CN115269981A - Abnormal behavior analysis method and system combined with artificial intelligence - Google Patents

Abnormal behavior analysis method and system combined with artificial intelligence

Publication number: CN115269981A
Authority: CN (China)
Prior art keywords: knowledge base; behavior; key content; behavior preference; model
Legal status: Withdrawn
Application number: CN202210887832.4A
Other languages: Chinese (zh)
Inventors: 马俊锋, 徐彦辉
Current Assignee: Individual
Original Assignee: Individual

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/953 Querying, e.g. by the use of web search engines
    • G06F16/9535 Search customisation based on user profiles and personalisation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N5/00 Computing arrangements using knowledge-based models
    • G06N5/02 Knowledge representation; Symbolic representation
    • G06N5/022 Knowledge engineering; Knowledge acquisition

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • Evolutionary Computation (AREA)
  • Computational Linguistics (AREA)
  • Mathematical Physics (AREA)
  • Artificial Intelligence (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides an abnormal behavior analysis method and system combined with artificial intelligence, wherein on the premise that an abnormal user behavior log to be processed comprises an online abnormal user behavior log crawled by an abnormal log capturing thread deployed in a big data security protection terminal, after an updated behavior preference knowledge base is obtained, behavior preference knowledge characteristics of at least one second target behavior event included in the abnormal user behavior log to be processed are determined based on the updated behavior preference knowledge base; and indicating the big data security protection terminal to perform information security protection processing through the behavior preference knowledge characteristics of each second target behavior event.

Description

Abnormal behavior analysis method and system combined with artificial intelligence
This application is a divisional application of the application with application number CN202210204194.1, filed on March 3, 2022 and titled "Method and system for analyzing abnormal user behaviors based on cloud computing".
Technical Field
The invention relates to the technical field of artificial intelligence, in particular to an abnormal behavior analysis method and system combined with artificial intelligence.
Background
In the context of cloud computing, the analysis of data obtained by monitoring user behavior is usually referred to as user behavior analysis. On the one hand, analyzing normal user behavior gives a more detailed and clearer understanding of how users behave, so that problems in different types of products can be found, which facilitates product upgrades and effectively improves the service conversion rate. On the other hand, analyzing abnormal user behavior enables adaptive information security protection. However, the related analysis techniques for abnormal user behavior have difficulty ensuring the quality of information protection. Through long-term, intensive research and analysis, the inventors have found that the knowledge base reflecting the behavior preferences of abnormal user behavior has an important influence on the quality of information protection, but that the above techniques have difficulty obtaining a high-quality knowledge base for information protection.
Disclosure of Invention
The invention provides an abnormal behavior analysis method and system combined with artificial intelligence, and the following technical scheme is adopted in the application to achieve the technical purpose.
The first aspect is an abnormal behavior analysis method combined with artificial intelligence, which is applied to a cloud computing service system, and the method at least comprises the following steps: receiving an abnormal user behavior log to be processed and a behavior preference knowledge base which is corresponding to the abnormal user behavior log to be processed and has an updating requirement; performing key content mining on the behavior preference knowledge base with the updating requirement and the abnormal user behavior log to be processed to obtain knowledge base updating indication information through a set artificial intelligence model which is configured and has a behavior preference knowledge base updating function; the knowledge base updating indication information is used for reflecting at least one of knowledge content to be corrected and knowledge content to be compensated corresponding to the behavior preference knowledge base with the updating requirement; and updating the behavior preference knowledge base with the updating requirement through the set artificial intelligence model and the knowledge base updating indication information to obtain an updated behavior preference knowledge base.
Through the set artificial intelligence model, key content mining is performed on the behavior preference knowledge base with the updating requirement and the abnormal user behavior log to be processed to obtain knowledge base updating indication information. This information can reflect at least one of the knowledge content to be corrected and the knowledge content to be compensated in the behavior preference knowledge base with the updating requirement. The behavior preference knowledge base with the updating requirement can then be updated through the set artificial intelligence model and the knowledge base updating indication information: for example, the knowledge content to be corrected can be filtered out, or incomplete preference knowledge characteristics can be completed, yielding an updated behavior preference knowledge base with a high quality evaluation. The behavior preference knowledge base can therefore reflect, at a global level, the behavior preference knowledge characteristics that carry attack threat and dangerous intent, providing an accurate and credible data basis for subsequent information security analysis.
In an exemplary embodiment, updating the behavior preference knowledge base with the update requirement through the set artificial intelligence model and the knowledge base update indication information to obtain an updated behavior preference knowledge base includes: performing key content mining on the knowledge base updating indication information and the behavior preference knowledge base with the updating requirement through the set artificial intelligence model to obtain a target key content set, wherein the target key content set indicates filtering out the knowledge content to be corrected in the behavior preference knowledge base with the update requirement, and/or indicates refining the behavior preference knowledge characteristics in the behavior preference knowledge base with the update requirement; and updating the behavior preference knowledge base with the updating requirement through the target key content set to obtain the updated behavior preference knowledge base.
By means of the design, the target key content set is obtained, the target key content set can filter out knowledge content to be corrected in the behavior preference knowledge base with the updating requirement and/or can perfect behavior preference knowledge characteristics in the behavior preference knowledge base with the updating requirement, and the behavior preference knowledge base with the updating requirement is updated through the target key content set to obtain the updated behavior preference knowledge base with high quality evaluation.
In one exemplary embodiment, performing key content mining on the knowledge base update indication information and the behavior preference knowledge base with the update requirement through the set artificial intelligence model to obtain a target key content set includes: performing key content mining on the knowledge base updating indication information and the behavior preference knowledge base with the updating requirement through the set artificial intelligence model to obtain a plurality of first key content sets with different dimensions; taking the first key content set of a first dimension as the key content set to be processed, and performing key content adjustment on the key content set to be processed to obtain a second key content set, wherein the key content adjustment comprises at least one of a moving average operation and a key content expansion; obtaining a third key content set from the second key content set and the first key content set whose dimension is consistent with that of the second key content set; and taking the third key content set as the new key content set to be processed and returning to the step of performing key content adjustment on the key content set to be processed to obtain a second key content set, until the dimension of the obtained third key content set is the same as the second dimension corresponding to the first key content set, whereupon the third key content set corresponding to the second dimension is determined as the target key content set.
By the design, after the first key content sets with different dimensions are determined, key content adjustment can be performed on the key content sets to be processed to obtain the second key content set, and the third key content set can be obtained based on the second key content set and the first key content set with the dimension consistent with that of the second key content set.
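The adjust-and-merge loop described above can be sketched as follows. This is an added example, not code from the patent. It assumes that a key content set is a list of floats whose length is its dimension, that the first dimension is the smallest and the second dimension the largest, that expansion is nearest-neighbour upsampling, and that the second set and the matching first set are merged by element-wise addition; the function names are hypothetical.

```python
# Added illustration (not from the patent): coarse-to-fine fusion of key
# content sets. Assumptions: a set is a list of floats, its "dimension" is
# its length, expansion is nearest-neighbour upsampling, and merging is
# element-wise addition.


def moving_average(values, window=3):
    """Centred moving average; the window is shortened at both edges."""
    half = window // 2
    smoothed = []
    for i in range(len(values)):
        lo, hi = max(0, i - half), min(len(values), i + half + 1)
        smoothed.append(sum(values[lo:hi]) / (hi - lo))
    return smoothed


def expand(values, target_len):
    """Key content expansion: stretch a set to target_len entries."""
    if target_len < len(values):
        raise ValueError("expansion cannot shrink a key content set")
    n = len(values)
    return [values[i * n // target_len] for i in range(target_len)]


def fuse_key_content(first_sets):
    """Return the target key content set.

    first_sets maps a dimension to the first key content set of that
    dimension. The loop starts from the smallest dimension and stops once
    the third key content set reaches the largest one.
    """
    if not first_sets:
        raise ValueError("at least one first key content set is required")
    for dim, values in first_sets.items():
        if len(values) != dim:
            raise ValueError(f"set registered as dimension {dim} has length {len(values)}")

    dims = sorted(first_sets)
    pending = list(first_sets[dims[0]])      # key content set to be processed
    for dim in dims[1:]:
        # Key content adjustment: expansion followed by a moving average.
        second = moving_average(expand(pending, dim))
        # Merge with the first key content set of the same dimension.
        third = [s + f for s, f in zip(second, first_sets[dim])]
        pending = third                      # becomes the next set to process
    return pending


if __name__ == "__main__":
    # Constructed sample input: two scales of per-window scores.
    demo = {2: [2.0, 4.0], 4: [1.0, 1.0, 1.0, 1.0]}
    print(fuse_key_content(demo))
```
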
In an exemplary embodiment, the set artificial intelligence model is configured as follows: receiving a reference example for model configuration, wherein the reference example for model configuration comprises an example abnormal user behavior log, and a first behavior preference knowledge base and a second behavior preference knowledge base corresponding to the example abnormal user behavior log, and the quality evaluation of the first behavior preference knowledge base is higher than that of the second behavior preference knowledge base; and configuring an initial artificial intelligence model through the reference example for model configuration to obtain the set artificial intelligence model.
In an exemplary embodiment, on the premise that the reference example for model configuration further includes example threat event label distribution and example behavior feature category distribution corresponding to an example abnormal user behavior log, and the set artificial intelligence model includes a parallel AI model and a knowledge base update model, the configuring an initial artificial intelligence model by the reference example for model configuration to obtain the set artificial intelligence model includes: loading the second behavior preference knowledge base and the example abnormal user behavior log into the parallel AI model to obtain test knowledge base updating indication information, test behavior characteristic type distribution and test threat event label distribution corresponding to the example abnormal user behavior log; loading the test-type knowledge base update indication information and the second behavior preference knowledge base into the knowledge base update model to obtain the test-type behavior preference knowledge base; and configuring the initial artificial intelligence model according to at least one knowledge base set in the test type behavior feature type distribution and the example behavior feature type distribution, the test type threat event label distribution and the example threat event label distribution, the test type behavior preference knowledge base and the first behavior preference knowledge base, and the test type behavior preference knowledge base and the second behavior preference knowledge base to obtain the set artificial intelligence model.
In this way, the reference example for model configuration includes example behavior feature class distribution and example threat event label distribution, and by expanding the example behavior feature class distribution and the example threat event label distribution, the configured set artificial intelligence model can relatively accurately dig out feature classes and label distributions in the abnormal user behavior log, and because the behavior preference knowledge features have certain relation with the feature classes and the label distributions, the configured set artificial intelligence model can obtain an updated behavior preference knowledge base with high-quality evaluation based on the feature classes and the label distributions.
In an exemplary embodiment, the configuring the initial artificial intelligence model according to at least one knowledge base set of the distribution of the test-type behavior feature classes and the distribution of the example behavior feature classes, the distribution of the test-type threat event labels and the distribution of the example threat event labels, the knowledge base of the test-type behavior preferences and the knowledge base of the first behavior preferences, and the knowledge base of the test-type behavior preferences and the knowledge base of the second behavior preferences, to obtain the set artificial intelligence model, includes: determining a first quantization model cost for reflecting behavior preference knowledge characteristic disturbance and a second quantization model cost for reflecting behavior preference significance disturbance according to the test type behavior preference knowledge base and the first behavior preference knowledge base; determining a third quantitative model cost for reflecting characteristic type disturbance according to the test type behavior characteristic type distribution and the example behavior characteristic type distribution; determining a fourth quantitative model cost for reflecting label distribution disturbance according to the test type threat event label distribution and the example threat event label distribution; determining a fifth quantization model cost for reflecting the fuzzy condition of the knowledge base by means of a second behavior preference knowledge base and the test type behavior preference knowledge base; determining a target quantization model cost according to one or more quantization model costs of the first quantization model cost, the second quantization model cost, the third quantization model cost, the fourth quantization model cost and the fifth quantization model cost; and configuring the initial artificial intelligence model according to the target quantization model cost to obtain the set artificial intelligence model.
With this design, multiple quantization model costs are configured, the target quantization model cost can be determined from one or more of them, and when the artificial intelligence model is configured through the target quantization model cost, the resulting set artificial intelligence model has a high quality evaluation.
In an exemplary embodiment, on the premise that the target quantitative model cost includes a fourth quantitative model cost, the determining a fourth quantitative model cost reflecting a disturbance of a tag distribution according to the test-type threat event tag distribution and the example threat event tag distribution includes: determining a word vector distance between a first tag topic of each first threat event tag in the distribution of test-type threat event tags and a second tag topic of a second threat event tag bound to the first threat event tag in the distribution of example threat event tags according to the distribution of test-type threat event tags and the distribution of example threat event tags; and determining the fourth quantitative model cost according to the word vector distance corresponding to each first threat event label and the number of the first threat event labels.
In an exemplary embodiment, on the premise that the target quantization model cost includes a second quantization model cost, the determining, according to the test-type behavior preference knowledge base and the first behavior preference knowledge base, a second quantization model cost for reflecting a behavior preference significance perturbation includes: determining a first label change index of each threat event label in the test type behavior preference knowledge base under a single-side user behavior state and a second label change index under a multi-side user behavior state; determining a third label change index of each threat event label in the first behavior preference knowledge base in a single-side user behavior state and a fourth label change index of each threat event label in a multi-side user behavior state; and determining the second quantitative model cost according to the first label change index and the second label change index corresponding to each third threat event label in the test type behavior preference knowledge base, and the third label change index and the fourth label change index corresponding to a fourth threat event label bound with the third threat event label in the first behavior preference knowledge base.
In an exemplary embodiment, on the premise that the target quantization model cost includes a fifth quantization model cost, the determining, based on the second behavior preference knowledge base and the test-type behavior preference knowledge base, a fifth quantization model cost for reflecting the fuzzy condition of the knowledge base includes: respectively carrying out key content mining on the test type behavior preference knowledge base and the second behavior preference knowledge base through a configured key content mining model to obtain a first target key content set corresponding to the test type behavior preference knowledge base and a second target key content set corresponding to the second behavior preference knowledge base; and determining the fifth quantitative model cost according to the first target key content set and the second target key content set.
In one exemplary embodiment, the determining the fifth quantization model cost from the first set of target key content and the second set of target key content comprises: determining a quantified difference between a first description value of each first key content in the first target key content set and a second description value of a second key content bound to the first key content in the second target key content set; and determining a global processing result of the quantization difference corresponding to each first key content as the fifth quantization model cost.
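The fourth and fifth quantization model costs described above, and their combination into a target cost, can be computed as in the following added example, which is not code from the patent. It assumes that labels and key contents are bound by sharing the same key, that the word vector distance is Euclidean, that the "global processing result" is a sum of absolute differences, and that the target cost is a weighted sum; all names and sample values are constructed.

```python
# Added illustration (not from the patent): two of the quantization model
# costs and their combination. Binding by shared key, Euclidean distance,
# sum as the global processing step and the weighted sum are assumptions.
import math


def _require_bound(first, second, what):
    """Every entry on the test side must have a bound counterpart."""
    missing = sorted(set(first) - set(second))
    if missing:
        raise ValueError(f"{what} without a bound counterpart: {missing}")


def label_distribution_cost(test_labels, example_labels):
    """Fourth cost: word vector distance per first threat event label,
    divided by the number of first threat event labels."""
    if not test_labels:
        raise ValueError("test-type label distribution is empty")
    _require_bound(test_labels, example_labels, "threat event labels")
    total = sum(math.dist(test_labels[k], example_labels[k]) for k in test_labels)
    return total / len(test_labels)


def knowledge_base_shift_cost(test_content, second_content):
    """Fifth cost: difference between the description value of each first
    key content and its bound second key content, summed globally."""
    _require_bound(test_content, second_content, "key contents")
    return sum(abs(test_content[k] - second_content[k]) for k in test_content)


def target_cost(costs, weights=None):
    """Target cost from the one or more costs in use (weight 1.0 by default)."""
    if not costs:
        raise ValueError("at least one quantization model cost is required")
    weights = weights or {}
    return sum(weights.get(name, 1.0) * value for name, value in costs.items())


if __name__ == "__main__":
    # Constructed sample data: label topic vectors and description values.
    test_labels = {"credential_stuffing": [1.0, 0.0], "bulk_export": [0.0, 0.0]}
    example_labels = {"credential_stuffing": [1.0, 0.0], "bulk_export": [3.0, 4.0]}
    test_kb = {"k1": 0.75, "k2": 0.5}
    second_kb = {"k1": 0.25, "k2": 0.5}

    fourth = label_distribution_cost(test_labels, example_labels)
    fifth = knowledge_base_shift_cost(test_kb, second_kb)
    print(fourth, fifth, target_cost({"fourth": fourth, "fifth": fifth}))
```
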
In an exemplary embodiment, before the loading the second behavior preference knowledge base and the example abnormal user behavior log into the parallel AI model to obtain corresponding test knowledge base update indication information, test behavior feature class distribution and test threat event label distribution of the example abnormal user behavior log, the method further includes: and matching the example abnormal user behavior log and the second behavior preference knowledge base to obtain an example abnormal user behavior log and a second behavior preference knowledge base which are matched, wherein threat event labels with consistent label positioning results in the example abnormal user behavior log and the second behavior preference knowledge base which are matched correspond to the same service type in the cloud service interaction environment.
In an exemplary embodiment, on the premise that the to-be-processed abnormal user behavior log includes a cloud service abnormal user behavior log crawled by a dynamic user behavior processing thread, after obtaining the updated behavior preference knowledge base, the method further includes: determining behavior preference knowledge characteristics of at least one first target behavior event included in the abnormal user behavior log to be processed according to the updated behavior preference knowledge base; determining a threat delivery situation between each first target behavior event and the reference behavior event through the behavior preference knowledge characteristics of the first target behavior event and the safety state description of the reference behavior event determined in advance; and obtaining a target abnormal user behavior log carrying the reference behavior event according to the threat transfer condition and the abnormal user behavior log to be processed, and indicating the dynamic user behavior processing thread to output the target abnormal user behavior log.
With this design, because the updated behavior preference knowledge base has a high quality evaluation, the threat transfer conditions between the reference behavior event and the first target behavior event can be determined relatively accurately and comprehensively through it, and the integrity and reliability of the determined target abnormal user behavior log can be improved when the target abnormal user behavior log carrying the reference behavior event is obtained based on the threat transfer conditions and the abnormal user behavior log to be processed.
In one exemplary embodiment, on the premise that no less than one group of stage-type abnormal user behavior logs are included in the to-be-processed abnormal user behavior log, after the obtaining the updated behavior preference knowledge base, the method further includes: and determining a global stage knowledge base according to the at least one group of stage type abnormal user behavior logs and the updated behavior preference knowledge base corresponding to each group of stage type abnormal user behavior logs.
By designing in this way, since the updated behavior preference knowledge base has a high-quality evaluation, the determined global stage-type knowledge base can be made to have a high-quality evaluation by the updated behavior preference knowledge base having a high-quality evaluation.
In an illustrative embodiment, on the premise that the to-be-processed abnormal user behavior log includes an online abnormal user behavior log crawled by an abnormal log capture thread deployed in a big data security protection terminal, after the obtaining the updated behavior preference knowledge base, the method further includes: determining behavior preference knowledge characteristics of at least one second target behavior event included in the abnormal user behavior log to be processed according to the updated behavior preference knowledge base; and indicating the big data security protection terminal to perform information security protection processing through the behavior preference knowledge characteristics of each second target behavior event.
With this design, because the updated behavior preference knowledge base has a high quality evaluation, the behavior preference knowledge characteristics of the second target behavior event can be determined through it, and the big data security protection terminal can then be instructed more accurately to perform information security protection processing through the behavior preference knowledge characteristics of each second target behavior event, so that the effect of the information security protection processing can be improved.
A second aspect is a cloud computing service system comprising a memory and a processor; the memory and the processor are coupled; the memory for storing computer program code, the computer program code comprising computer instructions; wherein the computer instructions, when executed by the processor, cause the cloud computing service system to perform the method of the first aspect.
Drawings
Fig. 1 is a schematic flow chart of an abnormal behavior analysis method in combination with artificial intelligence according to an embodiment of the present invention.
Fig. 2 is a block diagram of an abnormal behavior analysis apparatus incorporating artificial intelligence according to an embodiment of the present invention.
Detailed Description
In the following, the terms "first", "second" and "third", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first," "second," or "third," etc., may explicitly or implicitly include one or more of that feature.
Fig. 1 is a schematic flowchart illustrating an abnormal behavior analysis method in conjunction with artificial intelligence according to an embodiment of the present invention, where the abnormal behavior analysis method in conjunction with artificial intelligence may be implemented by a cloud computing service system, and the cloud computing service system may include a memory and a processor; the memory and the processor are coupled; the memory for storing computer program code, the computer program code comprising computer instructions; wherein the computer instructions, when executed by the processor, cause the cloud computing service system to perform the technical solution described in the following steps.
Step 101, receiving an abnormal user behavior log to be processed and a behavior preference knowledge base corresponding to the abnormal user behavior log to be processed and having an updating requirement.
Step 102, performing key content mining on the behavior preference knowledge base with the updating requirement and the abnormal user behavior log to be processed, through a configured set artificial intelligence model having a behavior preference knowledge base updating function, to obtain knowledge base updating indication information.
In the embodiment of the invention, the knowledge base updating indication information is used for reflecting at least one of knowledge content to be corrected and knowledge content to be compensated corresponding to the behavior preference knowledge base with the updating requirement.
Step 103, updating the behavior preference knowledge base with the updating requirement through the set artificial intelligence model and the knowledge base updating indication information to obtain an updated behavior preference knowledge base.
Through the set artificial intelligence model, key content mining is performed on the behavior preference knowledge base with the updating requirement and the abnormal user behavior log to be processed to obtain knowledge base updating indication information. This information can reflect at least one of the knowledge content to be corrected and the knowledge content to be compensated in the behavior preference knowledge base with the updating requirement. The behavior preference knowledge base with the updating requirement can then be updated through the set artificial intelligence model and the knowledge base updating indication information: for example, the knowledge content to be corrected can be filtered out, and/or the incomplete behavior preference knowledge characteristics can be completed, yielding an updated behavior preference knowledge base with a high quality evaluation.
The following is an exemplary description of the above steps 101 to 103.
For step 101, the to-be-processed abnormal user behavior log may be understood as one set of abnormal user behavior logs in the cloud service interaction environment, for example: the abnormal user behavior log to be processed may be a payment user behavior log or an office user behavior log. The behavior preference knowledge base with the update requirement can be understood as a set of behavior preference feature sets obtained, for example: the behavior preference knowledge base with the updating requirement can be understood as a behavior preference feature set corresponding to the abnormal user behavior log to be processed, which is acquired by the behavior preference acquisition thread, and can also be understood as a behavior preference feature set corresponding to the abnormal user behavior log to be processed, which is acquired by a related algorithm (such as a feature pairing algorithm).
Here, the behavior preference knowledge base with the updating requirement and the abnormal user behavior log to be processed are matched with each other. For example, the behavior preference knowledge base with the updating requirement can be matched so that threat event labels with consistent label positioning results in the abnormal user behavior log to be processed and in the matched behavior preference knowledge base with the updating requirement correspond to the same service category in the cloud service interaction environment.
For steps 102 and 103, the set artificial intelligence model may include a parallel AI model (such as a multithreading model) and a knowledge base update model. The behavior preference knowledge base with the updating requirement and the abnormal user behavior log to be processed may be regarded as a first multi-state abnormal user behavior log, and the parallel AI model in the set artificial intelligence model performs key content mining on this first abnormal user behavior log to obtain the knowledge base updating indication information. The knowledge base updating indication information is used for reflecting at least one of the knowledge content to be corrected and the knowledge content to be completed that correspond to the behavior preference knowledge base with the updating requirement. Likewise, the knowledge base updating indication information and the behavior preference knowledge base with the updating requirement may be regarded as a second multi-state abnormal user behavior log, and the knowledge base update model in the set artificial intelligence model performs key content mining on this second abnormal user behavior log to obtain the updated behavior preference knowledge base. For example, the updated behavior preference knowledge base may be a knowledge graph with transitivity and potential derivation corresponding to the attack behavior preference/attack behavior intention/threat operation tendency of the above-mentioned related abnormal behavior, and it may cover richer and more comprehensive behavior feature knowledge for information security, thereby providing a decision basis for the subsequent information protection processing.
It can be understood that the parallel AI model may include a key content mining network and a parallel feature translation network, the key content mining network may be understood as a feature mining-feature translation machine learning model, and the key content mining network may include a feature mining unit and a feature translation unit. The feature mining unit can be used for mining key contents of the imported behavior preference knowledge base with the updating requirement and the abnormal user behavior log to be processed. For example: the feature mining unit can be composed of an information extraction layer and/or a feature simplification layer, and performs key content mining on a behavior preference knowledge base with updating requirements and abnormal user behavior logs to be processed through the feature mining unit to obtain a first transitional key content set. The state category of the first transitional key content set can be expanded and mined through the information extraction layer and the feature simplification layer, and therefore the significance of the key content can be reduced.
It can be understood that the feature translation unit may include an information extraction layer and/or a feature extension layer, and further, the feature translation unit may perform key content mining and/or feature extension processing on the obtained first transitional key content set to obtain a second transitional key content set having a feature recognition degree consistent with the abnormal user behavior log to be processed.
It can be understood that the parallel feature translation network may include a plurality of analysis units, which are respectively configured to obtain the knowledge base update indication information, the behavior feature category distribution, and the threat event label distribution. Structurally, each analysis unit may be composed of one or several information extraction layers bound one by one. For example, the time interval of the information extraction layer in each analysis unit may be ti, and a test-type abnormal user behavior log with a state type i and a feature recognition degree consistent with the abnormal user behavior log to be processed may be obtained (for example, the test-type abnormal user behavior log may be test-type knowledge base update indication information, test-type behavior feature category distribution, or test-type threat event label distribution). During configuration of the set artificial intelligence model, all of the analysis units can be retained. When the set artificial intelligence model is used for analysis, the analysis units corresponding to the behavior feature category distribution and to the threat event label distribution can be discarded, and only the analysis unit corresponding to the knowledge base update indication information is retained.
For a possible embodiment, updating the behavior preference knowledge base with the update requirement through the set artificial intelligence model and the knowledge base update indication information, as recorded in step 103, to obtain an updated behavior preference knowledge base may exemplarily include the contents recorded in step 1031 and step 1032.
Step 1031, mining key contents of the knowledge base updating indication information and the behavior preference knowledge base with the updating requirement through the set artificial intelligence model to obtain a target key content set.
In the embodiment of the invention, the target key content set is used for indicating to filter the knowledge content to be modified in the behavior preference knowledge base with the updating requirement and/or indicating to perfect the behavior preference knowledge characteristics in the behavior preference knowledge base with the updating requirement.
Step 1032, updating the behavior preference knowledge base with the updating requirement through the target key content set to obtain an updated behavior preference knowledge base.
By implementing step 1031 and step 1032, a target key content set is determined that can filter out the knowledge content to be corrected in the behavior preference knowledge base with the updating requirement and/or perfect the behavior preference knowledge characteristics in that knowledge base. Performing the updating operation on the behavior preference knowledge base with the updating requirement through the target key content set then yields an updated behavior preference knowledge base with a high quality evaluation.
For step 1031, key content mining may be performed on the knowledge base update indication information and the behavior preference knowledge base with the update requirement by setting a knowledge base update model in the artificial intelligence model to obtain a target key content set.
For a possible embodiment, performing key content mining on the knowledge base update indication information and the behavior preference knowledge base with the update requirement through the set artificial intelligence model, as recorded in step 1031, to obtain the target key content set may exemplarily include the contents recorded in steps 10311 to 10314.
Step 10311, performing key content mining on the knowledge base updating indication information and the behavior preference knowledge base with updating requirements through the set artificial intelligence model to obtain a plurality of first key content sets with different dimensions.
Step 10312, taking the first key content set of the first dimension (such as the minimum dimension) as a key content set to be processed, and performing key content adjustment on the key content set to be processed to obtain a second key content set; wherein the key content adjustment comprises at least one of a moving average operation (which may be understood as a convolution process) and a key content extension (which may be understood as a feature upsampling process).
Step 10313, obtaining a third key content set based on the second key content set and the first key content set consistent with the second key content set in dimension.
Step 10314, taking the third key content set as the to-be-processed key content set which is completed with adjustment, skipping to the step of performing key content adjustment on the to-be-processed key content set to obtain a second key content set until the dimension of the obtained third key content set is the same as a second dimension (such as the maximum dimension) corresponding to the first key content set, and determining the third key content set corresponding to the second dimension as a target key content set.
In practical implementation, the knowledge base updating indication information and the behavior preference knowledge base with updating requirements can be used as a second abnormal user behavior log in a multi-state, key content mining can be performed on the second abnormal user behavior log by setting a knowledge base updating model in an artificial intelligence model to obtain a first key content set of a first dimension, then key content mining can be performed on the first key content set of the first dimension to obtain a first key content set of a second dimension, and the first key content sets of a plurality of different dimensions can be obtained by calculating one by one. For example, the key content mining process may be implemented by an information extraction layer.
It can be appreciated that the first set of key content for the number of different dimensions can include a first set of key content for a first dimension, a first set of key content for a second dimension, and a first set of key content for a third dimension, wherein the first dimension is higher than the second dimension, and the second dimension is higher than the third dimension.
Based on the above content, the first key content set of the third dimension (which can be understood as the first key content set of the first dimension referred to in step 10312) may be used as the key content set to be processed, and key content adjustment (for example, a moving average operation through an information extraction layer, or key content expansion through a feature expansion layer) is performed on this key content set to be processed to obtain a second key content set after the first round of operation, where the dimension of the second key content set after the first round of operation may be the third dimension. The second key content set after the first round of operation and the first key content set having the same dimension as the second key content set (that is, the first key content set of the third dimension) may then be sorted to obtain a third key content set after the first round of operation. The dimension of the third key content set after the first round of operation can be the third dimension.
For example, the second key content set after the first round of operation (i.e., the second key content set of the third dimension) and the first key content set of the third dimension may be bound one by one to obtain a third key content set after the first round of operation; or, the second key content set of the third dimension and the first key content set of the third dimension may be bound one by one, and the bound key content sets are subjected to a moving average operation to obtain a third key content set after the first round of operation; or, the quantization difference of the description values in the same state in the second key content set of the third dimension and the first key content set of the third dimension may also be determined to obtain a convolution key content set, and the convolution key content set is determined to be the third key content set after the first round of operation.
The third key content set after the first round of operation may also be used as a to-be-processed key content set after the adjustment is completed, and key content adjustment is performed on the to-be-processed key content set after the adjustment is completed (for example, the key content adjustment may include at least one of a moving average operation and key content expansion) to obtain a second key content set after the second round of operation, where it is understood that the dimension of the second key content set after the second round of operation may be the second dimension. And sorting the second key content set after the second round of operation and the first key content set in the second dimension to obtain a third key content set after the second round of operation. And the dimension of the third key content set after the second round of operation can be the second dimension.
Then, the third key content set after the second round of operation may be used as the adjusted to-be-processed key content set, and key content adjustment is performed on it to obtain the second key content set after the third round of operation. The third key content set after the third round of operation may be obtained based on the second key content set after the third round of operation and the first key content set of the first dimension. The dimension of the third key content set after the third round of operation may be the first dimension. As can be seen, if the first dimension is the second dimension (such as the maximum dimension) corresponding to the first key content sets as referred to in step 10314, the third key content set of the first dimension is determined as the target key content set.
For example, after the first key content sets of several different dimensions are determined, key content adjustment may be performed on the first key content set of the first dimension (third dimension) to obtain a second key content set of the second dimension; the second key content set of the second dimension is bound with the first key content set of the second dimension one by one, key content mining is carried out on the bound second key content set of the second dimension to obtain a second key content set of the first dimension, the second key content set of the first dimension is bound with the first key content set of the first dimension one by one, key content mining is carried out on the bound first key content set of the first dimension to obtain a second key content set of the first dimension, and the second key content set of the first dimension (the second dimension) can be a target key content set.
It can be understood that after a plurality of first key content sets with different dimensions are determined, key content adjustment can be performed on a key content set to be processed to obtain a second key content set, and a third key content set can be obtained based on the second key content set and the first key content set with the dimension consistent with that of the second key content set.
In the embodiment of the present invention, the representation form of the key content set may be a feature map, and based on this, the representation form of the key content may be a feature, such as a feature vector or a description vector.
For step 1032, the target key content set may be combined with the behavior preference knowledge base with the updating requirement (content combination) to obtain the updated behavior preference knowledge base. Alternatively, not less than one round of key content mining can be carried out on the target key content set, and the key content set obtained after not less than one round of key content mining is combined with the behavior preference knowledge base with the updating requirement to obtain the updated behavior preference knowledge base. For example, the content combination may be a statistic over the description values in the same state of the target key content set and of the behavior preference knowledge base with the updating requirement; or the target key content set and the behavior preference knowledge base with the updating requirement can be bound one by one, and the bound key content set is subjected to a moving average operation and the like through the information extraction layer.
It is to be appreciated that the set artificial intelligence model can include a parallel AI model and a knowledge base update model. The model architecture of the knowledge base update model in the set artificial intelligence model can be LSTM. The knowledge base update model can expand the state category of the key content set through the information extraction layer and/or the feature simplification layer, so that the significance of the key content can be reduced, and key content sets with different feature recognition degrees are obtained and recorded as a collection of key content sets (feature_0, feature_1, …, feature_n). A moving average operation and/or feature expansion processing is then performed on the mined key content sets through an information extraction layer and/or a feature expansion layer. Before each round of feature expansion and moving average operation, the current key content set can be combined with the key content set of the same feature recognition degree in the collection (feature_0, feature_1, …, feature_n), so that errors caused by feature simplification can be reduced. The knowledge base update model can thus obtain a single state feature whose feature recognition degree (dimensionality) is consistent with the abnormal user behavior log to be processed, and this single state feature is used as the mining content (namely the target key content set). Finally, the input basic behavior preference knowledge base (the behavior preference knowledge base with the updating requirement) and the mining content are weighted to obtain the updated behavior preference knowledge base in the embodiment of the invention.
As an exemplary description of the abnormal behavior analysis method combined with artificial intelligence, the behavior preference knowledge base with the updating requirement and the abnormal user behavior log to be processed are loaded into the parallel AI model of the set artificial intelligence model. The key content mining network in the parallel AI model performs key content mining on the behavior preference knowledge base with the updating requirement and the abnormal user behavior log to be processed to obtain a second transitional key content set, and the second transitional key content set is loaded into the first analysis unit corresponding to the knowledge base updating indication information to obtain the knowledge base updating indication information. The analysis units corresponding to the behavior feature category distribution and to the threat event label distribution belong to the configuration process of the set artificial intelligence model.
The knowledge base updating indication information and the behavior preference knowledge base with the updating requirement are then loaded into the knowledge base updating model. The knowledge base updating model can perform key content mining on the knowledge base updating indication information and the behavior preference knowledge base with the updating requirement to obtain a plurality of first key content sets with different dimensions, such as a first key content set feature_set_021 of a first dimension, a first key content set feature_set_022 of a second dimension and a first key content set feature_set_023 of a third dimension. Key content mining is performed on the first key content set feature_set_023 of the third dimension to obtain a second key content set feature_set_024 of the third dimension; the second key content set feature_set_024 of the third dimension is bound one by one with the first key content set feature_set_023 of the third dimension, and a moving average operation and feature expansion processing are performed on the bound key content set of the third dimension to obtain a second key content set feature_set_025 of the second dimension. The second key content set feature_set_025 of the second dimension is bound one by one with the first key content set feature_set_022 of the second dimension, and a moving average operation and feature expansion processing are performed on the bound key content set of the second dimension to obtain a second key content set feature_set_026 of the first dimension. The second key content set feature_set_026 of the first dimension is bound one by one with the first key content set feature_set_021 of the first dimension, and a moving average operation and feature expansion processing are performed on the bound key content set of the first dimension to obtain the target key content set. Finally, the target key content set is fused with the behavior preference knowledge base with the updating requirement to obtain an updated behavior preference knowledge base.
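The coarse-to-fine loop of steps 10311 to 10314 and the walk-through above, as an added Python example that is not part of the patent text. It assumes one-dimensional, single-channel lists, fixed averaging in place of the learned layers, a halving/doubling factor of two between dimensions and a 0.5 fusion weight; all function names and sample values are constructed for illustration.

```python
# Added illustration of steps 10311-10314 and step 1032 (not the patent's code).
# Fixed averaging kernels stand in for learned layers; all data is constructed.

def moving_average(xs, k=3):
    """Sliding mean of odd width k with clamped edges (stand-in for a convolution)."""
    n, half = len(xs), k // 2
    return [
        sum(xs[min(max(j, 0), n - 1)] for j in range(i - half, i + half + 1)) / k
        for i in range(n)
    ]


def reduce_by_two(xs):
    """Feature simplification: average adjacent pairs, halving the dimension."""
    return [(xs[i] + xs[i + 1]) / 2 for i in range(0, len(xs), 2)]


def expand_by_two(xs):
    """Key content extension: nearest-neighbour upsampling, doubling the dimension."""
    return [v for v in xs for _ in range(2)]


def bind_and_merge(a, b):
    """Bind two same-dimension sets one by one, then merge each pair by its mean."""
    if len(a) != len(b):
        raise ValueError("bound sets must have the same dimension")
    return [(x + y) / 2 for x, y in zip(a, b)]


def first_key_content_sets(indication, knowledge_base, levels=3):
    """Step 10311: mine the first key content sets, largest dimension first."""
    merged = bind_and_merge(indication, knowledge_base)
    if levels < 1 or not merged or len(merged) % (2 ** (levels - 1)) != 0:
        raise ValueError("input length must be a non-zero multiple of 2**(levels-1)")
    sets = [moving_average(merged)]
    for _ in range(levels - 1):
        sets.append(reduce_by_two(moving_average(sets[-1])))
    return sets


def target_key_content_set(first_sets):
    """Steps 10312-10314: adjust from the smallest dimension up to the largest."""
    pending = first_sets[-1]                       # smallest dimension (step 10312)
    for level in range(len(first_sets) - 1, -1, -1):
        if len(pending) != len(first_sets[level]):
            pending = expand_by_two(pending)       # key content extension
        second = moving_average(pending)           # second key content set
        # Step 10313: third set from the second set and the same-dimension first set.
        pending = moving_average(bind_and_merge(second, first_sets[level]))
    return pending                                 # step 10314: largest dimension reached


def update_knowledge_base(indication, knowledge_base, weight=0.5, levels=3):
    """Step 1032 as a weighted combination; the weight value is an assumption."""
    first_sets = first_key_content_sets(indication, knowledge_base, levels)
    target = target_key_content_set(first_sets)
    return [(1 - weight) * kb + weight * t for kb, t in zip(knowledge_base, target)]


# Constructed sample: numeric stand-ins for a knowledge base with one outlying
# entry and for update indication information flagging that entry.
KNOWLEDGE_BASE = [0.2, 0.2, 0.2, 0.9, 0.2, 0.2, 0.2, 0.2]
INDICATION = [0.0, 0.0, 0.0, 1.0, 0.0, 0.0, 0.0, 0.0]

if __name__ == "__main__":
    sets = first_key_content_sets(INDICATION, KNOWLEDGE_BASE)
    print("dimensions of first key content sets:", [len(s) for s in sets])
    print("updated:", [round(v, 3) for v in update_knowledge_base(INDICATION, KNOWLEDGE_BASE)])
```

Because every stage is an average, the target key content set always has the dimension of the input and stays within the range of the input values, which makes the dimension bookkeeping of each round easy to check.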
For one possible embodiment, the configuration of the artificial intelligence model may be performed by the following steps, specifically including step 201 and step 202.
Step 201, receiving a reference example for model configuration, wherein the reference example for model configuration includes an example abnormal user behavior log, and a first behavior preference knowledge base and a second behavior preference knowledge base corresponding to the example abnormal user behavior log, and a quality evaluation of the first behavior preference knowledge base is higher than a quality evaluation of the second behavior preference knowledge base.
Step 202, configuring the initial artificial intelligence model through a reference example for model configuration to obtain a set artificial intelligence model.
In the embodiment of the present invention, the example abnormal user behavior log may be an office user behavior log or a payment user behavior log. The reference example also includes the first behavior preference knowledge base and the second behavior preference knowledge base corresponding to the example abnormal user behavior log, where the quality evaluation of the first behavior preference knowledge base is higher than that of the second behavior preference knowledge base. It can be understood that the second behavior preference knowledge base may be regarded as the actual value of the first behavior preference knowledge base.
It is to be understood that the example abnormal user behavior log may further include an example threat event label distribution and an example behavior feature category distribution corresponding to the example abnormal user behavior log. Wherein the tag topic of each threat event tag in the example threat event tag distribution characterizes an indicative feature of the threat event tag in the example abnormal user behavior log under the same tag localization result.
For example, the example abnormal user behavior log may be loaded into the configured behavior feature parsing model to obtain the example behavior feature type distribution corresponding to the example abnormal user behavior log.
For a possible embodiment, on the premise that the reference example for model configuration further includes the example threat event label distribution and the example behavior feature category distribution corresponding to the example abnormal user behavior log, and that the set artificial intelligence model includes a parallel AI model and a knowledge base update model, configuring the initial artificial intelligence model through the reference example for model configuration, as recorded in step 202, to obtain the set artificial intelligence model may exemplarily include the following.
Step 2021, loading the second behavior preference knowledge base and the example abnormal user behavior log into the parallel AI model to obtain test type knowledge base update indication information, test type behavior feature type distribution and test type threat event label distribution corresponding to the example abnormal user behavior log.
Step 2022, loading the test-type knowledge base update indication information and the second behavior preference knowledge base into the knowledge base update model to obtain a test-type behavior preference knowledge base.
Step 2023, configuring an initial artificial intelligence model according to at least one knowledge base set of the distribution of the test type behavior feature types and the distribution of the example behavior feature types, the distribution of the test type threat event labels and the distribution of the example threat event labels, the test type behavior preference knowledge base and the first behavior preference knowledge base, and the test type behavior preference knowledge base and the second behavior preference knowledge base, so as to obtain a set artificial intelligence model.
Because the reference example for model configuration is extended with the example behavior feature category distribution and the example threat event label distribution, the configured set artificial intelligence model can relatively accurately mine the feature categories and label distribution in an abnormal user behavior log. Since behavior preference knowledge features are related to the feature categories and the label distribution, the configured set artificial intelligence model can obtain an updated behavior preference knowledge base with a high quality evaluation based on them. The implementation of step 2021 and step 2022 may follow the above description of the set artificial intelligence model and is not repeated here.
For step 2023, the distribution of the test type behavior feature categories and the distribution of the example behavior feature categories are combined into a knowledge base set, the distribution of the test type threat event labels and the distribution of the example threat event labels are combined into a knowledge base set, the test type behavior preference knowledge base and the first behavior preference knowledge base are combined into a knowledge base set, the test type behavior preference knowledge base and the second behavior preference knowledge base are combined into a knowledge base set, so as to obtain four knowledge base sets, and the initial artificial intelligence model can be configured based on at least one knowledge base set of the four knowledge base sets, so as to obtain the set artificial intelligence model.
For one possible embodiment, configuring the initial artificial intelligence model in step 2023 according to at least one knowledge base set among the test-type and example behavior feature category distributions, the test-type and example threat event label distributions, the test-type behavior preference knowledge base and the first behavior preference knowledge base, and the test-type behavior preference knowledge base and the second behavior preference knowledge base may exemplarily include the following steps 20231 to 20233.
Step 20231, determining a first quantization model cost for reflecting behavior preference knowledge characteristic disturbance and a second quantization model cost for reflecting behavior preference significance disturbance based on the test type behavior preference knowledge base and the first behavior preference knowledge base; determining a third quantitative model cost for reflecting the characteristic category disturbance based on the test type behavior characteristic category distribution and the example behavior characteristic category distribution; determining a fourth quantitative model cost for reflecting label distribution disturbance based on the test type threat event label distribution and the example threat event label distribution; and determining a fifth quantitative model cost for reflecting the fuzzy condition of the knowledge base by means of the second behavior preference knowledge base and the test type behavior preference knowledge base.
Step 20232, determining a target quantization model cost based on one or more of the first quantization model cost, the second quantization model cost, the third quantization model cost, the fourth quantization model cost, and the fifth quantization model cost.
Step 20233, configuring the initial artificial intelligence model based on the target quantization model cost to obtain a set artificial intelligence model.
In the embodiment of the present invention, the cost of the quantization model can be understood as a loss value. The method has the advantages that multiple quantization model costs are set, the target quantization model cost can be determined through one or more quantization model costs, and when the artificial intelligent model is trained through the target quantization model cost, the obtained set artificial intelligent model can be evaluated in a high quality mode.
For one possible embodiment, on the premise that the target quantization model cost includes the second quantization model cost, determining the second quantization model cost for reflecting the behavior preference significance disturbance based on the test-type behavior preference knowledge base and the first behavior preference knowledge base may exemplarily include the contents recorded in steps 301 to 303.
Step 301, determining a first tag change index of each threat event tag in the test-type behavior preference knowledge base in the single-side user behavior state and a second tag change index of each threat event tag in the multi-side user behavior state.
Step 302, determining a third label change index of each threat event label in the first behavior preference knowledge base in the single-side user behavior state and a fourth label change index of each threat event label in the multi-side user behavior state.
Step 303, determining a second quantization model cost based on a first tag change indicator and a second tag change indicator respectively corresponding to each third threat event tag in the test-type behavior preference knowledge base, and a third tag change indicator and a fourth tag change indicator corresponding to a fourth threat event tag bound to the third threat event tag in the first behavior preference knowledge base.
For example, the third quantization model cost may be determined by means of a support vector machine idea. Wherein, the third quantitative model cost can be used to analyze similarities and differences between the obtained test type behavior feature class distribution and the example behavior feature class distribution.
For one possible embodiment, on the premise that the target quantization model cost includes the fourth quantization model cost, determining the fourth quantization model cost for reflecting the label distribution disturbance based on the test-type threat event label distribution and the example threat event label distribution may exemplarily include steps 401 and 402.
Step 401, based on the distribution of the test-type threat event tags and the distribution of the example threat event tags, a word vector distance (which may be understood as cosine similarity) between a first tag topic of each first threat event tag in the distribution of the test-type threat event tags and a second tag topic of a second threat event tag bound to the first threat event tag in the distribution of the example threat event tags is determined.
Step 402, determining a fourth quantization model cost according to the word vector distance corresponding to each first threat event label and the number of the first threat event labels.
In an embodiment of the present invention, the fourth quantization model cost may be used to analyze the dissimilarity between the test-type threat event label distribution and the example threat event label distribution.
As such, the first threat event label may be each threat event label in the test-type threat event label distribution, and the second threat event label may be a threat event label in the example threat event label distribution that is consistent with the label positioning result of the first threat event label.
For a possible embodiment, on the premise that the target quantization model cost includes the fifth quantization model cost, determining the fifth quantization model cost for reflecting the knowledge base ambiguity (feature recognition missing) based on the second behavior preference knowledge base and the test-type behavior preference knowledge base may exemplarily include the contents recorded in step 501 and step 502.
Step 501, performing key content mining on the test type behavior preference knowledge base and the second behavior preference knowledge base respectively through the configured key content mining model to obtain a first target key content set corresponding to the test type behavior preference knowledge base and a second target key content set corresponding to the second behavior preference knowledge base.
Step 502, a fifth quantization model cost is determined based on the first set of target key content and the second set of target key content.
For one possible embodiment, the step 502 of determining a fifth quantization model cost based on the first set of target key content and the second set of target key content may illustratively comprise steps 5021 and 5022.
Step 5021, a quantitative difference between a first description value of each first key content in the first target key content set and a second description value of a second key content bound with the first key content in the second target key content set is determined.
Step 5022, determining the global processing result of the quantization difference corresponding to each first key content as a fifth quantization model cost.
In the embodiment of the present invention, the configured key content mining model may be a CNN model. Key content mining is performed on the test type behavior preference knowledge base and the second behavior preference knowledge base respectively through the configured CNN model, to obtain a first target key content set corresponding to the test type behavior preference knowledge base and a second target key content set corresponding to the second behavior preference knowledge base.
It is understood that a quantization difference (which may be understood as a difference) is determined between the first description value of each first key content in the first target key content set and the second description value of the second key content in the second target key content set bound to the first key content. A global processing result of the quantization differences corresponding to each first key content (or second key content) is then calculated and determined as the fifth quantization model cost. The first key content may be each key content in the first target key content set, and the second key content may be understood as the key content in the second target key content set whose content status information is consistent with that of the first key content.
For steps 20232 and 20233, in practical implementation, any one of the first quantization model cost, the second quantization model cost, the third quantization model cost, the fourth quantization model cost, and the fifth quantization model cost may be used as the target quantization model cost; alternatively, a statistic over several of the first quantization model cost, the second quantization model cost, the third quantization model cost, the fourth quantization model cost and the fifth quantization model cost may be computed to obtain the target quantization model cost. For example, a statistic of the first quantization model cost and the second quantization model cost may be used as the target quantization model cost, or a statistic of the first quantization model cost, the second quantization model cost, the third quantization model cost, the fourth quantization model cost, and the fifth quantization model cost may be used as the target quantization model cost. The initial artificial intelligence model is then configured through the target quantization model cost to obtain the set artificial intelligence model.
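The fourth and fifth quantization model costs (steps 401-402 and 5021-5022) and their combination into a target cost can be sketched as follows. This is an added example, not code from the patent: it assumes the word vector distance is 1 minus cosine similarity averaged over the number of first tags, that the "global processing result" is a mean absolute difference, that the statistic is a weighted sum, and that a tag with no bound partner counts as distance 1.0; all function names and sample values are constructed.

```python
import math


def cosine_similarity(u, v):
    """Cosine similarity of two topic word vectors; 0.0 if either is all zeros."""
    if len(u) != len(v):
        raise ValueError("topic vectors must have the same dimension")
    dot = sum(a * b for a, b in zip(u, v))
    norm_u = math.sqrt(sum(a * a for a in u))
    norm_v = math.sqrt(sum(b * b for b in v))
    if norm_u == 0.0 or norm_v == 0.0:
        return 0.0  # a zero vector carries no topic, treat as unrelated
    return dot / (norm_u * norm_v)


def fourth_cost(test_tags, example_tags):
    """Steps 401-402: tag distribution dissimilarity.

    Both arguments map a tag localization result (the binding key) to the
    tag's topic word vector. Assumption: distance = 1 - cosine similarity,
    and the cost is the sum of distances divided by the number of first tags.
    """
    if not test_tags:
        return 0.0
    total = 0.0
    for location, topic in test_tags.items():
        bound = example_tags.get(location)
        if bound is None:
            total += 1.0  # assumption: an unbound tag is maximally uninformative
        else:
            total += 1.0 - cosine_similarity(topic, bound)
    return total / len(test_tags)


def fifth_cost(test_contents, second_contents):
    """Steps 5021-5022: difference between bound key contents.

    Both arguments map content status information (the binding key) to a
    description value. Assumption: the global processing result is the
    mean absolute difference over bound pairs.
    """
    diffs = [abs(value - second_contents[key])
             for key, value in test_contents.items()
             if key in second_contents]
    return sum(diffs) / len(diffs) if diffs else 0.0


def target_cost(costs, weights=None):
    """Combine one or more named costs; assumption: a weighted sum."""
    if weights is None:
        weights = {name: 1.0 for name in costs}
    return sum(weights[name] * value for name, value in costs.items())


# Constructed sample data: localization result -> topic word vector.
TEST_TAGS = {0: [1.0, 0.0], 1: [1.0, 1.0], 2: [0.0, 2.0]}
EXAMPLE_TAGS = {0: [2.0, 0.0], 1: [1.0, 0.0], 2: [3.0, 0.0]}
# Constructed sample data: content status key -> description value.
TEST_CONTENTS = {"k1": 0.9, "k2": 0.4, "k3": 0.1}
SECOND_CONTENTS = {"k1": 0.7, "k2": 0.4, "k3": 0.5}


def demo():
    """Return (fourth cost, fifth cost, target cost) for the sample data."""
    c4 = fourth_cost(TEST_TAGS, EXAMPLE_TAGS)
    c5 = fifth_cost(TEST_CONTENTS, SECOND_CONTENTS)
    total = target_cost({"fourth": c4, "fifth": c5},
                        {"fourth": 1.0, "fifth": 0.5})
    return c4, c5, total


if __name__ == "__main__":
    print(demo())
```

Identical tag topics contribute nothing to the fourth cost, orthogonal topics contribute 1.0 each, so the value rises as the test-type tag distribution drifts away from the example distribution.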
For one possible embodiment, before loading the second behavior preference knowledge base and the example abnormal user behavior log into the parallel AI model to obtain test knowledge base update indication information, test behavior feature class distribution and test threat event label distribution corresponding to the example abnormal user behavior log, the method further includes: matching the example abnormal user behavior log and the second behavior preference knowledge base to obtain a matched example abnormal user behavior log and second behavior preference knowledge base, wherein threat event labels with consistent label positioning results in the matched example abnormal user behavior log and second behavior preference knowledge base correspond to the same service type in the cloud service interaction environment.
It can be understood that the example abnormal user behavior log and the second behavior preference knowledge base can be matched through a sampling analysis model, a log text matching model and the like, so that the matched example abnormal user behavior log and second behavior preference knowledge base are obtained. Many matching approaches are possible and are not limited herein.
For a possible embodiment, on the premise that the to-be-processed abnormal user behavior log includes a cloud service abnormal user behavior log crawled by a dynamic user behavior processing thread, after obtaining the updated behavior preference knowledge base, the method may further include the following steps.
Step 601, based on the updated behavior preference knowledge base, determining the behavior preference knowledge characteristics of at least one first target behavior event included in the abnormal user behavior log to be processed.
Step 602, determining threat transfer conditions between the reference behavior event and the first target behavior event through the behavior preference knowledge characteristics of each first target behavior event and the safety state description of the reference behavior event determined in advance.
Step 603, obtaining a target abnormal user behavior log carrying the reference behavior event based on the threat transfer condition and the abnormal user behavior log to be processed, and controlling the dynamic user behavior processing thread to display the target abnormal user behavior log.
In a specific implementation, the updated behavior preference knowledge base can be applied to an information security analysis task. After the updated behavior preference knowledge base is obtained, the behavior preference knowledge characteristics of each first target behavior event in the abnormal user behavior log to be processed can be determined based on it, and the threat transfer condition between the reference behavior event and the first target behavior event is determined according to the behavior preference knowledge characteristics of the first target behavior event and the security state description of the reference behavior event, wherein the behavior preference knowledge characteristics of the first target behavior event and the security state description of the reference behavior event correspond to the same mapping space.
Further, a target abnormal user behavior log carrying the reference behavior event can be obtained based on the threat transfer condition and the abnormal user behavior log to be processed, and the dynamic user behavior processing thread can be instructed to output the corresponding target abnormal user behavior log.
With this design, because the updated behavior preference knowledge base has a high quality evaluation, the threat transfer condition between the reference behavior event and the first target behavior event can be determined relatively accurately and comprehensively through it, and the integrity and the reliability of the generated target abnormal user behavior log can be ensured when the target abnormal user behavior log carrying the reference behavior event is obtained based on the threat transfer condition and the abnormal user behavior log to be processed.
For one possible embodiment, on the premise that the to-be-processed abnormal user behavior log includes no less than one group of stage-type abnormal user behavior logs, after obtaining the updated behavior preference knowledge base, the method further includes: determining a global stage knowledge base based on at least one group of stage type abnormal user behavior logs and the updated behavior preference knowledge base corresponding to each group of stage type abnormal user behavior logs.
In practical implementation, a plurality of key contents can be extracted from each group of stage-type abnormal user behavior logs, and a preference quantization result of each key content is determined according to an updated behavior preference knowledge base corresponding to the group of stage-type abnormal user behavior logs, so that description expressions and preference quantization results of a plurality of key contents corresponding to at least one group of stage-type abnormal user behavior logs can be obtained; and determining a global stage knowledge base (such as a dynamically variable knowledge base) through description expression and preference quantification results (such as a heat value or a feature recognition value) of a plurality of key contents.
In this way, since the updated behavior preference knowledgebase has a high quality rating, the determined global stage-type knowledgebase can be made to have a high quality rating by the updated behavior preference knowledgebase having a high quality rating.
For one possible embodiment, on the premise that the to-be-processed abnormal user behavior log includes an online abnormal user behavior log crawled by an abnormal log capture thread deployed in a big data security protection terminal, after obtaining an updated behavior preference knowledge base, the method further includes: determining behavior preference knowledge characteristics of at least one second target behavior event included in the abnormal user behavior log to be processed based on the updated behavior preference knowledge base; and indicating the big data security protection terminal to perform information security protection processing through the behavior preference knowledge characteristics of each second target behavior event.
In the embodiment of the invention, when the abnormal user behavior log to be processed comprises an online abnormal user behavior log crawled by an abnormal log capturing thread deployed in a big data security protection terminal, an updated behavior preference knowledge base corresponding to the online abnormal user behavior log can be obtained, and behavior preference knowledge characteristics of at least one second target behavior event included in the abnormal user behavior log to be processed can be determined based on the updated behavior preference knowledge base corresponding to the online abnormal user behavior log; and the big data security protection terminal can be instructed to perform information security protection processing through the behavior preference knowledge characteristics of each second target behavior event.
With this design, because the updated behavior preference knowledge base has a high quality evaluation, the behavior preference knowledge characteristics of the second target behavior event can be determined through it, and the big data security protection terminal can then be instructed more accurately through the behavior preference knowledge characteristics of each second target behavior event, so that the information security protection processing effect is improved.
Further, on the basis of the above, instructing the big data security protection terminal to perform information security protection processing through the behavior preference knowledge characteristics of each second target behavior event may be implemented by the following technical solution: determining local data attack intents and global data attack intents in the behavior preference knowledge characteristics; combining the local data attack intention and the global data attack intention in the behavior preference knowledge characteristic to obtain an intention combination result based on intention derivative conditions between the local data attack intention and the global data attack intention in the behavior preference knowledge characteristic; determining the combined abnormal global data attack intention as a candidate global data attack intention, and determining a data destruction label corresponding to the candidate global data attack intention according to an intention semantic distance between the global data attack intention and the candidate global data attack intention in the intention combination result; combining the data destruction labels corresponding to the candidate global data attack intents and the candidate global data attack intents to obtain label combination results; determining an active attack intention in the behavior preference knowledge characteristic and a data destruction label corresponding to the active attack intention according to the label combination result and the intention combination result; and determining a control strategy aiming at the big data security protection terminal by combining the active attack intention and the data destruction label, and issuing the control strategy to the big data security protection terminal.
In the embodiment of the invention, the intention derivation condition can be understood as intention relevance, the intention semantic distance can be understood as intention similarity, the active attack intention can be understood as an attack intention with higher heat or an attack intention with higher trigger probability, and in addition, the data destruction label is used for characterizing the type corresponding to the adverse effect caused by the corresponding data attack. Based on the method, the control strategy can be generated in a targeted manner by combining the active attack intention and the data destruction label, so that the information security protection processing quality of the big data security protection terminal is guaranteed.
Based on the same inventive concept, fig. 2 shows a block diagram of an abnormal behavior analysis apparatus with artificial intelligence according to an embodiment of the present invention, and the abnormal behavior analysis apparatus with artificial intelligence may include the following modules for implementing the steps of the related method shown in fig. 1.
The log receiving module 21 is configured to receive the abnormal user behavior log to be processed and a behavior preference knowledge base corresponding to the abnormal user behavior log to be processed and having an update requirement.
The content mining module 22 is configured to perform key content mining on the behavior preference knowledge base with the updating requirement and the abnormal user behavior log to be processed, through a set artificial intelligence model that has been configured and has a behavior preference knowledge base updating function, to obtain knowledge base updating indication information.
The knowledge base updating module 23 is configured to update the behavior preference knowledge base with the updating requirement through the set artificial intelligence model and the knowledge base updating indication information, so as to obtain an updated behavior preference knowledge base.
The related embodiments of the invention can achieve the following technical effects: through the set artificial intelligence model, key content mining is carried out on the behavior preference knowledge base with the updating requirement and the abnormal user behavior log to be processed to obtain knowledge base updating indication information. The knowledge base updating indication information can reflect at least one of the knowledge content to be corrected and the knowledge content to be supplemented in the behavior preference knowledge base with the updating requirement. The behavior preference knowledge base with the updating requirement can then be updated through the set artificial intelligence model and the knowledge base updating indication information; for example, the knowledge content to be corrected in the behavior preference knowledge base with the updating requirement can be filtered, and incomplete preference knowledge characteristics in the behavior preference knowledge base with the updating requirement can be completed, so that an updated behavior preference knowledge base with a high quality evaluation is obtained.
The foregoing is only illustrative of the present application. Those skilled in the art can conceive of changes or substitutions based on the specific embodiments provided in the present application, and all such changes or substitutions are intended to be included within the scope of the present application.

Claims (10)

1. An abnormal behavior analysis method combined with artificial intelligence is applied to a cloud computing service system, and the method at least comprises the following steps:
on the premise that the abnormal user behavior log to be processed comprises an online abnormal user behavior log crawled by an abnormal log capturing thread deployed in a big data security protection terminal, after an updated behavior preference knowledge base is obtained, behavior preference knowledge characteristics of at least one second target behavior event included in the abnormal user behavior log to be processed are determined based on the updated behavior preference knowledge base;
and indicating the big data security protection terminal to perform information security protection processing through the behavior preference knowledge characteristics of each second target behavior event.
2. The method according to claim 1, wherein the instructing, by the behavior preference knowledge characteristics of each second target behavior event, the big data security protection terminal to perform information security protection processing comprises:
determining local data attack intents and global data attack intents in the behavior preference knowledge characteristics;
combining the local data attack intention and the global data attack intention in the behavior preference knowledge characteristic to obtain an intention combination result based on intention derivative conditions between the local data attack intention and the global data attack intention in the behavior preference knowledge characteristic;
determining the combined abnormal global data attack intention as a candidate global data attack intention, and determining a data destruction label corresponding to the candidate global data attack intention according to an intention semantic distance between the global data attack intention and the candidate global data attack intention in the intention combination result;
combining the data destruction labels corresponding to the candidate global data attack intents and the candidate global data attack intents to obtain label combination results;
determining an active attack intention in the behavior preference knowledge characteristic and a data destruction label corresponding to the active attack intention according to the label combination result and the intention combination result;
and determining a control strategy aiming at the big data security protection terminal by combining the active attack intention and the data destruction label, and issuing the control strategy to the big data security protection terminal.
3. The method of claim 1, further comprising:
receiving an abnormal user behavior log to be processed and a behavior preference knowledge base which is corresponding to the abnormal user behavior log to be processed and has an updating requirement; performing key content mining on the behavior preference knowledge base with the updating requirement and the abnormal user behavior log to be processed to obtain knowledge base updating indication information through a set artificial intelligence model which is configured and has a behavior preference knowledge base updating function; the knowledge base updating indication information is used for reflecting at least one of knowledge content to be corrected and knowledge content to be supplemented corresponding to the behavior preference knowledge base with the updating requirement;
and updating the behavior preference knowledge base with the updating requirement through the set artificial intelligence model and the knowledge base updating indication information to obtain an updated behavior preference knowledge base.
4. The method according to claim 3, wherein the updating the behavior preference knowledge base with the update requirement through the set artificial intelligence model and the knowledge base update indication information to obtain an updated behavior preference knowledge base comprises:
performing key content mining on the knowledge base updating indication information and the behavior preference knowledge base with the updating requirement through the set artificial intelligence model to obtain a target key content set; wherein the target key content set has at least one of the following functions: aiming at indicating and filtering the knowledge content to be corrected in the behavior preference knowledge base with the updating requirement, and aiming at indicating and perfecting the behavior preference knowledge characteristics in the behavior preference knowledge base with the updating requirement;
and updating the behavior preference knowledge base with the updating requirement through the target key content set to obtain the updated behavior preference knowledge base.
5. The method of claim 4, wherein the performing key content mining on the knowledge base update indication information and the behavior preference knowledge base with the update requirement through the set artificial intelligence model to obtain a target key content set comprises:
performing key content mining on the knowledge base updating indication information and the behavior preference knowledge base with the updating requirement through the set artificial intelligence model to obtain a plurality of first key content sets with different dimensions;
taking a first key content set of a first dimension as a key content set to be processed, and performing key content adjustment on the key content set to be processed to obtain a second key content set; wherein the key content adjustment comprises at least one of a moving average operation and a key content extension;
obtaining a third key content set according to the second key content set and the first key content set which is consistent with the second key content set in dimension;
taking the third key content set as the adjusted to-be-processed key content set, and returning to the step of performing key content adjustment on the to-be-processed key content set to obtain a second key content set, until the dimension of the obtained third key content set is the same as the second dimension corresponding to the first key content set, and determining the third key content set corresponding to the second dimension as the target key content set; the set artificial intelligence model is configured in the following manner: receiving a reference example for model configuration, wherein the reference example for model configuration comprises an example abnormal user behavior log, a first behavior preference knowledge base and a second behavior preference knowledge base corresponding to the example abnormal user behavior log, and the quality evaluation of the first behavior preference knowledge base is higher than that of the second behavior preference knowledge base; and configuring an initial artificial intelligence model through the reference example for model configuration to obtain the set artificial intelligence model.
6. The method of claim 5, wherein, on the premise that the reference case for model configuration further includes case threat event label distribution and case behavior feature class distribution corresponding to case abnormal user behavior logs, and the set artificial intelligence model includes a parallel AI model and a knowledge base update model, configuring an initial artificial intelligence model by the reference case for model configuration to obtain the set artificial intelligence model comprises:
loading the second behavior preference knowledge base and the example abnormal user behavior log into the parallel AI model to obtain test knowledge base updating indication information, test behavior characteristic type distribution and test threat event label distribution corresponding to the example abnormal user behavior log;
loading the test-type knowledge base update indication information and the second behavior preference knowledge base into the knowledge base update model to obtain the test-type behavior preference knowledge base;
and configuring the initial artificial intelligence model according to at least one knowledge base set in the test type behavior feature type distribution and the example behavior feature type distribution, the test type threat event label distribution and the example threat event label distribution, the test type behavior preference knowledge base and the first behavior preference knowledge base, and the test type behavior preference knowledge base and the second behavior preference knowledge base to obtain the set artificial intelligence model.
7. The method of claim 6, wherein configuring the initial artificial intelligence model to obtain the set artificial intelligence model according to at least one knowledge base set of the distribution of the test-type behavior feature classes and the distribution of the example behavior feature classes, the distribution of the test-type threat event labels and the distribution of the example threat event labels, the knowledge base of the test-type behavior preferences and the knowledge base of the first behavior preferences, the knowledge base of the test-type behavior preferences and the knowledge base of the second behavior preferences comprises:
determining a first quantization model cost for reflecting behavior preference knowledge characteristic disturbance and a second quantization model cost for reflecting behavior preference significance disturbance according to the test type behavior preference knowledge base and the first behavior preference knowledge base;
determining a third quantization model cost for reflecting characteristic type disturbance according to the test type behavior characteristic type distribution and the example behavior characteristic type distribution;
determining a fourth quantization model cost for reflecting label distribution disturbance according to the test type threat event label distribution and the example threat event label distribution;
determining a fifth quantization model cost for reflecting the fuzzy condition of the knowledge base by means of the second behavior preference knowledge base and the test type behavior preference knowledge base;
determining a target quantization model cost according to one or more quantization model costs of the first quantization model cost, the second quantization model cost, the third quantization model cost, the fourth quantization model cost and the fifth quantization model cost;
and configuring the initial artificial intelligence model according to the target quantization model cost to obtain the set artificial intelligence model.
8. The method of claim 7, wherein, on a premise that the target quantization model cost includes a fourth quantization model cost, the determining a fourth quantization model cost reflecting a tag distribution perturbation from the test-type threat event tag distribution and the example threat event tag distribution comprises:
determining a word vector distance between a first tag topic of each first threat event tag in the distribution of test-type threat event tags and a second tag topic of a second threat event tag bound to the first threat event tag in the distribution of example threat event tags according to the distribution of test-type threat event tags and the distribution of example threat event tags;
and determining the fourth quantization model cost according to the word vector distance corresponding to each first threat event label and the number of the first threat event labels.
9. The method according to claim 7, wherein, on the premise that the target quantization model cost includes a second quantization model cost, the determining a second quantization model cost reflecting behavior preference significance perturbation from the test-type behavior preference knowledge base and the first behavior preference knowledge base comprises:
determining a first label change index of each threat event label in the test type behavior preference knowledge base under the single-side user behavior state and a second label change index under the multi-side user behavior state;
determining a third label change index of each threat event label in the first behavior preference knowledge base in a single-side user behavior state and a fourth label change index of each threat event label in a multi-side user behavior state;
and determining the second quantization model cost according to the first label change index and the second label change index which correspond to each third threat event label in the test type behavior preference knowledge base respectively, and the third label change index and the fourth label change index which correspond to a fourth threat event label bound with the third threat event label in the first behavior preference knowledge base.
10. A cloud computing service system, comprising: a memory and a processor; the memory and the processor are coupled; the memory for storing computer program code, the computer program code comprising computer instructions; wherein the computer instructions, when executed by the processor, cause the cloud computing service system to perform the method of any of claims 1-9.
CN202210887832.4A 2022-03-03 2022-03-03 Abnormal behavior analysis method and system combined with artificial intelligence Withdrawn CN115269981A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210887832.4A CN115269981A (en) 2022-03-03 2022-03-03 Abnormal behavior analysis method and system combined with artificial intelligence
CN202210204194.1A CN114491282B (en) 2022-03-03 2022-03-03 Abnormal user behavior analysis method and system based on cloud computing

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN202210204194.1A Division CN114491282B (en) 2022-03-03 2022-03-03 Abnormal user behavior analysis method and system based on cloud computing

Publications (1)

Publication Number Publication Date
CN115269981A true CN115269981A (en) 2022-11-01

Family

ID=81484587

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202210887832.4A Withdrawn CN115269981A (en) 2022-03-03 2022-03-03 Abnormal behavior analysis method and system combined with artificial intelligence
CN202210204194.1A Active CN114491282B (en) 2022-03-03 2022-03-03 Abnormal user behavior analysis method and system based on cloud computing

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN202210204194.1A Active CN114491282B (en) 2022-03-03 2022-03-03 Abnormal user behavior analysis method and system based on cloud computing

Country Status (1)

Country Link
CN (2) CN115269981A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116362226A (en) * 2023-04-10 2023-06-30 河北方振科技有限公司 Big data abnormal AI analysis method and server based on online business interaction

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115344880B (en) * 2022-09-14 2023-04-07 丁跃辉 Information security analysis method and server applied to digital cloud

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102468985B (en) * 2010-11-01 2016-03-23 北京神州绿盟信息安全科技股份有限公司 The method and system of penetration testing is carried out for Network Security Device
CN106778259B (en) * 2016-12-28 2020-01-10 北京明朝万达科技股份有限公司 Abnormal behavior discovery method and system based on big data machine learning
CN108123939A (en) * 2017-12-14 2018-06-05 华中师范大学 Malicious act real-time detection method and device
CN110990695A (en) * 2019-11-22 2020-04-10 厦门美柚股份有限公司 Recommendation system content recall method and device
CN113868010B (en) * 2021-12-01 2022-02-18 杭银消费金融股份有限公司 Abnormal data processing method and system applied to business system

Also Published As

Publication number Publication date
CN114491282A (en) 2022-05-13
CN114491282B (en) 2022-10-04

Similar Documents

Publication Publication Date Title
CN111178456B (en) Abnormal index detection method and device, computer equipment and storage medium
CN114491282B (en) Abnormal user behavior analysis method and system based on cloud computing
CN109829629B (en) Risk analysis report generation method, apparatus, computer device and storage medium
Sculley et al. Detecting adversarial advertisements in the wild
CN111177714B (en) Abnormal behavior detection method and device, computer equipment and storage medium
US11182481B1 (en) Evaluation of files for cyber threats using a machine learning model
CN113626241B (en) Abnormality processing method, device, equipment and storage medium for application program
US20220129816A1 (en) Methods and arrangements to manage requirements and controls, and data at the intersection thereof
CN113449012A (en) Internet service mining method based on big data prediction and big data prediction system
CN113326177A (en) Index anomaly detection method, device, equipment and storage medium
CN113723555A (en) Abnormal data detection method and device, storage medium and terminal
CN112256863A (en) Method and device for determining corpus intentions and electronic equipment
CN112579755A (en) Information response method and information interaction platform based on artificial intelligence and cloud computing
CN116150376A (en) Sample data distribution optimization method, device and storage medium
CN115618054A (en) Video recommendation method and device
CN115563275A (en) Multi-dimensional self-adaptive log classification and classification method and device
CN113901817A (en) Document classification method and device, computer equipment and storage medium
CN114385808A (en) Text classification model construction method and text classification method
CN114564473B (en) Data processing method, equipment and medium based on ERP enterprise management system
CN109783607A (en) A method of the match cognization magnanimity keyword in any text
US11736926B2 (en) Handling an event message in a communications system
CN114528550B (en) Information processing method and system applied to E-commerce big data threat identification
CN113536788B (en) Information processing method, device, storage medium and equipment
US11526606B1 (en) Configuring machine learning model thresholds in models using imbalanced data sets
CN112947995B (en) Java project architecture strategy positioning method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20221101