CN114785545A - Threat situation analysis method and threat perception system combined with big data AI analysis

Publication number
CN114785545A
Authority
CN
China
Prior art keywords
threat
perception
variable
information
protection
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202210249025.XA
Other languages
Chinese (zh)
Inventor
张开维
刘章文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Mao Chaoming
Original Assignee
Linyi Gaobo Photoelectric Technology Co ltd
Application filed by Linyi Gaobo Photoelectric Technology Co ltd
Priority to CN202210249025.XA
Publication of CN114785545A
Current legal status: Withdrawn

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/04: Architecture, e.g. interconnection topology
    • G06N3/045: Combinations of networks
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/08: Learning methods
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic

Abstract

The embodiments of the application provide a threat situation analysis method and a threat perception system combined with big data AI analysis. Threat perception information data undergoes information characteristic output based on a threat perception chain and threat continuous perception variable analysis, which outputs a first threat continuous perception variable sequence. Derivative aggregation in multiple modes is then carried out, outputting a second threat continuous perception variable sequence and a third threat continuous perception variable sequence. Initial model development and updating can therefore be carried out on the threat situation decision model according to the threat continuous perception variable sequences in different derivative convergence modes, without considering in advance threat perception information data of a calibrated threat development situation. This reduces the data quantity requirement on threat perception information data of the calibrated threat development situation, and the threat situation analysis performance for target threat perception information data can be improved.

Description

Threat situation analysis method and threat perception system combined with big data AI analysis
Technical Field
The application relates to the technical field of AI and big data, in particular to a threat situation analysis method and a threat perception system combined with big data AI analysis.
Background
With the development of internet information technology, the information security of the cloud platform is critical for the relevant internet service providers. In the related technology, the cloud platform usually performs threat situation analysis using big data and AI technology: it systematically analyzes the threats faced by the information system and its vulnerabilities, and evaluates the degree of damage a security event could cause once it occurs, so as to prevent information security risks or control them at an acceptable level, and to guarantee the security of the information system to the maximum extent. However, in the related art it is difficult to collect a large amount of threat awareness intelligence data of the calibrated threat development situation in a short time, which in turn affects the reliability of threat situation decisions made on threat awareness intelligence data using artificial intelligence technology.
Disclosure of Invention
In order to overcome at least the above disadvantages of the prior art, the present application aims to provide a threat situation analysis method and a threat perception system in combination with big data AI analysis.
In a first aspect, the present application provides a threat situation analysis method combined with big data AI analysis, applied to a threat awareness system, the method including:
carrying out threat perception chain-based information characteristic output on first threat perception information data, carrying out threat continuous perception variable analysis on each piece of threat perception chain data obtained by information characteristic output, and outputting a first threat continuous perception variable sequence, wherein the first threat continuous perception variable sequence correspondingly represents a first threat continuous perception variable associated with each piece of threat perception chain data, and the first threat perception information data are threat perception information data without a threat development situation being calibrated;
deriving and converging the first threat continuous perception variables in the first threat continuous perception variable sequence, and outputting a second threat continuous perception variable sequence and a third threat continuous perception variable sequence, wherein the second threat continuous perception variables in the second threat continuous perception variable sequence correspond to different derived convergence patterns with the third threat continuous perception variables in the third threat continuous perception variable sequence;
combining the second threat continuous perception variable sequence and the third threat continuous perception variable sequence to carry out initial-order model development and updating on a threat situation decision model, wherein the threat situation decision model is used for carrying out threat situation decision on a threat perception information unit in target threat perception information data;
and carrying out advanced model development and updating on the threat situation decision model updated by the initial model development by combining second threat perception information data, carrying out threat situation decision on a threat perception information unit in target threat perception information data according to the threat situation decision model updated by the advanced model development, outputting threat situation decision information and then using the threat situation decision information as safety solidified firmware development source data, wherein the second threat perception information data is threat perception information data with a calibrated threat development situation.
In some possible embodiments, the method further comprises:
combining the threat situation decision model to carry out threat situation decision on threat perception information units in target threat perception information data corresponding to a target cloud Internet service system, and outputting a threat development situation associated with the target threat perception information data;
acquiring threat protection activity triggering information corresponding to the current threat protection application by combining each threat development situation variable corresponding to the threat development situation associated with the target threat perception information data;
loading threat protection activity trigger information to each threat protection scheduling container in combination with threat protection scheduling information of the threat protection application, wherein the threat protection activity trigger information comprises threat protection activities to be triggered and protection rule set information related to the threat protection activities;
acquiring a threat protection scheduling knowledge network of each threat protection scheduling container combined with the threat protection activity triggering information scheduling;
acquiring threat protection concern variable of a threat protection scheduling knowledge network responding to each threat protection scheduling container according to a preset threat protection concern library, and outputting a threat protection concern sequence, wherein the threat protection concern sequence comprises a plurality of threat protection concerns;
obtaining frequent item contact variables corresponding to each threat protection concern item in the threat protection concern item sequence and each threat protection scheduling knowledge network;
sorting the threat protection concern items by combining the frequent item contact variables corresponding to the threat protection concern items and the threat protection concern values of the threat protection concern items, and outputting corresponding threat protection concern item clusters;
generating a threat protection scheduling container set corresponding to the threat protection scheduling knowledge network based on the threat protection concern item cluster, wherein the threat protection scheduling container set comprises a plurality of threat protection scheduling containers;
determining the target threat protection scheduling container from the plurality of threat protection scheduling containers;
and carrying out threat protection instruction scheduling on the threat protection activities based on the plurality of target threat protection scheduling containers, and carrying out collaborative recording on scheduling data of the target threat protection scheduling containers in a threat protection instruction scheduling process.
In some possible embodiments, the sorting the threat protection concern items and outputting a corresponding threat protection concern item cluster by combining the frequent item contact variables corresponding to the threat protection concern items and the threat protection concern values of the threat protection concern items includes:
combining frequent item contact variables corresponding to the threat protection concern items and threat protection concern values of the threat protection concern items, performing intelligence characteristic output on the threat protection concern items, and outputting a plurality of threat protection concern item sets;
sorting each threat protection concern item set by combining threat protection concern values of each threat protection concern item in each threat protection concern item set, sorting each threat protection concern item in each threat protection concern item set respectively, and outputting the threat protection concern item cluster;
and the target threat protection scheduling container is determined by combining the sequencing positions of the threat protection concerns corresponding to the threat protection scheduling containers in the threat protection concern cluster.
For example, in some possible embodiments, the obtaining frequent item association variables corresponding to each threat protection concern in the sequence of threat protection concerns and the threat protection scheduling knowledge network includes:
respectively inputting the threat protection concern items into a pre-trained frequent item contact analysis network, analyzing frequent item contact variables of the threat protection concern items by a frequent item contact variable extraction unit based on frequent item contact learning in the pre-trained frequent item contact analysis network, and outputting the frequent item contact variables corresponding to the threat protection concern items generated by the frequent item contact variable extraction unit;
the combining the frequent item contact variables corresponding to the threat protection concern items and the threat protection concern values of the threat protection concern items, sorting the threat protection concern items, and outputting corresponding threat protection concern item clusters includes:
respectively inputting the threat protection concern items and frequent item contact variables corresponding to the threat protection concern items into a threat protection concern value analysis unit in the pre-trained frequent item contact analysis network, analyzing and sequencing the threat protection concern items based on the threat protection concern value analysis unit, and outputting a first decision variable set of frequent item contact training information generated by the threat protection concern value analysis unit, wherein each threat protection concern item variable in the first decision variable set forms the threat protection concern item cluster;
generating a threat prevention scheduling container set corresponding to the threat prevention scheduling knowledge network based on the threat prevention concern item cluster, including: inputting the decision variable set into an attention variable extraction unit in the pre-trained frequent item contact analysis network, extracting attention variables based on the attention variable extraction unit, and outputting the threat protection scheduling container set generated by the attention variable extraction unit;
the pre-trained frequent item contact analysis network is trained by combining a training example data set comprising a plurality of basic training example data, wherein the training example data in the training example data set comprises example threat protection concerns with frequent item contact variables, and the frequent item contact variables represent frequent item contact information between the example threat protection concerns and example threat protection activities.
For example, in some possible embodiments, the frequent item contact analysis network is trained according to the following steps:
obtaining the training example data sets for a plurality of example threat prevention activities;
combining training example data in the training example data set, and performing wandering network weight optimization on the fuzzy tone frequent item contact analysis network to obtain the pre-trained frequent item contact analysis network; wherein, the optimization process of each wandering network weight is realized according to the following steps:
selecting a group of training example data aiming at the same example threat protection activity from the training example data set, respectively inputting example threat protection concerned items contained in each selected training example data into a frequent item contact variable extraction unit for frequent item contact learning in the fuzzy tone frequent item contact analysis network, and outputting frequent item contact variables corresponding to the example threat protection concerned items generated by the frequent item contact variable extraction unit;
determining a first cost value based on training cost values between frequent item contact variables corresponding to the threat protection concern items and corresponding frequent item contact variables; and
respectively inputting example threat protection concern items in each selected training example data and frequent item contact variables corresponding to the example threat protection concern items into a threat protection concern value analysis unit in the fuzzy tone frequent item contact analysis network, performing intelligence characteristic output on the example threat protection concern items based on the threat protection concern value analysis unit, and outputting a plurality of threat protection concern item sets;
ranking each threat protection concern item set based on the threat protection concern value analysis unit, and outputting a second decision variable set of frequent item contact training information generated by the threat protection concern value analysis unit;
inputting the second decision variable set into an attention variable extraction unit in the fuzzy tone frequent item association analysis network, extracting an attention variable based on the attention variable extraction unit, and outputting an attention variable set generated by the attention variable extraction unit, wherein the attention variable set comprises a plurality of attention training variables;
constructing a second cost value based on the distinguishing parameter values of the attention training variable in the attention variable set and the example attention variable in the example attention variable set; and
constructing a third cost value based on the concerned variable value of the concerned variable of the threat protection concerned item in each threat protection concerned item set; and combining the first cost value, the second cost value and the third cost value to carry out network training on the fuzzy tone frequent item contact analysis network.
For example, in some possible embodiments, the constructing a second cost value based on the distinguishing parameter values of the attention training variable in the attention variable set and the example attention variable in the example attention variable set includes:
for any attention training variable, determining a distinguishing parameter value of the attention training variable in the attention training variable set and an example attention variable in an example attention variable set based on a past importance value of the attention training variable in a preset attention training variable segment cluster and a past importance value of the attention training variable in the threat protection concern sequence, and constructing the second cost value based on the determined distinguishing parameter value.
In a second aspect, an embodiment of the present application further provides a threat situation analysis system combined with big data AI analysis, where the threat situation analysis system combined with big data AI analysis includes a threat awareness system and at least one cloud internet service system in communication connection with the threat awareness system;
the threat awareness system is to:
carrying out threat perception chain-based information characteristic output on first threat perception information data, carrying out threat continuous perception variable analysis on each threat perception chain data obtained by the information characteristic output, and outputting a first threat continuous perception variable sequence, wherein the first threat continuous perception variable sequence correspondingly represents a first threat continuous perception variable associated with each threat perception chain data, and the first threat perception information data is threat perception information data which is not marked with a threat development situation;
deriving and converging the first threat continuous perception variables in the first threat continuous perception variable sequence, and outputting a second threat continuous perception variable sequence and a third threat continuous perception variable sequence, wherein the second threat continuous perception variables in the second threat continuous perception variable sequence correspond to different derived convergence patterns with the third threat continuous perception variables in the third threat continuous perception variable sequence;
combining the second threat continuous perception variable sequence and the third threat continuous perception variable sequence to carry out initial-order model development and updating on a threat situation decision model, wherein the threat situation decision model is used for carrying out threat situation decision on a threat perception information unit in target threat perception information data;
and carrying out advanced model development and updating on the threat situation decision model developed and updated by the initial-order model by combining second threat perception information data, carrying out threat situation decision on a threat perception information unit in target threat perception information data according to the advanced model developed and updated threat situation decision model, outputting threat situation decision information and then using the threat situation decision information as safety solidified firmware development source data, wherein the second threat perception information data is threat perception information data with a calibrated threat development situation.
Combining the above aspects, a first threat continuous perception variable sequence is output by performing threat perception chain-based information characteristic output and threat continuous perception variable analysis on threat perception information data. Multi-mode derivative convergence is performed on the first threat continuous perception variables in the first threat continuous perception variable sequence, and a second threat continuous perception variable sequence and a third threat continuous perception variable sequence are output. Initial-order model development and updating is then performed on the threat situation decision model based on the threat continuous perception variable sequences in different derivative convergence modes, without considering in advance threat perception information data of a calibrated threat development situation, which reduces the data quantity requirement on threat perception information data of the calibrated threat development situation. Advanced model development and updating is then performed, according to threat perception information data of the calibrated threat development situation, on the threat situation decision model updated by the initial-order model development. This improves the decision performance of the threat situation decision model, so the threat situation analysis performance for target threat perception information data can be improved.
Drawings
Fig. 1 is a schematic flowchart of a threat situation analysis method combined with big data AI analysis according to an embodiment of the present application;
Fig. 2 is a schematic block diagram of a structure of a threat awareness system for implementing the threat situation analysis method in conjunction with big data AI analysis according to an embodiment of the present application.
Detailed Description
The architecture of the threat situation analysis system 10 combined with big data AI analysis according to an embodiment of the present application is described below. The threat situation analysis system 10 combined with big data AI analysis may include a threat awareness system 100 and a cloud internet service system 200 communicatively connected to the threat awareness system 100. In this embodiment, the threat awareness system 100 and the cloud internet service system 200 may cooperatively perform the threat situation analysis method combined with big data AI analysis described in the following method embodiments; for the specific steps performed by the threat awareness system 100 and the cloud internet service system 200, refer to the detailed description of the method embodiments below.
The threat situation analysis method combined with big data AI analysis provided by the present embodiment may be executed by the threat awareness system 100, and is described in detail below with reference to fig. 1.
STEP101: carry out threat perception chain-based information characteristic output on first threat perception information data, carry out threat continuous perception variable analysis on each piece of threat perception chain data obtained by the information characteristic output, and output a first threat continuous perception variable sequence. The first threat continuous perception variable sequence represents the first threat continuous perception variable associated with each piece of threat perception chain data, and the first threat perception information data is threat perception information data whose threat development situation has not been calibrated.
In some possible embodiments, the threat situation decision model is applicable to any service environment in which the threat development situation corresponding to target threat awareness information data is determined and analyzed, so the first threat awareness information data may be target threat awareness information data of any service label. The first threat awareness intelligence data is a set of target threat awareness intelligence data whose threat development situation has not been calibrated.
In some possible embodiments, after the first threat awareness intelligence data is obtained, the target threat awareness intelligence data is first subjected to intelligence feature output based on the threat awareness chain. In some possible embodiments, the intelligence feature output may turn the first threat awareness intelligence data into threat awareness chain data of the same awareness interval, with different threat awareness chain data carrying different target threat awareness intelligence data information.
After the intelligence characteristic output is finished, threat continuous perception variable analysis is carried out on each threat perception chain data obtained by the intelligence characteristic output.
STEP102: derive and converge the first threat continuous perception variables in the first threat continuous perception variable sequence, and output a second threat continuous perception variable sequence and a third threat continuous perception variable sequence, wherein the second threat continuous perception variables in the second threat continuous perception variable sequence and the third threat continuous perception variables in the third threat continuous perception variable sequence correspond to different derived convergence patterns.
In some possible embodiments, after the first threat continuous perception variable sequence is output, each first threat continuous perception variable in the sequence undergoes different derivative aggregations, and a second threat continuous perception variable sequence and a third threat continuous perception variable sequence are output.
In some possible embodiments, the target threat perception intelligence data information indicated by each second threat continuous perception variable in the second threat continuous perception variable sequence differs from that indicated by each third threat continuous perception variable in the third threat continuous perception variable sequence; that is, different aggregated forms of the threat continuous perception variables in the first threat perception intelligence data are output according to the different derived aggregation patterns.
After derivation and convergence, the number of second threat continuous perception variables output is the same as the number of first threat continuous perception variables in the first threat continuous perception variable sequence, and the number of third threat continuous perception variables is likewise the same as the number of first threat continuous perception variables.
STEP103: combine the second threat continuous perception variable sequence and the third threat continuous perception variable sequence to carry out initial-order model development and updating on a threat situation decision model, wherein the threat situation decision model is used for making threat situation decisions on the threat perception information units in the target threat perception information data.
The initial-order model development and updating refers to a process of performing weight optimization on the threat situation decision model according to the example model training data set so that the threat situation decision model learns the threat situation feature expression in the example model training data set. The purpose of the initial-stage model development updating is to provide higher-value learning parameter layer configuration information for the training of a subsequent threat situation decision model on example model training data.
Because the second threat continuous perception variables in the second threat continuous perception variable sequence and the third threat continuous perception variables in the third threat continuous perception variable sequence are threat continuous perception variables of different derivative variable partitions, once each second threat continuous perception variable and each third threat continuous perception variable has been loaded into the threat situation decision model, unsupervised weight parameter updating of the threat situation decision model can be realized by combining the threat situation decision information obtained. The initial-order model weight parameter updating therefore does not need threat perception information data of the calibrated threat development situation, and the number of training labels to be calibrated can be reduced.
The threat situation decision model is used for carrying out threat situation decision on threat perception information units in target threat perception information data, and in some possible embodiments, the threat situation decision model can identify the threat situation of single target threat perception information data, and can also carry out threat situation decision on each target threat perception information data in a target threat perception information data set so as to complete the threat situation decision of the target threat perception information data set.
STEP104, performing advanced model development and updating, in combination with second threat perception information data, on the threat situation decision model that has undergone initial model development and updating, so as to perform threat situation decision on the threat perception information units in the target threat perception information data according to the threat situation decision model after advanced model development and updating, and outputting threat situation decision information as the safety-solidified firmware development source data, wherein the second threat perception information data is threat perception information data with a calibrated threat development situation.
Advanced model development and updating is a process of performing weight optimization on the threat situation decision model according to a small example model training data set with calibrated threat development situations. A supervised AI training form is adopted in this weight parameter updating stage, so the advanced model development and updating is performed on the threat situation decision model updated by the initial model development, using second threat perception information data with calibrated threat development situations.
The example model training data volume for advanced model development and updating is smaller than that for initial model development and updating, that is, the quantity of second threat perception information data is smaller than the quantity of first threat perception information data, so the amount of threat perception information data with a calibrated threat development situation that has to be processed can be reduced.
With this design, a first threat persistence perception variable sequence is output by performing threat perception chain-based information characteristic output and threat persistence perception variable analysis on the threat perception information data; the first threat persistence perception variables in that sequence are then derived and converged in multiple modes, and a second and a third threat persistence perception variable sequence are output. Initial model development and updating can therefore be performed on the threat situation decision model on the basis of threat persistence perception variable sequences in different derivation and convergence modes, without requiring threat perception information data with a calibrated threat development situation in advance, which reduces the amount of such calibrated data required. After the initial model development and updating, advanced model development and updating is performed on the threat situation decision model according to the threat perception information data with a calibrated threat development situation, so that the decision performance of the threat situation decision model is improved and the threat situation analysis performance for target threat perception information data can be improved.
In some possible embodiments, a real-time threat situation learning branch and a target threat situation learning branch are adopted to respectively perform threat situation decision of target threat perception information data on threat continuous perception variable sequences obtained by different derivative convergence, and then the initial model development and update process of a threat situation decision model is realized by combining threat situation decision information of the two branches, which is described in an exemplary manner below.
A threat situation analysis method in conjunction with big data AI analysis, as provided in another independent embodiment of the present application, is described below, including the following steps.
STEP201, performing threat perception chain-based information characteristic output on the first threat perception information data, performing threat persistence perception variable analysis on each piece of threat perception chain data obtained by the information characteristic output, and outputting a first threat persistence perception variable sequence, wherein the first threat persistence perception variable sequence represents the first threat persistence perception variable associated with each piece of threat perception chain data, and the first threat perception information data is threat perception information data with an uncalibrated threat development situation.
In some possible embodiments, the threat situation decision model may be, but is not limited to, a recurrent neural network, a convolutional network, a boltzmann machine, etc.
When a threat situation decision model is used to perform threat situation decision on the first threat perception information data, information characteristic output is first performed on the first threat perception information data to obtain threat perception chain data in a fixed perception interval, and each piece of threat perception chain data is then output and converted into a first threat persistence perception variable according to a threat penetration relation.
STEP202, expanding a derivative variable partition of a first threat persistence perception variable in a first threat persistence perception variable sequence based on a set variable expansion template, and outputting a first target threat persistence perception variable sequence and a second target threat persistence perception variable sequence, wherein the derivative variable partition of the first threat persistence perception variable in the first target threat persistence perception variable sequence is different from the derivative variable partition of the first threat persistence perception variable in the second target threat persistence perception variable sequence.
When the first threat persistence perception variables are derived and converged, the first threat persistence perception variable sequence is first expanded based on a set variable expansion template, that is, variable derivation changes the derived variable partition information of each first threat persistence perception variable. In some possible embodiments, during random variable derivation, the derived variable partition of every first threat persistence perception variable may be expanded based on the set variable expansion template so that it differs from its initial derived variable partition; alternatively, a part of the first threat persistence perception variables may be extracted and only the derived variable partitions of that part expanded based on the set variable expansion template.
In some possible embodiments, the second threat persistence perception variable sequence and the third threat persistence perception variable sequence are obtained from the first threat persistence perception variables according to different derivation and convergence modes. Therefore, when random variable derivation is performed on the first threat persistence perception variables, different variable derivation modes are adopted to output the first target threat persistence perception variable sequence and the second target threat persistence perception variable sequence, in which the derivative variable partitions of the first threat persistence perception variables are different.
STEP203, combine the first target threat persistent perception variable sequence to perform variable derivation to obtain first derived variable information, and combine the second target threat persistent perception variable sequence to perform variable derivation to obtain second derived variable information.
After the variable derivation is performed on the first threat persistence perception variable, the variable derivation may be performed based on the first threat persistence perception variable sequence after the variable derivation. In some possible embodiments, the derived variable information about the first threat persistence perceptual variable sequence after variable derivation may be first constructed, including constructing the first derived variable information of the first target threat persistence perceptual variable sequence and the second derived variable information of the second target threat persistence perceptual variable sequence. The constructing of the first derivative variable information and the second derivative variable information may include the following steps.
STEP203a, in conjunction with a threat awareness chain-based intelligence feature output dimension of the first threat awareness intelligence data, determines intelligence feature configuration information.
In some possible embodiments, when the derived variable information is constructed, the size of the range of the constructed derived variable information can be determined based on the intelligence characteristic output dimension of the threat perception chain of the first threat perception intelligence data, and the mismatching between the range of the constructed derived variable information and the number of threat perception chain data obtained by the intelligence characteristic output is avoided.
STEP203b, combining the information characteristic configuration information, performing variable derivation on the first threat duration perception variable in the first target threat duration perception variable sequence, and outputting first derived variable information.
After the intelligence characteristic configuration information is determined, first derivative variable information is constructed according to the size of the intelligence characteristic configuration information, that is, variable derivation is performed on the first threat persistence perception variables in the first target threat persistence perception variable sequence.
In some possible embodiments, the derivative variable partitions of the first threat duration perceptual variable may be sequentially selected based on the first target threat duration perceptual variable, and arranged to complete the construction of the first derivative variable information.
STEP203c, combining the information characteristic configuration information, performing variable derivation on the first threat persistence perception variable in the second target threat persistence perception variable sequence, and outputting second derived variable information.
With this design, second derivative variable information can be constructed in combination with the information characteristic configuration information, that is, variable derivation is performed on the first threat persistence perception variables in the second target threat persistence perception variable sequence. In some possible embodiments, the second derivative variable information may be constructed in the same form as the first derivative variable information or in a different form.
STEP204, performing variable convergence on the first threat persistence perception variables in the first derivative variable information, and generating the second threat persistence perception variable sequence in combination with the variable convergence information.
After the variable derivation is completed, variable aggregation is performed on the first threat persistence perception variables in the first derived variable information, and a second threat persistence perception variable sequence is generated from the aggregation result. The target threat perception information data information in the threat perception chain data corresponding to each second threat persistence perception variable in this sequence is changed, that is, it differs from the target threat perception information data information in the threat perception chain data corresponding to each first threat persistence perception variable.
In some possible embodiments, the step of aggregating the variables and generating the second threat duration perception variable sequence in combination with the aggregated result may comprise the following steps.
STEP204a, extracting x first threat duration perception variables corresponding to the first derivative variable information according to the variable connection unit.
STEP204b, performing variable aggregation on the x first threat persistent perception variables, and outputting the first aggregated threat persistent perception variables.
In some possible embodiments, the variable aggregation form may include variable concatenation or aggregation, and the like.
STEP204c, performing threat penetration relation output on y groups of first converged threat persistence perception variables, and outputting a second threat persistence perception variable sequence, wherein the y groups of first converged threat persistence perception variables are obtained according to a moving sliding window.
In some possible embodiments, the y groups of first converged threat persistence perception variables can be obtained by walking over the first derivative variable information with the variable connection unit.
After the y groups of first converged threat persistence perception variables are obtained, threat penetration relation output is performed on them and a second threat persistence perception variable sequence is output. In some possible embodiments, the number of second threat persistence perception variables in the second threat persistence perception variable sequence obtained by the threat penetration relation output is the same as the number of first threat persistence perception variables.
For example, 4 groups of first threat persistence perception variables may be obtained according to the variable connection unit, each group containing 4 first threat persistence perception variables. Variable aggregation is performed on the 4 variables of each group, and 4 groups of first converged threat persistence perception variables are output, that is, SL = { V1', V2', V3', V4' }, where V1' is the first converged threat persistence perception variable obtained by aggregating V3, V5, V1 and V6; V2' is obtained by aggregating V5, V8, V6 and V2; V3' is obtained by aggregating V1, V6, V9 and V4; and V4' is obtained by aggregating V6, V2, V4 and V7. Threat penetration relation output is then performed on SL = { V1', V2', V3', V4' }, and a second threat persistence perception variable sequence is output.
STEP205, performing variable aggregation on the first threat persistence perception variable in the second derivative variable information, and generating a third threat persistence perception variable sequence by combining the variable aggregation information.
After the variable derivation is completed, variable aggregation is performed on the first threat persistence perception variables in the second derived variable information, and a third threat persistence perception variable sequence is generated from the aggregation result. The target threat perception information data information in the threat perception chain data corresponding to each third threat persistence perception variable in this sequence is changed, that is, it differs from the target threat perception information data information in the threat perception chain data corresponding to each first threat persistence perception variable. It is also different from the target threat perception intelligence data information of the threat perception chain data corresponding to the second threat persistence perception variables.
In some possible embodiments, the step of aggregating the variables and generating the third threat duration perception variable sequence in combination with the aggregated result may include the following steps.
STEP205a, extracting x first threat persistence perception variables corresponding to the second derivative variable information according to the variable connection unit.
In some possible embodiments, when the second derivative variable information is processed, x first threat persistence perception variables are likewise extracted for variable aggregation according to the sampling mode of the variable connection unit.
STEP205b, performing variable aggregation on the x first threat persistence perception variables, and outputting a second converged threat persistence perception variable.
STEP205c, performing threat penetration relation output on y groups of second converged threat persistence perception variables, and outputting a third threat persistence perception variable sequence, wherein the y groups of second converged threat persistence perception variables are obtained according to the moving sliding window.
After the y groups of second converged threat persistence perception variables are obtained, threat penetration relation output is performed on them and a third threat persistence perception variable sequence is output. The number of third threat persistence perception variables in the third threat persistence perception variable sequence obtained by the threat penetration relation output is the same as the number of first threat persistence perception variables.
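The grouping in the SL = { V1', V2', V3', V4' } example is what results when nine first variables are laid out as a 3x3 arrangement and a 2x2 variable connection unit is walked over it with a step of one. The Python below is an added illustration, not code from the patent; the grid layout, both templates, the vector values and all function names are assumptions, and the threat penetration relation output that follows aggregation is not modelled.

```python
# Added illustration. Layout, templates, values and names are assumptions
# chosen to reproduce the groups listed in the text; none come from the patent.

# Constructed first variables V1..V9, each a 2-dimensional vector.
FIRST_VARIABLES = [[float(i), float(-i)] for i in range(1, 10)]

# Two different expansion templates (1-based indices, row-major order).
TEMPLATE_A = [3, 5, 8, 1, 6, 2, 9, 4, 7]   # yields the groups given in the text
TEMPLATE_B = [7, 1, 4, 2, 9, 5, 6, 3, 8]   # constructed second derivation mode


def derive(variables, template, width):
    """Variable derivation: place the variables in a grid following the template.

    The template length must match the number of variables, so that the range
    of the derived variable information matches the feature output (STEP203a).
    """
    n = len(variables)
    if sorted(template) != list(range(1, n + 1)):
        raise ValueError("template must be a permutation of 1..%d" % n)
    if n % width:
        raise ValueError("grid width does not divide the variable count")
    ordered = [(i, variables[i - 1]) for i in template]
    return [ordered[r:r + width] for r in range(0, n, width)]


def window_groups(grid, k):
    """Walk a k x k connection unit over the grid with a step of one.

    Each position yields one group of x = k*k variables; there are
    y = (rows - k + 1) * (cols - k + 1) groups.
    """
    rows, cols = len(grid), len(grid[0])
    if k > rows or k > cols:
        raise ValueError("connection unit larger than the grid")
    return [[grid[r + dr][c + dc] for dr in range(k) for dc in range(k)]
            for r in range(rows - k + 1) for c in range(cols - k + 1)]


def converge(group):
    """Variable aggregation by concatenation: x vectors become one vector."""
    return [value for _, vector in group for value in vector]


def build_sequence(variables, template, width=3, k=2):
    """Return (group index labels, converged variables) for one template."""
    groups = window_groups(derive(variables, template, width), k)
    labels = [[index for index, _ in group] for group in groups]
    return labels, [converge(group) for group in groups]


if __name__ == "__main__":
    for name, template in (("A", TEMPLATE_A), ("B", TEMPLATE_B)):
        labels, converged = build_sequence(FIRST_VARIABLES, template)
        print("template", name, "groups:", labels)
        print("  first converged variable:", converged[0])
```

Running it with the two templates shows that the same nine variables produce two different sets of converged groups, which is the property the two sequences rely on.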
STEP206, loading the second threat continuous perception variable sequence to a real-time threat situation learning branch of the threat situation decision model, and outputting first threat situation decision information.
In some possible embodiments, after the second threat persistence perception variable sequence and the third threat persistence perception variable sequence are output, initial model development and updating can be performed on the threat situation decision model by using the two sequences.
In some possible embodiments, the threat situation decision model includes a real-time threat situation learning branch and a target threat situation learning branch, where the threat situation decision models in the real-time threat situation learning branch and in the target threat situation learning branch have the same model configuration structure, but their learning parameter layer configuration information is updated in different manners.
In some possible embodiments, the second threat persistence perception variable sequence is loaded into a real-time threat situation learning branch of the threat situation decision model, and the real-time threat situation learning branch is used for deciding a target threat development situation of the first threat perception information data by combining the threat persistence perception variables indicated by the second threat persistence perception variable sequence, so as to obtain the first threat situation decision information.
STEP207, loading the third threat persistence perception variable sequence to a target threat situation learning branch of the threat situation decision model, and outputting second threat situation decision information.
In some possible embodiments, the third threat persistence perception variable sequence is loaded into the target threat situation learning branch, and the target threat situation learning branch is configured to decide a target threat development situation of the second threat perception information data by combining the threat persistence perception variables indicated by the third threat persistence perception variable sequence, that is, to obtain second threat situation decision information. In the same way as for the first threat situation decision information, the third threat persistence perception variable sequence is loaded into the convolution part, the threat persistence perception variables of the sequence are extracted, the extracted variables are loaded into a classifier for threat situation decision of the target threat perception information data, and second threat situation decision information is output.
STEP208, training the real-time threat situation learning branch by combining the first threat situation decision information and the second threat situation decision information.
The second threat persistence perception variables in the second threat persistence perception variable sequence are different from the third threat persistence perception variables in the third threat persistence perception variable sequence. To enable the threat situation decision model to make an accurate threat situation decision for target threat perception information data under different convergence forms of the same first threat perception information data characteristics, in some possible embodiments the real-time threat situation learning branch is trained first, by combining the first threat situation decision information and the second threat situation decision information. The training may include the following steps.
STEP208a, determining learning cost information of the first threat situation decision information and the second threat situation decision information.
To make the decisions of the threat situation decision model consistent across threat persistence perception variables in different variable convergence forms, learning cost information between the first threat situation decision information and the second threat situation decision information is determined, and the threat situation decision model is then trained in combination with the learning cost information. The model can thus obtain the same threat situation decision information from threat persistence perception variables in different variable convergence forms, which improves the reliability of its decisions on target threat perception information data. The learning parameter layer configuration information of the threat situation decision model can be updated without using threat perception information data with a calibrated threat development situation, so unsupervised learning of the threat situation decision model is realized.
In some possible embodiments, the learning cost information represents difference value information between the first threat situation decision information and the second threat situation decision information, and any loss function may be adopted to determine the learning cost information between the first threat situation decision information and the second threat situation decision information.
STEP208b, combining the learning cost information, and optimizing the learning parameter layer configuration information of the real-time threat situation learning branch according to the reverse learning transfer mode.
In some possible embodiments, the learning parameter layer configuration information in the real-time threat situation learning branch is updated differently from that in the target threat situation learning branch: the real-time threat situation learning branch is updated in the reverse learning transfer mode, while the learning parameter layer configuration information in the target threat situation learning branch is updated in combination with the learning parameter layer configuration information in the real-time threat situation learning branch. In this way the learning parameter layer configuration information of the threat situation decision model in both branches is optimized, that is, it is optimized through iterative training.
In some possible embodiments, after the learning cost information is determined, the learning parameter layer configuration information of the real-time threat situation learning branch can be optimized in the reverse learning transfer mode based on the learning cost information until the learning parameter layer configuration information meets the final training requirement, that is, until the learning cost information converges.
STEP209, combining the learning parameter layer configuration information of the optimized real-time threat situation learning branch, and optimizing the learning parameter layer configuration information of the target threat situation learning branch.
In some possible embodiments, each time the learning parameter layer configuration information of the real-time threat situation learning branch is updated, the learning parameter layer configuration information of the target threat situation learning branch is updated accordingly. Finally, when the learning parameter layer configuration information in the real-time threat situation learning branch meets the training requirement, the learning parameter layer configuration information of the target threat situation learning branch is updated once more, at which point both the real-time threat situation learning branch and the target threat situation learning branch stop updating their learning parameter layer configuration information.
STEP210, combining the second threat awareness intelligence data to perform advanced model development and update on the learning parameter layer configuration information of the target threat situation learning branch in the threat situation decision model.
To further improve the accuracy with which the threat situation decision model identifies the target threat development situation, on the basis of the initial model development and updating performed with threat perception information data with an uncalibrated threat development situation, a small amount of second threat perception information data with a calibrated threat development situation is used to perform advanced model development and updating on the learning parameter layer configuration information of the threat situation decision model.
In some possible embodiments, advanced model development and update may be performed on the learning parameter layer configuration information of the target threat situation learning branch, and the advanced model development and update process may include the following steps.
STEP210a, loading the second threat perception information data to a target threat situation learning branch of the threat situation decision model, and outputting threat situation learning output information.
The second threat perception information data of each calibrated threat development situation is loaded into the threat situation decision model of the target threat situation learning branch, and threat situation learning output information associated with each piece of second threat perception information data is output.
STEP210b, performing advanced model development and updating on the learning parameter layer configuration information of the target threat situation learning branch in the reverse learning transfer mode, in combination with the threat situation learning output information and the calibrated threat development situation associated with the second threat perception intelligence data.
After the threat situation learning output information is determined, advanced model development and updating is performed on the learning parameter layer configuration information in the reverse learning transfer mode, based on the threat situation learning output information and the pre-calibrated threat development situation, and the final threat situation decision model is output. For example, learning cost information can be determined from the threat situation learning output information and the calibrated threat development situation, the learning parameter layer configuration information is developed and updated in the reverse learning transfer mode in combination with this learning cost information, and the updated learning parameter layer configuration information is output.
Finally, threat situation decision of the target threat perception information data is performed with the threat situation decision model whose learning parameter layer configuration information has been updated.
Performing initial model development and updating on the threat situation decision model by combining the obtained first threat situation decision information and second threat situation decision information improves the precision of the threat situation decision information that the model outputs when it makes threat situation decisions on different convergence forms of the same threat perception information data characteristic.
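The two-branch update of STEP206 to STEP210, as an added Python example that is not part of the patent: a linear layer with softmax stands in for the threat situation decision model, the reverse learning transfer mode is taken to be gradient backpropagation, and the target branch is assumed to follow the real-time branch by a moving average. All vectors, weights, rates and function names are constructed for illustration.

```python
import math

# Constructed inputs (assumptions): pooled vectors of the second and third
# sequences for one uncalibrated sample, initial weights shared by both
# branches, and two calibrated samples as (vector, situation label).
VIEW2 = [1.0, 0.0, 0.5]
VIEW3 = [0.0, 1.0, 0.5]
W_INIT = [[0.2, -0.1, 0.0], [-0.3, 0.4, 0.1]]
LABELLED = [([1.0, 0.5, 0.0], 0), ([0.0, 0.5, 1.0], 1)]


def decide(weights, x):
    """Threat situation decision: linear layer followed by softmax."""
    logits = [sum(w * v for w, v in zip(row, x)) for row in weights]
    top = max(logits)
    exps = [math.exp(z - top) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]


def learning_cost(p, q):
    """Difference between the two branches' decisions (squared error here)."""
    return sum((a - b) ** 2 for a, b in zip(p, q))


def apply_grad(weights, x, grad_logits, lr):
    """Gradient step on a linear layer; returns new weights, input untouched."""
    return [[w - lr * g * v for w, v in zip(row, x)]
            for row, g in zip(weights, grad_logits)]


def follow(target, online, momentum):
    """Target-branch update from the real-time branch (moving average assumed)."""
    return [[momentum * t + (1.0 - momentum) * o for t, o in zip(t_row, o_row)]
            for t_row, o_row in zip(target, online)]


def initial_update(online, target, view2, view3, lr=0.5, momentum=0.9, steps=200):
    """Unsupervised stage: no calibrated threat development situation is used."""
    costs = []
    for _ in range(steps):
        p = decide(online, view2)            # first decision information (STEP206)
        q = decide(target, view3)            # second decision information (STEP207)
        costs.append(learning_cost(p, q))    # STEP208a
        grad_p = [2.0 * (a - b) for a, b in zip(p, q)]
        mean = sum(pi * gi for pi, gi in zip(p, grad_p))
        grad_logits = [pi * (gi - mean) for pi, gi in zip(p, grad_p)]  # softmax Jacobian
        online = apply_grad(online, view2, grad_logits, lr)   # STEP208b: only this branch
        target = follow(target, online, momentum)             # STEP209
    return online, target, costs


def advanced_update(target, labelled, lr=0.5, epochs=50):
    """Supervised stage (STEP210): cross-entropy steps on the target branch."""
    for _ in range(epochs):
        for x, label in labelled:
            p = decide(target, x)
            grad_logits = [pi - (1.0 if i == label else 0.0) for i, pi in enumerate(p)]
            target = apply_grad(target, x, grad_logits, lr)
    return target


def run_demo():
    """Run both stages; return the cost history and decisions on the labelled set."""
    _, target, costs = initial_update(W_INIT, W_INIT, VIEW2, VIEW3)
    tuned = advanced_update(target, LABELLED)
    decisions = []
    for x, _ in LABELLED:
        p = decide(tuned, x)
        decisions.append(max(range(len(p)), key=p.__getitem__))
    return costs, decisions


if __name__ == "__main__":
    costs, decisions = run_demo()
    print("learning cost, first and last step:", costs[0], costs[-1])
    print("decisions after the advanced update:", decisions)
```

The learning cost falls because the two branches come to agree on the two views, not because either decision is correct; only the calibrated samples in the second stage tie the output to an actual threat development situation.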
In some possible embodiments, if the reliability of the threat situation decision model needs to be further improved, derivation and convergence may be performed multiple times to increase the feature diversity of the threat persistence perception variables in the resulting threat persistence perception variable sequence, and initial model development and updating is then performed on the threat situation decision model according to the threat persistence perception variable sequence with diverse features.
STEP301, performing threat perception chain-based information characteristic output on the first threat perception information data, performing threat persistence perception variable analysis on each piece of threat perception chain data obtained by the information characteristic output, and outputting a first threat persistence perception variable sequence.
STEP302, deriving and converging the first threat persistence perception variables in the first threat persistence perception variable sequence, and outputting a second threat persistence perception variable sequence and a third threat persistence perception variable sequence.
For the implementation of STEP301 to STEP302, refer to STEP201 to STEP205, which are not described herein again.
STEP303: in combination with the second threat continuous perception variable sequence, perform derivation and convergence multiple times in a walk, and output a third threat continuous perception variable sequence.
In some possible embodiments, to further improve the decision performance of the threat situation decision model, after the second threat continuous perception variable sequence is obtained, the second threat continuous perception variables in it are derived and converged again to output a new threat continuous perception variable sequence, and the threat continuous perception variables in that new sequence are derived and converged in turn. That is, the walk performs derivation and convergence on the threat continuous perception variables multiple times, and after this iterative derivation and convergence a third threat continuous perception variable sequence is output.
In some possible embodiments, the number of traversal cycles may be set based on a decision precision requirement of the threat situation decision model, and the number of traversal cycles is directly related to the decision precision of the threat situation decision model.
For the derivation and convergence performed in the walk, refer to the above method of deriving and converging the first threat persistent perceptual variable in the first threat persistent perceptual variable sequence; that is, it includes variable derivation and convergence of the second threat persistent perceptual variable and, finally, output of the threat penetration relationship. The same or different derivation and convergence modes may be adopted during the walk, which is not limited in this embodiment.
STEP304: in combination with the third threat persistence perception variable sequence, perform derivation and convergence multiple times in a walk, and output a fourth threat persistence perception variable sequence.
When derivation and convergence are performed multiple times in a walk over the second threat continuous perception variable sequence, the same may also be done over the third threat continuous perception variable sequence, and a fourth threat continuous perception variable sequence is output. Similarly, the derivation and convergence mode includes variable derivation and convergence of the third threat persistence perception variable and, finally, output of the threat penetration relationship, and the same or different derivation and convergence modes may be adopted.
In some possible embodiments, the number of traversal cycles for iteratively deriving and converging the third threat persistence perception variable sequence may be the same as or different from the number of traversal cycles for iteratively deriving and converging the second threat persistence perception variable sequence. In other possible embodiments, the multiple derivation and convergence may be performed in a walk over only the second threat persistence perception variable sequence, or over only the third threat persistence perception variable sequence.
STEP305: perform initial model development and updating on the threat situation decision model by combining the third threat continuous perception variable sequence and the fourth threat continuous perception variable sequence.
In some possible embodiments, the step of performing initial model development and update on the threat situation decision model by combining the third threat continuous perception variable sequence and the fourth threat continuous perception variable sequence may refer to the step of performing initial model development and update on the threat situation decision model by combining the second threat continuous perception variable sequence and the third threat continuous perception variable sequence in the foregoing embodiments, and details are not repeated here.
STEP306: perform advanced model development and updating, in combination with second threat perception information data, on the threat situation decision model that has undergone initial model development and updating, where the second threat perception information data is threat perception information data marked with a threat development situation.
For the implementation of this step, refer to STEP210, which is not described herein again.
In some possible embodiments, after the first threat continuous perception variable is derived and converged to obtain a second threat continuous perception variable sequence and a third threat continuous perception variable sequence, derivation and convergence continue in a walk over both sequences. This increases the feature diversity of the third threat continuous perception variables in the resulting third threat continuous perception variable sequence and of the fourth threat continuous perception variables in the resulting fourth threat continuous perception variable sequence. Initial model development and updating is then performed on the threat situation decision model by combining the third and fourth threat continuous perception variable sequences, which improves the robustness of the threat situation decision model.
In this embodiment, the robustness of the threat situation decision model is further improved through iterative derivation and convergence of the second threat continuous perception variable sequence and the third threat continuous perception variable sequence. In other possible embodiments, threat situation learning branches may continue to be added to the threat situation decision model, so that initial model development and updating can be performed on the threat situation decision model by combining the threat situation decision information of multiple branches. In some possible embodiments, the learning parameter layer configuration information of the real-time threat situation learning branch may be optimized by reverse learning transfer of the pairwise learning cost information between the threat situation decision information.
For example, the first threat awareness information data a01 is loaded into the first derivative aggregation module a02, the second derivative aggregation module a03, and the third derivative aggregation module a04, which output threat persistence perception variable sequences in different derivative aggregation modes. These sequences are loaded into the threat situation decision model, the threat situation decision on the target threat awareness information data is performed, and the first threat situation decision information Z, the second threat situation decision information Z', and the third threat situation decision information Z'' are output. The first learning cost information L1 can then be determined from Z and Z', the second learning cost information L2 from Z and Z'', and the third learning cost information L3 from Z' and Z''. The total loss is determined by combining L1, L2, and L3, the learning parameter layer configuration information of the threat situation decision model a05 is optimized in a reverse learning transfer manner, and the learning parameter layer configuration information of the threat situation decision models a06 and a07 is updated by combining the learning parameter layer configuration information of a05.
Threat situation decisions on the target threat perception information data are thus made separately for the threat continuous perception variable sequences obtained in the multiple derivative convergence modes, and the threat situation decision model is trained by combining the resulting threat situation decision information, which improves the robustness of the threat situation decision model.
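The three-branch update described above, written out as an added Python example (not code from the patent). The linear-sigmoid model, the three view functions standing in for a02 to a04, the squared-difference cost, and the moving-average update of a06 and a07 from a05 are all assumptions, since the text does not specify them; the sample data is constructed.

```python
"""Added illustration (not from the patent): three-branch consistency pre-training."""
import math

# Constructed, unlabelled feature vectors standing in for data a01.
SAMPLES = [
    [0.9, 0.1, 0.4, 0.7],
    [0.2, 0.8, 0.5, 0.1],
    [0.6, 0.6, 0.9, 0.3],
    [0.1, 0.3, 0.2, 0.9],
]

# Hypothetical stand-ins for the derivative aggregation modules a02, a03, a04.
def view_scale(x):
    return [1.2 * v for v in x]

def view_mask(x):
    return [0.0] + list(x[1:])

def view_smooth(x):
    n = len(x)
    return [(x[i] + x[(i + 1) % n]) / 2.0 for i in range(n)]

def decide(w, x):
    """Assumed decision model: sigmoid of a linear score over the variables."""
    return 1.0 / (1.0 + math.exp(-sum(wi * xi for wi, xi in zip(w, x))))

def branch_outputs(w05, w06, w07, x):
    """Z, Z', Z'' from models a05, a06, a07, each on its own view of x."""
    return (decide(w05, view_scale(x)),
            decide(w06, view_mask(x)),
            decide(w07, view_smooth(x)))

def pairwise_costs(z, z1, z2):
    """L1 (Z vs Z'), L2 (Z vs Z''), L3 (Z' vs Z''); squared difference is assumed."""
    return (z - z1) ** 2, (z - z2) ** 2, (z1 - z2) ** 2

def total_loss(w05, w06, w07, data=SAMPLES):
    per_sample = [sum(pairwise_costs(*branch_outputs(w05, w06, w07, x))) for x in data]
    return sum(per_sample) / len(data)

def online_gradient(w05, w06, w07, data=SAMPLES):
    """Gradient of the total loss with respect to a05 only.

    L3 compares Z' with Z'' and does not involve a05, so it adds nothing here.
    """
    grad = [0.0] * len(w05)
    for x in data:
        z, z1, z2 = branch_outputs(w05, w06, w07, x)
        d_score = (2.0 * (z - z1) + 2.0 * (z - z2)) * z * (1.0 - z)
        for i, xi in enumerate(view_scale(x)):
            grad[i] += d_score * xi / len(data)
    return grad

def moving_average(old, new, tau):
    return [tau * o + (1.0 - tau) * n for o, n in zip(old, new)]

def train_step(w05, w06, w07, data=SAMPLES, lr=0.5, tau=0.9):
    """Backpropagate into a05, then refresh a06 and a07 from the new a05."""
    grad = online_gradient(w05, w06, w07, data)
    new05 = [w - lr * g for w, g in zip(w05, grad)]
    return new05, moving_average(w06, new05, tau), moving_average(w07, new05, tau)

def pretrain(steps=50, init=(1.0, 1.0, 1.0, 1.0)):
    w05, w06, w07 = list(init), list(init), list(init)
    history = [total_loss(w05, w06, w07)]
    for _ in range(steps):
        w05, w06, w07 = train_step(w05, w06, w07)
        history.append(total_loss(w05, w06, w07))
    return w05, w06, w07, history

if __name__ == "__main__":
    w05, w06, w07, history = pretrain()
    print("total loss before/after:", round(history[0], 5), round(history[-1], 5))
    print("a05 weights:", [round(v, 3) for v in w05])
```

A consistency-only objective like this is also satisfied by a model that returns the same value for every input, so it is the labelled advanced stage (STEP306) that ties the outputs to actual threat development situations.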
In some possible embodiments, the present application may further include the following steps.
Step R110: make a threat situation decision, using the threat situation decision model, on a threat perception information unit in the target threat perception information data corresponding to a target cloud Internet service system, and output the threat development situation associated with the target threat perception information data.
Step R120: acquire threat protection activity triggering information corresponding to the current threat protection application by combining each threat development situation variable corresponding to the threat development situation associated with the target threat perception information data.
Step R130: load the threat protection activity triggering information to each threat protection scheduling container by combining the threat protection scheduling information of the threat protection application, where the threat protection activity triggering information comprises the threat protection activities to be triggered and the protection rule set information related to those threat protection activities.
Step R160: acquire the threat protection scheduling knowledge network of each threat protection scheduling container scheduled in combination with the threat protection activity triggering information.
Step R150: analyze the acquired threat protection scheduling knowledge network returned by each threat protection scheduling container according to a preset threat protection concern item library corresponding to the threat protection activity, and determine a plurality of target threat protection scheduling containers from the plurality of threat protection scheduling containers based on the analysis information.
Step R160: perform threat protection instruction scheduling of the threat protection activities based on the target threat protection scheduling containers, and collaboratively record the scheduling data of the target threat protection scheduling containers during the threat protection instruction scheduling process.
In some possible embodiments, the step R150 may be implemented according to the following steps A1-A5, which are exemplarily described below.
A1, obtaining the threat protection concern variables of the threat protection scheduling knowledge network corresponding to each threat protection scheduling container according to the threat protection concern item library, and outputting a threat protection concern item sequence, wherein the threat protection concern item sequence comprises a plurality of threat protection concern items. The threat protection concern item library may be a knowledge graph relating to the threat protection activity, determined in advance by big data statistics and analysis, and used for analyzing the responding threat protection scheduling knowledge network.
A2, obtaining the frequent item contact variable corresponding to each threat protection concern item in the threat protection concern item sequence and each threat protection scheduling knowledge network. The frequent item contact variable can be used to represent a quantitative index of the protection coordination of the corresponding threat protection scheduling knowledge network, obtained by combining the threat protection concern item library.
A3, combining the frequent item contact variables corresponding to the threat protection concern items and the threat protection concern values of the threat protection concern items, sorting the threat protection concern items, and outputting the corresponding threat protection concern item cluster. For example, first, the frequent item contact variables corresponding to the threat protection concern items and the threat protection concern values of the threat protection concern items may be combined to perform intelligence feature output on the threat protection concern items and output a plurality of threat protection concern item sets; then, the threat protection concern item sets are sorted by combining the threat protection concern value of each threat protection concern item in each set, the threat protection concern items within each set are sorted respectively, and the threat protection concern item cluster is output. The target threat protection scheduling container may be determined by combining the ranking positions of the corresponding threat protection concern items in the threat protection concern item cluster; for example, a preset number of top-ranked threat protection scheduling containers may be determined as the target threat protection scheduling containers.
For example, the threat protection concern value of each threat protection concern item may be updated by combining the frequent item contact variable corresponding to that threat protection concern item, and the final reference threat protection concern value of each threat protection concern item is output; then, the final reference threat protection concern values are combined to perform intelligence feature output on the threat protection concern items and output a plurality of threat protection concern item sets. The update may be a weight aggregation of each threat protection concern value according to a preset weight, with the weight-aggregated threat protection concern value being output.
A4, generating a threat prevention scheduling container set corresponding to the threat prevention scheduling knowledge network based on the threat prevention concern item cluster, wherein the threat prevention scheduling container set comprises a plurality of threat prevention scheduling containers.
A5, determining the target threat prevention schedule container from the plurality of threat prevention schedule containers.
In step A3, first, the threat protection concern item sets are ranked by combining the number of threat protection concern items included in each set. Then, for each threat protection concern item set, the threat protection concern items in the set are sorted by combining the threat protection concern value of each item with the training cost value of the set. Finally, the threat protection concern item cluster is generated based on the ordering among the threat protection concern item sets and the ordering of the threat protection concern items within each set. The training cost value may be the loss between each threat protection concern value and the average threat protection concern value in that set, and the items may then be ranked according to the order of the loss values.
For example, the frequent item contact variable may be obtained in the following manner: the threat protection concern items are respectively input into a pre-trained frequent item contact analysis network, a frequent item contact variable extraction unit in that network, based on frequent item contact learning, analyzes the frequent item contact variables of the threat protection concern items, and the frequent item contact variables generated by the extraction unit for the threat protection concern items are output.
In some possible embodiments, the cluster of threat protection concerns may be derived in the following manner:
The threat protection concern items and the frequent item contact variables corresponding to them are respectively input into a threat protection concern value analysis unit in the pre-trained frequent item contact analysis network, the threat protection concern items are analyzed and sorted by the threat protection concern value analysis unit, and a first decision variable set of frequent item contact training information generated by the threat protection concern value analysis unit is output, wherein the threat protection concern item variables in the first decision variable set form the threat protection concern item cluster. Based on this, in step A4, generating the threat protection scheduling container set corresponding to the threat protection scheduling knowledge network based on the threat protection concern item cluster may include: inputting the decision variable set into an attention variable extraction unit in the pre-trained frequent item contact analysis network, extracting attention variables with the attention variable extraction unit, and outputting the threat protection scheduling container set generated by the attention variable extraction unit.
The pre-trained frequent item contact analysis network is trained by combining a training example data set comprising a plurality of basic training example data, wherein the training example data in the training example data set comprises example threat protection concerns with frequent item contact variables, and the frequent item contact variables represent frequent item contact information between the example threat protection concerns and example threat protection activities.
For example, a training example data set may be obtained for a plurality of example threat protection activities, and walk network weight optimization may then be performed on the fuzzy frequent item contact analysis network using the training example data in that set, to obtain the pre-trained frequent item contact analysis network.
Each round of walk network weight optimization is implemented according to the following steps:
1. Selecting a group of training example data for the same example threat protection activity from the training example data set, respectively inputting the example threat protection concern items contained in each selected training example data into the frequent item contact variable extraction unit for frequent item contact learning in the fuzzy frequent item contact analysis network, and outputting the frequent item contact variables generated by the extraction unit for the example threat protection concern items.
2. Determining a first generation value based on training cost values between the frequent item contact variables corresponding to the example threat protection concern items and the corresponding frequent item contact variables.
3. Respectively inputting the example threat protection concern items in each selected training example data and the frequent item contact variables corresponding to them into the threat protection concern value analysis unit in the fuzzy frequent item contact analysis network, performing intelligence feature output on the example threat protection concern items with the threat protection concern value analysis unit, and outputting a plurality of threat protection concern item sets.
4. Sorting the threat protection concern item sets with the threat protection concern value analysis unit, and outputting a second decision variable set of the frequent item contact training information generated by the threat protection concern value analysis unit.
5. Inputting the second decision variable set into the attention variable extraction unit in the fuzzy frequent item contact analysis network, extracting attention variables with the attention variable extraction unit, and outputting the attention variable set generated by the attention variable extraction unit, wherein the attention variable set comprises a plurality of attention training variables; constructing a second generation value based on the discriminative parameter values of the attention training variables in the attention variable set and the example attention variables in the example attention variable set.
6. Constructing a third generation value based on the attention variable values of the attention variables of the threat protection concern items in each threat protection concern item set; and performing network training on the fuzzy frequent item contact analysis network by combining the first generation value, the second generation value and the third generation value.
In step 5, the second generation value is constructed based on the distinguishing parameter values of the attention training variable in the attention variable set and the example attention variable in the example attention variable set, and may be implemented according to the following steps.
For any attention training variable, a distinguishing parameter value between the attention training variable in the attention training variable set and an example attention variable in the example attention variable set is determined based on the past importance value of the attention training variable in a preset attention training variable segment cluster and the past importance value of the attention training variable in the threat protection concern item sequence, and the second generation value is constructed based on the determined distinguishing parameter value.
Fig. 2 illustrates the hardware structure of the threat awareness system 100 for implementing the threat situation analysis method in combination with big data AI analysis, according to an embodiment of the present application. As shown in Fig. 2, the threat awareness system 100 may include a processor 110, a machine-readable storage medium 120, a bus 130, and a communication unit 140.
In one possible design, the threat awareness system 100 may be a single server or a group of servers. The set of servers may be centralized or distributed (e.g., threat awareness system 100 may be a distributed system). In some embodiments, the threat awareness system 100 may be local or remote. For example, the threat awareness system 100 may access information and/or data stored in the machine-readable storage medium 120 via a network. As another example, the threat awareness system 100 may be directly connected to the machine-readable storage medium 120 to access stored information and/or data. In some embodiments, the threat awareness system 100 may be implemented on a cloud platform. By way of example only, the cloud platform may include a private cloud, a public cloud, a hybrid cloud, a community cloud, a distributed cloud, an internal cloud, a multi-tiered cloud, and the like, or any combination thereof.
Machine-readable storage medium 120 may store data and/or instructions. In some embodiments, the machine-readable storage medium 120 may store data obtained from an external terminal. In some embodiments, the machine-readable storage medium 120 may store data and/or instructions for execution or use by the threat awareness system 100 to perform the example methods described herein. In some embodiments, the machine-readable storage medium 120 may include mass storage, removable storage, volatile read-write memory, read-only memory (ROM), and the like, or any combination thereof. Exemplary mass storage devices may include magnetic disks, optical disks, solid state disks, and the like. Exemplary removable memories may include flash drives, floppy disks, optical disks, memory cards, compact disks, magnetic tape, and so forth. Exemplary volatile read-write memory can include random access memory (RAM). Exemplary RAM may include dynamic random access memory (DRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), static random access memory (SRAM), thyristor random access memory (T-RAM), and zero-capacitor random access memory (Z-RAM), among others. Exemplary read-only memories may include mask read-only memory (MROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM), digital versatile disc read-only memory (DVD-ROM), and the like. In some embodiments, the machine-readable storage medium 120 may be implemented on a cloud platform. By way of example only, the cloud platform may include a private cloud, a public cloud, a hybrid cloud, a community cloud, a distributed cloud, an internal cloud, a multi-tiered cloud, and the like, or any combination thereof.
In a specific implementation, the one or more processors 110 execute the computer-executable instructions stored in the machine-readable storage medium 120, so that the processors 110 can execute the threat situation analysis method combined with big data AI analysis according to the above method embodiment. The processors 110, the machine-readable storage medium 120, and the communication unit 140 are connected by the bus 130, and the processors 110 may be configured to control the transceiving actions of the communication unit 140.
For a specific implementation process of the processor 110, reference may be made to the above-mentioned various method embodiments executed by the threat awareness system 100, which implement principles and technical effects similar to each other, and details of this embodiment are not described herein again.
In addition, an embodiment of the present application further provides a readable storage medium, where computer-executable instructions are preset in the readable storage medium, and when a processor executes the computer-executable instructions, the threat situation analysis method in combination with big data AI analysis as above is implemented.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, where the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium may be at least one of the following media: various media that can store program codes, such as Read-only Memory (ROM), RAM, magnetic disk, or optical disk.
Each embodiment in the present specification is described in a progressive manner, and the same and similar parts in each embodiment are referred to each other, and each embodiment focuses on the differences from other embodiments. In particular, the apparatus and system embodiments, because they are substantially similar to the method embodiments, are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described embodiments of the apparatus and system are merely illustrative, and units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement without inventive effort.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (10)

1. A threat situation analysis method combined with big data AI analysis is applied to a threat perception system and comprises the following steps:
carrying out threat perception chain-based information characteristic output on first threat perception information data, carrying out threat continuous perception variable analysis on each piece of threat perception chain data obtained by information characteristic output, and outputting a first threat continuous perception variable sequence, wherein the first threat continuous perception variable sequence correspondingly represents a first threat continuous perception variable associated with each piece of threat perception chain data, and the first threat perception information data are threat perception information data without a threat development situation being calibrated;
deriving and converging the first threat continuous perception variables in the first threat continuous perception variable sequence, and outputting a second threat continuous perception variable sequence and a third threat continuous perception variable sequence, wherein the second threat continuous perception variables in the second threat continuous perception variable sequence correspond to different derived convergence patterns with the third threat continuous perception variables in the third threat continuous perception variable sequence;
combining the second threat continuous perception variable sequence and the third threat continuous perception variable sequence to carry out initial-order model development and updating on a threat situation decision model, wherein the threat situation decision model is used for carrying out threat situation decision on a threat perception information unit in target threat perception information data;
and carrying out advanced model development and updating on the threat situation decision model developed and updated by the initial-order model by combining second threat perception information data, carrying out threat situation decision on a threat perception information unit in target threat perception information data according to the advanced model developed and updated threat situation decision model, outputting threat situation decision information and then using the threat situation decision information as safety solidified firmware development source data, wherein the second threat perception information data is threat perception information data with a calibrated threat development situation.
2. The method for threat situation analysis in combination with big data AI analysis according to claim 1, wherein after the deriving aggregation of the first threat duration perceptual variable in the first threat duration perceptual variable sequence and the output of a second threat duration perceptual variable sequence and a third threat duration perceptual variable sequence, the method comprises:
performing derivation and convergence multiple times in a walk, in combination with the second threat continuous perception variable sequence, and outputting a third threat continuous perception variable sequence;
performing derivation and convergence multiple times in a walk, in combination with the third threat continuous perception variable sequence, and outputting a fourth threat continuous perception variable sequence;
and performing initial model development and updating on the threat situation decision model by combining the third threat continuous perception variable sequence and the fourth threat continuous perception variable sequence.
3. The method for threat situation analysis in combination with big data AI analysis according to claim 1, wherein the performing of the initial-order model development and updating on the threat situation decision model in combination with the second threat continuous perception variable sequence and the third threat continuous perception variable sequence comprises:
loading the second threat continuous perception variable sequence to a real-time threat situation learning branch of the threat situation decision model, and outputting first threat situation decision information;
loading the third threat continuous perception variable sequence to a target threat situation learning branch of the threat situation decision model, and outputting second threat situation decision information;
determining learning cost information of the first threat situation decision information and the second threat situation decision information;
optimizing learning parameter layer configuration information of the real-time threat situation learning branch according to a reverse learning transfer mode by combining the learning cost information;
and optimizing the configuration information of the learning parameter layer of the target threat situation learning branch by combining the optimized configuration information of the learning parameter layer of the real-time threat situation learning branch.
4. The threat situation analysis method in combination with big data AI analysis according to claim 3, wherein the carrying out of advanced model development and updating on the threat situation decision model developed and updated by the initial-order model, in combination with the second threat perception information data, comprises:
loading the second threat perception information data to the target threat situation learning branch of the threat situation decision model, and outputting threat situation learning output information;
and performing advanced model development and updating on the learning parameter layer configuration information of the target threat situation learning branch according to a reverse learning transfer mode, by combining the threat situation learning output information and the calibrated threat development situation associated with the second threat perception information data.
5. The method for threat situation analysis in combination with big data AI analysis according to claim 1, wherein the deriving and aggregating of the first threat continuous perception variable in the first threat continuous perception variable sequence, and the outputting of a second threat continuous perception variable sequence and a third threat continuous perception variable sequence, comprises:
expanding a derivative variable partition of the first threat continuous perception variable in the first threat continuous perception variable sequence based on a set variable expansion template, and outputting a first target threat continuous perception variable sequence and a second target threat continuous perception variable sequence, wherein the derivative variable partition of the first threat continuous perception variable in the first target threat continuous perception variable sequence is different from the derivative variable partition of the first threat continuous perception variable in the second target threat continuous perception variable sequence;
performing variable derivation by combining the first target threat continuous perception variable sequence to obtain first derived variable information, and performing variable derivation by combining the second target threat continuous perception variable sequence to obtain second derived variable information;
performing variable aggregation on the first threat continuous perception variable in the first derivative variable information, and generating a second threat continuous perception variable sequence by combining variable aggregation information;
and performing variable aggregation on the first threat continuous perception variable in the second derivative variable information, and generating a third threat continuous perception variable sequence by combining variable aggregation information.
6. The method for threat situation analysis in combination with big data AI analysis according to claim 5, wherein the performing variable aggregation on the first threat continuous perception variable in the first derivative variable information, and generating the second threat continuous perception variable sequence by combining variable aggregation information, comprises:
extracting x first threat continuous perception variables corresponding to the first derivative variable information according to a variable connection unit;
carrying out variable aggregation on the x first threat continuous perception variables, and outputting first aggregated threat continuous perception variables;
outputting threat penetration relation to the y groups of first aggregated threat continuous perception variables, and outputting the second threat continuous perception variable sequence, wherein the y groups of first aggregated threat continuous perception variables are obtained by performing variable relation output in a variable relation unit;
the performing variable aggregation on the first threat continuous perception variable in the second derivative variable information, and generating the third threat continuous perception variable sequence by combining variable aggregation information, comprises:
extracting x first threat continuous perception variables corresponding to the second derivative variable information according to a variable connection unit;
carrying out variable aggregation on the x first threat continuous perception variables, and outputting second aggregated threat continuous perception variables;
and outputting threat penetration relation to the y groups of second aggregated threat continuous perception variables, and outputting the third threat continuous perception variable sequence, wherein the y groups of second aggregated threat continuous perception variables are obtained by performing variable relation output in a variable relation unit.
7. The method for threat situation analysis in combination with big data AI analysis of claim 5, wherein the performing variable derivation in combination with the first target threat continuous perception variable sequence to obtain first derived variable information, and performing variable derivation in combination with the second target threat continuous perception variable sequence to obtain second derived variable information, comprises:
determining intelligence feature configuration information by combining the intelligence feature output dimension of the first threat perception information data based on the threat perception chain;
combining the intelligence feature configuration information, carrying out variable derivation on the first threat continuous perception variable in the first target threat continuous perception variable sequence, and outputting first derived variable information;
and performing variable derivation on the first threat continuous perception variable in the second target threat continuous perception variable sequence by combining the intelligence feature configuration information, and outputting second derived variable information.
8. The method for threat situation analysis in combination with big data AI analysis according to any of the claims 1-7, characterized in that the method further comprises:
carrying out threat situation decision on a threat perception information unit in target threat perception information data corresponding to a target cloud internet service system by combining the threat situation decision model, and outputting a threat development situation associated with the target threat perception information data;
acquiring threat protection activity triggering information corresponding to the current threat protection application by combining each threat development situation variable corresponding to the threat development situation associated with the target threat perception information data;
loading threat protection activity trigger information to each threat protection scheduling container in combination with threat protection scheduling information of the threat protection application, wherein the threat protection activity trigger information comprises threat protection activities to be triggered and protection rule set information related to the threat protection activities;
acquiring a threat protection scheduling knowledge network of each threat protection scheduling container in combination with the threat protection activity triggering information scheduling;
acquiring threat protection concern variable of a threat protection scheduling knowledge network responding to each threat protection scheduling container according to a preset threat protection concern library, and outputting a threat protection concern sequence, wherein the threat protection concern sequence comprises a plurality of threat protection concerns;
obtaining frequent item contact variables corresponding to each threat protection concern item in the threat protection concern item sequence and each threat protection scheduling knowledge network;
sorting the threat protection concern items by combining the frequent item contact variables corresponding to the threat protection concern items and the threat protection concern values of the threat protection concern items, and outputting corresponding threat protection concern item clusters;
generating a threat protection scheduling container set corresponding to the threat protection scheduling knowledge network based on the threat protection concern item cluster, wherein the threat protection scheduling container set comprises a plurality of threat protection scheduling containers;
and determining a target threat protection scheduling container from the plurality of threat protection scheduling containers, performing threat protection instruction scheduling of the threat protection activity based on the plurality of target threat protection scheduling containers, and performing collaborative recording on scheduling data of the target threat protection scheduling container in a threat protection instruction scheduling process.
9. The method for analyzing the threat situation in combination with big data AI according to claim 1, wherein the step of sorting the threat protection concerns and outputting corresponding threat protection concern clusters in combination with frequent item contact variables corresponding to the threat protection concerns and threat protection concern values of the threat protection concerns comprises:
combining frequent item contact variables corresponding to the threat protection concern items and threat protection concern values of the threat protection concern items, performing intelligence characteristic output on the threat protection concern items, and outputting a plurality of threat protection concern item sets;
sorting each threat protection concern item set by combining threat protection concern values of each threat protection concern item in each threat protection concern item set, sorting each threat protection concern item in each threat protection concern item set respectively, and outputting the threat protection concern item cluster;
and the target threat protection scheduling container is determined by combining the sequencing positions of the threat protection concerns corresponding to the threat protection scheduling containers in the threat protection concern cluster.
10. A threat awareness system, comprising a processor adapted to implement one or more instructions; and a computer storage medium having one or more instructions stored thereon; wherein the one or more instructions are adapted to be loaded and executed by the processor to implement the threat situation analysis method in conjunction with big data AI analysis of any of claims 1-8.
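The two-stage update recited in claims 3 and 4 can be sketched as follows; this is an added example, not code from the patent or its applicant. It assumes a single sigmoid layer per branch, a squared difference as the learning cost, "reverse learning transfer" read as back-propagation, and a moving average as the way the target branch follows the real-time branch; all data and names are constructed.

```python
import math

def decide(w, x):
    """One learning-parameter layer (assumed): sigmoid of a weighted sum."""
    return 1.0 / (1.0 + math.exp(-sum(wi * xi for wi, xi in zip(w, x))))

def initial_stage_step(online, target, seq2, seq3, lr=0.5, tau=0.9):
    """Claim 3: update both branches from two unlabeled variable sequences."""
    n, cost, grad = len(seq2), 0.0, [0.0] * len(online)
    for x2, x3 in zip(seq2, seq3):
        p = decide(online, x2)   # first decision information (real-time branch)
        q = decide(target, x3)   # second decision information (target branch)
        cost += (p - q) ** 2     # learning cost (assumed: squared difference)
        g = 2.0 * (p - q) * p * (1.0 - p)
        grad = [gi + g * xi for gi, xi in zip(grad, x2)]
    # Gradient step on the real-time branch only; q is treated as a constant.
    online = [w - lr * g / n for w, g in zip(online, grad)]
    # Target branch follows the optimized real-time branch (assumed: moving average).
    target = [tau * t + (1.0 - tau) * w for t, w in zip(target, online)]
    return online, target, cost / n

def advanced_stage_step(target, units, labels, lr=0.5):
    """Claim 4: supervised step on the target branch with calibrated labels."""
    n, loss, grad = len(units), 0.0, [0.0] * len(target)
    for x, y in zip(units, labels):
        p = decide(target, x)
        loss -= y * math.log(p) + (1 - y) * math.log(1.0 - p)
        grad = [gi + (p - y) * xi for gi, xi in zip(grad, x)]
    return [w - lr * g / n for w, g in zip(target, grad)], loss / n

# Constructed data: one row per perception unit (last entry is a bias term).
SEQ2 = [[0.9, 0.1, 1.0], [0.2, 0.8, 1.0], [0.7, 0.3, 1.0], [0.1, 0.9, 1.0]]
SEQ3 = [[0.8, 0.2, 1.0], [0.3, 0.7, 1.0], [0.6, 0.2, 1.0], [0.2, 1.0, 1.0]]
LABELED = [[1.0, 0.0, 1.0], [0.0, 1.0, 1.0], [0.8, 0.1, 1.0], [0.1, 0.7, 1.0]]
LABELS = [1, 0, 1, 0]  # constructed "calibrated threat development situation"

def train(pre_steps=20, fine_steps=50):
    """Run the initial-order stage, then the advanced stage, on the constructed data."""
    online, target = [0.5, -0.5, 0.0], [-0.2, 0.3, 0.1]
    costs, losses = [], []
    for _ in range(pre_steps):
        online, target, cost = initial_stage_step(online, target, SEQ2, SEQ3)
        costs.append(cost)
    for _ in range(fine_steps):
        target, loss = advanced_stage_step(target, LABELED, LABELS)
        losses.append(loss)
    return online, target, costs, losses

if __name__ == "__main__":
    _, target, costs, losses = train()
    print(f"learning cost {costs[0]:.4f} -> {costs[-1]:.4f}")
    print(f"labeled loss  {losses[0]:.4f} -> {losses[-1]:.4f}")
    print([round(decide(target, x)) for x in LABELED])
```

Only the target branch is touched in the advanced stage, which matches claim 4's statement that the calibrated data is loaded to the target threat situation learning branch.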
CN202210249025.XA 2022-03-15 2022-03-15 Threat situation analysis method and threat perception system combined with big data AI analysis Withdrawn CN114785545A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210249025.XA CN114785545A (en) 2022-03-15 2022-03-15 Threat situation analysis method and threat perception system combined with big data AI analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210249025.XA CN114785545A (en) 2022-03-15 2022-03-15 Threat situation analysis method and threat perception system combined with big data AI analysis

Publications (1)

Publication Number Publication Date
CN114785545A true CN114785545A (en) 2022-07-22

Family

ID=82424359

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210249025.XA Withdrawn CN114785545A (en) 2022-03-15 2022-03-15 Threat situation analysis method and threat perception system combined with big data AI analysis

Country Status (1)

Country Link
CN (1) CN114785545A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20221014

Address after: 276000 Bai Sha Bu Zhen Zhu pan Cun, Lanshan District, Linyi City, Shandong Province

Applicant after: Mao Chaoming

Address before: 276000 No. 5-6, Feihong District, Linyi City, Shandong Province

Applicant before: Linyi Gaobo Photoelectric Technology Co.,Ltd.

WW01 Invention patent application withdrawn after publication

Application publication date: 20220722
