and feeding back and optimizing the model variable of the first machine learning model through the first model expected deviation until the first model expected deviation accords with a first debugging index.
By the design, the first machine learning model can be assisted to be debugged based on the detection disturbance layer, the description analysis layer and the detection result disassembly layer, and on the basis of improving the precision of the machine learning model, the first machine learning model can also accurately analyze each local information of the cloud session risk detection result.
Under some possible design considerations, obtaining the expected deviation of the first model according to the distinguishing condition, the description analysis condition, and the detection result disassembly condition of the test type hotspot risk detection result corresponding to the first debugging type session risk detection result includes: determining a first risk content offset according to a test type hotspot risk detection result corresponding to the first debugging type session risk detection result and a first basic cloud session risk detection result corresponding to the first debugging type session risk detection result in the first annotation information; obtaining a first disturbance offset according to the distinguishing condition of the test type hotspot risk detection result and the distinguishing condition of the first detection disturbance layer on the first basic cloud session risk detection result; determining a first confidence degree offset through regression operation of the test type hotspot risk detection result and the first basic cloud session risk detection result; obtaining a first global hotspot distribution deviation according to the description and analysis condition of the test type hotspot risk detection result and a first basic label in the first annotation information; obtaining a first disassembly offset according to a detection result disassembly condition of the test type hot spot risk detection result and a first basic disassembly condition corresponding to a first debugging example in the first annotation information; and combining the integration results of the first disturbance offset, the first risk content offset, the first confidence coefficient offset, the first global hot spot distribution offset and the first dismantling offset to obtain the expected offset of the first model. 
By designing in this way, because different degrees of deviation are provided, the performance evaluation of the machine learning model can be improved through each deviation.
Under some possible design ideas, the supervised derivation process is enabled by a second machine learning model to obtain the derived risk detection result, and the method further comprises a step of debugging the second machine learning model, which comprises: determining a second debugging type session risk detection result set, wherein the second debugging type session risk detection result set comprises a second debugging type session risk detection result, an indication type debugging type session risk detection result corresponding to the second debugging type session risk detection result and second annotation information; converting the indication type debugging type session risk detection result by combining the second debugging type session risk detection result to obtain a debugging mapping session risk detection result, transmitting the debugging mapping session risk detection result and the second debugging type session risk detection result into the second machine learning model, and starting supervision derivation processing on the second debugging type session risk detection result to obtain a test type derivation risk detection result of the second debugging type session risk detection result; respectively transmitting the test type derived risk detection results to a second detection disturbance layer, a second description analysis layer and a second detection result dismantling layer to obtain a distinguishing condition, a description analysis condition and a detection result dismantling condition aiming at the test type derived risk detection results; and obtaining a second model expected deviation of the second machine learning model according to the distinguishing condition, the description analysis condition and the detection result disassembling condition of the test type derived risk detection result, and feeding back and optimizing the model variable of the second machine learning model through the second model expected deviation until a second debugging index is met.
By the design, the second machine learning model can be assisted to debug based on the detection disturbance layer, the description analysis layer and the detection result disassembly layer, and on the basis of improving the precision of the machine learning model, accurate analysis of each local information of the cloud session risk detection result by the second machine learning model can also be realized.
Under some possible design considerations, obtaining a second model expected offset of the second machine learning model according to a distinguishing condition, a description analysis condition, and a detection result disassembly condition of a test-type derived risk detection result corresponding to the debugging-type session risk detection result includes: obtaining a first expected deviation and a second expected deviation according to the distinguishing condition, the description analysis condition and the detection result disassembly condition of the test type derivative risk detection result corresponding to the second debugging type session risk detection result; and obtaining the expected offset of the second model through the integrated result of the first expected offset and the second expected offset. By designing in this way, because different degrees of deviation are provided, the performance evaluation of the machine learning model can be improved through each deviation.
Under some possible design ideas, obtaining a first expected offset through a distinguishing condition, a description analysis condition and a detection result disassembly condition of a test type derived risk detection result corresponding to the debugging type session risk detection result, including: determining a second risk content offset according to a test type derived risk detection result corresponding to the second debugging type session risk detection result and a second basic cloud session risk detection result corresponding to the second debugging type session risk detection result in the second annotation information; obtaining a second disturbance offset according to the distinguishing condition of the test type derived risk detection result and the distinguishing condition of the second detection disturbance layer on the second basic cloud session risk detection result; determining a second confidence offset by regression operation of the test-type derived risk detection result and the second base cloud session risk detection result; obtaining a second global hotspot distribution deviation according to the description and analysis condition of the test type derived risk detection result and a second basic label in the second annotation information; obtaining a second disassembly offset according to the disassembly condition of the detection result of the test-type derived risk detection result and the second basic disassembly condition in the second annotation information; and combining the integration results of the second disturbance offset, the second risk content offset, the second confidence coefficient offset, the second global hot spot distribution offset and the second dismantling offset to obtain the first expected offset. By designing in this way, because different degrees of deviation are provided, the performance evaluation of the machine learning model can be improved through each deviation.
Under some possible design ideas, obtaining a second expected offset through the distinguishing condition, the description analysis condition and the detection result disassembly condition of the test type derived risk detection result corresponding to the debugging type session risk detection result includes: determining a local session risk detection result of not less than one online business behavior in the test type derived risk detection result, and respectively transmitting the local session risk detection result of the at least one online business behavior to a detection disturbance layer, a description analysis layer and a detection result disassembly layer to obtain the distinguishing condition, the description analysis condition and the detection result disassembly condition of the local session risk detection result of the at least one online business behavior; determining a third disturbance offset of the at least one online business behavior according to the distinguishing condition of the local session risk detection result of the at least one online business behavior and the distinguishing condition, by the second detection disturbance layer, of the local session risk detection result of the at least one online business behavior in the second basic cloud session risk detection result; obtaining a third global hotspot distribution offset of the at least one online business behavior according to the description analysis condition of the local session risk detection result of the at least one online business behavior and the basic label of the at least one online business behavior in the second annotation information; obtaining a third disassembly offset of the at least one online business behavior according to the detection result disassembly condition of the local session risk detection result of the at least one online business behavior and the basic disassembly condition of the at least one online business behavior in the second annotation information; and combining the integration result of the third disturbance offset, the third global hotspot distribution offset and the third disassembly offset of the at least one online business behavior to obtain the second expected offset of the machine learning model. With this design, the performance evaluation of the machine learning model can be further improved based on the characteristic deviation of each online business behavior.
According to another aspect of the present application, there is also provided a network security analysis system, including a processor, a network module, and a memory; the processor and the memory communicate through the network module, and the processor reads the computer program from the memory and operates to perform the above-described method.
Compared with the prior art, the network security analysis method and the network security analysis system applied to big data intelligence provided by the embodiment of the application have the following technical effects. The method can start the derivation processing of the first cloud session risk detection result by combining not less than one indication type session risk detection result. Because the indication type session risk detection result comprises the local description information of the first cloud session risk detection result, the accuracy of the obtained derived risk detection result is improved relative to the first cloud session risk detection result. Even if part of the information is lost in the first cloud session risk detection result, an accurate derived risk detection result can be generated by integrating the indication type session risk detection result. In other words, the method can quickly start the derivation processing of the cloud session risk detection result by combining a plurality of indication type session risk detection results to obtain a cloud session risk detection result of higher quality.
Detailed Description
The network security analysis system 10 in the embodiment of the present application may be a server with data storage, transmission, and processing functions. As shown in FIG. 1, the network security analysis system 10 includes a memory 11, a processor 12, a network module 13 and a network security analysis device 20 applied to big data intelligence.
The memory 11, the processor 12 and the network module 13 are electrically connected directly or indirectly to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The memory 11 stores the network security analysis device 20 applied to big data intelligence, which comprises at least one software function module that can be stored in the memory 11 in the form of software or firmware. The processor 12 executes various function applications and data processing by running the software programs and modules stored in the memory 11, such as the network security analysis device 20 applied to big data intelligence in the embodiment of the present application, so as to implement the network security analysis method applied to big data intelligence in the embodiment of the present application.
The memory 11 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The memory 11 is used for storing a program, and the processor 12 executes the program after receiving an execution instruction.
The processor 12 may be an integrated circuit chip having data processing capabilities. The processor 12 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like, and may implement or perform the various methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor or any conventional processor or the like.
The network module 13 is used for establishing communication connection between the network security analysis system 10 and other communication terminal devices through a network, and implementing transceiving operation of network signals and data. The network signal may include a wireless signal or a wired signal.
It will be appreciated that the configuration shown in FIG. 1 is merely illustrative, and that network security analysis system 10 may include more or fewer components than shown in FIG. 1, or may have a different configuration than shown in FIG. 1. The components shown in FIG. 1 may be implemented in hardware, software, or a combination thereof.
An embodiment of the present application further provides a computer storage medium, where a computer program is stored, and the computer program implements the method when running.
Fig. 1 shows a flowchart of a network security analysis method applied to big data intelligence provided by an embodiment of the present application. The method steps defined by the related procedures of the method are applied to the network security analysis system 10 and can be realized by the processor 12, and the method comprises the technical scheme recorded in the following Step10 to Step30.
Step10: determining a first cloud session risk detection result.
In the embodiment of the application, the first cloud session risk detection result can be understood as the to-be-processed cloud session risk detection result, and the cloud service interaction event corresponding to the to-be-processed cloud session risk detection result, that is, the first cloud session risk detection result, can be obtained first. In addition, the first cloud session risk detection result may include target cloud service interaction events of target categories. For example, the target cloud service interaction event in the embodiment of the application can be a government-enterprise cloud service interaction event; that is, derivative processing of a government-enterprise cloud session risk detection result can be achieved through the embodiment of the application, so that network security threats in the first cloud session risk detection result can be conveniently analyzed.
Step20: determining not less than one indication type session risk detection result of the first cloud session risk detection result, wherein the indication type session risk detection result carries indication type big data of a target cloud service interaction event in the first cloud session risk detection result.
In this embodiment of the application, not less than one corresponding indication type session risk detection result may be set for the first cloud session risk detection result. The indication type session risk detection result carries indication type big data (guidance information or prompt information) of the target cloud service interaction event in the first cloud session risk detection result; for example, it may include indication type big data of not less than one target online business behavior of the target cloud service interaction event. If the target cloud service interaction event is a government-enterprise event, the indication type session risk detection result may include a cloud session risk detection result of not less than one online business behavior of the network threat bound to the authentication authority of the target cloud service interaction event. In addition, the indication type session risk detection result in the embodiment of the application is a cloud session risk detection result with high feature recognition degree, so that the precision and accuracy of the derived risk detection result can be improved.
In some possible embodiments, the indication type session risk detection result bound with the first cloud session risk detection result may be received directly from a third party, or may be obtained according to acquired session risk distribution of the target cloud service interaction event. The session risk distribution may include not less than one group of significant contents of the target cloud service interaction event. For example, when the target cloud service interaction event is a government-enterprise cloud service interaction event, the session risk distribution may include the significant content (which may be understood as feature information) of not less than one group of target online business behaviors of the government-enterprise cloud service interaction event. Alternatively, the session risk distribution may directly include a global session risk distribution of the target cloud service interaction event in the first cloud session risk detection result, for example, when the target cloud service interaction event is a cloud service interaction event with a certain known authentication authority. Through the session risk distribution, it is possible to determine a similar cloud session risk detection result for not less than one target online service behavior of the target cloud service interaction event in the first cloud session risk detection result, or a cloud session risk detection result including the same cloud service interaction event as that in the first cloud session risk detection result. The similar cloud session risk detection results, or the cloud session risk detection results including the same cloud service interaction event, so obtained can be used as indication type session risk detection results.
Step30: performing supervised derivative processing on the first cloud session risk detection result through not less than one indication type session risk detection result of the first cloud session risk detection result to obtain a derivative risk detection result.
In the embodiment of the application, after not less than one indication type session risk detection result corresponding to the first cloud session risk detection result is obtained, the derivative processing of the first cloud session risk detection result can be started by combining the obtained not less than one cloud session risk detection result. Because the indication type session risk detection result includes the indication type big data (which can be understood as the guiding information) of not less than one target online service behavior of the target cloud service interaction event in the first cloud session risk detection result, the first cloud session risk detection result can be subjected to supervised derivation processing according to the indication type big data. Even if the first cloud session risk detection result is a cloud session risk detection result with a certain information defect, a more accurate derived risk detection result can be obtained by combining the indication type big data. (Here, derivation of a risk detection result can be understood as an extension or enrichment of that result.)
Under some possible design ideas, the indication type session risk detection result of the corresponding target online service behavior can be directly changed into the first cloud session risk detection result to obtain a derived risk detection result. For example, when the indication type session risk detection result includes the indication type session risk detection result of the qualification handling branch, the indication type session risk detection result of the qualification handling branch may be changed to the first cloud session risk detection result. In this way, the corresponding indication type session risk detection result can be directly changed into the first cloud session risk detection result to derive the cloud session risk detection result. The indication type big data of the indication type session risk detection results can thus be conveniently counted into the first cloud session risk detection result, realizing derivative processing of the first cloud session risk detection result; and because the indication type session risk detection result is a high-quality cloud session risk detection result, the obtained derived risk detection result is also a high-quality cloud session risk detection result.
Under some possible design ideas, the derived risk detection result can be obtained based on the potential feature mining operation of the indication type session risk detection result and the first cloud session risk detection result.
Under some possible design ideas, the network state of the cloud service interaction event in an obtained indication type session risk detection result may be different from the network state of the target cloud service interaction event in the first cloud session risk detection result. In that case, each indication type session risk detection result needs to be paired with the first cloud session risk detection result: the network state of the cloud service interaction event in the indication type session risk detection result is adjusted to be consistent with the network state of the target cloud service interaction event in the first cloud session risk detection result, and the derivation processing of the first cloud session risk detection result is then started by combining the indication type session risk detection result after the network state is adjusted. This process can improve the accuracy of the obtained derived risk detection result.
Therefore, the embodiment of the application can quickly realize the derivation processing of the first cloud session risk detection result based on the first cloud session risk detection result and not less than one indication type session risk detection result, the obtained derivation risk detection result can be counted to the indication type big data of each indication type session risk detection result, and meanwhile, the quality can be improved to a certain extent.
It is to be understood that the embodiments of the present application will be described in detail with reference to the following examples.
For an independently implementable embodiment, determining not less than one indication type session risk detection result of the first cloud session risk detection result, as recorded at Step20, may illustratively include the content described at Step21 and Step22.
Step21, determining the session risk distribution of the first cloud session risk detection result.
In this embodiment of the application, the session risk distribution of the first cloud session risk detection result may include the significance content (or feature session risk distribution, feature map) of not less than one target online business behavior of the target cloud service interaction event in the first cloud session risk detection result. For example, on the premise that the target cloud service interaction event is a government and enterprise service interaction event, the session risk distribution may include the significance content of not less than one of the set of target online business behaviors of the target cloud service interaction event. Or, the session risk distribution may also include authentication authority information of the cloud service interaction event in the first cloud session risk detection result, and the authentication authority information may include information for determining authentication authority of the cloud service interaction event. The above description is only an exemplary description of the session risk distribution and does not limit the session risk distribution of the present application; other information related to the cloud service interaction event may also be used as the session risk distribution.
Under some possible design considerations, the method for determining the session risk distribution may include at least one of the following: receiving a session risk distribution input by a third party, and/or receiving a cloud session risk detection result with annotation information (the part annotated by the annotation information is a target online business behavior bound with a target cloud service interaction event in the first cloud session risk detection result). In other embodiments, the session risk distribution may also be received in other manners, which is not further limited in this application.
Step22, determining, through the session risk distribution of the first cloud session risk detection result, an indication type session risk detection result bound with the target online business behavior of the cloud service interaction event.
In the embodiment of the application, after the session risk distribution is obtained, the indication type session risk detection result bound with the cloud service interaction event in the first cloud session risk detection result can be determined according to the session risk distribution. When the session risk distribution carries the session risk distribution of the cloud service interaction event which is not lower than one target online business behavior, the bound indication type session risk detection result can be determined based on the session risk distribution of each target online business behavior. The information set can comprise not less than one cloud session risk detection result of multiple cloud service interaction events, so that corresponding indication type session risk detection results can be conveniently determined based on session risk distribution.
Under some possible design considerations, the session risk distribution may also include authentication authority information about the cloud service interaction event _1 in the first cloud session risk detection result, and at this time, the cloud session risk detection result bound to the authentication authority information may be selected from the information set based on the authentication authority information as an indication type session risk detection result.
Therefore, an indication type session risk detection result bound with the target online business behavior of the cloud service interaction event in the first cloud session risk detection result can be determined based on the session risk distribution, and the accuracy of the determined cloud session risk detection result can be improved by performing derivation processing on the cloud session risk detection result in combination with the indication type session risk detection result.
It can be understood that after the indication type session risk detection result is obtained, derivative processing of the cloud session risk detection result can be started according to the indication type session risk detection result. Besides directly changing the indication type session risk detection result to the corresponding target online business behavior of the first cloud session risk detection result, the embodiment of the present application can also start change or flip processing after conversion processing is started on the indication type session risk detection result, and thereby obtain the derivative risk detection result.
For an independently implementable embodiment, performing supervised derivative processing on the first cloud session risk detection result through not less than one indication type session risk detection result of the first cloud session risk detection result to obtain a derivative risk detection result, as recorded at Step30, may exemplarily include the content recorded in Step31-Step33.
Step31, combining the current network state of the target cloud service interaction event in the first cloud session risk detection result, starting conversion processing on the at least one indication type session risk detection result, and obtaining a mapping session risk detection result corresponding to the indication type session risk detection result in the current network state.
In this embodiment of the application, since the network state of the cloud service interaction event of the obtained indication type session risk detection result about the cloud service interaction event in the first cloud session risk detection result may be different from the network state of the cloud service interaction event in the first cloud session risk detection result, at this time, each indication type session risk detection result needs to be paired with the first cloud session risk detection result, that is, the network state of the cloud service interaction event in the indication type session risk detection result is the same as the network state of the target cloud service interaction event in the first cloud session risk detection result.
The embodiment of the application can start conversion processing on the indication type session risk detection result by combining a conversion processing method, and the network state of the cloud service interaction event in the indication type session risk detection result (which can be understood as a mapping session risk detection result) after the conversion processing is the same as the network state of the target cloud service interaction event in the first cloud session risk detection result.
In this way, not less than one mapping session risk detection result (one mapping session risk detection result is obtained after each indication type session risk detection result is subjected to mapping processing) with the same network state as that in the first cloud session risk detection result can be obtained, and the mapping session risk detection result and the first cloud session risk detection result are paired.
Step32, determining a local session risk detection result of the at least one target online business behavior from a mapping session risk detection result corresponding to the indication type session risk detection result through the at least one target online business behavior bound with the target cloud service interaction event in the at least one indication type session risk detection result.
In this embodiment of the application, the obtained indication type session risk detection result is a cloud session risk detection result bound to at least one target online service behavior in the first cloud session risk detection result. Therefore, after the mapping session risk detection results corresponding to the indication type session risk detection results are obtained through conversion processing, a local session risk detection result of the indication type online service behavior may be determined from the mapping session risk detection results based on the indication type online service behavior (the target online service behavior bound to the cloud service interaction event) corresponding to each indication type session risk detection result. That is, the local session risk detection result of the target online service behavior bound to the cloud service interaction event in the first cloud session risk detection result is split from the mapping session risk detection results. For example, when a target online service behavior bound to a cloud service interaction event in an indication type session risk detection result is image-text verification, a local session risk detection result of the image-text verification online service behavior can be determined from a mapping session risk detection result corresponding to the indication type session risk detection result. Therefore, the local session risk detection result bound with the online business behavior of the cloud service interaction event in the first cloud session risk detection result can be obtained.
Step33, obtaining the derived risk detection result based on the determined local session risk detection result and the first cloud session risk detection result.
In the embodiment of the application, after the local session risk detection result of the target cloud service interaction event not less than one target online service behavior is obtained, the obtained local session risk detection result and the first cloud session risk detection result may be combined to perform derivative processing on the cloud session risk detection result, so as to obtain a derivative risk detection result.
Under some possible design ideas, each local session risk detection result can be bound with not less than one target online business behavior in the cloud service interaction event of the first cloud session risk detection result, and the cloud session risk detection result of the online business behavior bound in the local session risk detection result can be changed to the corresponding online business behavior in the first cloud session risk detection result. For example, when the image-text verification of the local session risk detection result is bound with the cloud service interaction event, the cloud session risk detection result set of the image-text verification in the local session risk detection result can be changed to the image-text verification online business behavior in the first cloud session risk detection result; and when the password verification of the local session risk detection result is bound with the cloud service interaction event, the cloud session risk detection result set of the password verification in the local session risk detection result can be changed to the corresponding online business behavior in the first cloud session risk detection result. Based on similar thinking, the cloud session risk detection result of each online business behavior bound with the cloud service interaction event in the determined local session risk detection results can be changed to the corresponding online business behavior in the first cloud session risk detection result, and finally a derivative risk detection result can be obtained.
Or, under some possible design ideas, the derived risk detection result may also be obtained through potential feature mining operations of the local session risk detection result and the first cloud session risk detection result.
It can be understood that each local session risk detection result and the first cloud session risk detection result may be transmitted to the RNN, at least one potential feature mining operation is enabled, feature integration of the cloud session risk detection results is realized, and finally, an integrated description content is obtained, based on which a derivative risk detection result corresponding to the integrated description content may be obtained. Therefore, the feature recognition degree of the first cloud session risk detection result can be improved, and meanwhile, an accurate derived risk detection result is obtained.
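An added illustration of the direct-replacement variant of Step31-Step33 (not code from the application). The per-behavior score model, the `STATE_SCALE` table, the state names and all class and function names are assumptions made for this example; only the behavior names come from the text above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: every network state has its own score scale, so scores are only
# comparable once expressed on the same scale. States and factors are made up.
STATE_SCALE: Dict[str, float] = {"intranet": 1.0, "public": 1.25}


@dataclass(frozen=True)
class DetectionResult:
    network_state: str
    # behavior name -> risk score in [0, 1]; None marks lost information
    scores: Dict[str, Optional[float]]


@dataclass(frozen=True)
class IndicationResult(DetectionResult):
    bound_behavior: str  # the target online business behavior this result guides


def convert_to_state(ind: IndicationResult, target_state: str) -> IndicationResult:
    """Step31: produce the mapping result in the first result's network state."""
    for state in (ind.network_state, target_state):
        if state not in STATE_SCALE:
            raise ValueError(f"unknown network state: {state!r}")
    factor = STATE_SCALE[target_state] / STATE_SCALE[ind.network_state]
    mapped = {
        behavior: None if score is None else min(1.0, round(score * factor, 6))
        for behavior, score in ind.scores.items()
    }
    return IndicationResult(target_state, mapped, ind.bound_behavior)


def local_result(mapped: IndicationResult) -> Optional[float]:
    """Step32: split out only the entry of the bound behavior."""
    return mapped.scores.get(mapped.bound_behavior)


def derive(first: DetectionResult, indications: List[IndicationResult]) -> DetectionResult:
    """Step33 (direct replacement): change each local result into the first result."""
    derived = dict(first.scores)  # copy, the first result itself is left untouched
    for ind in indications:
        if ind.bound_behavior not in first.scores:
            continue  # not a behavior of the target interaction event
        local = local_result(convert_to_state(ind, first.network_state))
        if local is not None:  # an indication result with no data cannot guide
            derived[ind.bound_behavior] = local
    return DetectionResult(first.network_state, derived)


# Constructed sample data: the first result has lost its image-text entry.
FIRST = DetectionResult(
    "public",
    {"image_text_verification": None,
     "password_verification": 0.2,
     "qualification_handling": 0.7},
)
INDICATIONS = [
    # observed in another network state; its password entry must not leak through
    IndicationResult("intranet",
                     {"image_text_verification": 0.4, "password_verification": 0.9},
                     "image_text_verification"),
    IndicationResult("public", {"password_verification": 0.6}, "password_verification"),
    # bound behavior carries no data, so the first result's value is kept
    IndicationResult("public", {"qualification_handling": None}, "qualification_handling"),
]

if __name__ == "__main__":
    print(derive(FIRST, INDICATIONS))
```
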
In other embodiments of the present application, in order to further improve the accuracy and quality of the cloud session risk detection result of the derivative risk detection result, a hotspot risk detection derivative operation may be performed on the first cloud session risk detection result to obtain a second cloud session risk detection result with higher feature recognition degree than the first cloud session risk detection result, and the cloud session risk detection result is enabled to perform derivative processing by combining the second cloud session risk detection result to obtain the derivative risk detection result.
Based on this, performing supervised derivative processing on the first cloud session risk detection result through not less than one indication type session risk detection result of the first cloud session risk detection result to obtain a derivative risk detection result, as recorded at Step30, may further include the contents described at Step301-Step304.
Step301, starting hotspot risk detection derivative operation on the first cloud session risk detection result to obtain a second cloud session risk detection result, wherein the feature recognition degree of the second cloud session risk detection result is greater than that of the first cloud session risk detection result.
In the embodiment of the application, on the premise that the first cloud session risk detection result is obtained, hotspot risk detection derivative operation can be started on the first cloud session risk detection result, so that the second cloud session risk detection result with higher feature recognition degree is obtained. And the hotspot risk detection deriving operation can derive the cloud session risk detection result with higher feature recognition degree through the cloud session risk detection result or the cloud session risk detection result set with relatively lower feature recognition degree. The cloud session risk detection result with the higher feature recognition degree represents that the cloud session risk detection result has more local description information and more accurate detection labels.
It is to be appreciated that enabling the hotspot risk detection derivative operation may include: enabling upsampling processing on the first cloud session risk detection result to improve the accuracy of the cloud session risk detection result, and enabling at least one potential feature mining operation (which can be understood as moving average processing) on the cloud session risk detection result obtained through upsampling, to obtain the cloud session risk detection result after the hotspot risk detection derivative operation, namely the second cloud session risk detection result.
Step302, combining the current network state of the target cloud service interaction event in the second cloud session risk detection result, starting conversion processing on the at least one indication type session risk detection result, and obtaining a mapping session risk detection result corresponding to the indication type session risk detection result in the current network state.
In this embodiment of the application, as in Step31, the second cloud session risk detection result is a cloud session risk detection result whose feature recognition degree is improved relative to the first cloud session risk detection result, and the network state of the target cloud service interaction event in the second cloud session risk detection result may also be different from the network state of an indication type session risk detection result. Therefore, before derivative processing is started, the indication type session risk detection result may be converted and adjusted according to the network state of the target cloud service interaction event in the second cloud session risk detection result, so as to obtain a mapping session risk detection result with the same network state as the target cloud service interaction event in the second cloud session risk detection result.
Step303, determining a local session risk detection result of the at least one target online service behavior from a mapping session risk detection result corresponding to the indication type session risk detection result through the at least one target online service behavior bound with the cloud service interaction event in the at least one indication type session risk detection result.
In this embodiment, as in Step32, since the obtained indication type session risk detection result is a cloud session risk detection result bound to at least one target online service behavior in the second cloud session risk detection result, after the mapping session risk detection results corresponding to the indication type session risk detection results are obtained through conversion processing, the local session risk detection result of the indication type online service behavior may be determined from the mapping session risk detection results based on the indication type online service behavior corresponding to each indication type session risk detection result (the target online service behavior bound to the cloud service interaction event), that is, the local session risk detection result of the target online service behavior bound to the cloud service interaction event in the first cloud session risk detection result is split from the mapping session risk detection results.
Step304, obtaining the derived risk detection result based on the determined local session risk detection result and the second cloud session risk detection result.
In the embodiment of the application, after the local session risk detection result of the target cloud service interaction event not less than one target online service behavior is obtained, cloud session risk detection result derivation processing can be performed by combining the obtained local session risk detection result and the second cloud session risk detection result to obtain a derived risk detection result.
Under some possible design ideas, each local session risk detection result can be bound with not less than one target online business behavior in the cloud service interaction event of the second cloud session risk detection result, and the cloud session risk detection result of the online business behavior bound in the local session risk detection result can be changed to the corresponding online business behavior in the second cloud session risk detection result. For example, when the image-text verification of the local session risk detection result is bound with the cloud service interaction event, the cloud session risk detection result set of the image-text verification in the local session risk detection result can be changed to the image-text verification online business behavior in the first cloud session risk detection result; and when the password verification of the local session risk detection result is bound with the cloud service interaction event, the cloud session risk detection result set of the password verification in the local session risk detection result can be changed to the corresponding online business behavior in the second cloud session risk detection result. Based on similar thinking, the cloud session risk detection result of each online business behavior bound with the cloud service interaction event in the determined local session risk detection results can be changed to the corresponding online business behavior in the second cloud session risk detection result, and finally a derivative risk detection result can be obtained.
Or, under some possible design ideas, the derived risk detection result may also be obtained through potential feature mining operations of the local session risk detection result and the second cloud session risk detection result. The local session risk detection results and the second cloud session risk detection result can be transmitted to the RNN, at least one potential feature mining operation is started, feature integration of the cloud session risk detection results is achieved, integration description content is obtained finally, and derivative risk detection results corresponding to the integration description content can be obtained based on the integration description content. Therefore, the feature recognition degree of the first cloud session risk detection result can be further improved through hotspot risk detection derivative operation, and meanwhile, a more accurate derivative risk detection result is obtained.
In the embodiment of the application, after the derived risk detection result of the first cloud session risk detection result is obtained, the authentication authority analysis of the cloud service interaction event in the cloud session risk detection result can be started by combining the derived risk detection result. The authentication authority information of a plurality of cloud service interaction events can be contained in the authentication authority information set, and the accuracy of the obtained authentication authority information is relatively improved due to the fact that the derived risk detection result is high in quality such as feature identification degree and quality.
For an independently implementable embodiment, a first cloud session risk detection result1 may be determined, the feature recognition degree of the first cloud session risk detection result1 is low, and the first cloud session risk detection result1 is introduced into a machine learning model network_a to enable a hotspot risk detection derivative operation, so as to obtain a second cloud session risk detection result2. After obtaining the second cloud session risk detection result2, a derivation process of the cloud session risk detection result may be implemented based on the second cloud session risk detection result. The indication type session risk detection result3 of the first cloud session risk detection result may be obtained, for example, each indication type session risk detection result3 may be obtained based on the session risk distribution of the first cloud session risk detection result1, and each mapping session risk detection result4 is obtained by enabling conversion processing on the indication type session risk detection result3 according to the network state of the cloud service interaction event in the second cloud session risk detection result2. And then, according to the online service behavior corresponding to the indication type session risk detection result, a local session risk detection result5 of the corresponding online service behavior can be determined from the mapping session risk detection result.
Further, derived risk detection results are obtained according to the local session risk detection results result5 and the second cloud session risk detection result2, wherein potential feature mining operations can be enabled for the local session risk detection results result5 and the second cloud session risk detection results result2 to obtain integrated description content, and the final derived risk detection result6 is obtained based on the integrated description content.
For a stand-alone embodiment, the process of debugging a machine learning model may illustratively include the description of Step51-Step54.
Step51, determining a first debugging type session risk detection result set, wherein the first debugging type session risk detection result set covers a plurality of first debugging type session risk detection results and first annotation information corresponding to the first debugging type session risk detection results.
Under some possible design ideas, the debugging type session risk detection result set can cover a plurality of first debugging type session risk detection results, and the plurality of first debugging type session risk detection results can be cloud session risk detection results with low feature recognition degrees. Correspondingly, the first debug-type session risk detection result set may further include annotation information (which may be understood as supervision information) corresponding to each first debug-type session risk detection result, and the first annotation information in the embodiment of the present application may be determined according to the model variable of the cost. For example, the first annotation information may include a first basic cloud session risk detection result (a cloud session risk detection result with higher quality or a standard cloud session risk detection result) corresponding to the first debug type session risk detection result, and a first basic label (a standard feature) of the first basic cloud session risk detection result.
Step52, transmitting not less than one first debugging type session risk detection result in the first debugging type session risk detection result set to the first machine learning model to enable the hot spot risk detection derivation operation, and obtaining a testing type hot spot risk detection result corresponding to the first debugging type session risk detection result.
In this embodiment of the application, when the first machine learning model is debugged, the cloud session risk detection results in the first debug type session risk detection result set may be transmitted to the first machine learning model together, or may be transmitted to the first machine learning model one by one, so as to obtain the test type hotspot risk detection results after the hotspot risk detection derivative operation corresponding to each first debug type session risk detection result, respectively.
Step53, inputting the test type hot spot risk detection result into a first detection disturbance layer, a first description analysis layer and a first detection result disassembly layer respectively, and obtaining the distinguishing situation, the description analysis situation and the detection result disassembly situation of the test type hot spot risk detection result corresponding to the first debugging type session risk detection result.
In the embodiment of the application, the debugging of the first machine learning model can be realized by combining a detection disturbance layer (an adversarial neural network), a description analysis layer (a feature extraction network) and a detection result disassembly layer (a segmentation network). The information derivation layer (generator) corresponds to the first machine learning model of the embodiments of the present application. The following takes as an example the case where the first machine learning model, as the information derivation layer, is the network part that enables the hotspot risk detection derivation operation.
The test type hot spot risk detection result output by the information derivation layer is transmitted into the detection disturbance layer, the description analysis layer and the detection result disassembly layer, to obtain a distinguishing condition (which can be understood as a distinguishing result), a description analysis condition (which can be understood as a feature identification result) and a detection result disassembly condition for the test type hot spot risk detection result corresponding to the debugging type session risk detection result. The distinguishing condition represents whether the first detection disturbance layer can analyze the actual conditions of the test type hotspot risk detection result and the marked cloud session risk detection result, the description analysis condition comprises the distribution analysis condition of an obvious operation link, and the detection result disassembly condition comprises information labels corresponding to all online business behaviors of the cloud service interaction event.
Step54, obtaining a first model expected deviation according to the distinguishing condition, the description analysis condition and the detection result disassembling condition of the test type hot spot risk detection result, and feeding back and optimizing the model variables of the first machine learning model through the first model expected deviation until the first model expected deviation meets a first debugging index.
In this embodiment of the application, the first debugging index (which may be understood as a training requirement) is that the expected deviation of the first model (which may be understood as a network loss) is smaller than the first deviation quantization result. That is, when the obtained expected deviation of the first model is smaller than the first deviation quantization result, the debugging of the first machine learning model can be terminated, and at this time the obtained machine learning model has higher hot-spot risk detection derivation operation accuracy. The first deviation quantization result may be a value smaller than 1, for example 0.5, and the embodiment of the present application is not limited further.
Under some possible design ideas, a disturbance offset (which can be understood as an adversarial loss) can be obtained according to a distinguishing condition of a test type hot spot risk detection result, a disassembly offset (which can be understood as a disassembly loss) can be obtained according to a disassembly condition of the detection result, a global hot spot distribution offset (which can be understood as a visual map loss) can be obtained according to an obtained description analysis condition, and a corresponding risk content offset (which can be understood as a risk content loss) and a processed confidence offset (which can be understood as a weight loss) can be obtained according to an obtained test type hot spot risk detection result.
In an actual implementation process, a first disturbance offset may be obtained according to a distinguishing condition of the test type hotspot risk detection result and a distinguishing condition of a first detection disturbance layer on a first basic cloud session risk detection result in the first annotation information. The first disturbance offset may be determined by combining a distinguishing condition of a test type hotspot risk detection result corresponding to each first debugging type session risk detection result in the first debugging type session risk detection result set and a distinguishing condition of a first detection disturbance layer to a first basic cloud session risk detection result corresponding to the first debugging type session risk detection result in the first annotation information.
In addition, the first risk content offset may be determined according to the test type hotspot risk detection result corresponding to the first debugging type session risk detection result and the first basic cloud session risk detection result corresponding to the first debugging type session risk detection result in the first annotation information. Further, a first confidence offset may be determined by a regression operation of the test-type hotspot risk detection result and the first basic cloud session risk detection result, and the first confidence offset corresponding to the test type hot spot risk detection result is obtained through the confidence offset. In addition, a first global hotspot distribution offset is obtained through the description analysis condition of the test type hotspot risk detection result corresponding to the debugging type session risk detection result and the first basic tag in the first annotation information. In addition, a first disassembly offset is obtained according to the detection result disassembly condition of the test type hotspot risk detection result corresponding to the debugging type session risk detection result and the first basic disassembly condition in the first annotation information.
It is understood that the specific formulas of the above offsets can be flexibly adjusted according to actual situations, and they are not limited or elaborated in detail in this application.
The first model expected offset of the first machine learning model can be obtained through the above method. When the first model expected offset is larger than the first offset quantization result, the first model expected offset is determined not to meet the first debugging index. At this time, a model variable of the first machine learning model, such as a moving average model variable, can be optimized reversely, and the hot spot risk detection operation continues to be enabled on the debugging type session risk detection result set through the first machine learning model with the adjusted model variable. Once the obtained first model expected offset is smaller than or equal to the first offset quantization result, the first model expected offset can be determined to meet the first debugging index, and the debugging of the machine learning model is terminated.
It is understood that, in the embodiment of the present application, the debugging process for the first machine learning model may also enable a cloud session risk detection derivation process of Step30 through a second machine learning model; for example, the second machine learning model may be an RNN.
For a separately implementable embodiment, the process of debugging the second machine learning model may include the content recorded at Step61-Step64.
Step61, determining a second debugging type session risk detection result set, wherein the second debugging type session risk detection result set covers a plurality of second debugging type session risk detection results, indication type debugging type session risk detection results corresponding to the second debugging type session risk detection results and second annotation information.
Under some possible design ideas, the second debugging type session risk detection result in the second debugging type session risk detection result set may be a test type hotspot risk detection result expected to be formed by the first machine learning model, or may also be a cloud session risk detection result with relatively low feature recognition degree obtained through other manners, or may also be a cloud session risk detection result after an interference factor is applied, which is not further limited by the present application.
For example, when debugging of the second machine learning model is enabled, not less than one indication type debugging type session risk detection result may be set for each debugging type session risk detection result, where the indication type debugging type session risk detection result includes indication type big data of the corresponding second debugging type session risk detection result, for example, a cloud session risk detection result of not less than one online business behavior. The indication type debugging type session risk detection result is also a cloud session risk detection result with high feature recognition degree and accuracy. Each second debugging type session risk detection result may include a different number of indication type debugging type session risk detection results, and the indication type online service behaviors corresponding to the indication type debugging type session risk detection results may also be different, which is not further limited in this application.
It can be understood that the second annotation information may also be determined according to a model variable of the cost, and may include a second base cloud session risk detection result (an accurate cloud session risk detection result) corresponding to the second debug type session risk detection result, a second base tag (an actual analytic feature of distribution of each significant operation link) of the second base cloud session risk detection result, a second base disassembly condition (an actual disassembly condition of each online business behavior), and may also include a differentiation condition of each online business behavior in the second base cloud session risk detection result (a differentiation condition of detecting output of a disturbance layer), a description analytic condition, a disassembly condition, and the like. When the second debugging type session risk detection result is the testing type hotspot risk detection result output by the first machine learning model, the first basic cloud session risk detection result is the same as the second basic cloud session risk detection result, the first basic disassembly condition is the same as the second basic disassembly condition, and the first basic label result is the same as the second basic label result.
Step62, converting the indication type debugging type session risk detection result by combining a second debugging type session risk detection result to obtain a debugging mapping session risk detection result, transmitting the debugging mapping session risk detection result and the second debugging type session risk detection result into the second machine learning model, and starting supervision derivation processing (which can be understood as derivation extension operation based on labels, indications or reminding information) on the second debugging type session risk detection result to obtain a test type derivation risk detection result of the second debugging type session risk detection result.
In this embodiment of the application, each second debugging type session risk detection result may have not less than one corresponding indication type session risk detection result, and the network state of the cloud service interaction event in the second debugging type session risk detection result may enable conversion processing on the indication type debugging type session risk detection result to obtain not less than one debugging mapping session risk detection result. By transmitting the not less than one debugging mapping session risk detection result corresponding to the second debugging type session risk detection result, together with the second debugging type session risk detection result itself, to the second machine learning model, the corresponding test-type derived risk detection result may be obtained.
Step63, respectively transmitting the test type derived risk detection results corresponding to the debugging type session risk detection results to a second detection disturbance layer, a second description analysis layer and a second detection result dismantling layer, and obtaining the distinguishing condition, the description analysis condition and the detection result dismantling condition of the test type derived risk detection results corresponding to the second debugging type session risk detection results.
In this embodiment of the application, the second machine learning model may be debugged by using the structure described above, at this time, the information derivation layer may represent the second machine learning model, and the test-type derived risk detection results corresponding to the second debugging-type session risk detection results may also be respectively transmitted to the detection perturbation layer, the description analysis layer, and the detection result disassembly layer, so as to obtain a distinguishing situation, a description analysis situation, and a detection result disassembly situation for the test-type derived risk detection results. The distinguishing condition represents an actual condition distinguishing condition between the test type derived risk detection result and the basic cloud session risk detection result, the description analysis condition comprises a distribution analysis condition of a significant operation link in the test type derived risk detection result, and the detection result disassembly condition comprises a disassembly condition of information labels corresponding to all online business behaviors of the cloud service interaction event in the test type derived risk detection result.
Step64, obtaining a second model expected deviation of the second machine learning model according to the distinguishing condition, the description analysis condition and the detection result disassembling condition of the test type derived risk detection result corresponding to the second debugging type session risk detection result, and feeding back and optimizing the model variable of the second machine learning model through the second model expected deviation until the second debugging index is met.
Under some possible design considerations, the expected second model offset may be an integration result of the first expected offset and the second expected offset, so that the first expected offset and the second expected offset can be obtained through a distinguishing condition, a description analysis condition and a detection result disassembly condition of the test-type derived risk detection result corresponding to the debugging-type session risk detection result, and the expected second model offset can be obtained through an integration result of the first expected offset and the second expected offset. The first expected offset may be an integration result of a perturbation offset, a risk content offset, a confidence offset, a disassembly offset, and a global hotspot distribution offset based on the test-type derived risk detection result.
Similarly, in the same manner as the determination of the first disturbance offset, in combination with the disturbance offset, a second disturbance offset may be obtained from the distinguishing condition of the test-type derived risk detection result given by the detection disturbance layer and the distinguishing condition of the second basic cloud session risk detection result in the second annotation information; in the same manner as the determination of the first risk content offset, in combination with the risk content offset, a second risk content offset may be determined from the test-type derived risk detection result corresponding to the second debugging-type session risk detection result and the second basic cloud session risk detection result corresponding to the second debugging-type session risk detection result; in the same manner as the determination of the first confidence coefficient offset, in combination with the confidence coefficient offset, a second confidence coefficient offset may be determined by a regression operation of the test-type derived risk detection result corresponding to the second debugging-type session risk detection result and the second basic cloud session risk detection result; in the same manner as the determination of the first global hotspot distribution offset, in combination with the global hotspot distribution offset, a second global hotspot distribution offset may be obtained through the description analysis condition of the test-type derived risk detection result corresponding to the second debugging-type session risk detection result and a second basic tag in the second annotation information; in the same manner as the determination of the first disassembly offset, in combination with the disassembly offset, a second disassembly offset may be obtained through the detection result disassembly condition of the test-type derived risk detection result corresponding to the second debugging-type session risk detection result and a second basic disassembly condition in the second annotation information; and the first expected offset is obtained by combining the integration results of the second disturbance offset, the second risk content offset, the second confidence coefficient offset, the second global hotspot distribution offset and the second disassembly offset.
Further, the method of determining a second expected offset for the second machine learning model may include: determining an online business behavior local session risk detection result corresponding to not less than one online business behavior in the test type derived risk detection result, and respectively transmitting the online business behavior local session risk detection result of the not less than one online business behavior to a detection disturbance layer, a description analysis layer and a detection result disassembly layer to obtain the distinguishing condition, the description analysis condition and the detection result disassembly condition of the online business behavior local session risk detection result of the not less than one online business behavior; determining a third disturbance offset of the not less than one online business behavior according to the distinguishing condition of the online business behavior local session risk detection result of the not less than one online business behavior and the distinguishing condition, given by the second detection disturbance layer, of the not less than one online business behavior in the second basic cloud session risk detection result corresponding to the second debugging type session risk detection result; obtaining a third global hotspot distribution offset of the not less than one online business behavior through the description analysis condition of the online business behavior local session risk detection result of the not less than one online business behavior and the basic label corresponding to the online business behavior in the second annotation information; obtaining a third disassembly offset of the not less than one online business behavior according to the detection result disassembly condition of the online business behavior local session risk detection result of the not less than one online business behavior and the basic disassembly condition of the not less than one online business behavior in the second annotation information; and combining the integration result of the third disturbance offset, the third global hotspot distribution offset and the third disassembly offset of the not less than one online business behavior to obtain a second expected offset of the machine learning model.
As with the method for determining the offset, a second expected offset of each online business behavior may be determined by combining the integrated result of the third disturbance offset, the third risk content offset, and the third confidence offset of the local session risk detection result of each online business behavior in the test-type derived risk detection result.
The second model expected offset of the second machine learning model can be obtained through the above method. When the second model expected offset is larger than the second offset quantization result, the second model expected offset is determined not to meet the second debugging index. At this time, a model variable of the second machine learning model, such as a moving average model variable, can be optimized reversely, and the second machine learning model with the adjusted model variable continues to enable the hot spot risk detection operation on the debugging type session risk detection result set. Once the obtained second model expected offset is smaller than or equal to the second offset quantization result, the second model expected offset can be determined to meet the second debugging index and the debugging of the second machine learning model is terminated, and the obtained second machine learning model can accurately obtain the test type derived risk detection result.
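The Step61-Step64 debugging loop, sketched as an added example that is not code from the application. The page gives no offset formulas, so the stand-in model, the three layers, every offset formula, the sample scores and the 0.5 value used as the second offset quantization result are all assumptions chosen to make the integration of offsets and the stop rule runnable.

```python
"""Added illustration; every formula here is an assumed stand-in, not the patent's."""

# Constructed data: six risk scores of one cloud session, two online business behaviors.
BASE = [9.0, 8.0, 1.0, 2.0, 7.0, 6.0]    # second basic result (from the annotation)
DEBUG = [5.0, 4.0, 1.0, 2.0, 3.0, 2.0]   # second debugging type result (low recognition)
MAPPED = [8.5, 8.0, 1.0, 2.0, 7.0, 6.5]  # debugging mapping result (converted indications)
BEHAVIORS = [(0, 2), (4, 6)]             # score slice covered by each behavior
THRESHOLD = 0.5                          # assumed second offset quantization result


def mean(v):
    return sum(v) / len(v)


def sq(a, b):
    return sum((p - q) ** 2 for p, q in zip(a, b))


def describe(v):
    """Stand-in description analysis layer: normalized hotspot distribution."""
    total = sum(v) or 1.0
    return [x / total for x in v]


def layer_offsets(out, base, spans):
    """Disturbance + global hotspot distribution + disassembly offsets."""
    disturbance = (mean(out) - mean(base)) ** 2          # stand-in critic score: mean
    hotspot = sq(describe(out), describe(base))
    disassembly = sq([max(out[a:b]) for a, b in spans],  # stand-in label: peak score
                     [max(base[a:b]) for a, b in spans])
    return disturbance + hotspot + disassembly


def model_expected_offset(out, base=BASE, spans=BEHAVIORS):
    """Second model expected offset = first expected offset + second expected offset."""
    risk_content = sq(out, base) / len(out)
    confidence = sum(abs(p - q) for p, q in zip(out, base)) / len(out)
    first = layer_offsets(out, base, spans) + risk_content + confidence
    second = sum(layer_offsets(out[a:b], base[a:b], [(0, b - a)]) for a, b in spans)
    return first + second


def derive(weights, debug=DEBUG, mapped=MAPPED):
    """Stand-in second model: move each score toward the mapped guide."""
    return [x + w * (m - x) for w, x, m in zip(weights, debug, mapped)]


def debug_second_model(lr=0.005, max_rounds=1000, eps=1e-5):
    """Feedback-optimize the model variables until the debugging index is met."""
    weights = [0.0] * len(DEBUG)
    for rounds in range(max_rounds + 1):
        offset = model_expected_offset(derive(weights))
        if offset <= THRESHOLD or rounds == max_rounds:
            return weights, offset, rounds
        grad = []
        for i in range(len(weights)):  # central finite-difference gradient
            up = weights[:i] + [weights[i] + eps] + weights[i + 1:]
            down = weights[:i] + [weights[i] - eps] + weights[i + 1:]
            grad.append((model_expected_offset(derive(up))
                         - model_expected_offset(derive(down))) / (2 * eps))
        weights = [w - lr * g for w, g in zip(weights, grad)]


if __name__ == "__main__":
    w, final, rounds = debug_second_model()
    print(f"stopped after {rounds} rounds, expected offset {final:.3f}")
```

The per-behavior slices contribute only the three layer offsets, while the whole result contributes all five, which mirrors how the text splits the first and second expected offsets.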
In summary, in the embodiment of the present application, a derivation process of a cloud session risk detection result with relatively low feature recognition degree may be enabled for the indication-based session risk detection result, so as to obtain an accurate derived risk detection result. The method can improve the characteristic recognition degree of the cloud session risk detection result conveniently, and obtain an accurate cloud session risk detection result.
Based on the same inventive concept, there is also provided a network security analysis apparatus 20 applied to big data intelligence, which is applied to a network security analysis system 10, and the apparatus includes:
the detection result acquisition module 21 is configured to determine a first cloud session risk detection result;
the detection result comparison module 22 is configured to determine that at least one of the first cloud session risk detection results is an indication type session risk detection result, where the indication type session risk detection result carries indication type big data of a target cloud service interaction event in the first cloud session risk detection result;
and the detection result derivation module 23 is configured to perform supervised derivation processing on the first cloud session risk detection result according to at least one indication type session risk detection result of the first cloud session risk detection result to obtain a derived risk detection result.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.