CN115168844A - File information processing method and system based on digital security - Google Patents

Publication number
CN115168844A
Authority
CN
China
Prior art keywords
threat
learning
threat intelligence
intelligence
information
Legal status
Granted
Application number
CN202210668284.6A
Other languages
Chinese (zh)
Other versions
CN115168844B (en
Inventor
相颖
Current Assignee
Jiaozhou Archives
Original Assignee
Jiaozhou Archives

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Abstract

The embodiment of the invention discloses an archive information processing method and system based on digital security. A threat intelligence chain is mined from archive system threat perception data, key threat intelligence and linkage threat intelligence are determined from the threat intelligence chain, and the two are output as a threat intelligence relationship network, which represents one or more pieces of threat intelligence carrying an intelligence linkage relationship. Archive system protection configuration is then performed on a digital archive server according to the threat intelligence relationship network. Because the key threat intelligence and the linkage threat intelligence are determined first and the relationship between them is then generated, the resulting threat intelligence relationship network can express a deeper intelligence relationship, which improves the reliability of the archive system protection configuration.

Description

File information processing method and system based on digital security
Technical Field
The invention relates to the technical field of archive information processing, in particular to an archive information processing method and system based on digital security.
Background
With the development of digitization technology, digitized electronic archive systems are gradually being applied to the business service systems of various industries. An archive resource system led by digital archive resources can be established on top of the electronic archive system, and archive resources are managed and mined through various online algorithm technologies, so that references for management decision making are provided in a timely and accurate manner and the archive utilization service capability is further improved. However, the information security of the archive system must be considered: once an information security problem occurs, such as a threat attack event in any of its forms, archives may be stolen. Therefore, the related art urgently needs corresponding measures to ensure the reliability of the archive system protection configuration.
Disclosure of Invention
In view of the above, embodiments of the present invention provide a method and a system for processing archive information based on digital security.
In a first aspect, an embodiment of the present invention provides an archive information processing method based on digital security, which is applied to an archive information processing system based on digital security, and specifically includes:
calling archive system threat perception data corresponding to an archive system protection task, according to the archive system protection task triggered by a digital archive server;
performing threat intelligence analysis on the archive system threat perception data to generate a threat intelligence chain in the archive system threat perception data;
determining key threat intelligence and linkage threat intelligence based on the threat intelligence chain, and outputting the key threat intelligence and the linkage threat intelligence as a threat intelligence relationship network, wherein the threat intelligence relationship network is used for representing one or more pieces of threat intelligence carrying an intelligence linkage relationship;
and performing archive system protection configuration on the digital archive server according to the threat intelligence relationship network.
In some design considerations based on the first aspect, the threat intelligence chain includes threat intelligence of a plurality of different intelligence types in an active threat intelligence member, a passive threat intelligence member, and an upstream and downstream threat intelligence member;
wherein performing archive system protection configuration on the digital archive server according to the threat intelligence relationship network specifically comprises:
referencing associated first archive system protection configuration firmware data in a first archive system protection configuration task, according to the key threat intelligence in the threat intelligence relationship network and the corresponding intelligence linkage relationship;
referencing associated second archive system protection configuration firmware data in a second archive system protection configuration task, according to the linkage threat intelligence in the threat intelligence relationship network and the corresponding intelligence linkage relationship;
determining the first and second archive system protection configuration firmware data as combined archive system protection configuration firmware data of the archive system threat perception data.
In some design ideas based on the first aspect, the archive system threat sensing data is archive system threat sensing data with threat dependency or archive system threat sensing data without threat dependency;
the threat intelligence analysis is carried out on the archive system threat perception data to generate a threat intelligence chain in the archive system threat perception data, and the threat intelligence analysis method specifically comprises the following steps:
and carrying out threat intelligence analysis on the archive system threat perception data with the threat dependency or the archive system threat perception data without the threat dependency to generate the threat intelligence chain in the archive system threat perception data with the threat dependency or the archive system threat perception data without the threat dependency.
In some design ideas based on the first aspect, determining key threat intelligence and linkage threat intelligence based on the threat intelligence chain, and performing threat intelligence relationship network output for the key threat intelligence and the linkage threat intelligence to determine a threat intelligence relationship network, specifically including:
determining a target active threat information member associated with a threat attack event of which the threat perception frequency is greater than a set threshold value in the archive system threat perception data as key threat information, determining a target passive threat information member corresponding to the target active threat information member, and determining a target upstream and downstream threat information member associated with a threat attack linkage event of which the linkage threat perception frequency is greater than the set threshold value as linkage threat information;
and outputting the key threat intelligence and the linkage threat intelligence by a threat intelligence relationship network to determine the threat intelligence relationship network, wherein the threat intelligence relationship network comprises a plurality of threat intelligence of different intelligence types in the target active threat intelligence member, the target passive threat intelligence member and the target upstream and downstream threat intelligence members.
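The threshold-based selection described above, carried through to the first/second protection configuration split of the earlier design, as an added Python example that is not code from the patent. The record layout, the sample chain, the threshold and the protection catalogue are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample chain; none of these values come from the patent.
# Assumed data model: "active" is the observed attack behaviour, "passive" the
# archive resource it acted on, and "linked" the upstream/downstream behaviours
# perceived in the same threat attack linkage event.
CHAIN = [
    {"active": "password-spray", "passive": "archive-login", "linked": ["bulk-download"]},
    {"active": "password-spray", "passive": "archive-login", "linked": ["bulk-download"]},
    {"active": "password-spray", "passive": "archive-login", "linked": ["bulk-download", "log-wipe"]},
    {"active": "password-spray", "passive": "admin-console", "linked": []},
    {"active": "macro-document", "passive": "upload-queue", "linked": ["bulk-download"]},
    {"active": "macro-document", "passive": "upload-queue", "linked": []},
]

# Hypothetical protection catalogue (assumption): the configuration item that
# is referenced for each piece of threat intelligence.
CATALOGUE = {
    "password-spray": "lockout-after-5-failures",
    "archive-login": "require-mfa",
    "admin-console": "restrict-to-mgmt-vlan",
    "bulk-download": "rate-limit-export",
    "log-wipe": "append-only-audit-log",
    "macro-document": "strip-macros-on-upload",
}


def build_relation_network(chain, threshold):
    """Select key and linkage intelligence and return them with their edges."""
    active_hits = Counter(rec["active"] for rec in chain)
    link_hits = Counter((rec["active"], m) for rec in chain for m in rec["linked"])
    passive_of = defaultdict(set)
    for rec in chain:
        passive_of[rec["active"]].add(rec["passive"])

    key, linkage, edges = [], set(), []
    for active in sorted(active_hits):
        if active_hits[active] <= threshold:
            continue  # perceived too rarely to count as key intelligence
        key.append(active)
        # The passive member corresponding to a key active member is linked
        # without a threshold of its own.
        for passive in sorted(passive_of[active]):
            linkage.add(passive)
            edges.append((active, passive, "passive"))
        # Upstream/downstream members need their own linkage count above the
        # threshold.
        for (src, member), hits in sorted(link_hits.items()):
            if src == active and hits > threshold:
                linkage.add(member)
                edges.append((active, member, "upstream-downstream"))
    return {"key": key, "linkage": sorted(linkage), "edges": edges}


def protection_config(network, catalogue):
    """First config from key intel, second from linkage intel, then combined."""
    first = sorted({catalogue[k] for k in network["key"] if k in catalogue})
    second = sorted({catalogue[m] for m in network["linkage"] if m in catalogue})
    combined = first + [item for item in second if item not in first]
    return {"first": first, "second": second, "combined": combined}


if __name__ == "__main__":
    net = build_relation_network(CHAIN, threshold=2)
    for edge in net["edges"]:
        print(edge)
    print(protection_config(net, CATALOGUE))
```

Raising or lowering the threshold changes which active members become key intelligence, and therefore which protection items end up in the combined configuration.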
In some design ideas based on the first aspect, key threat intelligence and linkage threat intelligence are determined based on the threat intelligence chain, and threat intelligence relationship network output is performed on the key threat intelligence and the linkage threat intelligence to determine a threat intelligence relationship network, which specifically includes:
determining the key threat intelligence based on the threat intelligence chain according to example data of a threat intelligence relationship network, wherein the key threat intelligence is one of the active threat intelligence member, the passive threat intelligence member and the upstream and downstream threat intelligence members;
determining the linkage threat intelligence matched with the key threat intelligence according to the key threat intelligence, wherein the linkage threat intelligence is one or two of threat intelligence under the remaining two intelligence types except the key threat intelligence in the active threat intelligence member, the passive threat intelligence member and the upstream and downstream threat intelligence members;
and outputting the key threat intelligence and the linkage threat intelligence by a threat intelligence relationship network to determine the threat intelligence relationship network.
In some design ideas based on the first aspect, when the key threat intelligence is a target active threat intelligence member of an intelligence type corresponding to the active threat intelligence member, determining the linkage threat intelligence matching the key threat intelligence according to the key threat intelligence specifically includes:
according to the target active threat intelligence member and in combination with an AI classification network model, determining, as the linkage threat intelligence, the passive threat intelligence member corresponding to the target active threat intelligence member and the target upstream and downstream threat intelligence member associated with a threat attack linkage event in which the linkage threat perception count of the threat intelligence linkage member in a threat intelligence linkage state with the target active threat intelligence member is greater than a set threshold value;
when the key threat intelligence is a target passive threat intelligence member of an intelligence type corresponding to the passive threat intelligence member, determining the linkage threat intelligence matching the key threat intelligence according to the key threat intelligence, specifically comprising:
according to the target passive threat intelligence member and in combination with an AI classification network model, determining, as the linkage threat intelligence, the target active threat intelligence member corresponding to the target passive threat intelligence member and the target upstream and downstream threat intelligence member associated with a threat attack linkage event in which the linkage threat perception count of the passive threat intelligence category of the target passive threat intelligence member is greater than a set threshold value;
when the key threat intelligence is a target upstream and downstream threat intelligence member of an intelligence type associated with the upstream and downstream threat intelligence member, determining the linkage threat intelligence matching the key threat intelligence according to the key threat intelligence, specifically comprising:
according to the target upstream and downstream threat intelligence member and in combination with an AI classification network model, determining, as the linkage threat intelligence, the target active threat intelligence member associated with an active threat attack event in which the linkage threat perception count of the target upstream and downstream threat intelligence member is greater than a set threshold value, and the target passive threat intelligence member corresponding to that target active threat intelligence member.
In some design ideas based on the first aspect, key threat intelligence and linkage threat intelligence are determined based on the threat intelligence chain, and threat intelligence relationship network output is performed on the key threat intelligence and the linkage threat intelligence to determine a threat intelligence relationship network, which specifically includes:
determining the key threat intelligence and the linkage threat intelligence based on the threat intelligence chain according to a threat intelligence mapping rule, wherein the key threat intelligence and the linkage threat intelligence comprise a plurality of threat intelligence of different intelligence types in the active threat intelligence member, the passive threat intelligence member and the upstream and downstream threat intelligence members;
and outputting the key threat intelligence and the linkage threat intelligence by a threat intelligence relationship network to determine the threat intelligence relationship network.
In some design ideas based on the first aspect, the threat intelligence analysis is performed on the archive system threat awareness data to generate a threat intelligence chain in the archive system threat awareness data, and the threat intelligence chain specifically includes:
loading the archive system threat perception data into a threat intelligence decision network meeting model deployment conditions, and determining a threat intelligence chain in the archive system threat perception data;
wherein, the threat intelligence decision network optimizes the network model weight parameters through the following steps:
obtaining an example archive system threat perception learning data cluster associated with a basic threat intelligence learning training node from a distributed training computing system corresponding to an AI training plan; obtaining initial threat intelligence learning parameter layer data of the threat intelligence learning training network associated with the basic threat intelligence learning training node from a collaborative threat intelligence learning training node in that distributed training computing system; configuring the threat intelligence learning parameter layer data of the threat intelligence learning training network of the basic threat intelligence learning training node as the initial threat intelligence learning parameter layer data; and splitting the example archive system threat perception learning data cluster into example threat perception learning data groups of a preset magnitude, wherein the example archive system threat perception learning data comprises example archive system threat perception data and prior threat intelligence used for prior authentication of that data, the example archive system threat perception data is threat perception data output by performing perception on an example archive system, and the prior threat intelligence represents the threat of the example archive system corresponding to the example archive system threat perception data;
selecting one example threat perception learning data group from the example threat perception learning data groups of the preset magnitude as a target threat perception learning data group; and, according to the target threat perception learning data group and the threat intelligence learning training network, using the example archive system threat perception data of the example archive system threat perception learning data in the target threat perception learning data group as threat intelligence learning basic data, using the prior threat intelligence associated with the loaded example archive system threat perception data as the threat intelligence learning result to be output, and optimizing the network weight information of the threat intelligence learning training network to generate an intermediate threat intelligence decision network;
analyzing whether any example threat perception learning data group with unfinished learning exists among the example threat perception learning data groups of the preset magnitude;
obtaining an intermediate threat intelligence decision network of the preset magnitude when the analysis finds that no example threat perception learning data group with unfinished learning exists;
when the analysis finds that an example threat perception learning data group with unfinished learning exists, selecting an example threat perception learning data group from those with unfinished learning as a new target threat perception learning data group, taking the most recently output intermediate threat intelligence decision network as the new threat intelligence learning training network, and continuing to execute the network weight information optimization step;
wherein the step of, according to the target threat perception learning data group and the threat intelligence learning training network, using the example archive system threat perception data of the example archive system threat perception learning data in the target threat perception learning data group as threat intelligence learning basic data, using the prior threat intelligence associated with the loaded example archive system threat perception data as the threat intelligence learning result to be output, and optimizing the network weight information of the threat intelligence learning training network to generate an intermediate threat intelligence decision network, specifically comprises:
performing, based on the target threat perception learning data group, iterative network weight information updating over a plurality of threat intelligence learning flows on the threat intelligence learning training network of the basic threat intelligence learning training node, and determining the basic learning transfer function value of each threat intelligence learning parameter layer data in that network;
loading the basic learning transfer function value to the collaborative threat intelligence learning training node, so that the collaborative threat intelligence learning training node, after obtaining the learning transfer function values transmitted by each learning training member, obtains a fused learning transfer function value, updates the initial threat intelligence learning parameter layer data in combination with the fused learning transfer function value, and sends the updated initial threat intelligence learning parameter layer data to each learning training member, and each learning training member uses the updated data as the initial threat intelligence learning parameter layer data associated with the next round of the threat intelligence learning flow of the basic threat intelligence learning training node;
during the threat intelligence learning flow of each basic threat intelligence learning training node, when the analysis finds that the threat intelligence learning training network of the basic threat intelligence learning training node meets the network model deployment requirement, taking that threat intelligence learning training network as the intermediate threat intelligence decision network, and performing threat intelligence analysis by means of the intermediate threat intelligence decision network.
In some design ideas based on the first aspect, the iterative network weight information updating of a plurality of threat intelligence learning processes is performed on the threat intelligence learning training network of the basic threat intelligence learning training node based on the target threat perception learning data group, and a basic learning transfer function value of each threat intelligence learning parameter layer data in the threat intelligence learning training network of the basic threat intelligence learning training node is determined, which specifically includes:
after the threat intelligence learning parameter layer data of the threat intelligence learning training network of the basic threat intelligence learning training node is configured as the initial threat intelligence learning parameter layer data, analyzing whether the threat intelligence learning training network of the basic threat intelligence learning training node is in a network update retention state; when the analysis finds that the network has entered the network update retention state, adding a first specified number of iterations to the number of basic iterative learning updates used in the previous threat intelligence learning flow of the basic threat intelligence learning training node to determine a target number of iterations, wherein the number of basic iterative learning updates in the first threat intelligence learning flow of the basic threat intelligence learning training node is set to 1;
performing the target number of basic iterative learning updates on the threat intelligence learning training network of the basic threat intelligence learning training node based on the target threat perception learning data group, and determining the basic learning transfer function value of each threat intelligence learning parameter layer data in that network;
wherein analyzing whether the threat intelligence learning training network of the basic threat intelligence learning training node is in the network update retention state specifically includes:
analyzing whether the learning transfer function variation values of the threat intelligence learning training network of the basic threat intelligence learning training node over the most recent second specified number of basic iterative learning updates are all smaller than a specified variation value, wherein a learning transfer function variation value is the change of the learning transfer function value determined in the basic iterative learning update of the current threat intelligence learning flow compared with the learning transfer function value determined in the basic iterative learning update of the previous threat intelligence learning flow;
when the analysis finds that they are all smaller than the specified variation value, determining that the threat intelligence learning training network of the basic threat intelligence learning training node is in the network update retention state;
and if the variation values are not all smaller than the specified variation value, determining that the threat intelligence learning training network of the basic threat intelligence learning training node has not entered the network update retention state.
For example, in some design ideas based on the first aspect, after configuring threat intelligence learning parameter layer data of the threat intelligence learning training network of the basic threat intelligence learning training node as the initial threat intelligence learning parameter layer data, performing iterative network weight information update of a plurality of threat intelligence learning processes on the threat intelligence learning training network of the basic threat intelligence learning training node based on the target threat perception learning data group, and determining basic learning transfer function values of each threat intelligence learning parameter layer data in the threat intelligence learning training network of the basic threat intelligence learning training node, the method further includes:
acquiring training call resource data of the current basic threat intelligence learning training node, and determining a transfer cost value for transferring the basic learning transfer function value to the collaborative threat intelligence learning training node according to the training call resource data and the call resource quantity of the basic learning transfer function value;
acquiring the learning cost value, labeled a priori, of one threat intelligence learning flow of each basic threat intelligence learning training node, and calculating the cost change value of the transfer cost value relative to the learning cost value;
if the cost change value is greater than a first specified change value, destroying the basic learning transfer function value;
when the analysis finds that the cost change value is not greater than the first specified change value, performing the step of loading the basic learning transfer function value to the collaborative threat intelligence learning training node.
For example, in some design ideas based on the first aspect, after configuring threat information learning parameter layer data of the threat information learning training network of the basic threat information learning training node as the initial threat information learning parameter layer data, performing iterative network weight information update of multiple threat information learning processes on the threat information learning training network of the basic threat information learning training node based on the target threat perception learning data group, and determining a basic learning transfer function value of each threat information learning parameter layer data in the threat information learning training network of the basic threat information learning training node, specifically includes:
configuring threat intelligence learning parameter layer data of the threat intelligence learning training network of a basic threat intelligence learning training node as the initial threat intelligence learning parameter layer data;
loading the example file system threat perception learning data cluster to a threat intelligence feature analysis branch of the threat intelligence learning training network of a basic threat intelligence learning training node to carry out threat intelligence feature analysis to obtain threat intelligence features;
loading the threat intelligence features to a threat intelligence output branch of the threat intelligence learning training network of a basic threat intelligence learning training node to obtain learning support values and threat intelligence member mapping data of threat intelligence members in the example file system threat perception learning data cluster;
determining a current learning transfer function value of a network convergence evaluation index of the threat intelligence learning training network relative to current threat intelligence learning parameter layer data in a threat intelligence learning training network of a basic threat intelligence learning training node according to the learning support value and the threat intelligence member mapping data so as to complete one-turn basic iterative learning updating of the basic threat intelligence learning training node;
analyzing whether the number of basic iterative learning updates already performed by the basic threat intelligence learning training node is not less than a third specified number of iterations;
when the analysis finds that it is not less than the third specified number of iterations, taking the current learning transfer function value as the basic learning transfer function value;
and when the analysis finds that it is less than the third specified number of iterations, updating the threat intelligence learning parameter layer data in the threat intelligence learning training network of the basic threat intelligence learning training node according to the current learning transfer function value, and returning to the step of loading the example archive system threat perception learning data cluster to the threat intelligence feature analysis branch of the threat intelligence learning training network of the basic threat intelligence learning training node for threat intelligence feature analysis to obtain the threat intelligence features.
A threat intelligence learning training network is deployed to each learning training member of the distributed training computing system corresponding to the AI training plan. Each learning training member obtains the example archive system threat perception learning data cluster associated with the basic threat intelligence learning training node from that distributed training computing system, and obtains the initial threat intelligence learning parameter layer data of the threat intelligence learning training network associated with the basic threat intelligence learning training node from the collaborative threat intelligence learning training node in that system. The threat intelligence learning parameter layer data of the threat intelligence learning training network of the basic threat intelligence learning training node is configured as the initial threat intelligence learning parameter layer data; iterative network weight information updating over a plurality of threat intelligence learning flows is then performed on that network according to the target threat perception learning data group, and the basic learning transfer function value of each threat intelligence learning parameter layer data in the network is determined. The basic learning transfer function value is loaded to the collaborative threat intelligence learning training node, so that the collaborative threat intelligence learning training node, after obtaining the learning transfer function values transmitted by each learning training member, obtains a fused learning transfer function value, updates the initial threat intelligence learning parameter layer data in combination with the fused learning transfer function value, and sends the updated initial threat intelligence learning parameter layer data to each learning training member, which uses it as the initial threat intelligence learning parameter layer data associated with the next round of the threat intelligence learning flow of the basic threat intelligence learning training node. During the threat intelligence learning flow of each basic threat intelligence learning training node, when the analysis finds that the threat intelligence learning training network of the basic threat intelligence learning training node meets the network model deployment requirement, that network is taken as the intermediate threat intelligence decision network, and threat intelligence analysis is performed by means of the intermediate threat intelligence decision network. Therefore, after each learning training member completes the threat intelligence learning flow of the basic threat intelligence learning training node, the basic learning transfer function value is loaded to the collaborative threat intelligence learning training node for global processing, so that collaborative threat intelligence learning training across the learning training members is realized and the training reliability is improved.
In a second aspect, an embodiment of the present invention provides an archive information processing system based on digital security, which specifically includes:
a processor;
a memory, in which a computer program is stored, wherein the computer program is executed to implement the archive information processing method based on digital security of the first aspect.
As described above, in the embodiments of the present invention, according to an archive system protection task triggered by a digital archive server, the archive system threat perception data corresponding to the archive system protection task is called; threat intelligence analysis is performed on the archive system threat perception data to mine the threat intelligence chain in it; key threat intelligence and linkage threat intelligence are determined from the threat intelligence chain; and threat intelligence relationship network output is performed for the key threat intelligence and the linkage threat intelligence to determine a threat intelligence relationship network, which represents one or more items of threat intelligence that carry intelligence linkage relationships, so that archive system protection configuration is performed on the digital archive server according to the threat intelligence relationship network. Because the key threat intelligence and the linkage threat intelligence are determined first and the relationships between them are then generated, a threat intelligence relationship network capable of expressing deeper intelligence relationships is obtained before the archive system protection configuration is carried out, which improves the reliability of the archive system protection configuration.
Drawings
FIG. 1 is a flowchart illustrating the steps of an archive information processing method based on digital security according to an embodiment of the present invention;
FIG. 2 is a schematic block diagram of the structure of an archive information processing system based on digital security for performing the archive information processing method based on digital security of FIG. 1 according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of one or more embodiments of the present disclosure more apparent, the technical solutions of one or more embodiments of the present disclosure will be clearly and completely described below with reference to specific embodiments of the present disclosure and the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present specification, and not all embodiments. All other embodiments that can be derived by a person skilled in the art from the embodiments given herein without making any creative effort fall within the scope of protection of one or more embodiments of the present specification.
Step 101: According to an archive system protection task triggered by the digital archive server, calling the archive system threat perception data corresponding to the archive system protection task.
In some alternative embodiments, the digital archive server may send the archive system protection task to the archive information processing system based on digital security, so that threat intelligence analysis and archive system protection configuration are performed by the archive information processing system based on digital security. The archive system threat perception data may be log data obtained by perceiving threat attacks against the archive data system corresponding to the digital archive server, for example, data on threat attack activity identified through an attack chain that perceives file behavior, with a detection ecosystem constructed by adopting an information sharing mechanism.
Step 102: Performing threat intelligence analysis on the archive system threat perception data to generate the threat intelligence chain in the archive system threat perception data.
In some alternative embodiments, the threat intelligence chain in the archive system threat perception data may refer to a chain of threat intelligence members arranged according to a time-sequence relationship or a space-sequence relationship.
Step 103: Determining key threat intelligence and linkage threat intelligence based on the threat intelligence chain, and performing threat intelligence relationship network output for the key threat intelligence and the linkage threat intelligence to determine a threat intelligence relationship network.
In some alternative embodiments, the threat intelligence relationship network is used to characterize one or more items of threat intelligence that carry intelligence linkage relationships. The linkage threat intelligence can be understood as threat intelligence that has a linkage relationship with the key threat intelligence, and the key threat intelligence can be determined by a rule based on actual conditions. Performing threat intelligence relationship network output for the key threat intelligence and the linkage threat intelligence connects them through intelligence linkage relationships, so that a threat intelligence relationship network capable of expressing deeper intelligence relationships is obtained.
Step 104: Performing archive system protection configuration on the digital archive server according to the threat intelligence relationship network.
With this technical scheme, the threat intelligence chain in the archive system threat perception data is mined, key threat intelligence and linkage threat intelligence are determined from the threat intelligence chain, and threat intelligence relationship network output is performed for the key threat intelligence and the linkage threat intelligence to determine a threat intelligence relationship network, which represents one or more items of threat intelligence that carry intelligence linkage relationships, so that archive system protection configuration is performed on the digital archive server according to the threat intelligence relationship network. Because the key threat intelligence and the linkage threat intelligence are determined first and the relationships between them are then generated, a threat intelligence relationship network capable of expressing deeper intelligence relationships is obtained before the archive system protection configuration is carried out, which improves the reliability of the archive system protection configuration.
In some alternative embodiments, the threat intelligence chain includes threat intelligence of a plurality of different intelligence types among an active threat intelligence member, a passive threat intelligence member, and an upstream and downstream threat intelligence member. The active threat intelligence member may refer to a threat intelligence member corresponding to an actively triggered threat attack event, the passive threat intelligence member may refer to a threat intelligence member corresponding to a passively triggered threat attack event, and the upstream and downstream threat intelligence members may refer to threat intelligence members corresponding to threat attack events that have upstream and downstream dependency triggering relationships.
In some alternative embodiments, an exemplary design concept for step 104 is described below.
Step 201: According to the key threat intelligence in the threat intelligence relationship network and its corresponding intelligence linkage relationship, referencing the associated first archive system protection configuration firmware data in a first archive system protection configuration task.
Step 202: According to the linkage threat intelligence in the threat intelligence relationship network and its corresponding intelligence linkage relationship, referencing the associated second archive system protection configuration firmware data in a second archive system protection configuration task.
Step 203: determining the first and second archive system protection configuration firmware data as combined archive system protection configuration firmware data of the archive system threat awareness data.
In some alternative embodiments, determining key threat intelligence and linkage threat intelligence based on the threat intelligence chain in step 103, and performing threat intelligence relationship network output for the key threat intelligence and the linkage threat intelligence to determine a threat intelligence relationship network, may be implemented by step 103A1 and step 103A2.
Step 103A1: Determining, as the key threat intelligence, a target active threat intelligence member associated with a threat attack event whose threat perception count in the archive system threat perception data is greater than a set threshold; determining the target passive threat intelligence member corresponding to the target active threat intelligence member; and determining, as the linkage threat intelligence, a target upstream and downstream threat intelligence member associated with a threat attack linkage event whose linkage threat perception count is greater than the set threshold.
Step 103A2: Performing threat intelligence relationship network output for the key threat intelligence and the linkage threat intelligence to determine the threat intelligence relationship network.
In some alternative embodiments, the threat intelligence relationship network comprises threat intelligence of a plurality of different intelligence types among the target active threat intelligence member, the target passive threat intelligence member, and the target upstream and downstream threat intelligence members.
With this technical scheme, for a threat attack linkage event within the threat attack event whose linkage threat perception count is greater than the set threshold, the target upstream and downstream threat intelligence member is determined as linkage threat intelligence, and the key threat intelligence and the linkage threat intelligence are then used to expand the feature details of the threat intelligence relationship network.
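One way to read steps 103A1 and 103A2 in code, as an added example that is not part of the patent text. The record fields, the sample records and the member names are constructed; treating the passive member as linkage threat intelligence, and keeping only linkage events that belong to an attack event already over the threshold, are assumptions of this example.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the patent); field names are assumptions.
# One perception record per sensed occurrence of a threat attack event.
PERCEPTIONS = [
    {"event": "bulk-export", "active": "act:scripted-download",
     "passive": "pas:quota-alarm"},
] * 3 + [
    {"event": "index-tamper", "active": "act:metadata-rewrite",
     "passive": "pas:hash-mismatch"},
]

# One linkage record per sensed occurrence of a threat attack linkage event.
LINKAGES = (
    [{"event": "bulk-export", "updown": "ud:stolen-session"}] * 3
    + [{"event": "bulk-export", "updown": "ud:vpn-anomaly"}]
    + [{"event": "index-tamper", "updown": "ud:admin-login"}] * 3
)


def build_relationship_network(perceptions, linkages, threshold):
    """Return (key, linkage, edges) for one reading of steps 103A1/103A2."""
    event_counts = Counter(p["event"] for p in perceptions)
    actives_by_event = defaultdict(set)
    key, linkage, edges = set(), set(), set()

    # 103A1, first part: the active member of every attack event sensed more
    # than `threshold` times is key threat intelligence; the passive member
    # recorded with it is attached to it.
    for p in perceptions:
        if event_counts[p["event"]] <= threshold:
            continue
        key.add(p["active"])
        actives_by_event[p["event"]].add(p["active"])
        if p.get("passive"):
            linkage.add(p["passive"])
            edges.add((p["active"], p["passive"], "active-passive"))

    # 103A1, second part: upstream/downstream members whose linkage event was
    # sensed more than `threshold` times, restricted to events kept above.
    link_counts = Counter((l["event"], l["updown"]) for l in linkages)
    for (event, member), count in link_counts.items():
        if count > threshold and event in actives_by_event:
            linkage.add(member)
            for active in actives_by_event[event]:
                edges.add((active, member, "upstream-downstream"))

    # 103A2: the relationship network is the set of typed edges.
    return key, linkage, edges


if __name__ == "__main__":
    key, linkage, edges = build_relationship_network(PERCEPTIONS, LINKAGES, 2)
    print("key:", sorted(key))
    print("linkage:", sorted(linkage))
    for edge in sorted(edges):
        print("edge:", edge)
```

The `ud:admin-login` member is sensed three times but is dropped at threshold 2 because its attack event was sensed only once; that is a consequence of the restriction assumed above, not something the patent text spells out.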
In alternative embodiments, determining key threat intelligence and linkage threat intelligence based on the threat intelligence chain in step 103, and performing threat intelligence relationship network output for the key threat intelligence and the linkage threat intelligence to determine a threat intelligence relationship network, may include steps 103B1 to 103B3.
Step 103B1: determining the key threat intelligence based on the threat intelligence chain according to paradigm data of a threat intelligence relationship network.
In some alternative embodiments, the key threat intelligence is one of the active threat intelligence member, the passive threat intelligence member, and the upstream and downstream threat intelligence members.
Step 103B2: Determining, according to the key threat intelligence, the linkage threat intelligence that matches the key threat intelligence.
In some alternative embodiments, the linkage threat intelligence is threat intelligence of one or both of the remaining two intelligence types, other than that of the key threat intelligence, among the active threat intelligence member, the passive threat intelligence member, and the upstream and downstream threat intelligence members.
Step 103B3: Performing threat intelligence relationship network output for the key threat intelligence and the linkage threat intelligence to determine the threat intelligence relationship network.
In some alternative embodiments, when the key threat intelligence is a target active threat intelligence member, that is, of the intelligence type corresponding to the active threat intelligence member, determining the linkage threat intelligence matching the key threat intelligence according to the key threat intelligence may be implemented as follows: according to the target active threat intelligence member and in combination with an AI classification network model, determining, as the linkage threat intelligence, the passive threat intelligence member corresponding to the target active threat intelligence member, and the target upstream and downstream threat intelligence member associated with a threat attack linkage event for which the linkage threat perception count of a threat intelligence linkage member that is in a threat intelligence linkage state at the same time as the target active threat intelligence member is greater than a set threshold.
For example, the target upstream and downstream threat intelligence member associated with a threat attack linkage event for which the linkage threat perception count of a threat intelligence linkage member that is in a threat intelligence linkage state at the same time as the target active threat intelligence member is greater than the set threshold can be understood as follows: the threat attack linkage event corresponds to the target upstream and downstream threat intelligence member and to the linkage threat perception count of the threat intelligence linkage member, and the threat intelligence linkage member and the target active threat intelligence member are in a threat intelligence linkage state at the same time.
In some alternative embodiments, when the key threat intelligence is a target passive threat intelligence member, that is, of the intelligence type corresponding to the passive threat intelligence member, determining the linkage threat intelligence matching the key threat intelligence according to the key threat intelligence may be implemented as follows: according to the target passive threat intelligence member and in combination with an AI classification network model, determining, as the linkage threat intelligence, the target active threat intelligence member corresponding to the target passive threat intelligence member, and the target upstream and downstream threat intelligence member associated with a threat attack linkage event for which the linkage threat perception count of the passive threat intelligence category of the target passive threat intelligence member is greater than a set threshold.
In some alternative embodiments, when the key threat intelligence is a target upstream and downstream threat intelligence member, that is, of the intelligence type corresponding to the upstream and downstream threat intelligence member, determining the linkage threat intelligence matching the key threat intelligence according to the key threat intelligence may be implemented as follows: according to the target upstream and downstream threat intelligence member and in combination with an AI classification network model, determining, as the linkage threat intelligence, the target active threat intelligence member associated with an active threat attack event for which the linkage threat perception count of the target upstream and downstream threat intelligence member is greater than a set threshold, and the target passive threat intelligence member corresponding to that target active threat intelligence member.
In alternative embodiments, determining key threat intelligence and linkage threat intelligence based on the threat intelligence chain in step 103, and performing threat intelligence relationship network output for the key threat intelligence and the linkage threat intelligence to determine a threat intelligence relationship network, may include step 103C1 and step 103C2.
Step 103C1: Obtaining threat intelligence mapping rules, and determining the key threat intelligence and the linkage threat intelligence based on the threat intelligence chain in combination with the threat intelligence mapping rules.
In some alternative embodiments, the key threat intelligence and the linkage threat intelligence comprise threat intelligence of a plurality of different intelligence types among the active threat intelligence member, the passive threat intelligence member, and the upstream and downstream threat intelligence members.
Step 103C2: Performing threat intelligence relationship network output for the key threat intelligence and the linkage threat intelligence to determine the threat intelligence relationship network.
In some alternative embodiments, the archive system threat perception data is archive system threat perception data with threat dependency or archive system threat perception data without threat dependency. On this basis, performing threat intelligence analysis on the archive system threat perception data in step 102 to generate the threat intelligence chain in the archive system threat perception data may be implemented as follows: analyzing the archive system threat perception data with threat dependency or the archive system threat perception data without threat dependency, and parsing the threat intelligence chain from the archive system threat perception data with threat dependency or the linkage archive system threat perception threat intelligence.
In some alternative embodiments, performing threat intelligence analysis on the archive system threat perception data to generate the threat intelligence chain in the archive system threat perception data specifically includes: loading the archive system threat perception data into a threat intelligence decision network that meets the model deployment conditions, and determining the threat intelligence chain in the archive system threat perception data.
Wherein, the threat intelligence decision network optimizes the network model weight parameters through the following steps:
(1) Obtaining, from the distributed training computing system corresponding to an AI training plan, an example archive system threat perception learning data cluster associated with a basic threat intelligence learning training node; obtaining, from the cooperative threat intelligence learning training node in the distributed training computing system corresponding to the AI training plan, the initial threat intelligence learning parameter layer data of the threat intelligence learning training network associated with the basic threat intelligence learning training node; configuring the threat intelligence learning parameter layer data of the threat intelligence learning training network of the basic threat intelligence learning training node as the initial threat intelligence learning parameter layer data; and splitting the example archive system threat perception learning data cluster into example threat perception learning data groups of a preset magnitude, wherein the example archive system threat perception learning data comprises example archive system threat perception data and prior threat intelligence used for prior authentication of the example archive system threat perception data, the example archive system threat perception data is archive system threat perception data output by performing threat perception on an example archive system, and the prior threat intelligence represents the threat intelligence of the example archive system corresponding to the example archive system threat perception data;
(2) Selecting one example threat perception learning data group from the example threat perception learning data groups of the preset magnitude as the target threat perception learning data group; and, according to the target threat perception learning data group and the threat intelligence learning training network, using the example archive system threat perception data of the example archive system threat perception learning data in the target threat perception learning data group as threat intelligence learning basic data and the prior threat intelligence associated with the loaded example archive system threat perception data as the threat intelligence learning result to be output, optimizing the network weight information of the threat intelligence learning training network to generate an intermediate threat intelligence decision network;
(3) Analyzing whether any example threat perception learning data group that has not completed learning exists among the example threat perception learning data groups of the preset magnitude;
(4) When it is analyzed that no example threat perception learning data group that has not completed learning exists, obtaining an intermediate threat intelligence decision network with a preset magnitude;
(5) When it is analyzed that example threat perception learning data groups that have not completed learning exist, selecting one of them as a new target threat perception learning data group, using the last output intermediate threat intelligence decision network as the new threat intelligence learning training network, and continuing to execute the network weight information optimization step.
Using, according to the target threat perception learning data group and the threat intelligence learning training network, the example archive system threat perception data of the example archive system threat perception learning data in the target threat perception learning data group as threat intelligence learning basic data, using the prior threat intelligence associated with the loaded example archive system threat perception data as the threat intelligence learning result to be output, and optimizing the network weight information of the threat intelligence learning training network to generate an intermediate threat intelligence decision network, specifically comprises the following steps: performing iterative network weight information updates of a plurality of threat intelligence learning processes on the threat intelligence learning training network of the basic threat intelligence learning training node based on the target threat perception learning data group, and determining the basic learning transfer function value of each item of threat intelligence learning parameter layer data in the threat intelligence learning training network of the basic threat intelligence learning training node; loading the basic learning transfer function value to the cooperative threat intelligence learning training node, so that the cooperative threat intelligence learning training node, after obtaining the learning transfer function values transmitted by each learning training member, obtains a fused learning transfer function value, updates the initial threat intelligence learning parameter layer data in combination with the fused learning transfer function value, and sends the updated initial threat intelligence learning parameter layer data to each learning training member, which uses it as the initial threat intelligence learning parameter layer data for the next round of the threat intelligence learning process of the basic threat intelligence learning training node; and, during the threat intelligence learning process of each basic threat intelligence learning training node, when the threat intelligence learning training network of the basic threat intelligence learning training node is analyzed to match the network model deployment requirement, using that network as an intermediate threat intelligence decision network, and performing threat intelligence analysis by means of the intermediate threat intelligence decision network.
Performing iterative network weight information updates of a plurality of threat intelligence learning processes on the threat intelligence learning training network of the basic threat intelligence learning training node based on the target threat perception learning data group, and determining the basic learning transfer function value of each item of threat intelligence learning parameter layer data in the threat intelligence learning training network of the basic threat intelligence learning training node, specifically comprises: after the threat intelligence learning parameter layer data of the threat intelligence learning training network of the basic threat intelligence learning training node is configured as the initial threat intelligence learning parameter layer data, analyzing whether the threat intelligence learning training network of the basic threat intelligence learning training node is in a network update retention state; when the threat intelligence learning training network of the basic threat intelligence learning training node is analyzed to have entered the network update retention state, adding a first specified number of iterative learning times to the number of basic iterative learning updates performed in the previous threat intelligence learning process of the basic threat intelligence learning training node to determine a target number of iterative learning times, where the number of basic iterative learning updates in the first threat intelligence learning process of the basic threat intelligence learning training node is set to 1; and performing the target number of basic iterative learning updates on the threat intelligence learning training network of the basic threat intelligence learning training node based on the target threat perception learning data group, and determining the basic learning transfer function value of each item of threat intelligence learning parameter layer data in the threat intelligence learning training network of the basic threat intelligence learning training node;
wherein analyzing whether the threat intelligence learning training network of the basic threat intelligence learning training node is in the network update retention state specifically includes: analyzing whether the learning transfer function variation values of the threat intelligence learning training network of the basic threat intelligence learning training node in the most recent second specified number of prior basic iterative learning updates are all smaller than a specified variation value, where a learning transfer function variation value refers to the variation of the learning transfer function value determined in one basic iterative learning update of the threat intelligence learning process relative to the learning transfer function value determined in the previous basic iterative learning update of the threat intelligence learning process; when they are analyzed to be all smaller than the specified variation value, determining that the threat intelligence learning training network of the basic threat intelligence learning training node is in the network update retention state; and if they are analyzed to be not all smaller than the specified variation value, determining that the threat intelligence learning training network of the basic threat intelligence learning training node has not entered the network update retention state.
For example, in some designs, after configuring the threat intelligence learning parameter layer data of the threat intelligence learning training network of the basic threat intelligence learning training node as the initial threat intelligence learning parameter layer data, performing iterative network weight information updates of a plurality of threat intelligence learning processes on the threat intelligence learning training network of the basic threat intelligence learning training node based on the target threat perception learning data group, and determining the basic learning transfer function value of each item of threat intelligence learning parameter layer data in the threat intelligence learning training network of the basic threat intelligence learning training node, the method further includes: acquiring the training calling resource data of the current basic threat intelligence learning training node, and determining, according to the training calling resource data and the calling resource quantity of the basic learning transfer function value, the transfer cost value of transferring the basic learning transfer function value to the cooperative threat intelligence learning training node; acquiring the a priori labeled learning cost value of a threat intelligence learning process of each basic threat intelligence learning training node, and calculating the cost change value of the transfer cost value relative to the learning cost value; if the cost change value is greater than a first specified change value, destroying the basic learning transfer function value; and if the cost change value is not greater than the first specified change value, executing the step of loading the basic learning transfer function value to the cooperative threat intelligence learning training node.
For example, in some designs, configuring the threat intelligence learning parameter layer data of the threat intelligence learning training network of the basic threat intelligence learning training node as the initial threat intelligence learning parameter layer data, then performing iterative network weight information updates of a plurality of threat intelligence learning processes on the threat intelligence learning training network of the basic threat intelligence learning training node based on the target threat perception learning data group, and determining the basic learning transfer function value of each item of threat intelligence learning parameter layer data in the threat intelligence learning training network of the basic threat intelligence learning training node, specifically includes: configuring the threat intelligence learning parameter layer data of the threat intelligence learning training network of the basic threat intelligence learning training node as the initial threat intelligence learning parameter layer data; loading the example archive system threat perception learning data cluster into the threat intelligence feature analysis branch of the threat intelligence learning training network of the basic threat intelligence learning training node to analyze threat intelligence features and obtain the threat intelligence features; loading the threat intelligence features into the threat intelligence output branch of the threat intelligence learning training network of the basic threat intelligence learning training node to obtain the learning support values and the threat intelligence member mapping data of the threat intelligence members in the example archive system threat perception learning data cluster; determining, according to the learning support values and the threat intelligence member mapping data, the current learning transfer function value of the network convergence evaluation index of the threat intelligence learning training network relative to the current threat intelligence learning parameter layer data in the threat intelligence learning training network of the basic threat intelligence learning training node, so as to complete one round of basic iterative learning update of the basic threat intelligence learning training node; analyzing whether the number of basic iterative learning updates performed by the basic threat intelligence learning training node is not less than a third specified number of iterative learning times; when it is analyzed to be not less than the third specified number of iterative learning times, taking the current learning transfer function value as the basic learning transfer function value; and if it is analyzed to be less than the third specified number of iterative learning times, updating the threat intelligence learning parameter layer data in the threat intelligence learning training network of the basic threat intelligence learning training node according to the current learning transfer function value, and returning to the step of loading the example archive system threat perception learning data cluster into the threat intelligence feature analysis branch of the threat intelligence learning training network of the basic threat intelligence learning training node to analyze threat intelligence features and obtain the threat intelligence features.
With this technical scheme, the threat intelligence learning training network is deployed to each learning training member of the distributed training computing system corresponding to the AI training plan. Each learning training member acquires the example archive system threat perception learning data cluster associated with the basic threat intelligence learning training node from the distributed training computing system corresponding to the AI training plan, and acquires the initial threat intelligence learning parameter layer data of the threat intelligence learning training network associated with the basic threat intelligence learning training node from the cooperative threat intelligence learning training node in that distributed training computing system. The threat intelligence learning parameter layer data of the threat intelligence learning training network of the basic threat intelligence learning training node is configured as the initial threat intelligence learning parameter layer data; iterative network weight information updates over a plurality of threat intelligence learning processes are then performed on that network according to the target threat perception learning data cluster, and the basic learning transfer function value of each threat intelligence learning parameter layer data in the network is determined. The basic learning transfer function value is loaded to the cooperative threat intelligence learning training node, so that the cooperative threat intelligence learning training node, after obtaining the learning transfer function values transmitted by each learning training member, obtains a fused learning transfer function value, updates the initial threat intelligence learning parameter layer data in combination with the fused learning transfer function value, and sends the updated initial threat intelligence learning parameter layer data to each learning training member, so that each learning training member uses the updated data as the initial threat intelligence learning parameter layer data for the next round of the threat intelligence learning process of the basic threat intelligence learning training node. During the threat intelligence learning process of each basic threat intelligence learning training node, when the threat intelligence learning training network of the basic threat intelligence learning training node is found to match the network model deployment requirement, that network is used as an intermediate threat intelligence decision network, so that threat intelligence is analyzed by means of the intermediate threat intelligence decision network. Therefore, after each learning training member completes the threat intelligence learning process of the basic threat intelligence learning training node, the basic learning transfer function value is loaded to the cooperative threat intelligence learning training node for global processing, which realizes cooperative threat intelligence learning training across the learning training members and improves training reliability.
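The round described above, together with the transfer-cost check from the earlier paragraph, as an added illustration in Python (not code from the patent). It assumes that the "learning transfer function value" is a loss gradient, that fusion is a plain mean, and that the transfer cost is payload size divided by link speed; the logistic model, all names and all data are constructed for the example.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Vector = List[float]


@dataclass
class Member:
    """One learning training member; every field value used here is constructed."""
    name: str
    features: List[Vector]   # example threat perception data
    labels: List[int]        # a-priori threat labels, 0 or 1
    link_bps: float          # assumed form of the "training calling resource data"
    learning_cost_s: float   # a-priori labelled cost of one learning process


def gradient(w: Vector, m: Member) -> Vector:
    """Mean logistic-loss gradient of the member's data at parameters w."""
    g = [0.0] * len(w)
    for x, y in zip(m.features, m.labels):
        p = 1.0 / (1.0 + math.exp(-sum(wi * xi for wi, xi in zip(w, x))))
        for i, xi in enumerate(x):
            g[i] += (p - y) * xi / len(m.labels)
    return g


def local_transfer_value(w0: Vector, m: Member, iterations: int, lr: float) -> Vector:
    """Local loop: compute the current value; once the iteration count reaches
    the specified number return it, otherwise update the parameters and repeat."""
    w, done = list(w0), 0
    while True:
        g = gradient(w, m)
        done += 1
        if done >= iterations:
            return g
        w = [wi - lr * gi for wi, gi in zip(w, g)]


def cost_change(value: Vector, m: Member) -> float:
    """Change of the transfer cost relative to the learning cost.
    Assumption: cost = payload bits / link speed, 8 bytes per parameter."""
    transfer_cost_s = len(value) * 8 * 8 / m.link_bps
    return (transfer_cost_s - m.learning_cost_s) / m.learning_cost_s


def gated_upload(w0: Vector, m: Member, iterations: int, lr: float,
                 max_change: float) -> Optional[Vector]:
    """Return the value to upload, or None when the cost check destroys it."""
    value = local_transfer_value(w0, m, iterations, lr)
    if cost_change(value, m) > max_change:
        return None
    return value


def coordinator_round(w0: Vector, members: Sequence[Member], iterations: int,
                      lr: float, max_change: float
                      ) -> Tuple[Vector, List[str], List[str]]:
    """Cooperative node: fuse the received values (assumed: mean), update the
    initial parameters, and report which members uploaded or were dropped."""
    received, dropped = {}, []
    for m in members:
        value = gated_upload(w0, m, iterations, lr, max_change)
        if value is None:
            dropped.append(m.name)
        else:
            received[m.name] = value
    if not received:  # nothing arrived: parameters stay as they were
        return list(w0), [], dropped
    fused = [sum(col) / len(received) for col in zip(*received.values())]
    updated = [wi - lr * fi for wi, fi in zip(w0, fused)]
    return updated, sorted(received), dropped


if __name__ == "__main__":
    # Constructed members: A and B on fast links, C on a very slow link.
    a = Member("A", [[1.0, 0.0], [0.0, 1.0]], [1, 0], 1e6, 0.01)
    b = Member("B", [[1.0, 1.0], [1.0, 0.0]], [1, 1], 1e6, 0.01)
    c = Member("C", [[1.0, 1.0]], [0], 100.0, 0.01)
    print(coordinator_round([0.0, 0.0], [a, b, c], iterations=1, lr=1.0, max_change=0.5))
```

A member whose value is destroyed contributes nothing to that round, so the fused update is computed only from members that passed the cost check.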
Based on the same inventive concept, an embodiment of the present invention further provides an archive information processing system based on digital security. Referring to fig. 2, which is a structural diagram of the digital security-based archive information processing system 100 according to an embodiment of the present invention, the digital security-based archive information processing system 100 may vary considerably depending on configuration or performance, and may include one or more central processing units (CPUs) 112 (e.g., one or more processors) and a memory 111. The memory 111 may be transient storage or persistent storage. The program stored in the memory 111 may include one or more modules, each of which may include a sequence of instruction operations for the digital security-based archive information processing system 100. Further, the central processor 112 may be configured to communicate with the memory 111 and to execute the sequence of instruction operations in the memory 111 on the digital security-based archive information processing system 100.
The digital security-based archive information processing system 100 may also include one or more power supplies, one or more communication units 113, one or more input/output interfaces, and/or one or more operating systems, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, and the like.
The steps executed by the digital security-based archive information processing system in the above embodiment may be combined with the digital security-based archive information processing system structure shown in fig. 2.
In addition, an embodiment of the present invention further provides a storage medium, where the storage medium is used to store a computer program, and the computer program is used to execute the method provided by the foregoing embodiment.
Embodiments of the present invention also provide a computer program product including instructions, which when run on a computer, cause the computer to perform the method provided by the above embodiments.
The central processor may be implemented in any suitable manner. For example, the central processor may take the form of a microprocessor or processor together with a computer-readable medium that stores computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an application-specific integrated circuit (ASIC), a programmable logic controller, or an embedded microcontroller; examples of such microcontrollers include, but are not limited to, ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. The memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing a central processing unit purely in computer-readable program code, the method steps may be logically programmed so that the central processing unit performs the same functions in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a central processing unit may therefore be regarded as a hardware component, and the means included therein for performing the various functions may also be regarded as structures within the hardware component. The means for performing the functions may even be regarded both as software modules for performing the method and as structures within a hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus comprising the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of the present application shall be included in the scope of the claims of the present application.

Claims (10)

1. An archive information processing method based on digital security, applied to an archive information processing system based on digital security, characterized by specifically comprising the following steps:
calling file system threat sensing data corresponding to a file system protection task according to the file system protection task triggered by a digital file server;
threat intelligence analysis is carried out on the archive system threat perception data, and a threat intelligence chain in the archive system threat perception data is generated;
determining key threat intelligence and linkage threat intelligence based on the threat intelligence chain, outputting threat intelligence relation network aiming at the key threat intelligence and the linkage threat intelligence, and determining a threat intelligence relation network, wherein the threat intelligence relation network is used for representing one or more threat intelligence carrying intelligence linkage relation;
and carrying out archive system protection configuration on the digital archive server according to the threat intelligence relationship network.
2. The archive information processing method based on digitized security as claimed in claim 1, wherein the threat intelligence chain includes a plurality of threat intelligence of different intelligence types among active threat intelligence members, passive threat intelligence members, and upstream and downstream threat intelligence members;
wherein, the configuration of protecting the archive system of the digital archive server according to the threat information relationship network specifically comprises:
according to the key threat intelligence in the threat intelligence relationship network and the corresponding intelligence linkage relationship, related first file system protection configuration firmware data is quoted in a first file system protection configuration task;
according to the linkage threat intelligence in the threat intelligence relationship network and the corresponding intelligence linkage relationship, related second file system protection configuration firmware data is quoted in a second file system protection configuration task;
determining the first and second archive system protection configuration firmware data as combined archive system protection configuration firmware data of the archive system threat awareness data.
3. The archive information processing method based on digital security as claimed in claim 1, wherein the archive system threat awareness data is archive system threat awareness data with threat dependency or archive system threat awareness data without threat dependency;
the threat intelligence analysis is carried out on the archive system threat perception data to generate a threat intelligence chain in the archive system threat perception data, and the threat intelligence analysis method specifically comprises the following steps:
and carrying out threat intelligence analysis on the archive system threat perception data with threat dependency or the archive system threat perception data without threat dependency to generate the threat intelligence chain in the archive system threat perception data with threat dependency or the archive system threat perception data without threat dependency.
4. The archive information processing method based on digitized security according to claim 2, wherein key threat information and linkage threat information are determined based on the threat information chain, and threat information relationship network output is performed for the key threat information and the linkage threat information, so as to determine a threat information relationship network, specifically comprising:
determining a target active threat information member associated with a threat attack event of which the threat perception times are greater than a set threshold value in the archive system threat perception data as key threat information, determining a target passive threat information member corresponding to the target active threat information member, and determining a target upstream and downstream threat information member associated with a threat attack linkage event of which the linkage threat perception times are greater than the set threshold value as linkage threat information;
and outputting the key threat intelligence and the linkage threat intelligence by a threat intelligence relationship network to determine the threat intelligence relationship network, wherein the threat intelligence relationship network comprises a plurality of threat intelligence of different intelligence types in the target active threat intelligence member, the target passive threat intelligence member and the target upstream and downstream threat intelligence members.
5. The archive information processing method based on digitized security according to claim 2, characterized in that, key threat intelligence and linkage threat intelligence are determined based on the threat intelligence chain, and threat intelligence relationship network output is performed for the key threat intelligence and the linkage threat intelligence, so as to determine a threat intelligence relationship network, specifically comprising:
determining key threat intelligence based on the threat intelligence chain according to example data of a threat intelligence relationship network, wherein the key threat intelligence is one of the active threat intelligence member, the passive threat intelligence member and the upstream and downstream threat intelligence members;
determining the linkage threat intelligence matched with the key threat intelligence according to the key threat intelligence, wherein the linkage threat intelligence is one or two of threat intelligence under the remaining two intelligence types except the key threat intelligence in the active threat intelligence member, the passive threat intelligence member and the upstream and downstream threat intelligence members;
and outputting the key threat intelligence and the linkage threat intelligence by a threat intelligence relationship network to determine the threat intelligence relationship network.
6. The archive information processing method based on digitized security according to claim 5, wherein when the key threat intelligence is a target active threat intelligence member of an intelligence type corresponding to the active threat intelligence member, determining the linkage threat intelligence matching the key threat intelligence according to the key threat intelligence, specifically comprising:
according to the target active threat information member, determining a passive threat information member corresponding to the target active threat information member and a target upstream and downstream threat information member related to a threat attack linkage event, wherein the linkage threat perception times of the threat information linkage member and the target active threat information member are simultaneously in a threat information linkage state and are greater than a set threshold value, as the linkage threat information by combining an AI classification network model;
when the key threat intelligence is a target passive threat intelligence member of an intelligence type corresponding to the passive threat intelligence member, determining the linkage threat intelligence matched with the key threat intelligence according to the key threat intelligence, and specifically comprising the following steps:
according to the target passive threat information members, determining a target active threat information member corresponding to the target passive threat information member by combining an AI classification network model, and using target upstream and downstream threat information members associated with a threat attack linkage event with the linkage threat perception times of the passive threat information category of the target passive threat information member being greater than a set threshold value as the linkage threat information;
when the key threat intelligence is a target upstream and downstream threat intelligence member of an intelligence type associated with the upstream and downstream threat intelligence member, determining the linkage threat intelligence matched with the key threat intelligence according to the key threat intelligence, and specifically comprising the following steps:
and determining a target active threat information member associated with an active threat attack event of which the linkage threat perception times of the target upstream and downstream threat information members are greater than a set threshold value and a target passive threat information member corresponding to the target active threat information member as the linkage threat information by combining an AI classification network model according to the target upstream and downstream threat information members.
7. The archive information processing method based on digitized security according to claim 2, wherein key threat information and linkage threat information are determined based on the threat information chain, and threat information relationship network output is performed for the key threat information and the linkage threat information, so as to determine a threat information relationship network, specifically comprising:
determining the key threat intelligence and the linkage threat intelligence based on the threat intelligence chain according to a threat intelligence mapping rule, wherein the key threat intelligence and the linkage threat intelligence comprise a plurality of threat intelligence of different intelligence types in the active threat intelligence member, the passive threat intelligence member and the upstream and downstream threat intelligence members;
and outputting the key threat intelligence and the linkage threat intelligence by a threat intelligence relationship network to determine the threat intelligence relationship network.
8. The archive information processing method based on digitized security according to any of claims 1-7, wherein the threat intelligence analysis is performed on the archive system threat awareness data to generate a threat intelligence chain in the archive system threat awareness data, specifically comprising:
loading the file system threat perception data into a threat intelligence decision network meeting model deployment conditions, and determining a threat intelligence chain in the file system threat perception data;
wherein, the threat intelligence decision network optimizes the network model weight parameters through the following steps:
obtaining an example file system threat perception learning data cluster associated with a basic threat intelligence learning training node from a distributed training and computing system corresponding to an AI training plan, obtaining an initial threat intelligence learning parameter layer data of a threat intelligence learning and training network associated with the basic threat intelligence learning and training node from a cooperative threat intelligence learning and training node in the distributed training and computing system corresponding to the AI training plan, configuring the threat intelligence learning parameter layer data of the threat intelligence learning and training network of the basic threat intelligence learning and training node as the initial threat intelligence learning parameter layer data, and splitting the example file system threat perception learning data cluster into example threat perception learning data groups with preset magnitude, wherein the example file system threat perception learning data comprises example file system threat perception data and prior threat intelligence information for carrying out prior authentication on the example file system threat perception data, and the example file system perception data is file system perception data for carrying out perception output on perception on an example file system, and the prior threat intelligence threat perception data represents threat of the example file system threat system corresponding to the example file system threat perception data;
selecting an example threat perception learning data cluster from the example threat perception learning data clusters with the preset magnitude as a target threat perception learning data cluster, learning and training a network according to the target threat perception learning data cluster and threat intelligence, using example file system threat perception data of example file system threat perception learning data in the target threat perception learning data cluster as threat intelligence learning basic data, outputting prior threat intelligence associated with the loaded example file system threat perception data as a threat intelligence learning result, and optimizing the network weight information of the threat intelligence learning and training network according to the threat intelligence learning and training network to generate an intermediate threat intelligence decision network;
analyzing whether the sample threat perception learning data clusters with the preset magnitude exist incomplete learning sample threat perception learning data clusters or not;
when the fact that an unfinished learning example threat perception learning data cluster does not exist is analyzed, an intermediate threat intelligence decision network with a preset magnitude is obtained;
when the situation that the unfinished learning example threat perception learning data cluster exists is analyzed, the case threat perception learning data cluster is selected from the unfinished learning example threat perception learning data cluster to serve as a new target threat perception learning data cluster, a finally output intermediate threat intelligence decision network is used as a new threat intelligence learning training network, and the network weight information optimization step is continuously executed;
the method comprises the following steps of learning a training network according to a target threat perception learning data group and threat intelligence, using example archive system threat perception data of example archive system threat perception learning data in the target threat perception learning data group as threat intelligence learning basic data, outputting prior threat intelligence related to loaded example archive system threat perception data as a threat intelligence learning result, and optimizing network weight information of the training network according to the threat intelligence learning training network to generate an intermediate threat intelligence decision network, wherein the method specifically comprises the following steps:
updating iterative network weight information of a plurality of threat intelligence learning processes on the threat intelligence learning training network of a basic threat intelligence learning training node based on the target threat perception learning data cluster, and determining basic learning transfer function values of each threat intelligence learning parameter layer data in the threat intelligence learning training network of the basic threat intelligence learning training node;
loading the basic learning transfer function value to the collaborative threat information learning training nodes so that the collaborative threat information learning training nodes can obtain a fused learning transfer function value after obtaining the learning transfer function value transmitted by each learning training member, updating the initial threat information learning parameter layer data by combining the fused learning transfer function value, and sending the updated initial threat information learning parameter layer data to each learning training member so that each learning training member can serve as the initial threat information learning parameter layer data associated with the threat information learning process flow of the basic threat information learning training node of the next round according to the updated initial threat information learning parameter layer data;
in the process of threat intelligence learning process of each basic threat intelligence learning training node, when the threat intelligence learning training network of the basic threat intelligence learning training node is analyzed to be matched with the deployment requirement of the network model, the threat intelligence learning training network matched with the deployment requirement of the network model is used as an intermediate threat intelligence decision network, so that the intermediate threat intelligence decision network is used for threat intelligence analysis.
9. The archive information processing method based on digitized security according to claim 8, wherein the iterative network weight information updating of a plurality of threat intelligence learning procedures is performed on the threat intelligence learning training network of the basic threat intelligence learning training node based on the target threat perception learning data group to determine basic learning transfer function values of each threat intelligence learning parameter layer data in the threat intelligence learning training network of the basic threat intelligence learning training node, specifically comprising:
after the threat intelligence learning parameter layer data of the threat intelligence learning training network of a basic threat intelligence learning training node is configured as the initial threat intelligence learning parameter layer data, analyzing whether the threat intelligence learning training network of the basic threat intelligence learning training node is in a network update retention state;
when it is determined that the threat intelligence learning training network of the basic threat intelligence learning training node has entered the network update retention state, adding a first specified number of iterative learning updates to the number of basic iterative learning updates used in the previous threat intelligence learning process of the basic threat intelligence learning training node to determine a target number of iterative learning updates, wherein the number of basic iterative learning updates in the first threat intelligence learning process of the basic threat intelligence learning training node is set to 1;
performing, based on the target threat perception learning data group, the target number of basic iterative learning updates on the threat intelligence learning training network of the basic threat intelligence learning training node, and determining the basic learning transfer function value of each item of threat intelligence learning parameter layer data in the threat intelligence learning training network of the basic threat intelligence learning training node;
wherein analyzing whether the threat intelligence learning training network of the basic threat intelligence learning training node is in the network update retention state specifically comprises:
analyzing whether the learning transfer function variation values of the threat intelligence learning training network of the basic threat intelligence learning training node over the most recent second specified number of basic iterative learning updates are smaller than a specified variation value, wherein a learning transfer function variation value is the change in the learning transfer function value determined in one basic iterative learning update of the threat intelligence learning process relative to the learning transfer function value determined in the preceding basic iterative learning update;
when the variation values are smaller than the specified variation value, determining that the threat intelligence learning training network of the basic threat intelligence learning training node is in the network update retention state;
and when the variation values are not smaller than the specified variation value, determining that the threat intelligence learning training network of the basic threat intelligence learning training node has not entered the network update retention state.
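The round structure of claim 8 and the iteration schedule of claim 9, as an added Python example that is not part of the patent. Assumptions: a "learning transfer function value" is read as a gradient, fusion is an arithmetic mean, the iteration count stays unchanged outside the retention state, a 1-D linear model stands in for the network, and all function names and node data are constructed here.

```python
# Added illustration, not the patent's code. Assumed: transfer value = gradient,
# fusion = mean, 1-D linear model, constructed node data, hypothetical names.

def in_retention_state(history, window, threshold):
    """True when each of the last `window` changes in the value is below `threshold`."""
    if len(history) < window + 1:
        return False
    recent = history[-(window + 1):]
    return all(abs(b - a) < threshold for a, b in zip(recent, recent[1:]))

def next_iteration_count(prev_count, retained, step):
    """Round 1 uses 1 iteration; later rounds add `step` only in the retention state."""
    if prev_count is None:
        return 1
    return prev_count + step if retained else prev_count  # unchanged otherwise (assumption)

def local_update(w, data, iters, lr):
    """Run `iters` local gradient steps starting from the broadcast parameter `w`."""
    values = []
    for _ in range(iters):
        g = sum(2 * (w * x - y) * x for x, y in data) / len(data)
        values.append(g)
        w -= lr * g
    return values

def run_rounds(nodes, rounds, window=2, threshold=0.05, step=1, lr=0.1):
    w = 0.0                                   # initial parameter layer data
    counts = [None] * len(nodes)
    histories = [[] for _ in nodes]
    schedules = [[] for _ in nodes]
    for _ in range(rounds):
        sent = []
        for i, data in enumerate(nodes):
            retained = in_retention_state(histories[i], window, threshold)
            counts[i] = next_iteration_count(counts[i], retained, step)
            schedules[i].append(counts[i])
            values = local_update(w, data, counts[i], lr)
            histories[i].extend(values)
            sent.append(values[-1])           # value loaded to the collaborative node
        fused = sum(sent) / len(sent)         # collaborative node fuses member values
        w -= lr * fused                       # updated parameters, sent back to members
    return w, schedules

NODES = [[(1.0, 2.0), (2.0, 4.0)], [(1.0, 2.0), (3.0, 6.0)]]  # constructed, y = 2x

if __name__ == "__main__":
    print(run_rounds(NODES, rounds=8))
```

Each node keeps its own history, so nodes whose values flatten earlier start running more local iterations per round before the others do.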
10. An archive information processing system based on digital security, characterized by specifically comprising:
a processor;
a memory having stored therein a computer program that, when executed, implements the archival information processing method based on digital security of any one of claims 1-9.
CN202210668284.6A 2022-06-14 2022-06-14 File information processing method and system based on digital security Active CN115168844B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210668284.6A CN115168844B (en) 2022-06-14 2022-06-14 File information processing method and system based on digital security

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210668284.6A CN115168844B (en) 2022-06-14 2022-06-14 File information processing method and system based on digital security

Publications (2)

Publication Number Publication Date
CN115168844A true CN115168844A (en) 2022-10-11
CN115168844B CN115168844B (en) 2023-03-28

Family

ID=83484391

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210668284.6A Active CN115168844B (en) 2022-06-14 2022-06-14 File information processing method and system based on digital security

Country Status (1)

Country Link
CN (1) CN115168844B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3817316A1 (en) * 2019-10-30 2021-05-05 Vocalink Limited Detection of security threats in a network environment
CN113297578A (en) * 2021-06-25 2021-08-24 深圳市合美鑫精密电子有限公司 Information perception method and information security system based on big data and artificial intelligence
CN114143060A (en) * 2021-11-25 2022-03-04 潍坊安芯智能科技有限公司 Information security prediction method based on artificial intelligence prediction and big data security system


Also Published As

Publication number Publication date
CN115168844B (en) 2023-03-28

Similar Documents

Publication Publication Date Title
US20230289661A1 (en) Root cause discovery engine
US10936717B1 (en) Monitoring containers running on container host devices for detection of anomalies in current container behavior
US20230007023A1 (en) Detecting anomalous digital actions utilizing an anomalous-detection model
US10979288B2 (en) Distributed rules engine for processing events associated with internet of things devices
CN112805740B (en) Artificial intelligence assisted rule generation
CN110427969B (en) Data processing method and device and electronic equipment
EP3640826A1 (en) Utilizing heuristic and machine learning models to generate a mandatory access control policy for an application
US20230237356A1 (en) Configuration assessment based on inventory
US9998865B2 (en) Method for performing distributed geographic event processing and geographic event processing system
CN113778442A (en) System menu generating method, device, equipment and storage medium
Ordóñez et al. Comparing drools and ontology reasoning approaches for automated monitoring in telecommunication processes
Opara et al. Auto-ML cyber security data analysis using Google, Azure and IBM Cloud Platforms
Schmieders et al. Runtime model-based privacy checks of big data cloud services
CN116933886B (en) Quantum computing execution method, quantum computing execution system, electronic equipment and storage medium
Reyhani Hamedani et al. AndroClass: An effective method to classify Android applications by applying deep neural networks to comprehensive features
CN115168844B (en) File information processing method and system based on digital security
US20200349527A1 (en) Machine learning risk assessment utilizing calendar data
US20230169168A1 (en) Detect anomalous container deployment at a container orchestration service
CN113206855B (en) Data access abnormity detection method and device, electronic equipment and storage medium
CN116980162A (en) Cloud audit data detection method, device, equipment, medium and program product
Veeramany et al. A framework for development of risk-informed autonomous adaptive cyber controllers
CN114968422A (en) Method and device for automatically executing contracts based on variable state
MacDermott et al. Distributed attack prevention using Dempster-Shafer theory of evidence
CN112085369A (en) Security detection method, device, equipment and system for rule model
US20230409710A1 (en) Allow list of container images based on deployment configuration at a container orchestration service

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant