CN114584360A - Internet vulnerability optimization method based on big data mining and deep learning cloud system - Google Patents

Info

Publication number: CN114584360A
Authority: CN (China)
Prior art keywords: information, penetration, intelligence, internet access, attack
Legal status: Withdrawn (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202210183862.7A
Other languages: Chinese (zh)
Inventor: 苏春影
Current Assignee: Individual (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Individual
Application filed by: Individual

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The embodiments of the application provide an internet vulnerability optimization method based on big data mining and a deep learning cloud system. A target intelligence knowledge graph of an internet access interaction channel is paired with a risk behavior triggering track of that channel through threat intelligence penetration chain pairing, so that the security intelligence tracking data and the risk behavior triggering track of the channel are integrated and rich intelligence knowledge relations of the channel are extracted. This makes it possible to search efficiently for the core vulnerabilities to be optimized, based on those intelligence knowledge relations, in the analysis flow for core vulnerabilities to be optimized. In addition, the core vulnerabilities to be optimized are extracted through the target intelligence knowledge graph of the internet access interaction channel to obtain the core vulnerability group to be optimized of that channel, which facilitates the optimization of key vulnerabilities and improves information security and reliability.

Description

Internet vulnerability optimization method based on big data mining and deep learning cloud system
Technical Field
The application relates to the technical field of information security, in particular to an internet vulnerability optimization method based on big data mining and a deep learning cloud system.
Background
A vulnerability is a flaw in the specific implementation of hardware, software, or a protocol, or in a system security policy, that may allow an attacker to gain unauthorized access to or destroy the system; typically it is an inadvertently left unprotected entry point to a restricted computer, component, application, or other online resource. Security vulnerabilities can therefore reflect the threat attack attributes of a cloud service security system (such as the service types and system types that threat attacks are biased toward). Accurately mining the threat attack attributes of the cloud service security system and making vulnerability optimization upgrades in time is a necessary part of information security protection.
In the related art, the threat attack attributes of the relevant cloud service platform system are mined and vulnerability optimization is then carried out in a targeted manner, so that information security is guaranteed in real time. However, the inventor has found through research that vulnerability optimization relying only on the mined threat attack attributes of the relevant cloud service platform system is still unreliable in many respects. For example, some schemes do not consider the security intelligence of the internet access interaction channel, so the core vulnerabilities that actually need optimization cannot be deeply restored, and sparsity inevitably arises when performing global vulnerability optimization upgrades.
Disclosure of Invention
In order to overcome at least the above defects in the prior art, the present application aims to provide an internet vulnerability optimization method based on big data mining and a deep learning cloud system.
In a first aspect, the application provides an internet vulnerability optimization method based on big data mining, which is applied to a deep learning cloud system, wherein the deep learning cloud system is in communication connection with a plurality of internet service platforms, and the method comprises the following steps:
acquiring risk behavior big data of a target internet service platform according to threat attack attributes of the target internet service platform on a current internet access site, and performing security intelligence tracking on the risk behavior big data through a security intelligence tracking model to obtain security intelligence tracking data of an internet access interaction channel in the risk behavior big data;
performing intelligence knowledge graph analysis based on the security intelligence tracking data of the internet access interaction channel to obtain a target intelligence knowledge graph of the internet access interaction channel;
performing risk behavior triggering track analysis on the risk behavior big data based on a deep learning neural network to obtain a risk behavior triggering track of the internet access interaction channel;
and performing threat intelligence penetration chain pairing on the target intelligence knowledge graph of the internet access interaction channel in the risk behavior big data and the risk behavior triggering track of the internet access interaction channel to obtain threat intelligence penetration chain pairing information of the internet access interaction channel, and extracting core vulnerabilities to be optimized from the risk behavior big data based on the threat intelligence penetration chain pairing information of the internet access interaction channel to obtain a core vulnerability group to be optimized of the internet access interaction channel, wherein the core vulnerability group to be optimized is used for performing internet vulnerability optimization.
In a second aspect, an embodiment of the application further provides an internet vulnerability optimization system based on big data mining, which comprises a deep learning cloud system and a plurality of internet service platforms in communication connection with the deep learning cloud system;
the deep learning cloud system is used for:
acquiring risk behavior big data of a target internet service platform according to threat attack attributes of the target internet service platform on a current internet access site, and performing security intelligence tracking on the risk behavior big data through a security intelligence tracking model to obtain security intelligence tracking data of an internet access interaction channel in the risk behavior big data;
performing intelligence knowledge graph analysis based on the security intelligence tracking data of the internet access interaction channel to obtain a target intelligence knowledge graph of the internet access interaction channel;
performing risk behavior triggering track analysis on the risk behavior big data based on a deep learning neural network to obtain a risk behavior triggering track of the internet access interaction channel;
and performing threat intelligence penetration chain pairing on the target intelligence knowledge graph of the internet access interaction channel in the risk behavior big data and the risk behavior triggering track of the internet access interaction channel to obtain threat intelligence penetration chain pairing information of the internet access interaction channel, and extracting core vulnerabilities to be optimized from the risk behavior big data based on the threat intelligence penetration chain pairing information of the internet access interaction channel to obtain a core vulnerability group to be optimized of the internet access interaction channel, wherein the core vulnerability group to be optimized is used for performing internet vulnerability optimization.
According to any one of the above aspects, in the implementations provided by the application, a target intelligence knowledge graph of an internet access interaction channel is paired with a risk behavior triggering track of that channel through threat intelligence penetration chain pairing, so that the security intelligence tracking data and the risk behavior triggering track of the channel are integrated and rich intelligence knowledge relations of the channel are extracted. This makes it possible to search efficiently for the core vulnerabilities to be optimized, based on those intelligence knowledge relations, in the analysis flow for core vulnerabilities to be optimized. In addition, the core vulnerabilities to be optimized are extracted through the target intelligence knowledge graph of the internet access interaction channel to obtain the core vulnerability group to be optimized of that channel, which facilitates the optimization of key vulnerabilities and improves information security and reliability.
Drawings
To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings used in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and therefore should not be considered as limiting its scope; those skilled in the art may obtain other related drawings from these drawings without inventive effort.
Fig. 1 is an application scenario diagram of an internet vulnerability optimization system based on big data mining according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of an internet vulnerability optimization method based on big data mining according to an embodiment of the present application;
Fig. 3 is a block diagram illustrating the structure of a deep learning cloud system for implementing the internet vulnerability optimization method based on big data mining according to an embodiment of the present application.
Detailed Description
Fig. 1 is a scene schematic diagram of an internet vulnerability optimization system 10 based on big data mining according to an embodiment of the present application. The big data mining-based internet vulnerability optimization system 10 may include a deep learning cloud system 100 and an internet service platform 200 communicatively connected to the deep learning cloud system 100. The big data mining based internet vulnerability optimization system 10 shown in fig. 1 is only one possible example, and in other possible embodiments, the big data mining based internet vulnerability optimization system 10 may also only include at least some of the components shown in fig. 1 or may also include other components.
In one design, the deep learning cloud system 100 and the internet service platform 200 in the big data mining-based internet vulnerability optimization system 10 may cooperatively execute the internet vulnerability optimization method based on big data mining described in the following method embodiment; for the specific steps executed by the deep learning cloud system 100 and the internet service platform 200, refer to the detailed description of that method embodiment.
To solve the technical problem described in the background above, Fig. 2 is a schematic flowchart of the internet vulnerability optimization method based on big data mining provided in the embodiment of the present application. The method may be executed by the deep learning cloud system 100 shown in Fig. 1 and is described in detail below.
Step S110: acquiring the risk behavior big data of the target internet service platform according to the threat attack attributes of the target internet service platform on the current internet access site, and performing security intelligence tracking on the risk behavior big data through a security intelligence tracking model to obtain security intelligence tracking data of an internet access interaction channel in the risk behavior big data.
Step S120: performing intelligence knowledge graph analysis based on the security intelligence tracking data of the internet access interaction channel to obtain a target intelligence knowledge graph of the internet access interaction channel.
Step S130: performing risk behavior triggering track analysis on the risk behavior big data based on the deep learning neural network to obtain a risk behavior triggering track of the internet access interaction channel.
Step S140: performing threat intelligence penetration chain pairing on the target intelligence knowledge graph of the internet access interaction channel in the risk behavior big data and the risk behavior triggering track of the internet access interaction channel to obtain threat intelligence penetration chain pairing information of the internet access interaction channel, and extracting core vulnerabilities to be optimized from the risk behavior big data based on the threat intelligence penetration chain pairing information of the internet access interaction channel to obtain a core vulnerability group to be optimized of the internet access interaction channel, wherein the core vulnerability group to be optimized is used for performing internet vulnerability optimization.
In one design, the security intelligence tracking model may be understood as an executing application that needs to use security intelligence tracking to perform this operation. For a specific implementation of the security intelligence tracking, refer to the detailed description of step S110 below.
In one design, the internet access interaction channel may refer to a particular access interaction flow formed within the risk behavior big data.
In one design, the intelligence knowledge graph may be used to represent the network relationship information of the intelligence knowledge entities corresponding to all internet access interaction channels, and the risk behavior triggering track may be used to describe the connection track information formed by all triggering nodes in a risk behavior triggering process.
In this method, the target intelligence knowledge graph of the internet access interaction channel is paired with the risk behavior triggering track of that channel through threat intelligence penetration chain pairing, so that the security intelligence tracking data and the risk behavior triggering track of the channel are integrated and the intelligence knowledge relations of the channel are extracted. The core vulnerabilities to be optimized can then be searched for efficiently, based on those intelligence knowledge relations, in the analysis flow for core vulnerabilities to be optimized. In addition, the core vulnerabilities to be optimized are extracted through the target intelligence knowledge graph of the internet access interaction channel to obtain the core vulnerability group to be optimized of that channel, which facilitates the optimization of key vulnerabilities and improves information security and reliability.
The embodiments described below should be understood as further preferred solutions based on the above embodiments, and should not be understood as technical features essential for realizing the solution. In an embodiment that can be implemented independently, for step S110, the process of performing security intelligence tracking on the risk behavior big data through the security intelligence tracking model to obtain the security intelligence tracking data of the internet access interaction channel in the risk behavior big data can be implemented by the following exemplary sub-steps, which are described in detail below.
Sub-step S111: obtaining the suspicious attack tracing information set generated by the internet service for each risk behavior data in the risk behavior big data.
In one design, the suspicious attack tracing information set includes suspicious attack tracing information that takes each suspicious attack object as a tracing target, and the suspicious attack tracing information includes the suspicious attack reference information of the suspicious attack object, the suspicious attack reference results, and the attack trend information in the suspicious attack object.
Sub-step S112: for each suspicious attack object, according to each risk behavior data in each of the plurality of attack trend grids in the attack trend information of the suspicious attack object, determining whether each attack feature vector in the attack trend grid is an effective attack feature vector according to the category attribute of the attack feature vector in the attack trend grid; determining the security intelligence of each attack routing node corresponding to the attack trend grid according to the track information of the effective attack feature vectors in the attack trend grid; for the security intelligence of each attack routing node, dividing the security intelligence of the attack routing node into a plurality of pieces of security intelligence unit information; and determining whether the security intelligence of the attack routing node is security intelligence of a preset blacklist attack source according to the attack source of each attack feature vector in each piece of security intelligence unit information and a preset attack source configuration list.
It is worth noting that each attack feature vector corresponds to a respective attack launching flow.
Sub-step S113: obtaining the intelligence matching content attribute of each attack feature vector in the security intelligence of the preset blacklist attack source, as matched by a preset intelligence matching template, wherein the intelligence matching content attribute comprises an intelligence content capture attribute and an intelligence content intelligence feature, and the preset intelligence matching template comprises template description information corresponding to different intelligence content attributes.
Sub-step S114: determining the active intelligence derivative information of the active intelligence feature and the passive intelligence derivative information of each passive intelligence feature of each intelligence content according to the intelligence matching content attribute of each attack trend information of the different suspicious attack objects in the suspicious attack tracing information set; determining the intelligence content node of each risk behavior data in the suspicious attack object according to the active intelligence derivative information of the active intelligence feature and the passive intelligence derivative information of each passive intelligence feature of each intelligence content in the security intelligence of the preset blacklist attack source; taking the security intelligence node information within the intelligence grid interval of the intelligence content node, together with the security intelligence node information that lies outside that interval but is related to it, as the security intelligence node information of each risk behavior data in the suspicious attack object; and, after aggregating the security intelligence node information of each risk behavior data in all suspicious attack objects, obtaining the security intelligence tracking data of the internet access interaction channel in the risk behavior big data.
For example, a passive intelligence feature refers to an intelligence feature whose intelligence content is passively changed throughout the intelligence mining process, and an active intelligence feature refers to an intelligence feature whose intelligence content actively changes throughout the intelligence mining process.
In an embodiment that can be implemented independently, for step S120, the process of performing intelligence knowledge graph analysis based on the security intelligence tracking data of the internet access interaction channel to obtain a target intelligence knowledge graph of the internet access interaction channel can be implemented by the following exemplary sub-steps, which are described in detail below.
Sub-step S121: obtaining the intelligence routing call information of the intelligence routing description cluster marked on the associated intelligence header information of each piece of security intelligence node information in the security intelligence tracking data of the internet access interaction channel, and determining a first intelligence knowledge entity sequence corresponding to the intelligence routing call information.
It is worth noting that the intelligence routing call information includes the call flow node information of the intelligence flow information determined according to the intelligence source information and the intelligence application information of the intelligence routing description cluster, and the first intelligence knowledge entity sequence includes a generation flow sequence of a plurality of intelligence knowledge entities of the call flow node information.
Sub-step S122: determining a first intelligence fragment based on the intelligence source information and a second intelligence fragment based on the intelligence application information of the associated intelligence header information of each piece of security intelligence node information.
Sub-step S123: determining first clustering mining information for performing K-means clustering on the first intelligence knowledge entity sequence according to the intelligence knowledge entity sequences of the first intelligence fragment and the second intelligence fragment.
Sub-step S124: performing K-means clustering on the first intelligence knowledge entity sequence based on the first clustering mining information to obtain a second intelligence knowledge entity sequence.
Sub-step S125: performing frequent item mining on the second intelligence knowledge entity sequence to obtain a plurality of frequent item mining sets, and encoding each frequent item mining set to obtain frequent item mining features.
Sub-step S126: determining the intelligence knowledge graph of each piece of security intelligence node information according to the intelligence knowledge graphs corresponding to the plurality of frequent item mining features of the second intelligence knowledge entity sequence.
Sub-step S127: obtaining the target intelligence knowledge graph of the internet access interaction channel based on the intelligence knowledge graph of each piece of security intelligence node information.
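A simplified sketch of sub-steps S122 to S127, added here as an illustration and not taken from the patent, which does not specify data formats or algorithms beyond naming K-means and frequent item mining. Assumptions: the sample nodes and entity names are constructed, each entity sequence is encoded as a bag-of-entities vector, the two intelligence fragments seed a two-cluster K-means, frequent items are found by brute-force enumeration, and frequent entity pairs become graph edges weighted by support.

```python
from collections import Counter
from itertools import combinations

# Constructed sample (not from the patent): the entity sequence of each
# security intelligence node. Addresses are documentation-range placeholders.
NODES = [
    ["src:203.0.113.7", "tech:sqli", "svc:search-api"],
    ["src:203.0.113.7", "tech:sqli", "svc:search-api"],
    ["src:203.0.113.7", "tech:sqli", "svc:report-api"],
    ["src:198.51.100.9", "tech:cred-stuffing", "svc:login-api"],
    ["src:198.51.100.9", "tech:cred-stuffing", "svc:login-api"],
    ["src:198.51.100.9", "tech:cred-stuffing", "svc:sso"],
]
# Assumed stand-ins for the first (source-based) and second
# (application-based) intelligence fragments of S122.
FIRST_FRAGMENT = ["src:203.0.113.7", "tech:sqli"]
SECOND_FRAGMENT = ["src:198.51.100.9", "tech:cred-stuffing"]


def encode(entities, vocab):
    """Bag-of-entities vector over a fixed, sorted vocabulary."""
    present = set(entities)
    return [1.0 if v in present else 0.0 for v in vocab]


def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(vectors, seeds, max_iter=20):
    """Plain K-means with caller-supplied initial centroids (S123/S124)."""
    centroids = [list(s) for s in seeds]
    assign = None
    for _ in range(max_iter):
        new = [min(range(len(centroids)), key=lambda c: sq_dist(v, centroids[c]))
               for v in vectors]
        if new == assign:  # assignments stable: converged
            break
        assign = new
        for c in range(len(centroids)):
            members = [v for v, a in zip(vectors, assign) if a == c]
            if members:  # keep the old centroid if a cluster goes empty
                centroids[c] = [sum(col) / len(members) for col in zip(*members)]
    return assign


def frequent_itemsets(transactions, min_support, max_size=3):
    """Enumerate itemsets up to max_size; keep those meeting min_support (S125).

    Each result is encoded as a sorted entity tuple mapped to its support.
    """
    counts = Counter()
    for t in transactions:
        items = sorted(set(t))
        for k in range(1, max_size + 1):
            counts.update(combinations(items, k))
    return {s: n for s, n in counts.items() if n >= min_support}


def target_knowledge_graph(nodes, first_fragment, second_fragment, min_support=2):
    """Cluster nodes, mine each cluster, merge frequent pairs into edges (S126/S127)."""
    vocab = sorted({e for n in nodes for e in n})
    vectors = [encode(n, vocab) for n in nodes]
    seeds = [encode(first_fragment, vocab), encode(second_fragment, vocab)]
    assign = kmeans(vectors, seeds)
    graph = Counter()
    for c in sorted(set(assign)):
        cluster = [n for n, a in zip(nodes, assign) if a == c]
        for itemset, support in frequent_itemsets(cluster, min_support).items():
            if len(itemset) == 2:  # a frequent pair becomes a weighted edge
                graph[itemset] += support
    return assign, dict(graph)


if __name__ == "__main__":
    assignment, edges = target_knowledge_graph(NODES, FIRST_FRAGMENT, SECOND_FRAGMENT)
    print("cluster per node:", assignment)
    for (a, b), w in sorted(edges.items()):
        print(f"{a} -- {b} (support {w})")
```

Entities seen only once in a cluster, such as the constructed `svc:report-api` and `svc:sso`, fall below the support threshold and do not appear in the merged graph.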
Further, in an embodiment that can be implemented independently, for step S130, the process of performing risk behavior triggering track analysis on the risk behavior big data based on the deep learning neural network to obtain the risk behavior triggering track of the internet access interaction channel can be implemented by the following exemplary sub-steps, which are described in detail below.
Sub-step S131: inputting the risk behavior big data into a preset deep learning neural network to obtain the correlation degree with which the risk behavior big data matches each preset neural unit.
Sub-step S132: determining the target neural unit corresponding to the risk behavior big data according to the correlation degree with which the risk behavior big data matches each preset neural unit.
For example, a preset neural unit whose correlation degree is not less than a preset correlation degree may be determined as a target neural unit corresponding to the risk behavior big data.
Sub-step S133: extracting the risk behavior triggering track matched with each internet access interaction channel from the mining information of the risk behavior triggering nodes of the target neural unit corresponding to the risk behavior big data.
In an embodiment that can be implemented independently, for step S140, the process of performing threat intelligence penetration chain pairing on the target intelligence knowledge graph of the internet access interaction channel in the risk behavior big data and the risk behavior triggering track of the internet access interaction channel to obtain threat intelligence penetration chain pairing information of the internet access interaction channel can be implemented by the following exemplary sub-steps, which are described in detail below.
Sub-step S141: adding the target intelligence knowledge graph and the risk behavior triggering track of the internet access interaction channel into a pairing space, and determining from the pairing space the penetration partition related information of the target intelligence knowledge graph and the risk behavior triggering track of the internet access interaction channel corresponding to each preset threat intelligence penetration partition.
Sub-step S142: clustering the pieces of penetration partition related information according to the attack sources of the partition relations between the preset threat intelligence penetration partitions in the different pieces of penetration partition related information, to obtain at least one penetration partition related information group.
In one design, the attack sources of the partition relations of the preset threat intelligence penetration partitions in any two pieces of penetration partition related information within the same penetration partition related information group cover the preset attack source configuration list.
Sub-step S143: for each penetration partition related information group, determining from the pairing space, based on each piece of penetration partition related information in the group, the unit partition related information of the group corresponding to the target intelligence knowledge graph and the risk behavior triggering track of the internet access interaction channel.
In one design, the unit partition related information comprises at least the migration data of each penetration migration relation of each piece of penetration partition related information in the penetration partition related information group with respect to the target intelligence knowledge graph and the risk behavior triggering track of the internet access interaction channel. The unit partition related information is used for determining the penetration output information of the penetration relations of the preset threat intelligence penetration partitions in each piece of penetration partition related information in the group corresponding to the target intelligence knowledge graph and the risk behavior triggering track of the internet access interaction channel.
Sub-step S144: determining, based on the unit partition related information, the penetration output information of the penetration relation corresponding to the preset threat intelligence penetration partition in each piece of penetration partition related information in the penetration partition related information group, matching the penetration output information of the penetration relations to obtain partition related information, and obtaining the threat intelligence penetration chain pairing information of the internet access interaction channel according to the partition related information.
For example, in a possible example, for the sub-step S144, in the process of determining the penetration output information of the penetration relationship corresponding to the preset threat intelligence penetration partition in each penetration partition related information in the penetration partition related information group based on the unit partition related information, the following alternative embodiments may be implemented.
And a substep S1441 of determining threat information abstract information and threat information attack labels of unit partition related information, determining a plurality of threat information penetration matrixes according to a plurality of penetration targets in a prior penetration target sequence, performing penetration content extension according to penetration content parameters of each penetration target in each threat information penetration matrix and the threat information attack labels in the threat information abstract information to obtain a plurality of penetration content extension results corresponding to the plurality of threat information penetration matrixes respectively, and taking penetration marking information of the threat information penetration matrix corresponding to each penetration content extension result as target penetration marking information of each penetration content extension result.
And a substep S1442 of respectively obtaining permeation trace information of the relevant information of each permeation sub-zone corresponding to the threat intelligence attack tag determined in the threat intelligence abstract information based on the plurality of permeation content extension results to obtain a plurality of permeation trace information, and integrating the plurality of permeation trace information obtained based on the plurality of permeation content extension results according to the target permeation labeling information of each permeation content extension result to obtain a first permeation trace information set.
It is worth explaining that penetration marking information between any two penetration targets in each threat information penetration matrix is the same, penetration marking information corresponding to different threat information penetration matrices is different, each penetration content extension result is used for determining shared information head information corresponding to a preset threat information penetration partition in the relevant information of each penetration partition corresponding to the threat information attack label in any preset penetration range, and the penetration content extension result is obtained after penetration content extension is carried out according to a previous penetration target sequence.
And a substep S1443, obtaining penetration results of the preset threat information penetration subareas between the threat information abstract information and the threat information attack labels in the threat information abstract information according to the shared intelligence header information of the preset threat information penetration subareas corresponding to the prior penetration target sequence and the threat information attack labels, and taking the target penetration track point sequence corresponding to the penetration results corresponding to the preset threat information penetration subareas as a second penetration track information set.
And a substep S1444 of comparing the penetration track intersection information of the first penetration track information set and the second penetration track information set, and determining penetration output information of a penetration relation corresponding to each preset threat information penetration partition according to the penetration track intersection information and the shared context header information of each preset threat information penetration partition.
For example, in an embodiment that can be implemented independently, for sub-step S1444, the following embodiment can be implemented.
(1) And determining interactive intelligence characteristic information of a service dynamic environment corresponding to each preset threat intelligence infiltration subarea based on the penetration track intersection information, and determining the interactive intelligence matching characteristic information of each preset threat intelligence infiltration subarea through the intelligence pairing information of the shared intelligence header information of each preset threat intelligence infiltration subarea in the corresponding infiltration subarea related information.
(2) And extracting a first intelligence knowledge atlas set corresponding to the interactive intelligence characteristic information and a second intelligence knowledge atlas set corresponding to the interactive intelligence matching characteristic information, and determining a plurality of target map networks with different intelligence knowledge entity characteristics respectively included in the first intelligence knowledge atlas set and the second intelligence knowledge atlas set.
The target graph network can be understood as a distribution network formed by the information knowledge maps with the incidence relation in the first information knowledge map set and the second information knowledge map set.
(3) When the global information knowledge category of the first information knowledge atlas is the same as the global information knowledge category of the second information knowledge atlas, the relational information of the interactive information characteristic information in any target graph network of the first information knowledge atlas is obtained, and the target graph network with the information knowledge entity characteristics of the minimum connection times in the second information knowledge atlas is determined to be the candidate target graph network in parallel.
(4) And adding the relational information to the candidate target graph network based on the partition characteristics of each preset threat information penetration partition, and determining graph network content information corresponding to the relational information in the candidate target graph network.
(5) And generating a butt joint label between the interactive information characteristic information and the interactive information matching characteristic information through the connection content label between the relational information and the graph network content information.
(6) And obtaining target candidate network content information in the candidate target graph network by taking the graph network content information as reference search information, adding the target candidate network content information to the target graph network where the relational information is located according to a plurality of docking paths corresponding to the docking labels, obtaining information visualization information corresponding to the target candidate network content information in the target graph network where the relational information is located, and determining the information visualization information as penetration output information of a penetration relation corresponding to each preset threat information penetration partition according to the reference search information.
In an embodiment that can be implemented independently, still referring to step S140, in the process of extracting the core vulnerability to be optimized from the risk behavior big data based on the threat intelligence penetration chain pairing information of the internet access interaction channel to obtain the core vulnerability group to be optimized of the internet access interaction channel, the following exemplary sub-steps can be implemented, which are described in detail below.
And a substep S145, obtaining core vulnerability extraction information to be optimized of the Internet access interaction channel under the risk behavior big data.
And a substep S146, obtaining the core vulnerabilities to be optimized under the extraction information of the core vulnerabilities to be optimized and vulnerability optimization firmware information corresponding to each core vulnerability to be optimized.
And a substep S147, covering and configuring threat information penetration chain pairing information of the Internet access interaction channel under vulnerability optimization firmware information corresponding to each core vulnerability to be optimized to obtain a core vulnerability group to be optimized of the Internet access interaction channel.
For example, in an embodiment that can be implemented independently, after step S140, the following steps can be further included:
Step S150, acquiring vulnerability firmware upgrading information groups obtained by core vulnerability groups to be optimized based on different Internet access interaction channels.
Step S160, obtaining protection resource information of a plurality of cloud protection nodes in the upgrade cloud protection data source of the vulnerability firmware upgrade information group.
In one design idea, each cloud protection node may be configured to indicate one or more protection upgrade flows that need to be enabled in a vulnerability optimization upgrade flow of a vulnerability firmware upgrade information group, and upgrade resource information of the protection upgrade flows indicated by each cloud protection node needs to be updated.
In one design idea, protection resource information of any cloud protection node is used for reflecting update coordination resources between any cloud protection node and other cloud protection nodes.
Step S170, dividing at least two cloud protection nodes into a target protection node combination set according to protection resource information of each cloud protection node.
In this implementation, the target protection node combination set is used to instruct vulnerability optimization upgrade to the upgrade resource information of the protection upgrade flow represented by the divided cloud protection nodes.
Step S180, updating the upgraded cloud protection data source by adopting the target protection node combination set, and sending the updated upgraded cloud protection data source to the vulnerability optimization upgrading service.
In this implementation, the updated upgrade cloud protection data source may be used to instruct the vulnerability optimization upgrade service to perform vulnerability optimization upgrade on upgrade resource information of the protection upgrade flow represented by the divided cloud protection nodes in the vulnerability optimization upgrade flow of the vulnerability firmware upgrade information group according to the instruction of the target protection node combination set, and output a vulnerability optimization upgrade result.
Based on the above steps, in this embodiment, at least two cloud protection nodes may be divided into a target protection node combination set according to protection resource information of a plurality of cloud protection nodes in an upgrade cloud protection data source of a vulnerability firmware upgrade information group, where the target protection node combination set is used to instruct to perform vulnerability optimization upgrade on upgrade resource information of a protection upgrade flow represented by the divided cloud protection nodes. And then, updating the upgraded cloud protection data source by adopting the target protection node combination set, and sending the updated upgraded cloud protection data source to the vulnerability optimization upgrading service, so that the vulnerability optimization upgrading service can perform vulnerability optimization upgrading on the upgrade resource information of the protection upgrading flow represented by the divided cloud protection nodes according to the indication of the target protection node combination set in the process of testing the vulnerability firmware upgrading information group, and the reliability of vulnerability optimization upgrading is improved.
In an embodiment, in the foregoing step S110, the threat attack attribute of the target internet service platform at the current internet access site may be implemented by the following steps.
Step A101, security vulnerability scanning information of a target Internet service platform at a current Internet access site is obtained.
In a design idea, the security vulnerability scanning information may include vulnerability sharing migration information corresponding to a current internet access site and vulnerability characteristic information of a scanned vulnerability object.
In a design idea, a current internet access site corresponds to vulnerability sharing migration information updated by a current threat attack attribute, and the vulnerability sharing migration information corresponding to the current internet access site is also the vulnerability sharing migration information updated by the current threat attack attribute. Considering that vulnerability scanning objects of different access sites are possibly different, even the reference threat attack attributes corresponding to the same vulnerability scanning process are possibly different, the vulnerability sharing and transferring information corresponding to the current Internet access site is used as a key reference basis for capturing.
In a design idea, a scanned vulnerability object, namely a target internet service platform, is from a scanning task where a current internet access site is located to an active vulnerability scanning object of the scanned task, the scanned vulnerability object of the embodiment of the present application may be an active vulnerability scanning object which is scanned in real time at the current internet access site, or a scanning vulnerability object which is obtained by the target internet service platform in the complete active vulnerability scanning object obtained by the current scanning task except the initiated active vulnerability scanning object. For example, the initial active scanning vulnerability object generated by the target internet service platform in the current scanning task is A-B-C-D, that is, the complete active scanning vulnerability object is a vulnerability scanning object cluster formed by starting from A, scanning vulnerability objects through B and C in sequence, and finally migrating to D scanning vulnerability objects, after the target internet service platform is migrated to the B-scan vulnerability object at a certain internet access site, migration may continue along the initial active scanning vulnerability object to scanning vulnerability object D, then the scanned vulnerability object at the internet access site is B-C-D, and if the target internet service platform replans the active scanning vulnerability object at the internet access site, the scanned vulnerability object is the regenerated active scanning vulnerability object.
The vulnerability characteristic information may be one or more of a vulnerability operating environment, a vulnerability updating record, vulnerability application service information, vulnerability permission information and a vulnerability exploiting program file, and is not limited specifically.
Step A102, security vulnerability scanning information of a target Internet service platform at a current Internet access site is input to a threat attack attribute analysis network meeting network convergence requirements, and a threat attack attribute of the current Internet access site output by the threat attack attribute analysis network is obtained.
According to the embodiment of the application, after security vulnerability scanning information of the current internet access site is obtained, the threat attack attribute of the target internet service platform on the current internet access site can be obtained by inputting the attack record characteristics of the current internet access site into the threat attack attribute analysis network meeting the network convergence requirement.
The threat attack attribute analysis network in the embodiment of the application is obtained in a network convergence configuration mode, and generally, for a training process, in order to obtain a better training effect, continuous interaction with a network parameter layer is needed through an AI network. For example, an AI network may be understood as a threat attack attribute analysis network.
For example, the AI network may output a classification learning information through the classification learning unit and act on the network parameter layer, the network parameter layer receives the classification learning information and then the parameter information changes, and generates a parameter optimization reference search information according to the network convergence configuration reference search information, the network parameter layer feeds back the current parameter information and the parameter optimization reference search information to the AI network, the AI network outputs the next classification learning information according to the parameter optimization reference search information and the current parameter information of the network parameter layer, and the principle of outputting the classification learning information is to increase the probability of being subjected to the forward parameter optimization reference search information. The selected classification learning information not only influences the current target network convergence configuration reference search information, but also influences the parameter information of the next vulnerability sharing migration information of the network parameter layer and the final target network convergence configuration reference search information, thereby realizing the closed-loop feedback training process.
The parameter optimization reference search information may refer to a loss function value. In the threat attack attribute prediction process of the embodiment of the application, the parameter optimization reference search information is obtained by configuring the reference search information through network convergence, and can be divided into two parts, wherein the first part is the classification accuracy degree of the threat attack attribute estimated by each internet access site, and the second part is attribute updating change information of a sequence formed by the threat attack attribute estimated by the current internet access site and the threat attack attributes of all previous internet access sites.
The configuration information of the parameter configuration information of the threat attack attribute analysis network during network convergence configuration comprises reference threat attack attributes of reference training sample data and a prior classification threat attack attribute cluster of each internet access site, and the output of the network convergence configuration benchmark search information is used for representing probability distribution information of classification accuracy of the classification threat attack attributes of each internet access site. The prior classified threat attack attribute cluster comprises classified threat attack attributes of at least one internet access site related to each internet access site; the classification threat attack attribute of each internet access site is obtained according to a classification information set of the threat attack attribute analyzed by a classification learning unit of the threat attack attribute analysis network in a network convergence optimization configuration process according to the security vulnerability scanning information of each internet access site.
For example, the threat attack attribute analysis network may include a classification learning unit and network convergence configuration benchmark search information. The security vulnerability scanning information of each internet access site of the reference training sample data serves as parameter information: if there are T internet access sites in the reference training sample data, there are T pieces of parameter information. Each piece of parameter information is used as an input of the classification learning unit, and the classification learning unit outputs the classification learning information based on the input parameter information, namely the classification information set of the threat attack attribute of each internet access site. Random screening is performed on the classification information set of the threat attack attribute of each internet access site to obtain the key attribute extraction information, namely the classification threat attack attribute of each internet access site. For each internet access site, the classification threat attack attributes of at least one internet access site related to that internet access site are combined into a prior classification threat attack attribute cluster, and the reference threat attack attribute and the prior classification threat attack attribute cluster of each internet access site are used as configuration information of the network convergence configuration benchmark search information. Based on this input, the network convergence configuration benchmark search information generates probability distribution information for evaluating the classification accuracy of the classification threat attack attribute of each internet access site, and the classification learning unit in the threat attack attribute analysis network is adjusted based on the probability distribution information, so that the probability of classifying a threat attack attribute with more accurate probability distribution information is increased and the probability of classifying a threat attack attribute with poor probability distribution information is reduced. In this way, the classification learning unit satisfying the network convergence condition will learn the correct classification operation for the threat attack attribute.
It should be noted that the configuration intelligence of the parameter configuration information in the embodiment of the present application includes a reference threat attack attribute of reference training sample data and a cluster of previously categorized threat attack attributes of each internet access site. The reference threat attack attribute provides a reference for evaluating the classification accuracy of the classification threat attack attribute of each internet access site, and the prior classification threat attack attribute cluster of each internet access site is constructed, and the attribute change condition of the threat attack attribute is considered, namely, the parameter configuration information of the embodiment of the application can evaluate the threat attack attribute from two aspects of classification accuracy and attribute change, thereby laying a foundation for estimating the threat attack attribute which is more accordant with high classification accuracy and actual environment requirements in actual application.
According to the internet vulnerability optimization method based on big data mining, security vulnerability scanning information of a target internet service platform at the current internet access site is obtained, wherein the security vulnerability scanning information comprises vulnerability sharing migration information corresponding to the current internet access site and vulnerability characteristic information of a scanned vulnerability object, so that the threat attack attribute analysis network can classify the threat attack attribute more accurately according to the vulnerability sharing migration information and the scanned vulnerability object. The configuration information of the parameter configuration information during network training of the threat attack attribute analysis network comprises the threat attack attribute and the prior classification threat attack attribute of each internet access site. Compared with the prior art, in which training uses only the initial vulnerability sharing migration information in the online vulnerability information and the final threat attack attribute, the present application carries out network convergence configuration using parameter optimization benchmark search information determined from the threat attack attributes of each step, takes into account the influence of dynamic migration and updating of the scanned vulnerability object on classification of the threat attack attribute, and achieves higher security vulnerability analysis precision.
Based on the foregoing embodiments, in an independently implementable embodiment, inputting security vulnerability scanning information of a target internet service platform at a current internet access site to a threat attack attribute analysis network that meets a network convergence requirement, and obtaining a threat attack attribute of the current internet access site output by the threat attack attribute analysis network includes:
Step A1021, the security vulnerability scanning information of the current Internet access site is processed by a deep coding unit to obtain the security vulnerability scanning characteristics of the current Internet access site. It is to be appreciated that the security vulnerability scanning characteristic is an encoded feature representation of the scanning results in the security vulnerability scanning information.
Step A1022, inputting security vulnerability scanning characteristics of the current Internet access site to a classification learning unit, and obtaining a classification information set of threat attack attributes of the current Internet access site output by the classification learning unit;
Step A1023, extracting key attributes according to the classification information set of the threat attack attributes of the current Internet access site, and obtaining the threat attack attributes of the current Internet access site.
In an embodiment that can be implemented independently, a training process of the threat attack attribute analysis network according to the embodiment of the present application is described below, where the training process includes:
Step A201, security vulnerability scanning information and threat attack attributes of each Internet access site of reference training sample data are obtained.
In one design approach, training of network convergence configuration is performed according to network parameter layers, for example, each network parameter layer is a one-time complete training process, that is, one reference training sample data, and one reference training sample data includes security vulnerability scanning information and final threat attack attributes of each internet access site in the training process.
For example, assume that a reference security protection application executes scanning vulnerability object A in a current scanning task, the internet access site is 1, the security vulnerability scanning information is recorded as X1, and the target scanning vulnerability object is C. The reference security protection application updates the threat attack attributes continuously during the training process. When the reference security protection application migrates to scanning vulnerability object B, the corresponding internet access site is n and the security vulnerability scanning information is recorded as Xn. If the number of internet access sites in the whole training process is T, the reference training sample data can be recorded as {X1, X2, …, Xn, …, XT}, where n and T are positive integers and n is less than T.
Step A202, inputting the security vulnerability scanning information of each Internet access site into a classification learning unit of an initial threat attack attribute analysis network, and obtaining a classification information set of the threat attack attribute of each Internet access site output by the classification learning unit.
Based on the idea of the policy gradient algorithm, the classification learning unit of the embodiment of the application outputs the probability of executing each kind of classification learning information under the given parameter information, namely the classification information set of the threat attack attribute under the security vulnerability scanning information of each internet access site.
For example, the security vulnerability scanning information Xn of the nth internet access site may be input to the classification learning unit, and the classification learning unit outputs the probability that the threat attack attribute of the nth internet access site is the threat attack attribute n1, the probability of the threat attack attribute n2, …, and the probability of the threat attack attribute nm, where the threat attack attribute nm represents the mth classification probability of the threat attack attribute n. The final output network layer here acts like the softmax regression step of a multi-class classification problem and outputs a classification information set, except that the classification information set is not used for classification.
Step A203, extracting key attributes according to the classification information set of the threat attack attributes, and obtaining the classification threat attack attributes of each Internet access site.
In a design idea, random screening is carried out according to a classification information set of threat attack attributes, a screening value is used as the classification threat attack attribute of each Internet access site, and a specific training target is parameter configuration information of an optimization classification learning unit, so that key attribute extraction information of the threat attack attribute can be as close as possible or equal to the threat attack attribute which enables target network convergence configuration benchmark search information of each step to be optimal.
Step A204, inputting a network convergence configuration reference search information layer according to the threat attack attribute and the prior classification threat attack attribute cluster of each Internet access site, and obtaining target network convergence configuration reference search information of each Internet access site output by the network convergence configuration reference search information layer.
Step A205, according to the target network convergence configuration reference search information of each Internet access site and the classification information set of the classification threat attack attribute, optimizing the parameter configuration information of the classification learning unit, and taking the classification learning unit meeting the network convergence condition as the target threat attack attribute analysis network.
For example, step a205 further includes:
Acquiring the summarized network convergence configuration reference search information of each internet access site according to the fusion information set of the target network convergence configuration reference search information of all the internet access sites behind each internet access site.
And optimizing the parameter configuration information of the classification learning unit by a gradient descent method according to the summarized network convergence configuration reference search information of each Internet access site and the classification information set of the threat attack attribute.
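The training loop of steps A201 to A205 has the shape of a policy-gradient update, which the following added Python example makes concrete; it is not code from the patent. The linear softmax classifier, the three classes, the constructed feature vectors, the 0/1 accuracy reward standing in for the reference search information, counting a site's own reward in its summarized value, and the argmax choice at inference are all assumptions.

```python
import math
import random

# Constructed sample data: one scan-feature vector per threat attack attribute class.
# The three classes and all feature values are assumptions, not taken from the patent.
PROTOTYPES = {
    0: [1.0, 0.0, 0.2],
    1: [0.1, 1.0, 0.0],
    2: [0.0, 0.2, 1.0],
}
NUM_CLASSES = 3
NUM_FEATURES = 3


def class_probabilities(weights, features):
    """Step A202: softmax output of the classification learning unit for one site."""
    logits = [sum(w * x for w, x in zip(row, features)) for row in weights]
    top = max(logits)  # subtract the maximum for numerical stability
    exps = [math.exp(z - top) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]


def sample_attribute(probs, rng):
    """Step A203: random screening, i.e. draw one class from the distribution."""
    return rng.choices(range(len(probs)), weights=probs, k=1)[0]


def site_reward(sampled, reference):
    """Step A204 stand-in (assumption): 1 for an accurate classification, else 0."""
    return 1.0 if sampled == reference else 0.0


def summarized_rewards(rewards):
    """Step A205: fuse each site's reward with the rewards of all later sites."""
    totals, running = [], 0.0
    for reward in reversed(rewards):
        running += reward
        totals.append(running)
    return totals[::-1]


def make_episode(rng, num_sites):
    """Step A201: one reference training sample {X1..XT} with a label per site."""
    labels = [rng.randrange(NUM_CLASSES) for _ in range(num_sites)]
    return [(PROTOTYPES[label], label) for label in labels]


def train(episodes=3000, num_sites=5, learning_rate=0.05, seed=7):
    """Run steps A201-A205 repeatedly and return the trained weight matrix."""
    rng = random.Random(seed)
    weights = [[0.0] * NUM_FEATURES for _ in range(NUM_CLASSES)]
    for _ in range(episodes):
        trajectory, rewards = [], []
        for features, reference in make_episode(rng, num_sites):
            probs = class_probabilities(weights, features)
            sampled = sample_attribute(probs, rng)
            trajectory.append((features, probs, sampled))
            rewards.append(site_reward(sampled, reference))
        returns = summarized_rewards(rewards)
        # Gradient descent on -return * log pi(sampled | features) for each site.
        for (features, probs, sampled), ret in zip(trajectory, returns):
            for k in range(NUM_CLASSES):
                grad_logit = (1.0 if k == sampled else 0.0) - probs[k]
                for j in range(NUM_FEATURES):
                    weights[k][j] += learning_rate * ret * grad_logit * features[j]
    return weights


def classify(weights, features):
    """Inference (assumption): report the most probable threat attack attribute."""
    probs = class_probabilities(weights, features)
    return max(range(NUM_CLASSES), key=lambda k: probs[k])


if __name__ == "__main__":
    trained = train()
    for label, features in PROTOTYPES.items():
        print(label, classify(trained, features),
              [round(p, 3) for p in class_probabilities(trained, features)])
```

Because every site's update is scaled by the summed reward of the sites that follow it, an early misclassification is still reinforced when later sites happen to score well; that noise averages out over many episodes but is the reason the learning rate is kept small.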
Based on the foregoing embodiments, an embodiment that can be implemented independently, where a network convergence configuration reference search information layer is input according to a threat attack attribute and a previously categorized threat attack attribute cluster of each internet access station, and target network convergence configuration reference search information of each internet access station output by the network convergence configuration reference search information layer is obtained, includes:
Step A301, inputting the classification threat attack attribute and the threat attack attribute of each Internet access site into a network convergence configuration reference search information layer, and obtaining first network convergence configuration reference search information of the classification threat attack attribute of each Internet access site output by the network convergence configuration reference search information layer; the first network convergence configuration reference search information is used for representing the classification accuracy of the classification threat attack attribute of each internet access site;
In the embodiment of the present application, in the process of calculating the parameter optimization reference search information, the parameter optimization reference search information is divided into first network convergence configuration reference search information used for representing the classification accuracy of the classification threat attack attribute of each internet access site, and second network convergence configuration reference search information used for representing the attribute update change information of the classification threat attack attribute of each internet access site relative to the attributes of the prior classification threat attack attribute cluster.
For the first network convergence configuration reference search information, it is evaluated according to the classified threat attack attribute and threat attack attribute of each internet access site, for example:
Step A301a, determining the actual threat attack attribute of the scanned vulnerability object of each Internet access site according to the vulnerability sharing migration information and the threat attack attribute corresponding to each Internet access site. The vulnerability sharing migration information corresponding to each Internet access site is recorded in the reference training sample data, and the actual threat attack category is recorded in the threat attack attribute, so the actual threat attack attribute of the scanned vulnerability object can be obtained from these two pieces of information.
Step A301b, determining loss information of the classification threat attack attribute of each Internet access site and the actual threat attack attribute of the scanned vulnerability object, and obtaining first network convergence configuration reference search information of each Internet access site according to the loss information.
The smaller the loss information between the actual threat attack attribute and the classified threat attack attribute, the higher the classification accuracy of the threat attack attribute. The first network convergence configuration reference search information may therefore be determined according to the interval in which the difference falls: for example, the parameter optimization reference search information is 1 when the difference is between 0 and 1, and 0 when the difference is greater than 1, so that the first network convergence configuration reference search information of the t-th internet access site is 0.
Step A302, inputting the classification threat attack attribute and the prior classification threat attack attribute cluster of each Internet access site into a network convergence configuration reference search information layer, and acquiring second network convergence configuration reference search information of each Internet access site output by the network convergence configuration reference search information layer; and the second network convergence configuration reference searching information is used for representing the attribute updating change information of the classified threat attack attribute of each internet access site relative to the attribute of the prior classified threat attack attribute cluster.
According to the method and the device, the accuracy of predicting and classifying the threat attack attribute is evaluated, and meanwhile, the attribute updating change information of the threat attack attribute cluster is further required to be evaluated. For example:
Step A302a, for any internet access site of the at least one internet access site associated with each internet access site, determining an affiliation between the classified threat attack attribute of any internet access site and a previous internet access site associated with any internet access site.
Step A302b, if it is determined that the classification threat attack attribute of any Internet access site covers the classification threat attack attribute of the previous Internet access site associated with any Internet access site, the attribute update change information of any Internet access site is first preset update change information; and if the classification threat attack attribute of any internet access site is determined to belong to the classification threat attack attribute of the previous internet access site associated with any internet access site, the attribute update change information of each internet access site is second preset update change information.
Step A302c, obtaining the second network convergence configuration reference search information of each internet access site according to the attribute update change information of all internet access sites of the at least one internet access site related to each internet access site.
Step A303, combining the first network convergence configuration reference search information and the second network convergence configuration reference search information of each internet access site to obtain the target network convergence configuration reference search information of each internet access site.
That is, when calculating the second network convergence configuration reference search information for each internet access site, the attribution relationship between the classification threat attack attributes of every two associated internet access sites is determined first. For example, to calculate the second network convergence configuration reference search information of the 5th internet access site, the attribution relationships between threat attack attribute 5 and threat attack attribute 4, between threat attack attribute 4 and threat attack attribute 3, between threat attack attribute 3 and threat attack attribute 2, and between threat attack attribute 2 and threat attack attribute 1 are determined respectively, where threat attack attribute n represents the classification threat attack attribute of the nth internet access site.
If the attribute value of threat attack attribute 5 is determined to be greater than that of threat attack attribute 4, the attribute update change information of threat attack attribute 5 is 0; if threat attack attribute 5 is determined to be less than threat attack attribute 4, the attribute update change information of threat attack attribute 5 is 1. It should be noted that, in the embodiment of the present application, the specific values of the attribute update change information are not particularly limited. For another example, if the attribute update change information of threat attack attribute 2 to threat attack attribute 4 is calculated to be 0, 1 and 1, the attribute update change information of the 5th internet access site may be 0+1+1+1=3. Besides summing the attribute update change information of all internet access sites, the embodiment of the present application may also use a weighted average of it as the second network convergence configuration reference search information.
Based on the foregoing embodiment, optimizing the parameter configuration information of the classification learning unit includes:
Step A401, dividing all learning weight information of a classification learning unit into first classification learning weight information and second classification learning weight information, wherein the first classification learning weight information and the second classification learning weight information do not have the same parameter configuration information;
Step A402, generating security vulnerability scanning characteristics according to security vulnerability scanning information;
Step A403, according to the average value of the multidimensional normal distribution of the security vulnerability scanning characteristics and the first classification learning weight information, and according to the standard deviation of the multidimensional normal distribution of the security vulnerability scanning characteristics and the second classification learning weight information, training of parameter configuration information of the classification learning unit is completed.
Based on the foregoing embodiment, the security vulnerability scanning information of the embodiment of the present application may further include a threat attack attribute of each internet access site related to the current internet access site. By using the threat attack attribute of each internet access site related to each internet access site as the security vulnerability scanning information, the threat attack attribute analysis network can repeatedly learn the dynamic change information of the threat attack attribute of each internet access site in the prediction process, so that the accuracy of the threat attack attribute prediction is improved.
Because each internet access site related to each internet access site is dynamically and adaptively updated, the security vulnerability scanning characteristics obtained when these sites are used as security vulnerability scanning information are not fixed. Such security vulnerability scanning information is no longer suitable for the above classification learning unit, but is suitable for a recurrent neural network, a long short-term memory network, and the like.
For example, in the structure description of the initial threat attack attribute analysis network provided in another embodiment of the present application, a network input node of the threat attack attribute analysis network is used to obtain security vulnerability scanning information and threat attack attributes of input reference training sample data, where the security vulnerability scanning information includes vulnerability sharing migration information of each internet access site and vulnerability characteristic information of a scanned vulnerability object, and may also include threat attack attributes of each internet access site related to each internet access site.
Through the threat attack attribute classification unit, the threat attack attribute analysis network may take the security vulnerability scanning information of each step as input and output the classification threat attack attribute of each internet access site. For example, the coding unit layer extracts the security vulnerability scanning information and the security vulnerability scanning feature of the threat attack attribute; the classification information set acquisition layer further processes the security vulnerability scanning feature of the security vulnerability scanning information to obtain the classification information set of the threat attack attribute of each internet access site; and the filtering unit then obtains the classification threat attack attribute of each internet access site by randomly adopting the classification information set of the threat attack attribute of each internet access site.
The target network convergence configuration reference search information of each internet access site is obtained by taking the threat attack attribute and the classification threat attack attribute as input. For example, the first reference search information layer takes the classification threat attack attribute of each internet access site and the security vulnerability scanning characteristic of the threat attack attribute as input, and outputs the first network convergence configuration reference search information of the classification threat attack attribute of each internet access site. A prior classified threat attack attribute cluster of each internet access site is further obtained according to the classified threat attack attribute of each internet access site; the prior classified threat attack attribute cluster of each internet access site comprises a plurality of classification threat attack attributes, arranged in sequence according to the internet access site order, of at least one internet access site related to the internet access site. The second reference search information layer then takes the classification threat attack attribute of each internet access site and the prior classification threat attack attribute cluster as input, and outputs the second network convergence configuration reference search information of each internet access site. Finally, the target network convergence configuration reference search information of each internet access site is obtained according to the first network convergence configuration reference search information and the second network convergence configuration reference search information of each internet access site.
On this basis, the parameter configuration information in the threat attack attribute classification unit can be adjusted according to the target network convergence configuration reference search information of each internet access site and the classification information set of the classification threat attack attributes. For example, the target network convergence configuration reference search information of all internet access sites behind each internet access site is used as input, and the summarized network convergence configuration reference search information of each internet access site is obtained by summation; the summarized network convergence configuration reference search information of each internet access site and the classification information set of the classification threat attack attributes are then optimized through a gradient descent method. After network convergence configuration is completed, the network input node and the threat attack attribute classifying unit are retained, and the threat attack attribute analysis network meeting the network convergence condition is obtained.
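The scoring of steps A301 to A303 and the summation described above, worked through in Python on the five-site example from the text. This is an added example, not code from the patent: the function names, the absolute-difference loss, the treatment of equal values, the additive combination in step A303 and the inclusion of the current site in the summation are all assumptions.

```python
"""Per-site scoring sketch for steps A301-A303 (all names hypothetical)."""
from typing import List, Optional, Sequence


def first_reference_info(classified: float, actual: float) -> int:
    """Step A301b: 1 when the loss lies between 0 and 1, 0 when it exceeds 1."""
    loss = abs(classified - actual)  # assumption: loss is the absolute difference
    return 1 if loss <= 1 else 0


def update_change(current: float, previous: float,
                  first_preset: int = 0, second_preset: int = 1) -> int:
    """Step A302b in the numeric form of the text's example.

    Greater than the previous site's attribute -> first preset value (0),
    smaller -> second preset value (1). Assumption: equal values count as
    'greater', because the text does not cover ties.
    """
    return second_preset if current < previous else first_preset


def second_reference_info(cluster: Sequence[float],
                          weights: Optional[Sequence[float]] = None) -> float:
    """Step A302c: aggregate the update-change values along one site's cluster.

    `cluster` holds the classified attributes of sites 1..n in site order.
    Without weights the values are summed; with weights a weighted average
    is returned, the alternative the text mentions.
    """
    changes = [update_change(cluster[i], cluster[i - 1])
               for i in range(1, len(cluster))]
    if not changes:
        return 0.0  # the first site has no predecessor to compare with
    if weights is None:
        return float(sum(changes))
    if len(weights) != len(changes):
        raise ValueError("need one weight per adjacent pair of sites")
    total = sum(weights)
    if total <= 0:
        raise ValueError("weights must sum to a positive value")
    return sum(w * c for w, c in zip(weights, changes)) / total


def target_reference_info(classified: Sequence[float],
                          actual: Sequence[float]) -> List[float]:
    """Step A303: combine both scores per site (assumption: by addition)."""
    if len(classified) != len(actual):
        raise ValueError("one actual attribute is required per site")
    targets = []
    for n in range(len(classified)):
        first = first_reference_info(classified[n], actual[n])
        second = second_reference_info(classified[: n + 1])
        targets.append(first + second)
    return targets


def summarized_reference_info(targets: Sequence[float]) -> List[float]:
    """Sum the target values of each site and of all sites after it.

    Assumption: the site's own value is included in its sum. These are the
    per-site quantities the text then feeds to gradient descent.
    """
    summarized = [0.0] * len(targets)
    running = 0.0
    for i in range(len(targets) - 1, -1, -1):
        running += targets[i]
        summarized[i] = running
    return summarized


# Constructed sample data: five sites, numeric attribute values.
CLASSIFIED = [3, 5, 4, 2, 1]
ACTUAL = [3, 4, 6, 2, 4]

if __name__ == "__main__":
    per_site = target_reference_info(CLASSIFIED, ACTUAL)
    print("second score of site 5:", second_reference_info(CLASSIFIED))
    print("target per site:       ", per_site)
    print("summarized per site:   ", summarized_reference_info(per_site))
```

With the constructed values, the update-change values for sites 2 to 5 are 0, 1, 1 and 1, so the second score of the 5th site is 3, as in the text.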
For example, based on the same inventive concept, an embodiment of the present application provides a training method for threat attack attributes, including:
Step A501, at least one piece of reference training sample data is obtained, wherein the reference training sample data comprises security vulnerability scanning information and threat attack attributes of each Internet access site in a previous training process.
Step A502, inputting security vulnerability scanning information of each Internet access site in reference training sample data into a classification learning unit of an initial threat attack attribute analysis network, and obtaining a classification information set of the threat attack attribute of each Internet access site output by the classification learning unit.
Step A503, extracting key attributes according to the classification information set of the threat attack attributes, and obtaining the classification threat attack attributes of each Internet access site.
Step A504, inputting the threat attack attribute in the reference training sample data and the prior classification threat attack attribute cluster of each Internet access site into a network convergence configuration reference search information layer, and obtaining target network convergence configuration reference search information of each Internet access site output by the network convergence configuration reference search information layer.
Step A505, according to the target network convergence configuration reference search information of each Internet access site and the classification information set of the classification threat attack attribute, optimizing the parameter configuration information of the classification learning unit, and taking the classification learning unit meeting the network convergence condition as the target threat attack attribute analysis network.
Fig. 3 is a schematic diagram illustrating a hardware structure of a deep learning cloud system 100 for implementing the above-described internet vulnerability optimization method based on big data mining according to an embodiment of the present application. As shown in Fig. 3, the deep learning cloud system 100 may include a processing chip 110, a machine-readable storage medium 120, a bus 130, and a communication unit 140.
In a specific implementation process, at least one processing chip 110 executes computer-executable instructions stored in the machine-readable storage medium 120, so that the processing chip 110 may execute the method for optimizing the internet vulnerability based on big data mining according to the above method embodiment. The processing chip 110, the machine-readable storage medium 120, and the communication unit 140 are connected through the bus 130, and the processing chip 110 may be configured to control the transceiving action of the communication unit 140, so as to perform data transceiving with the aforementioned internet service platform 200.
For a specific implementation process of the processing chip 110, reference may be made to the above-mentioned method embodiments executed by the deep learning cloud system 100, and the implementation principle and the technical effect are similar, which are not described herein again.
In addition, an embodiment of the present application further provides a readable storage medium, where a computer execution instruction is preset in the readable storage medium, and when a processing chip executes the computer execution instruction, the method for optimizing the internet vulnerability based on big data mining is implemented.
Finally, it should be understood that the examples in this specification are only intended to illustrate the principles of the examples in this specification. Other variations are also possible within the scope of this description. Accordingly, by way of example, and not limitation, alternative configurations of the embodiments of the specification can be seen as matching the teachings of the specification. Accordingly, the embodiments of the present description are not limited to only those embodiments explicitly described and depicted herein.

Claims (10)

1. The internet vulnerability optimization method based on big data mining is applied to a deep learning cloud system, wherein the deep learning cloud system is in communication connection with a plurality of internet service platforms, and the method comprises the following steps:
acquiring risk behavior big data of a target internet service platform according to threat attack attributes of the target internet service platform on a current internet access site, and performing security information tracking on the risk behavior big data through a security information tracking model to obtain security information tracking data of an internet access interaction channel in the risk behavior big data;
carrying out intelligence knowledge map analysis based on the safety intelligence tracking data of the Internet access interaction channel to obtain a target intelligence knowledge map of the Internet access interaction channel;
performing risk behavior triggering track analysis on the risk behavior big data based on a deep learning neural network to obtain a risk behavior triggering track of the Internet access interaction channel;
and carrying out threat information penetration chain pairing on a target information knowledge graph of an internet access interaction channel in the risk behavior big data and a risk behavior triggering track of the internet access interaction channel to obtain threat information penetration chain pairing information of the internet access interaction channel, carrying out core vulnerability extraction to be optimized on the risk behavior big data based on the threat information penetration chain pairing information of the internet access interaction channel, and obtaining a core vulnerability group to be optimized of the internet access interaction channel, wherein the core vulnerability group to be optimized is used for carrying out internet vulnerability optimization.
2. The internet vulnerability optimization method based on big data mining according to claim 1, wherein the obtaining of the security intelligence tracking data of the internet access interaction channel in the big risk behavior data by performing security intelligence tracking on the big risk behavior data through a security intelligence tracking model comprises:
obtaining a suspicious attack tracing information set generated by internet service of each risk behavior data in the risk behavior big data, wherein the suspicious attack tracing information set comprises suspicious attack tracing information taking each suspicious attack object as a tracing target, and the suspicious attack tracing information comprises suspicious attack quotation information of the suspicious attack object, a suspicious attack quotation result and attack trend information in the suspicious attack object;
for each suspicious attack object, and for each attack trend grid of a plurality of attack trend grids in the attack trend information of the suspicious attack object of each risk behavior data, determining whether each attack characteristic vector in the attack trend grid is an effective attack characteristic vector according to the class attribute of the attack characteristic vector in the attack trend grid, determining the safety information of each attack routing node corresponding to the attack trend grid according to the track information of the effective attack characteristic vector in the attack trend grid, dividing the safety information of each attack routing node into a plurality of safety information unit information, and determining, according to the safety information of each attack characteristic vector in each safety information unit information and a preset attack source configuration list, whether the safety information of each attack routing node is the safety information of a preset blacklist attack source, wherein each attack characteristic vector corresponds to each attack launching flow;
and obtaining the security information tracking data of the internet access interaction channel in the risk behavior big data based on the determined security information of the preset blacklist attack source.
3. The internet vulnerability optimization method based on big data mining according to claim 2, wherein the step of obtaining the security intelligence tracking data of internet access interaction channels in the risky behavior big data based on the determined security intelligence information of the preset blacklist attack sources comprises:
acquiring an information matching content attribute of each attack characteristic vector in the safety information of a preset blacklist attack source matched by a preset information matching template, wherein the information matching content attribute comprises an information content capture attribute and an information content information characteristic, and the preset information matching template comprises template description information corresponding to different information content attributes;
determining active information derived information of active information characteristics and passive information derived information of passive information characteristics of each information content according to information matching content attributes of each attack trend information of different suspicious attack objects in the suspicious attack tracing information set; determining each risk behavior data in an information content node of the suspicious attack object according to the active information derived information of the active information characteristics and the passive information derived information of the passive information characteristics of each information content in the safety information of the preset blacklist attack source; and, after using the safety information node information in an information grid interval of the information content node and related to the information content of the information content node outside the information grid interval of the information content of the suspicious attack source as the safety information node information of each risk behavior data in the suspicious attack object, summarizing the safety information node information of each risk behavior data in all suspicious attack objects to obtain the safety information tracking data of the internet access interaction channel in the risk behavior big data.
4. The internet vulnerability optimization method based on big data mining according to claim 1, wherein the step of performing intelligence knowledge graph analysis based on the security intelligence tracking data of the internet access interaction channel to obtain the target intelligence knowledge graph of the internet access interaction channel comprises:
acquiring intelligence route calling information of an intelligence route description cluster marked on associated intelligence header information of each safety intelligence node information in safety intelligence tracking data of the Internet access interaction channel, and determining a first intelligence knowledge entity sequence corresponding to the intelligence route calling information, wherein the intelligence route calling information comprises calling flow node information of intelligence flow information determined according to intelligence source information and intelligence application information of the intelligence route description cluster, and the first intelligence knowledge entity sequence comprises a generation flow sequence of a plurality of intelligence knowledge entities of the calling flow node information;
determining a first intelligence segment of related intelligence header information of each safety intelligence node information based on intelligence source information and a second intelligence segment based on intelligence application information;
determining first clustering mining information for performing K-means clustering on the first intelligence knowledge entity sequence according to the intelligence knowledge entity sequence of the first intelligence segment and the second intelligence segment;
performing K-means clustering on the first information knowledge entity sequence based on the first clustering mining information to obtain a second information knowledge entity sequence;
performing frequent item mining on the second intelligence knowledge entity sequence to obtain a plurality of frequent item mining sets, and performing coding unit on each frequent item mining set to obtain frequent item mining characteristics;
according to a plurality of frequent item mining characteristics corresponding to the second information knowledge entity sequence, determining an information knowledge graph of each safety information node information;
and obtaining a target intelligence knowledge graph of the Internet access interaction channel based on the intelligence knowledge graph of each piece of safety intelligence node information.
5. The internet vulnerability optimization method based on big data mining according to claim 1, wherein the step of analyzing the risk behavior triggering trajectory of the big risk behavior data based on the deep learning neural network to obtain the risk behavior triggering trajectory of the internet access interaction channel comprises:
inputting the risk behavior big data into a preset deep learning neural network to obtain the correlation degree of the risk behavior big data matched with each preset neural unit, wherein the preset deep learning neural network is configured with the corresponding relation between the risk behavior coding vectors of different risk behavior big data and the correlation parameters of each preset neural unit;
determining a target neural unit corresponding to the risk behavior big data according to the relevance of the risk behavior big data matched with each preset neural unit;
and extracting a risk behavior triggering track matched with each Internet access interaction channel from the mining information of the risk behavior triggering node of the target neural unit corresponding to the risk behavior big data.
6. The internet vulnerability optimization method based on big data mining according to any one of claims 1-5, wherein the step of performing threat intelligence penetration chain pairing on the target intelligence knowledge graph of the internet access interaction channel in the big risk behavior data and the risk behavior triggering track of the internet access interaction channel to obtain threat intelligence penetration chain pairing information of the internet access interaction channel comprises:
adding the target intelligence knowledge graph and the risk behavior triggering track of the Internet access interaction channel into a pairing space, and determining infiltration partition related information of the target intelligence knowledge graph and the risk behavior triggering track of the Internet access interaction channel corresponding to each preset threat intelligence infiltration partition from the pairing space;
clustering the penetration partition related information according to the attack sources of the partition relation of the preset threat information penetration partitions in each different piece of penetration partition related information, to obtain at least one penetration partition related information group; wherein the attack sources of the partition relation of the preset threat information penetration partitions in any two pieces of penetration partition related information in the same penetration partition related information group cover a preset attack source configuration list;
for each relevant information group of the infiltration subareas, based on relevant information of each infiltration subarea in the relevant information group of the infiltration subareas, determining relevant information of the relevant information group of the infiltration subareas for a unit subarea corresponding to a target information knowledge graph and a risk behavior triggering track of the Internet access interaction channel from the pairing space; the unit partition related information at least comprises migration data of each infiltration migration relationship of each infiltration partition related information in an infiltration partition related information group aiming at a target information knowledge graph and a risk behavior triggering track of the Internet access interaction channel, and the unit partition related information is used for determining infiltration output information of the infiltration relationship of a preset threat information infiltration partition in each infiltration partition related information in the infiltration partition related information group corresponding to the target information knowledge graph and the risk behavior triggering track of the Internet access interaction channel;
and determining the penetration output information of the penetration relationship corresponding to the preset threat information penetration partition in the penetration partition related information in each penetration partition related information group based on the unit partition related information, matching the penetration output information of the penetration relationship to obtain partition related information, and obtaining threat information penetration chain pairing information of the internet access interaction channel according to the partition related information.
7. The internet vulnerability optimization method based on big data mining according to claim 6, wherein the step of determining the penetration output information of the penetration relationship corresponding to the preset threat intelligence penetration partition in each penetration partition related information in the penetration partition related information group based on the unit partition related information comprises:
determining threat information abstract information and a threat information attack label of the unit partition related information, determining a plurality of threat information penetration matrixes according to a plurality of penetration targets in a prior penetration target sequence, performing penetration content extension according to penetration content parameters of each penetration target in each threat information penetration matrix and the threat information attack label in the threat information abstract information to obtain a plurality of penetration content extension results corresponding to the plurality of threat information penetration matrixes respectively, and taking the penetration marking information of the threat information penetration matrix corresponding to each penetration content extension result as the target penetration marking information of each penetration content extension result;
respectively obtaining penetration track information which determines relevant information of each penetration subarea corresponding to the threat information attack label in the threat information abstract information based on a plurality of penetration content extension results to obtain a plurality of penetration track information, integrating the plurality of penetration track information obtained based on the plurality of penetration content extension results according to target penetration marking information of each penetration content extension result to obtain a first penetration track information set, wherein the penetration marking information between any two penetration targets in each threat information penetration matrix is the same, the penetration marking information corresponding to different threat information penetration matrices is different, and each penetration content extension result is used for determining shared information head information corresponding to a preset threat penetration subarea in relevant information of each penetration subarea corresponding to the threat information attack label in any preset penetration range, the penetration content extension result is obtained by performing penetration content extension according to a prior penetration target sequence;
according to the prior penetration target sequence and shared header information of a plurality of preset threat information penetration subareas corresponding to the threat information attack labels, obtaining penetration results of the preset threat information penetration subareas between the threat information abstract information and the threat information attack labels, and taking a target penetration track point sequence corresponding to the penetration results corresponding to the preset threat information penetration subareas as a second penetration track information set;
and comparing penetration track intersection information of the first penetration track information set and the second penetration track information set, and determining penetration output information of a penetration relation corresponding to each preset threat information penetration partition according to the penetration track intersection information and shared context header information of each preset threat information penetration partition.
8. The internet vulnerability optimization method based on big data mining according to claim 7, wherein determining penetration output information of penetration relationship corresponding to each preset threat intelligence penetration partition according to the penetration track intersection information and the shared context header information of each preset threat intelligence penetration partition comprises:
determining interactive intelligence characteristic information of a service dynamic environment corresponding to each preset threat intelligence infiltration subarea based on the infiltration track intersection information, and determining interactive intelligence matching characteristic information of each preset threat intelligence infiltration subarea through intelligence pairing information of shared intelligence header information of each preset threat intelligence infiltration subarea in corresponding infiltration subarea related information;
and determining the penetration output information of the penetration relation corresponding to each preset threat intelligence penetration partition based on the interactive intelligence characteristic information and the interactive intelligence matching characteristic information.
9. The internet vulnerability optimization method based on big data mining according to any one of claims 1-8, wherein the core vulnerability group to be optimized is used for internet vulnerability optimization, and comprises:
obtaining core vulnerability extraction information to be optimized of the Internet access interaction channel under the risk behavior big data;
acquiring a core vulnerability group to be optimized under the extraction information of the core vulnerabilities to be optimized and vulnerability optimization firmware information corresponding to each core vulnerability to be optimized in the core vulnerability group to be optimized;
and performing internet vulnerability optimization on the target internet service platform based on vulnerability optimization firmware information corresponding to each core vulnerability to be optimized.
10. A deep learning cloud system, comprising:
a machine readable storage medium for storing a computer program;
a processing chip, configured to execute the computer program to perform the internet vulnerability optimization method based on big data mining according to any one of claims 1 to 9.
CN202210183862.7A 2022-02-28 2022-02-28 Internet vulnerability optimization method based on big data mining and deep learning cloud system Withdrawn CN114584360A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210183862.7A CN114584360A (en) 2022-02-28 2022-02-28 Internet vulnerability optimization method based on big data mining and deep learning cloud system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210183862.7A CN114584360A (en) 2022-02-28 2022-02-28 Internet vulnerability optimization method based on big data mining and deep learning cloud system

Publications (1)

Publication Number Publication Date
CN114584360A true CN114584360A (en) 2022-06-03

Family

ID=81771672

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210183862.7A Withdrawn CN114584360A (en) 2022-02-28 2022-02-28 Internet vulnerability optimization method based on big data mining and deep learning cloud system

Country Status (1)

Country Link
CN (1) CN114584360A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115001849A (en) * 2022-07-06 2022-09-02 济南鲁通汇元电子科技有限公司 Vulnerability repair method and vulnerability repair system for big data security vulnerability mining
CN115001849B (en) * 2022-07-06 2023-11-10 湖北集防科技有限公司 Vulnerability restoration method and vulnerability restoration system aiming at big data security vulnerability mining

Similar Documents

Publication Publication Date Title
JP7086972B2 (en) Continuous learning for intrusion detection
US11481684B2 (en) System and method for machine learning model determination and malware identification
US10789367B2 (en) Pre-cognitive security information and event management
US10262143B2 (en) System and method for modeling and analyzing the impact of cyber-security events on cyber-physical systems
Qolomany et al. Trust-based cloud machine learning model selection for industrial IoT and smart city services
US11106801B1 (en) Utilizing orchestration and augmented vulnerability triage for software security testing
CN114584361A (en) Security vulnerability analysis method based on deep learning and big data and cloud computing system
CN111783105A (en) Penetration testing method, device, equipment and storage medium
US11569981B1 (en) Blockchain network based on machine learning-based proof of work
CN113360762A (en) Artificial intelligence based content recommendation method and artificial intelligence content recommendation system
Alqatawna et al. Toward a detection framework for android botnet
CN114584360A (en) Internet vulnerability optimization method based on big data mining and deep learning cloud system
Flora Improving the security of microservice systems by detecting and tolerating intrusions
CN113364786A (en) Component configuration method based on security cloud service big data and AI cloud service system
US10965696B1 (en) Evaluation of anomaly detection algorithms using impersonation data derived from user data
KR20210046423A (en) Method and Apparatus for Security Management Based on Machine Learning
CN114201199B (en) Protection upgrading method based on big data of information security and information security system
Dubey et al. Investigating the Impact of Feature Reduction through Information Gain and Correlation on the Performance of Error Back Propagation Based IDS
CN114238992A (en) Threat vulnerability mining method based on big information security data and information security system
CN113364788A (en) Protection configuration updating method based on big data and AI and big data defense system
Sagu Machine Learning Decision Tree Classifier and Logistics Regression Model
US11736510B2 (en) Domain security assurance automation
US11763006B1 (en) Comparative real-time end-to-end security vulnerabilities determination and visualization
US11874934B1 (en) Providing user-induced variable identification of end-to-end computing system security impact information systems and methods
KR102618707B1 (en) Device and method for generating learning data utilizing penetration test attack data, and learning device and method for artificial neural network model utilizing the learning data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220603
