CN115344880B - Information security analysis method and server applied to digital cloud - Google Patents

Publication number
CN115344880B
Authority
CN
China
Prior art keywords
knowledge
user behavior
behavior log
digital cloud
cloud user
Legal status
Active
Application number
CN202211118052.XA
Other languages
Chinese (zh)
Other versions
CN115344880A (en)
Inventor
陈诚
王玉锋
Current Assignee
Ding Yuehui
Original Assignee
Ding Yuehui
Application filed by Ding Yuehui
Priority to CN202211118052.XA
Publication of CN115344880A
Application granted
Publication of CN115344880B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N5/00 Computing arrangements using knowledge-based models
    • G06N5/02 Knowledge representation; Symbolic representation

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Evolutionary Computation (AREA)
  • Computing Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Mathematical Physics (AREA)
  • Computational Linguistics (AREA)
  • Artificial Intelligence (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides an information security analysis method and a server applied to a digital cloud. In the embodiment of the invention, an intention knowledge decision optimization model is used to optimize and mine attack intention knowledge fields: the model optimizes the attack intention knowledge field of a first knowledge unit according to the attack intention knowledge fields of the second knowledge units of that first knowledge unit, so that the attack intention knowledge field of the first digital cloud user behavior log obtained through deduction analysis reflects the abnormal characteristic information of the first digital cloud user behavior log as accurately as possible, which further ensures the anti-interference performance and the processing precision of the information attack protection process.

Description

Information security analysis method and server applied to digital cloud
Technical Field
The invention relates to the technical field of information security, in particular to an information security analysis method and a server applied to digital cloud.
Background
As the global economy enters a period of digital transformation, digital transformation has become an issue on which traditional enterprises must act, and it has penetrated every aspect of daily life, including clothing, food and housing, work and life, and production services. At present, digitization and cloud services are deeply integrated, so that services can be handled digitally (namely, digital cloud services); this breaks time and region limitations and improves the flexibility of service interaction. However, as the scale of digital cloud services grows rapidly, the information security problems they bring cannot be ignored.
Disclosure of Invention
The invention provides an information security analysis method and a server applied to digital cloud, and adopts the following technical scheme in order to achieve the technical purpose.
The first aspect is an information security analysis method applied to a digital cloud, which is applied to a digital cloud server, and the method comprises the following steps:
if an abnormal behavior analysis instruction is detected in a set information protection period, acquiring first expert decision knowledge distribution according to the abnormal behavior analysis instruction; the first expert decision knowledge distribution comprises a first knowledge unit and at least one second knowledge unit, the characteristic variable of the first knowledge unit reflects an attack intention knowledge field of a first digital cloud user behavior log, the characteristic variable of the second knowledge unit reflects an attack intention knowledge field of a second digital cloud user behavior log, and the second digital cloud user behavior log is a digital cloud user behavior log meeting a set relationship with the first digital cloud user behavior log;
loading the first expert decision knowledge distribution to an intent knowledge decision optimization model; the intention knowledge decision optimization model optimizes the feature variables of the first knowledge unit based on the feature variables of the second knowledge unit in the first expert decision knowledge distribution to obtain attack intention knowledge fields of the optimized first digital cloud user behavior log.
Under some design ideas which can be independently implemented, the intention knowledge decision optimization model optimizes the feature variables of the first knowledge unit based on the feature variables of the second knowledge unit in the first expert decision knowledge distribution to obtain an attack intention knowledge field of a first digital cloud user behavior log which is optimized, and the method comprises the following steps:
determining an importance coefficient between the first knowledge unit and each of the second knowledge units in the first expert decision knowledge distribution;
connecting attack intention knowledge fields of the second knowledge units based on the importance coefficients to obtain linkage attack intention knowledge fields of the first knowledge units;
and obtaining the attack intention knowledge field of the optimized first digital cloud user behavior log based on the attack intention knowledge field of the first knowledge unit and the linkage attack intention knowledge field.
Under some design considerations which can be implemented independently, before the step of acquiring the first expert decision knowledge distribution according to the abnormal behavior analysis instruction if the abnormal behavior analysis instruction is detected in the set information protection period, the method further includes: acquiring, from a cloud shared storage space and based on the first digital cloud user behavior log, a second digital cloud user behavior log whose commonality score with the first digital cloud user behavior log reaches a set score.
Under some design ideas which can be independently implemented, the obtaining, based on the first digital cloud user behavior log, a second digital cloud user behavior log whose commonality score reaches a set score with the first digital cloud user behavior log from a cloud shared storage space includes:
respectively mining attack intention knowledge fields of the first digital cloud user behavior log and attack intention knowledge fields of all shared user behavior logs in the cloud shared storage space through an AI knowledge refinement model;
and determining, from the cloud shared storage space, a second digital cloud user behavior log whose commonality score with the first digital cloud user behavior log reaches a set score, based on the word vector commonality between the attack intention knowledge field of the first digital cloud user behavior log and the attack intention knowledge field of each shared user behavior log in the cloud shared storage space.
Under some design ideas which can be independently implemented, the determining a second digital cloud user behavior log whose commonality score reaches a set score based on a word vector commonality between the attack intention knowledge field of the first digital cloud user behavior log and the attack intention knowledge field of each shared user behavior log in a cloud shared storage space includes:
sorting the word vector commonality between the first digital cloud user behavior log and each shared user behavior log according to a rule of numerical value descending of the word vector commonality;
and selecting the shared user behavior logs corresponding to the first set number of word vector commonalities in the sorted order as the second digital cloud user behavior logs whose commonality score with the first digital cloud user behavior log reaches the set score.
Under some design considerations which can be independently implemented, the determining, from the cloud shared storage space, a second digital cloud user behavior log whose commonality score with the first digital cloud user behavior log reaches a set score based on a word vector commonality between the attack intention knowledge field of the first digital cloud user behavior log and the attack intention knowledge field of each shared user behavior log in the cloud shared storage space includes:
obtaining a first candidate user behavior log associated with the first digital cloud user behavior log from each shared user behavior log based on word vector commonality between attack intention knowledge fields of the first digital cloud user behavior log and attack intention knowledge fields of each shared user behavior log;
obtaining a second candidate user behavior log associated with the first candidate user behavior log from each shared user behavior log based on word vector commonality between the attack intention knowledge field of the first candidate user behavior log and the attack intention knowledge field of the shared user behavior log;
and taking the first candidate user behavior log and the second candidate user behavior log as a second digital cloud user behavior log of the first digital cloud user behavior log.
Under some independently implementable design ideas, there is one intention knowledge decision optimization model, or there are a plurality of intention knowledge decision optimization models arranged in a cascade structure; wherein, when there are a plurality of intention knowledge decision optimization models, the input information of any intention knowledge decision optimization model is the first expert decision knowledge distribution generated by the preceding intention knowledge decision optimization model connected to it.
Under some design ideas which can be independently implemented, the connecting attack intention knowledge fields of the second knowledge units based on the importance coefficients to obtain linkage attack intention knowledge fields of the first knowledge units comprises: and performing global operation on the attack intention knowledge fields of the second knowledge units based on the importance coefficients to obtain the linkage attack intention knowledge fields of the first knowledge units.
Under some design ideas which can be independently implemented, obtaining the attack intention knowledge field of the optimized first digital cloud user behavior log based on the attack intention knowledge field of the first knowledge unit and the linkage attack intention knowledge field comprises:
fusing an attack intention knowledge field of the first knowledge unit with the linkage attack intention knowledge field;
and carrying out first feature transformation processing on the fused knowledge field to obtain an attack intention knowledge field of the optimized first digital cloud user behavior log.
In some independently implementable design considerations, the determining an importance coefficient between the first knowledge unit and each of the second knowledge units in the first expert decision knowledge distribution comprises:
performing second feature transformation processing on the first knowledge unit and the second knowledge unit;
determining a binary operation result between the first knowledge unit and the second knowledge unit after the second feature transformation processing;
and determining the importance coefficient according to the binary operation result after the first feature transformation.
Under some independently implementable design considerations, the first digital cloud user behavior log includes: target user behavior logs to be identified and shared user behavior logs in the cloud shared storage space; after obtaining the attack intention knowledge field of the first digital cloud user behavior log corresponding to the first knowledge unit, the method further includes:
and acquiring associated digital cloud user behavior logs of the first digital cloud user behavior log from the shared user behavior log as a log identification report based on word vector commonality between the attack intention knowledge fields of the optimized first digital cloud user behavior log and the attack intention knowledge fields of the shared user behavior logs.
In addition, under some design ideas which can be independently implemented, the intention knowledge decision optimization model is used for optimizing attack intention knowledge fields of a digital cloud user behavior log, and the debugging step of the intention knowledge decision optimization model comprises the following steps:
acquiring a second expert decision knowledge distribution, wherein the second expert decision knowledge distribution comprises a first knowledge unit example and at least one second knowledge unit example, the characteristic variable of the first knowledge unit example reflects an attack intention knowledge field of a first digital cloud user behavior log example, the characteristic variable of the second knowledge unit example reflects an attack intention knowledge field of a second digital cloud user behavior log example, and the second digital cloud user behavior log example is a digital cloud user behavior log which meets a set relationship with the first digital cloud user behavior log example;
loading the second expert decision knowledge distribution to an intent knowledge decision optimization model that optimizes feature variables of the first knowledge units based on feature variables of second knowledge unit instances in the second expert decision knowledge distribution;
obtaining a regression analysis result of the first digital cloud user behavior log example according to an attack intention knowledge field of the first digital cloud user behavior log example which is optimized;
improving model configuration variables of the intention knowledge decision optimization model based on the regression analysis result;
the intention knowledge decision optimization model optimizes the feature variables of the first knowledge unit based on the feature variables of the second knowledge unit in the second expert decision knowledge distribution to obtain an attack intention knowledge field of the optimized first digital cloud user behavior log, and the method comprises the following steps:
determining an importance coefficient between the first knowledge unit and each of the second knowledge units in the second expert decision knowledge distribution;
based on the importance coefficient, connecting attack intention knowledge fields of the second knowledge units to obtain linkage attack intention knowledge fields of the first knowledge units;
and obtaining the attack intention knowledge field of the optimized first digital cloud user behavior log based on the attack intention knowledge field of the first knowledge unit and the linkage attack intention knowledge field.
In some independently implementable design considerations, before the obtaining the second expert decision knowledge distribution, the method further comprises: based on the first digital cloud user behavior log example, obtaining, from the authenticated cloud shared storage space, the second digital cloud user behavior log example associated with the first digital cloud user behavior log example.
In some independently implementable design considerations, before the obtaining, from the authenticated cloud shared storage space, the second digital cloud user behavior log example associated with the first digital cloud user behavior log example based on the first digital cloud user behavior log example, the method further includes: extracting an attack intention knowledge field of a first digital cloud user behavior log example through an AI knowledge extraction model; obtaining a regression analysis result of the first digital cloud user behavior log example based on an attack intention knowledge field of the first digital cloud user behavior log example; improving model configuration variables of the AI knowledge refinement model based on regression analysis results and prior annotations of the first digital cloud user behavior log example;
the obtaining, from the authenticated cloud shared storage space, the second digital cloud user behavior log instance associated with the first digital cloud user behavior log instance based on the first digital cloud user behavior log instance, includes: respectively mining an attack intention knowledge field of the first digital cloud user behavior log example and an attack intention knowledge field of each shared user behavior log in the authenticated cloud shared storage space through the AI knowledge refinement model; and determining the second digital cloud user behavior log examples associated with the first digital cloud user behavior log examples based on word vector commonality between the attack intention knowledge fields of the first digital cloud user behavior log examples and the attack intention knowledge fields of the respective shared user behavior logs.
A second aspect is a digital cloud server comprising a memory and a processor; the memory and the processor are coupled; the memory for storing computer program code, the computer program code comprising computer instructions; wherein the computer instructions, when executed by the processor, cause the digital cloud server to perform the method of the first aspect.
A third aspect is a computer-readable storage medium having stored thereon a computer program which, when executed, performs the method of the first aspect.
According to the information security analysis method applied to the digital cloud, the intention knowledge decision optimization model is used to optimize and mine attack intention knowledge fields: the model optimizes the attack intention knowledge field of the first knowledge unit according to the attack intention knowledge fields of the second knowledge units of that first knowledge unit, so that the attack intention knowledge field of the first digital cloud user behavior log obtained through deduction analysis reflects the abnormal characteristic information of the first digital cloud user behavior log as accurately as possible, which further guarantees the anti-interference performance and the processing accuracy of the information attack protection process.
In addition, in the process of model debugging, the attack intention knowledge field of the first digital cloud user behavior log example is learned in combination with the second digital cloud user behavior log whose commonality score with the first digital cloud user behavior log example reaches the set score, so that the attack intention knowledge field of the first digital cloud user behavior log example obtained through deduction analysis has higher interference resistance and feature recognition, which guarantees the accuracy and the reliability of information attack protection based on the attack intention knowledge field.
Drawings
Fig. 1 is a schematic flowchart of an information security analysis method applied to a digital cloud according to an embodiment of the present invention.
Fig. 2 is a block diagram of an information security analysis apparatus applied to a digital cloud according to an embodiment of the present invention.
Detailed Description
In the following, the terms "first", "second" and "third", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, features defined as "first", "second" or "third", etc., may explicitly or implicitly include one or more of the features.
Fig. 1 is a schematic flowchart illustrating an information security analysis method applied to a digital cloud according to an embodiment of the present invention, where the information security analysis method applied to the digital cloud may be implemented by a digital cloud server, and the digital cloud server may include a memory and a processor; the memory and the processor are coupled; the memory for storing computer program code, the computer program code comprising computer instructions; wherein the computer instructions, when executed by the processor, cause the digital cloud server to perform the following steps.
S100, if an abnormal behavior analysis instruction is detected in a set information protection period, acquiring first expert decision knowledge distribution according to the abnormal behavior analysis instruction.
In the embodiment of the invention, the set information protection period can be set flexibly according to the actual situation, and the abnormal behavior analysis instruction can be initiated by an authorized third party; the corresponding first expert decision knowledge distribution can then be determined by matching against the abnormal behavior analysis instruction.
In the embodiment of the invention, the first expert decision knowledge distribution comprises a first knowledge unit and at least one second knowledge unit, the characteristic variable of the first knowledge unit reflects an attack intention knowledge field of a first digital cloud user behavior log, the characteristic variable of the second knowledge unit reflects an attack intention knowledge field of a second digital cloud user behavior log, and the second digital cloud user behavior log is a digital cloud user behavior log meeting a set relationship with the first digital cloud user behavior log.
Further, the expert decision knowledge distribution may be a feature distribution or a feature relationship network, distinct knowledge units may be understood as members in the expert decision knowledge distribution, and knowledge units may be units constituting the expert decision knowledge distribution, based on which feature variables may be understood as feature values or descriptive values of the indicating units.
On the basis of the above, the first digital cloud user behavior log is a digital cloud user behavior log to be processed, or a digital cloud user behavior log with a potential risk. The second digital cloud user behavior log is a digital cloud user behavior log associated with the first digital cloud user behavior log. In other words, meeting the set relationship may be understood as similarity or commonality between the first digital cloud user behavior log and the second digital cloud user behavior log.
In addition, the expert decision knowledge distribution can be obtained through expert model mining analysis, the attack intention knowledge field is used for reflecting the preference characteristics or the tendency characteristics of information attack/data attack in different digital cloud user behavior logs or the attack interest points of the information attack/data attack, and the attack intention knowledge field can be represented in the form of a characteristic vector or a characteristic array.
For S100, the first digital cloud user behavior log is a digital cloud user behavior log of an attack intention knowledge field to be mined, the digital cloud user behavior log may be a digital cloud user behavior log in a different service session, for example, a digital cloud user behavior log to be identified in an e-commerce session, and the cloud shared storage space may be used to store a shared and callable digital cloud user behavior log.
For example, before the first expert decision knowledge distribution is acquired according to the abnormal behavior analysis instruction detected within the set information protection period, the second digital cloud user behavior log, whose commonality score with the first digital cloud user behavior log reaches a set score, may be obtained from a cloud shared storage space according to the first digital cloud user behavior log. The second digital cloud user behavior log may be determined according to the similarity of attack intention knowledge fields: an AI knowledge refinement model is used to mine the attack intention knowledge field of the first digital cloud user behavior log and the attack intention knowledge field of each shared user behavior log in the cloud shared storage space, respectively, and, based on the word vector similarity (such as a feature similarity value, which may be calculated by a cosine distance or a Euclidean distance) between the attack intention knowledge field of the first digital cloud user behavior log and the attack intention knowledge field of each shared user behavior log in the cloud shared storage space, the second digital cloud user behavior log whose similarity score with the first digital cloud user behavior log reaches a set score is determined from the cloud shared storage space.
In some possible embodiments, the word vector commonalities between the first digital cloud user behavior log and each shared user behavior log may be sorted in descending numerical order, and the shared user behavior logs corresponding to the first X word vector commonalities are selected as the second digital cloud user behavior logs whose commonality score with the first digital cloud user behavior log reaches a set score. X is a set number, for example the first 20.
In other possible embodiments, a first candidate user behavior log associated with the first digital cloud user behavior log may be obtained according to a cosine similarity value between attack intention knowledge fields, a second candidate user behavior log associated with the first candidate user behavior log may be obtained, and both the first candidate user behavior log and the second candidate user behavior log may be used as the second digital cloud user behavior log of the first digital cloud user behavior log.
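The two selection strategies described above (top-X by descending similarity, and first plus second candidates) can be sketched as follows. This is an added example, not code from the patent; the function names, the three-dimensional vectors and the value X = 2 are constructed assumptions, and cosine similarity stands in for the word vector commonality.

```python
import math

# Constructed sample data: attack intention knowledge fields as feature vectors.
# A real deployment would obtain these from the AI knowledge refinement model.
SHARED = {
    "log-a": [0.9, 0.1, 0.0],
    "log-b": [0.8, 0.3, 0.1],
    "log-c": [0.1, 0.9, 0.2],
    "log-d": [0.5, 0.6, 0.1],
    "log-e": [0.0, 0.1, 0.9],
}
TARGET = [1.0, 0.0, 0.0]  # field of the first digital cloud user behavior log


def cosine(u, v):
    """Cosine similarity of two equal-length vectors; 0.0 if either is all zeros."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def top_x(query_vec, shared, x, exclude=()):
    """Sort shared logs by similarity to query_vec, descending, and keep the first x."""
    scored = [(cosine(query_vec, vec), log_id)
              for log_id, vec in shared.items() if log_id not in exclude]
    # Ties are broken by log id so the result is deterministic.
    scored.sort(key=lambda item: (-item[0], item[1]))
    return [log_id for _, log_id in scored[:x]]


def two_hop(query_vec, shared, x):
    """First candidates are neighbors of the target; second candidates are
    neighbors of each first candidate that were not already selected."""
    first = top_x(query_vec, shared, x)
    second = []
    for cand in first:
        for neighbor in top_x(shared[cand], shared, x, exclude={cand}):
            if neighbor not in first and neighbor not in second:
                second.append(neighbor)
    return first, second


if __name__ == "__main__":
    print("top-X:", top_x(TARGET, SHARED, 2))
    first, second = two_hop(TARGET, SHARED, 2)
    print("first candidates:", first, "second candidates:", second)
```

The second-hop pass pulls in `log-d`, which is only moderately similar to the target itself but close to both first candidates, which is the effect the two-candidate embodiment is after.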
S102, loading the first expert decision knowledge distribution to an intention knowledge decision optimization model, wherein the intention knowledge decision optimization model optimizes the characteristic variables of the first knowledge unit based on the characteristic variables of the second knowledge unit in the first expert decision knowledge distribution to obtain an attack intention knowledge field of the optimized first digital cloud user behavior log.
For example, the intention knowledge decision optimization model may be an expert system based deep learning model DNN, or may be another type of neural network model.
Taking the deep learning model as an example, the deep learning model in S102 may optimize the feature variables of the first knowledge unit according to the feature variables of the second knowledge units. For example, it may determine importance coefficients (for example, weight values) between the first knowledge unit and each of the second knowledge units in the first expert decision knowledge distribution, connect the attack intention knowledge fields of each of the second knowledge units according to the importance coefficients to obtain a linkage attack intention knowledge field of the first knowledge unit, and obtain the attack intention knowledge field of the optimized first digital cloud user behavior log based on the attack intention knowledge field of the first knowledge unit and the linkage attack intention knowledge field. Connecting the attack intention knowledge fields merges them, so that a weighted attack intention knowledge field, namely the linkage attack intention knowledge field, is obtained, and the attack intention knowledge field of the first digital cloud user behavior log can be updated. Integrating similar attack intention knowledge fields enriches how the attack intention knowledge field expresses the potential risks of the first digital cloud user behavior log, which facilitates targeted information attack protection processing later.
In some possible examples, there may be one deep learning model, or a plurality of deep learning models arranged in a cascade structure. For example, when there are two deep learning models, the first expert decision knowledge distribution is input into the first deep learning model, the first deep learning model optimizes the attack intention knowledge field of the first knowledge unit according to the attack intention knowledge field of each second knowledge unit, and the first expert decision knowledge distribution generated by the first deep learning model is the optimized first expert decision knowledge distribution in which the attack intention knowledge field of the first knowledge unit is optimized. The optimized first expert decision knowledge distribution is then input into the second deep learning model, which again optimizes the attack intention knowledge field of the first knowledge unit based on the attack intention knowledge field of each second knowledge unit and again generates an optimized first expert decision knowledge distribution, in which the attack intention knowledge field of the first knowledge unit has been optimized twice.
The first expert decision knowledge distribution in the embodiment of the invention comprises a plurality of knowledge units (such as a first knowledge unit and a second knowledge unit), wherein the characteristic variable of each knowledge unit reflects an attack intention knowledge field of a digital cloud user behavior log reflected by the knowledge unit. And each knowledge unit in the first expert decision knowledge distribution can be used as a first knowledge unit, and the attack intention knowledge field of the digital cloud user behavior log corresponding to the knowledge unit is optimized through the idea of the embodiment of the invention, for example, when the knowledge unit is used as the first knowledge unit, the first expert decision knowledge distribution using the knowledge unit as the first knowledge unit is obtained, and the first expert decision knowledge distribution is loaded to an intention knowledge decision optimization model to optimize the attack intention knowledge field of the knowledge unit.
According to the information security analysis method applied to the digital cloud, the intention knowledge decision optimization model is used for optimizing and excavating the attack intention knowledge field, and the attack intention knowledge field of the first knowledge unit is optimized according to the attack intention knowledge field of the second knowledge unit of the first knowledge unit by the intention knowledge decision optimization model, so that the attack intention knowledge field of the first digital cloud user behavior log absorbed by deduction and analysis can reflect abnormal characteristic information of the first digital cloud user behavior log as accurately as possible, and further the anti-interference performance and the processing accuracy of the information attack protection process are guaranteed.
The following is a processing scheme of an intention knowledge decision optimization model in yet another embodiment that introduces how the intention knowledge decision optimization model optimizes attack intention knowledge fields of a digital cloud user behavior log loaded to the model. Illustratively, the intention knowledge decision optimization model is exemplified by a deep learning model, and the method may include the following.
S200, determining an importance coefficient between the first knowledge unit and the second knowledge unit according to attack intention knowledge fields of the first knowledge unit and the second knowledge unit.
For S200, the first knowledge unit may be a first digital cloud user behavior log in the model using stage, and the second knowledge unit may be a second digital cloud user behavior log of the first digital cloud user behavior log. For example, a second feature transformation process (such as a linear transformation) may be performed on the attack intention knowledge field (denoted attack interaction 1) of the first knowledge unit and the attack intention knowledge field (denoted attack interaction 2) of the second knowledge unit. A binary operation result (such as a dot product operation result) is then determined for the attack intention knowledge fields of the first knowledge unit and the second knowledge unit after the second feature transformation. Further, a first feature transformation process (such as a nonlinear process) is applied through a related activation function, and finally the importance coefficient is obtained after a normalization operation is performed.
It should be understood that the processing of the importance coefficient between the first knowledge unit and the second knowledge unit of the present scheme may also be to use a cosine similarity value of an attack intention knowledge field between the first knowledge unit and the second knowledge unit as the importance coefficient between the first knowledge unit and the second knowledge unit.
S202, based on the importance coefficient, globally calculating the attack intention knowledge field of the second knowledge unit to obtain the linkage attack intention knowledge field of the first knowledge unit.
For example, the first feature transformation process may be performed on the attack intention knowledge field of each second knowledge unit of the first knowledge unit, and then the attack intention knowledge fields of the respective second knowledge units after the first feature transformation process are subjected to global operation (for example, weighted summation) based on the importance coefficients obtained in S200, and the obtained attack intention knowledge fields may be understood as linkage attack intention knowledge fields.
S204, obtaining the optimized characteristics of the optimized first digital cloud user behavior log based on the attack intention knowledge field of the first knowledge unit and the linkage attack intention knowledge field.
For S204, the attack intention knowledge field of the first knowledge unit originally obtained in the expert decision knowledge distribution and the linkage attack intention knowledge field may be fused, then the first feature transformation processing is performed, and finally the normalization processing is performed to obtain the final, optimized attack intention knowledge field of the first knowledge unit.
Based on S200-S204, the characteristic variable of the first knowledge unit in the first expert decision knowledge distribution is optimized, and the attack intention knowledge field of the optimized first knowledge unit is obtained.
According to the information security analysis method applied to the digital cloud, the attack intention knowledge field of the first knowledge unit is determined by performing global operation according to the attack intention knowledge field of the second knowledge unit of the first knowledge unit through the deep learning model, so that the attack intention knowledge field of the first digital cloud user behavior log example and the attack intention knowledge fields of other associated digital cloud user behavior logs can be analyzed in an all-around manner, the interference resistance and the feature recognition degree of the attack intention knowledge field example absorbed by deduction and analysis are higher, and the precision and the reliability of subsequent attack protection are improved.
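The S200 to S204 computation, together with the two-model cascade described earlier, can be written out as follows. This is an added example and not code from the patent; the softmax normalization, the leaky-ReLU and tanh activations, fusion by element-wise sum, the identity weight matrices and the sample vectors are all assumptions made for illustration.

```python
import math


def matvec(weights, vec):
    """Linear transformation: weight matrix (list of rows) times a vector."""
    return [sum(w * x for w, x in zip(row, vec)) for row in weights]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def leaky_relu(x, slope=0.2):
    return x if x > 0 else slope * x


def softmax(scores):
    peak = max(scores)  # subtract the maximum for numerical stability
    exps = [math.exp(s - peak) for s in scores]
    total = sum(exps)
    return [e / total for e in exps]


def l2_normalize(vec):
    norm = math.sqrt(dot(vec, vec))
    return [x / norm for x in vec] if norm else list(vec)


def importance_coefficients(first, seconds, w_first, w_second):
    """S200: linear transform, dot product, activation, then normalization."""
    query = matvec(w_first, first)
    raw = [leaky_relu(dot(query, matvec(w_second, s))) for s in seconds]
    return softmax(raw)


def linkage_field(seconds, coeffs, w_value):
    """S202: nonlinear transform of each second unit, then weighted summation."""
    transformed = [[math.tanh(x) for x in matvec(w_value, s)] for s in seconds]
    width = len(transformed[0])
    return [sum(c * t[i] for c, t in zip(coeffs, transformed)) for i in range(width)]


def optimize_first_unit(first, seconds, params):
    """S204: fuse the original field with the linkage field, transform, normalize.

    w_value must map to the same dimension as the first unit's field so that
    the element-wise fusion is defined.
    """
    coeffs = importance_coefficients(first, seconds, params["w_first"], params["w_second"])
    link = linkage_field(seconds, coeffs, params["w_value"])
    fused = [a + b for a, b in zip(first, link)]
    return l2_normalize([math.tanh(x) for x in fused]), coeffs


def cascade(first, seconds, layers):
    """Cascade structure: each model re-optimizes the first unit's field
    against the same second-unit fields."""
    field = first
    for params in layers:
        field, _ = optimize_first_unit(field, seconds, params)
    return field


# Constructed sample data (not from the patent): 3-dimensional fields.
IDENTITY = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]]
PARAMS = {"w_first": IDENTITY, "w_second": IDENTITY, "w_value": IDENTITY}
FIRST = [1.0, 0.0, 0.2]
SECONDS = [[0.9, 0.1, 0.1], [0.0, 1.0, 0.0], [0.8, 0.0, 0.3]]

if __name__ == "__main__":
    optimized, weights = optimize_first_unit(FIRST, SECONDS, PARAMS)
    print("importance coefficients:", [round(w, 4) for w in weights])
    print("optimized once:", [round(x, 4) for x in optimized])
    print("optimized twice:", [round(x, 4) for x in cascade(FIRST, SECONDS, [PARAMS, PARAMS])])
```

With these sample vectors the second unit that points away from the first unit receives the smallest importance coefficient, so it contributes least to the linkage field.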
In some embodiments that may be independent, the following is a debugging concept for an intent knowledge decision optimization model that introduces a debugging scheme for the intent knowledge decision optimization model, examples of which may include the following.
S300, according to a first digital cloud user behavior log example for debugging the intention knowledge decision optimization model, obtaining a second digital cloud user behavior log example associated with the first digital cloud user behavior log example from an authenticated cloud shared storage space.
It can be understood that, in the embodiment of the present invention, the "authenticated cloud shared storage space" and the "second digital cloud user behavior log example" are used to characterize that this is a debugging step of the application in the model, and are distinguished from the second digital cloud user behavior log and the cloud shared storage space mentioned in the model using step in terms of naming. Similarly, the subsequently mentioned "first knowledge unit example" and "second knowledge unit example" may be a distinguishing process from the corresponding technical features in the model using link. Further, examples may be understood as training samples or debugging samples.
It can be appreciated that asynchronous debugging concepts can be employed in debugging the intent knowledge decision optimization model. For example, the set of debugging examples can be divided into a plurality of local example sets, each time the debugging is cycled, one local example set is introduced into the intention knowledge decision optimization model, and the model configuration variables are improved by combining rules of loss function feedback in combination with model cost indexes (such as arithmetic function values) of the first digital cloud user behavior log examples included in the local example sets. After one cycle debugging is completed, the next local example set can be loaded to the intention knowledge decision optimization model to perform the next cycle debugging.
For the embodiment of the present invention, each digital cloud user behavior log in one local example set sample may be understood as one first digital cloud user behavior log example, and each first digital cloud user behavior log example may perform the following processing from S300 to S306, and may obtain a model cost index cost function according to a regression analysis result and a priori annotation.
Further, obtaining a digital cloud user behavior log that satisfies a set relationship with the first digital cloud user behavior log instance may be understood as a "second digital cloud user behavior log instance". For example, the determining concept of the second digital cloud user behavior log example may be that the digital cloud user behavior log with a higher word vector commonality is determined as the second digital cloud user behavior log example according to the word vector commonality between the digital cloud user behavior logs.
S302, obtaining a second expert decision knowledge distribution, wherein the second expert decision knowledge distribution comprises a first knowledge unit example and at least one second knowledge unit example, the characteristic variable of the first knowledge unit example reflects an attack intention knowledge field of a first digital cloud user behavior log example, the characteristic variable of the second knowledge unit example reflects an attack intention knowledge field of a second digital cloud user behavior log example, and the second digital cloud user behavior log example is a digital cloud user behavior log which meets a set relationship with the first digital cloud user behavior log example.
For example, the expert decision knowledge distribution in the model debugging stage may be understood as a second expert decision knowledge distribution, and the expert decision knowledge distribution in the model using stage may be understood as a first expert decision knowledge distribution.
Further, the second expert decision knowledge distribution may include a plurality of knowledge units therein. Wherein the knowledge unit may include: one first knowledge unit instance, and no less than one second knowledge unit instance. The first knowledge unit examples reflect first digital cloud user behavior log examples, and each second knowledge unit example reflects one second digital cloud user behavior log example determined in S300. The feature variable of each knowledge unit is an attack intention knowledge field, for example, the feature variable of a first knowledge unit example is an attack intention knowledge field of a first digital cloud user behavior log example, and the feature variable of a second knowledge unit example is an attack intention knowledge field of a second digital cloud user behavior log example.
S304, loading the second expert decision knowledge distribution to an intention knowledge decision optimization model, wherein the intention knowledge decision optimization model optimizes the characteristic variables of the first knowledge unit examples based on the characteristic variables of the second knowledge unit examples in the second expert decision knowledge distribution.
For example, the intent knowledge decision optimization model may be a deep learning model. The deep learning model is based on an expert system, and the deep learning model DNN is configured to optimize an attack intention knowledge field of a first knowledge unit example according to an attack intention knowledge field of a second knowledge unit example in the second expert decision knowledge distribution, for example, the attack intention knowledge field of the first knowledge unit example may be optimized after global operation according to the attack intention knowledge field of each second knowledge unit example.
In some possible examples, the number of deep learning models may be one, or a plurality having a cascade structure. For example, when the number of the deep learning models is two, the expert decision knowledge distribution is loaded into a first deep learning model, the first deep learning model optimizes the attack intention knowledge field of the first knowledge unit according to the attack intention knowledge field of each second knowledge unit, and the first deep learning model generates the expert decision knowledge distribution in which the attack intention knowledge field of the first knowledge unit is optimized. And inputting the optimized expert decision knowledge distribution into a second deep learning model again, optimizing the attack intention knowledge field of the first knowledge unit by the second deep learning model based on the attack intention knowledge field of each second knowledge unit again, and generating the attack intention knowledge field of the first knowledge unit which is optimized again.
S306, according to attack intention knowledge fields of the first digital cloud user behavior log example extracted by the intention knowledge decision optimization model, obtaining a regression analysis result of the first digital cloud user behavior log example.
For S306, a regression analysis result of the first digital cloud user behavior log example may be further determined according to the attack intention knowledge field mined by the deep learning model. For example, the deep learning model may be connected to a multiple regression analysis model (e.g., a classifier), and the multiple regression analysis model obtains, according to the attack intention knowledge field, the possibility that the first digital cloud user behavior log examples belong to the respective set risk topic.
And S308, improving model configuration variables of the intention knowledge decision optimization model based on the regression analysis result.
For S308, a model cost index cost function corresponding to the first digital cloud user behavior log example may be determined according to a comparison result of the regression analysis result generated by the intention knowledge decision optimization model and the prior annotation. In combination with the above, taking a deep learning model as an example, in a multiple sample asynchronous debugging mode, a model cost index according to each first digital cloud user behavior log example in one sample can be comprehensively fed back to improve a model configuration variable of the deep learning model, so that the deep learning model can more accurately extract an attack intention knowledge field according to the improved model configuration variable.
For example, when the model configuration variables of the deep learning model are improved according to the feedback of the model cost index cost function, various model parameters or weight coefficients of the deep learning model may be improved, which is not limited herein.
According to the method for debugging the intention knowledge decision optimization model, in the process of debugging the model, attack intention knowledge fields of the first digital cloud user behavior log example are absorbed and learned by combining the associated digital cloud user behavior log of the first digital cloud user behavior log example, so that the attack intention knowledge fields of the first digital cloud user behavior log example and the knowledge fields of other associated user behavior logs can be comprehensively fused, the interference resistance and the feature recognition degree of the absorbed attack intention knowledge field example are deduced and analyzed to be higher, and the precision and the reliability of subsequent attack protection are improved.
Under other independently implementable design ideas, an attack intention knowledge field can be mined/refined through a pre-debugged feature extraction network (which can be understood as an AI knowledge refinement model), and a second digital cloud user behavior log example associated with the first digital cloud user behavior log example is obtained from the authenticated cloud shared storage space according to the similarity of the attack intention knowledge field.
S400, pre-debugging a feature extraction network by using debugging example records.
For example, the pre-tuned feature extraction network may be understood as an AI knowledge refinement model, including but not limited to CNN, RNN, FPN, etc.
The digital cloud user behavior log in the debugging example record may be understood as a first digital cloud user behavior log example. The debugging process of the AI knowledge refinement model can comprise the following steps: extracting an attack intention knowledge field of a first digital cloud user behavior log example through an AI knowledge extraction model; obtaining a regression analysis result of the first digital cloud user behavior log example based on an attack intention knowledge field of the first digital cloud user behavior log example; improving model configuration variables of the AI knowledge refinement model based on regression analysis results and prior annotations of the first digital cloud user behavior log example.
It is understood that the above first digital cloud user behavior log example refers to a digital cloud user behavior log used for debugging the AI knowledge refinement model, whereas the aforementioned first digital cloud user behavior log example is the one applied to the debugging process of the intention knowledge decision optimization model after the AI knowledge refinement model has been debugged. For example, the attack intention knowledge fields of the first digital cloud user behavior log example and of each shared user behavior log in the authenticated cloud shared storage space are extracted by the pre-debugged AI knowledge refinement model and, after the expert decision knowledge distribution is generated, are loaded to the intention knowledge decision optimization model for attack intention knowledge field optimization; the input information used in the debugging process of the intention knowledge decision optimization model is that first digital cloud user behavior log example. The first digital cloud user behavior log example used for debugging the AI knowledge refinement model and the one used for debugging the intention knowledge decision optimization model may be identical or may be different.
S402, respectively mining attack intention knowledge fields of the first digital cloud user behavior log example and each shared user behavior log in the authenticated cloud shared storage space through an AI knowledge extraction model.
S404, obtaining a first candidate user behavior log associated with the first digital cloud user behavior log example from each shared user behavior log based on word vector commonality between the first digital cloud user behavior log example and the attack intention knowledge field of each shared user behavior log.
The shared user behavior log is a digital cloud user behavior log in a cloud shared storage space.
For example, word vector commonalities between the attack intention knowledge field of the first digital cloud user behavior log example and the attack intention knowledge field of each shared user behavior log may be determined, and the shared user behavior logs may be sorted according to the word vector commonalities, for example in descending order of word vector commonality. The top Y shared user behavior logs in the sorting results are then selected as first candidate user behavior logs of the first digital cloud user behavior log example. For example, the knowledge unit unit31 reflects a first digital cloud user behavior log example, and the shared user behavior logs reflected by the knowledge units unit32, unit33, and unit34 are all first candidate user behavior logs of the first digital cloud user behavior log example.
S406, according to the word vector commonality between the attack intention knowledge fields of the first candidate user behavior log and the shared user behavior log, obtaining a second candidate user behavior log associated with the first candidate user behavior log from the shared user behavior log.
Word vector commonality between the attack intention knowledge fields of the first candidate user behavior log and of the shared user behavior logs is then determined, and the shared user behavior logs associated with the first candidate user behavior log are obtained from the shared user behavior logs as second candidate user behavior logs. For example, through the word vector commonality of the attack intention knowledge field, the knowledge units unit35 to unit37 are shared user behavior logs associated with the knowledge unit unit32, and the knowledge units unit35 to unit37 are second candidate user behavior logs of the knowledge unit unit31. Further, the knowledge units unit38 to unit40 associated with the knowledge unit unit34 are also second candidate user behavior logs of the knowledge unit unit31.
In some possible examples, the determination of the second digital cloud user behavior log may be terminated once the first candidate user behavior logs of the first knowledge unit corresponding to the first digital cloud user behavior log example have been found. Alternatively, a greater number of second digital cloud user behavior logs, such as a third candidate user behavior log or a fourth candidate user behavior log, may also be found. How many levels of second digital cloud user behavior logs to traverse may be determined according to the actual needs of different service sessions. The first candidate user behavior log, the second candidate user behavior log and the like can each be understood as a second digital cloud user behavior log: in the model debugging stage they are second digital cloud user behavior log examples, and in the model using stage they are second digital cloud user behavior logs.
It will also be appreciated that the second digital cloud user behavior log may be obtained based on other concepts besides the scenario example. For example, a preset commonality may be set, and all or part of the shared user behavior log with the word vector commonality higher than the preset commonality may be used as the second digital cloud user behavior log of the first digital cloud user behavior log example. For another example, instead of mining the attack intention knowledge field using the AI knowledge refinement model, the attack intention knowledge field may be determined by characterizing the digital cloud user behavior log at multiple levels.
S408, generating a second expert decision knowledge distribution according to the first digital cloud user behavior log example and the second digital cloud user behavior log, wherein knowledge units in the second expert decision knowledge distribution comprise: the method comprises a first knowledge unit example used for reflecting the first digital cloud user behavior log example and no less than one second knowledge unit example used for reflecting a second digital cloud user behavior log, and the characteristic variable of the knowledge unit is an attack intention knowledge field of the first digital cloud user behavior log example or the second digital cloud user behavior log.
The generated second expert decision knowledge distribution is a feature relationship network including a plurality of knowledge units, the knowledge unit31 is an example of a first knowledge unit, and all other knowledge units are examples of a second knowledge unit. The feature variable may be an attack intention knowledge field of the digital cloud user behavior log reflected by the knowledge unit, and the attack intention knowledge field may be extracted from S202, for example.
S410, loading the second expert decision knowledge distribution to an intention knowledge decision optimization model, optimizing an attack intention knowledge field of a first knowledge unit example based on an attack intention knowledge field of a second knowledge unit example in the second expert decision knowledge distribution by the intention knowledge decision optimization model, extracting the attack intention knowledge field of the first digital cloud user behavior log example, and obtaining a regression analysis result of the first digital cloud user behavior log example according to the attack intention knowledge field.
S412, according to the regression analysis result of the first digital cloud user behavior log example, improving the model configuration variables of the intention knowledge decision optimization model and the model configuration variables of the AI knowledge extraction model.
The model configuration variable improvement can improve the model configuration variable of the AI knowledge extraction model, and can also not improve the model configuration variable of the AI knowledge extraction model, and the improvement can be determined according to the actual debugging requirement.
According to the adjusting thought of the intention knowledge decision optimization model, in the process of model adjusting, the attack intention knowledge field of the first digital cloud user behavior log example is learned by combining the associated digital cloud user behavior log of the first digital cloud user behavior log example, so that the attack intention knowledge field of the first digital cloud user behavior log example and the knowledge field of other associated user behavior logs can be comprehensively considered, the interference resistance and the feature recognition degree of the attack intention knowledge field example absorbed by deduction and analysis are higher, and the accuracy and the reliability of subsequent attack protection are improved; moreover, the attack intention knowledge field is extracted by the AI knowledge extraction model, so that the mining timeliness of the attack intention knowledge field can be improved, the model debugging timeliness can be further improved, the model configuration variable of the AI knowledge extraction model can be improved according to the model cost index, and the mining knowledge field of the AI knowledge extraction model is more accurate.
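The candidate search of S404 to S408, including the preset-commonality alternative mentioned above, is illustrated by the following added example, which is not code from the patent. It assumes cosine similarity as the word vector commonality measure, uses constructed two-dimensional attack intention knowledge fields, and borrows only the name example81 from the description; the log_a to log_f identifiers are hypothetical.

```python
import math


def commonality(a, b):
    """Cosine similarity, used here as the word vector commonality (assumption)."""
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    if norm_a == 0 or norm_b == 0:
        return 0.0
    return sum(x * y for x, y in zip(a, b)) / (norm_a * norm_b)


def top_candidates(query_id, fields, y, exclude, min_commonality):
    """Rank the shared logs against one query log and keep the top Y.

    Logs already in the distribution are excluded, and logs below the
    preset commonality are dropped even if fewer than Y remain.
    """
    scored = [(commonality(fields[query_id], vec), log_id)
              for log_id, vec in fields.items() if log_id not in exclude]
    scored = [(score, log_id) for score, log_id in scored if score >= min_commonality]
    scored.sort(key=lambda pair: (-pair[0], pair[1]))  # descending, ties by id
    return [log_id for _, log_id in scored[:y]]


def build_distribution(first_id, fields, y, hops=2, min_commonality=0.0):
    """S404-S408: collect first, second, ... candidate logs and assemble the
    expert decision knowledge distribution as units plus association edges."""
    units = {first_id: fields[first_id]}
    edges, levels, frontier = [], [], [first_id]
    for _ in range(hops):
        level = []
        for source in frontier:
            for cand in top_candidates(source, fields, y, set(units), min_commonality):
                units[cand] = fields[cand]
                edges.append((source, cand))  # records which log pulled this one in
                level.append(cand)
        levels.append(level)
        frontier = level
    return {"first_unit": first_id, "levels": levels, "edges": edges, "features": units}


# Constructed attack intention knowledge fields (not from the patent). The first
# log example is stored in the same mapping as the shared logs for brevity.
FIELDS = {
    "example81": [1.0, 0.0],
    "log_a": [0.9, 0.1],
    "log_b": [0.8, 0.3],
    "log_c": [0.5, 0.5],
    "log_d": [0.2, 0.9],
    "log_e": [0.0, 1.0],
    "log_f": [-1.0, 0.1],
}

if __name__ == "__main__":
    dist = build_distribution("example81", FIELDS, y=2, hops=2, min_commonality=0.3)
    print("first candidates: ", dist["levels"][0])
    print("second candidates:", dist["levels"][1])
    print("edges:", dist["edges"])
```

Keeping the association edges lets an analyst trace why a given shared log ended up influencing the first unit's optimized field.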
Under other possibly independent design considerations, a digital cloud user behavior log that satisfies a set relationship with the first digital cloud user behavior log may also be identified from the cloud shared storage space, and examples may include the following.
S700, a first digital cloud user behavior log to be identified is obtained.
If digital cloud user behavior logs containing the same abnormal behavior event as a given digital cloud user behavior log are to be identified from the cloud shared storage space, the given digital cloud user behavior log may be referred to as a first digital cloud user behavior log. That is, digital cloud user behavior logs having a relationship with the first digital cloud user behavior log are to be identified from the cloud shared storage space, where the relationship may be that they include the same abnormal behavior event or belong to an associated risk topic.
S702, extracting an attack intention knowledge field of the first digital cloud user behavior log.
The attack intention knowledge field may be extracted by the information security analysis method applied to the digital cloud according to any embodiment of the invention.
And S704, extracting attack intention knowledge fields of behavior logs of all the shared users in the cloud shared storage space.
The information security analysis method applied to the digital cloud according to any embodiment of the present invention, for example, the related technical solutions described above, may be used to extract attack intention knowledge fields of behavior logs of each shared user in the cloud shared storage space.
S706, obtaining relevant digital cloud user behavior logs of the first digital cloud user behavior log as log recognition reports based on word vector commonalities between the attack intention knowledge fields of the first digital cloud user behavior log and the attack intention knowledge fields of the shared user behavior logs.
And performing word vector commonality measurement between the attack intention knowledge fields of the first digital cloud user behavior log and the attack intention knowledge fields of the shared user behavior logs, so that the associated shared user behavior logs are used as log identification reports.
According to the digital cloud user behavior log identification method, due to the fact that the extracted attack intention knowledge field example is higher in anti-interference performance and feature identification degree, the accuracy of log identification reports is improved.
In addition, in the model debugging stage, an asynchronous debugging idea may be adopted, for example, the debugging example set may be divided into a plurality of local example sets (samples), each time of loop debugging loads each first digital cloud user behavior log example in one sample to the intention knowledge decision optimization model to be debugged one by one, and the model configuration variable of the intention knowledge decision optimization model is improved by combining the model cost index of each first digital cloud user behavior log example included in the local example set.
Taking a first digital cloud user behavior log example as an example, how to obtain a model cost index corresponding to the first digital cloud user behavior log example is described below. The example81 of the first digital cloud user behavior log includes one risk potential event case82, and an object identified by the risk potential event in the embodiment of the present invention is a shared user behavior log that includes the same risk potential event case82 and is queried in a cloud shared storage space.
For example, a model for extracting attack intention knowledge fields, such as a CNN model, may be understood as an AI knowledge refinement model, which has been pre-debugged. The attack intention knowledge fields of the first digital cloud user behavior log example example81 and of each shared user behavior log in the cloud shared storage space are mined through the AI knowledge refinement model. Then, the word vector commonalities between the first digital cloud user behavior log example example81 and each shared user behavior log are determined and sorted, and a preset number of the top-ranked logs (for example, the top 20 results when sorted in descending order of word vector commonality) are selected as the digital cloud user behavior logs satisfying a set relationship with the first digital cloud user behavior log example example81, which may be understood as the second digital cloud user behavior logs of the first digital cloud user behavior log example example81. Further, the shared user behavior log record83, the shared user behavior log record84, and so on up to the shared user behavior log record85 are all second digital cloud user behavior logs. The risk potential events included in the second digital cloud user behavior logs may be exactly the same as the risk potential event case82, or may be associated with the risk potential event case82.
Furthermore, taking the ten second digital cloud user behavior logs from the shared user behavior log record83 and the shared user behavior log record84 up to the shared user behavior log record85 as references, the shared user behavior logs respectively associated with each second digital cloud user behavior log are identified in the cloud shared storage space. For example, taking the shared user behavior log record83 as an example, the 20 shared user behavior logs ranked highest by word vector commonality of the attack intention knowledge field are selected from the shared user behavior logs as the 20 second digital cloud user behavior logs of the shared user behavior log record83. sample91 includes these 20 shared user behavior logs, which are the 20 second digital cloud user behavior logs of the shared user behavior log record83. Likewise, ten second digital cloud user behavior logs associated with the shared user behavior log record84, such as sample92 described above, may be identified. This secondary query for associated digital cloud user behavior logs is carried out for each of the ten second digital cloud user behavior logs from the shared user behavior log record83 and the shared user behavior log record84 up to the shared user behavior log record85. The shared user behavior log record83, the shared user behavior log record84, and so on may be understood as first candidate user behavior logs of the first digital cloud user behavior log example example81, and the shared user behavior logs in sample91 and sample92 may be understood as second candidate user behavior logs of the first digital cloud user behavior log example example81.
In the embodiment of the present invention, the first candidate user behavior log and the second candidate user behavior log are taken as an example, and in another example, a third candidate user behavior log associated with the second candidate user behavior log may be further identified.
Further, an expert decision knowledge distribution may be generated from the first digital cloud user behavior log example and the identified second digital cloud user behavior logs. The expert decision knowledge distribution includes a first knowledge unit and a plurality of second knowledge units. The first knowledge unit reflects the first digital cloud user behavior log example 81, each second knowledge unit reflects one second digital cloud user behavior log, and the second knowledge units cover both the first candidate user behavior logs and the second candidate user behavior logs. The feature variable of each knowledge unit is the attack intention knowledge field of the digital cloud user behavior log that the unit reflects, namely the attack intention knowledge field that was mined and used for the word vector commonality comparison when the second digital cloud user behavior logs were obtained; for example, it may be the attack intention knowledge field mined by the AI knowledge refinement model.
In other possible embodiments, the model architecture for mining the attack intention knowledge field may include an AI knowledge refinement model M1. The AI knowledge refinement model M1 extracts the attack intention knowledge fields F2 of the first digital cloud user behavior log example and of each shared user behavior log in the cloud shared storage space, and the expert decision knowledge distribution N3 is obtained through word vector commonality comparison and other operations on the attack intention knowledge fields. The expert decision knowledge distribution N3 may be input into a joint model M4, which includes a plurality of cascaded joint models D5; each joint model D5 may optimize the attack intention knowledge field of the first knowledge unit according to the above-mentioned correlation scheme.
The joint model M4 may output the finally optimized attack intention knowledge field of the first knowledge unit as the attack intention knowledge field of the first digital cloud user behavior log example. The regression analysis result corresponding to the first digital cloud user behavior log example may then be determined again based on this attack intention knowledge field, and the model cost index (cost function) corresponding to the first digital cloud user behavior log example is calculated from the regression analysis result and the prior annotation of the first digital cloud user behavior log example.
Further, a model cost index may be obtained for each first digital cloud user behavior log example according to the above processing procedure. Finally, the model configuration variables of the intention knowledge decision optimization model, such as the model variables of the deep learning model and the model variables of the AI knowledge refinement model, may be improved according to the model cost indexes of the first digital cloud user behavior log examples. In other embodiments, the AI knowledge refinement model may not be included in the model, and the expert decision knowledge distribution may be obtained in other manners.
On the basis of the above, risk potential events can be identified by using the debugged model, as follows.
1. Attack intention knowledge fields of each shared user behavior log in the cloud shared storage space can be extracted through the AI knowledge refinement model M1, and the mined attack intention knowledge fields are cached.
2. A first digital cloud user behavior log to be identified is received; for example, the first digital cloud user behavior log is a digital cloud user behavior log with a risk potential. The attack intention knowledge field of the first digital cloud user behavior log may be extracted with the intention knowledge decision optimization model as follows: the attack intention knowledge field of the first digital cloud user behavior log is extracted through the AI knowledge refinement model M1, and the second digital cloud user behavior logs of the first digital cloud user behavior log are obtained based on the word vector commonality between the attack intention knowledge field of the first digital cloud user behavior log and the attack intention knowledge field of each shared user behavior log. An expert decision knowledge distribution can then be obtained from the first digital cloud user behavior log and the second digital cloud user behavior logs; it may comprise a first knowledge unit reflecting the first digital cloud user behavior log and a plurality of second knowledge units reflecting the second digital cloud user behavior logs. The expert decision knowledge distribution is input into the joint model M4, the attack intention knowledge field of the first knowledge unit in the expert decision knowledge distribution is optimized through the deep learning model, and the resulting attack intention knowledge field of the first knowledge unit is taken as the mined attack intention knowledge field of the first digital cloud user behavior log.
3. For each shared user behavior log, the attack intention knowledge field finally generated by the joint model may also be obtained in a manner similar to the second step.
4. The word vector commonality between the attack intention knowledge field of the first digital cloud user behavior log and the attack intention knowledge field of each shared user behavior log is determined, and the shared user behavior logs are sorted by word vector commonality to obtain the final log identification report. For example, several shared user behavior logs with high word vector commonality can be used as the log identification report.
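The four identification steps above, sketched as an added Python example that is not code from the patent or its applicant. It assumes cosine similarity as the word vector commonality, a softmax over scaled dot products as the importance coefficient, and addition followed by L2 normalisation as the fusion and feature transformation; the three-dimensional fields and log ids are constructed in place of real output from the AI knowledge refinement model M1.

```python
import math

# Constructed stand-ins for the cached attack intention knowledge fields that
# step 1 would obtain from the AI knowledge refinement model M1 (ids are made up).
SHARED_CACHE = {
    "log-a1": [0.9, 0.1, 0.0],
    "log-a2": [0.8, 0.2, 0.1],
    "log-a3": [0.7, 0.3, 0.0],
    "log-b1": [0.0, 0.1, 0.9],
    "log-b2": [0.1, 0.0, 0.8],
    "log-c1": [0.1, 0.9, 0.1],
}
# Constructed field of the first log to be identified: mostly "a"-like, with noise.
QUERY_FIELD = [0.5, 0.6, 0.2]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def commonality(a, b):
    """Assumed commonality measure: cosine similarity of two knowledge fields."""
    na, nb = math.sqrt(dot(a, a)), math.sqrt(dot(b, b))
    return dot(a, b) / (na * nb) if na and nb else 0.0


def top_k(field, cache, k, exclude=()):
    """Ids of the k cached logs with the highest commonality, in descending order."""
    scored = [(commonality(field, vec), log_id)
              for log_id, vec in cache.items() if log_id not in exclude]
    scored.sort(key=lambda item: (-item[0], item[1]))  # ties broken by id
    return [log_id for _, log_id in scored[:k]]


def find_second_logs(field, cache, k):
    """First candidates of the query, then the candidates of each first candidate."""
    first = top_k(field, cache, k)
    second = []
    for log_id in first:
        for cand in top_k(cache[log_id], cache, k, exclude={log_id}):
            if cand not in first and cand not in second:
                second.append(cand)
    return first, second


def refine(first_unit, second_units):
    """One optimisation layer: weight the second units, link them, fuse, transform."""
    scale = math.sqrt(len(first_unit))
    scores = [dot(first_unit, unit) / scale for unit in second_units]
    peak = max(scores)
    exps = [math.exp(s - peak) for s in scores]
    weights = [e / sum(exps) for e in exps]          # importance coefficients
    linkage = [sum(w * unit[i] for w, unit in zip(weights, second_units))
               for i in range(len(first_unit))]      # linkage knowledge field
    fused = [x + y for x, y in zip(first_unit, linkage)]
    norm = math.sqrt(dot(fused, fused)) or 1.0
    return [x / norm for x in fused], weights        # L2 norm as the transform


def identify(field, cache, k=2, layers=2, report_size=3):
    """Steps 2 and 4: build the knowledge distribution, refine, rank the cache."""
    first, second = find_second_logs(field, cache, k)
    if not first:                                    # empty cache: nothing to link
        return {"first": [], "second": [], "field": field, "weights": [], "report": []}
    second_units = [cache[log_id] for log_id in first + second]
    weights = []
    for _ in range(layers):                          # cascaded layers
        field, weights = refine(field, second_units)
    # Simplification: shared logs are ranked by their cached fields; step 3
    # would pass each of them through the same refinement first.
    return {"first": first, "second": second, "field": field,
            "weights": weights, "report": top_k(field, cache, report_size)}


if __name__ == "__main__":
    print("raw ranking    :", top_k(QUERY_FIELD, SHARED_CACHE, 3))
    print("refined ranking:", identify(QUERY_FIELD, SHARED_CACHE)["report"])
```

On the constructed data the raw ranking places the outlier log-c1 second, while the refined field ranks the three "a" logs first, which is the interference resistance the description claims. The same smoothing can hide a genuinely rare behaviour, so a detection pipeline would keep both rankings for review.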
According to this digital cloud user behavior log identification method, when the attack intention knowledge field is mined, the attack intention knowledge fields of the second digital cloud user behavior logs related to the first digital cloud user behavior log are analyzed comprehensively, so that the resulting attack intention knowledge field is resistant to interference and has a high degree of feature discrimination, which improves the accuracy and reliability of attack intention analysis and attack protection. In addition, the deep learning model can be cascaded and is highly extensible. During asynchronous debugging, each first digital cloud user behavior log example in a sample can be processed and analyzed flexibly, which ensures the timeliness of model debugging.
In some independently implementable designs, after the attack intention knowledge field of the optimized first digital cloud user behavior log is obtained, the method may further include: performing risk event prediction based on the attack intention knowledge field of the optimized first digital cloud user behavior log to obtain a risk event prediction result; and determining an information security protection scheme for the first digital cloud user behavior log according to the risk event prediction result.
For example, by analyzing and processing the hidden dangers of risk events, an accurate risk event prediction result can be obtained, and an information security protection scheme can then be determined in a targeted manner based on that result, ensuring data and information security during operation of the digital cloud service.
In some independently implementable designs, performing risk event prediction based on the attack intention knowledge field of the optimized first digital cloud user behavior log to obtain a risk event prediction result may include: generating a target risk behavior relationship network from the attack intention knowledge field of the optimized first digital cloud user behavior log; performing attack hidden danger prediction on the target risk behavior relationship network with the configured multiple regression analysis model to obtain attack hidden danger prediction fields of multiple dimensions and the credibility information corresponding to each dimension; and obtaining a risk event prediction result for the target risk behavior relationship network based on the attack hidden danger prediction fields of the multiple dimensions and the credibility information corresponding to each dimension.
With this design, attack hidden danger prediction is carried out comprehensively from different dimensions and credibility is introduced as guidance, so that the accuracy and reliability of the risk event prediction result can be ensured.
In some independently implementable designs, obtaining the risk event prediction result for the target risk behavior relationship network based on the attack hidden danger prediction fields of the multiple dimensions and the credibility information corresponding to each dimension includes: performing field simplification on the attack hidden danger prediction fields of the multiple dimensions to obtain simplified attack hidden danger prediction fields whose dimensionality is smaller than the unreduced dimensionality; performing field derivation on the simplified attack hidden danger prediction fields to obtain derived attack hidden danger prediction fields whose dimensionality equals the unreduced dimensionality; and determining the risk event prediction result for the target risk behavior relationship network based on the derived attack hidden danger prediction fields and the credibility information corresponding to each dimension.
In some independently implementable designs, the multivariate regression analysis model includes a regression analysis unit for performing event prediction. Obtaining the risk event prediction result for the target risk behavior relationship network based on the attack hidden danger prediction fields of the multiple dimensions and the credibility information corresponding to each dimension then includes: determining a feature-summed attack hidden danger prediction field from the result of feature summation between the attack hidden danger prediction fields of the multiple dimensions and the credibility information corresponding to each dimension; and passing the feature-summed attack hidden danger prediction field to the regression analysis unit included in the multivariate regression analysis model to obtain the risk event prediction result output by the regression analysis unit.
Based on the same inventive concept, fig. 2 shows a block diagram of an information security analysis apparatus applied to a digital cloud according to an embodiment of the present invention. For implementing the relevant method steps shown in fig. 1, the apparatus may include a knowledge acquisition module 21 and a knowledge optimization module 22. The knowledge acquisition module 21 is configured to: if an abnormal behavior analysis instruction is detected in a set information protection period, acquire a first expert decision knowledge distribution according to the abnormal behavior analysis instruction; the first expert decision knowledge distribution comprises a first knowledge unit and at least one second knowledge unit, the feature variable of the first knowledge unit reflects an attack intention knowledge field of a first digital cloud user behavior log, the feature variable of the second knowledge unit reflects an attack intention knowledge field of a second digital cloud user behavior log, and the second digital cloud user behavior log is a digital cloud user behavior log meeting a set relationship with the first digital cloud user behavior log. The knowledge optimization module 22 is configured to load the first expert decision knowledge distribution into an intention knowledge decision optimization model; the intention knowledge decision optimization model optimizes the feature variable of the first knowledge unit based on the feature variables of the second knowledge units in the first expert decision knowledge distribution to obtain the attack intention knowledge field of the optimized first digital cloud user behavior log.
The foregoing is only illustrative of the present invention. Those skilled in the art can conceive of changes or substitutions based on the specific embodiments provided by the present invention, and all such changes or substitutions are intended to be included within the scope of the present invention.

Claims (7)

1. An information security analysis method applied to a digital cloud is characterized by being applied to a digital cloud server, and the method comprises the following steps:
if an abnormal behavior analysis instruction is detected in a set information protection period, acquiring first expert decision knowledge distribution according to the abnormal behavior analysis instruction; the first expert decision knowledge distribution comprises a first knowledge unit and at least one second knowledge unit, the characteristic variable of the first knowledge unit reflects an attack intention knowledge field of a first digital cloud user behavior log, the characteristic variable of the second knowledge unit reflects an attack intention knowledge field of a second digital cloud user behavior log, and the second digital cloud user behavior log is a digital cloud user behavior log meeting a set relationship with the first digital cloud user behavior log;
loading the first expert decision knowledge distribution to an intent knowledge decision optimization model; wherein the intention knowledge decision optimization model optimizes the feature variables of the first knowledge unit based on the feature variables of the second knowledge unit in the first expert decision knowledge distribution to obtain attack intention knowledge fields of the first digital cloud user behavior log that is optimized;
wherein the intention knowledge decision optimization model optimizing the feature variables of the first knowledge unit based on the feature variables of the second knowledge unit in the first expert decision knowledge distribution, to obtain the attack intention knowledge field of the optimized first digital cloud user behavior log, comprises: determining an importance coefficient between the first knowledge unit and each of the second knowledge units in the first expert decision knowledge distribution; based on the importance coefficients, connecting the attack intention knowledge fields of the second knowledge units to obtain a linkage attack intention knowledge field of the first knowledge unit; and obtaining the attack intention knowledge field of the optimized first digital cloud user behavior log based on the attack intention knowledge field of the first knowledge unit and the linkage attack intention knowledge field;
wherein the number of intention knowledge decision optimization models is one, or more than one in a cascade structure; and when there are a plurality of intention knowledge decision optimization models, the input information of any intention knowledge decision optimization model is the first expert decision knowledge distribution generated by the previous connected intention knowledge decision optimization model;
before the step of acquiring a first expert decision knowledge distribution according to an abnormal behavior analysis instruction if the abnormal behavior analysis instruction is detected in a set information protection period, the method further includes: based on the first digital cloud user behavior log, acquiring a second digital cloud user behavior log of which the common score with the first digital cloud user behavior log reaches a set score from a cloud shared storage space;
the method for acquiring the second digital cloud user behavior log with the common score reaching the set score with the first digital cloud user behavior log from the cloud shared storage space based on the first digital cloud user behavior log comprises the following steps: respectively mining attack intention knowledge fields of the first digital cloud user behavior log and attack intention knowledge fields of all shared user behavior logs in the cloud shared storage space through an AI knowledge refining model; determining a second digital cloud user behavior log with a common score reaching a set score with the first digital cloud user behavior log from the cloud shared storage space based on word vector commonality between the attack intention knowledge field of the first digital cloud user behavior log and the attack intention knowledge field of each shared user behavior log in the cloud shared storage space;
the determining a second digital cloud user behavior log with a commonality score reaching a set score based on a word vector commonality between the attack intention knowledge field of the first digital cloud user behavior log and the attack intention knowledge field of each shared user behavior log in the cloud shared storage space includes:
sorting word vector commonalities between the first digital cloud user behavior log and each shared user behavior log according to a rule of descending word vector commonalities;
and selecting the shared user behavior logs corresponding to the set number of top-ranked word vector commonalities as the second digital cloud user behavior logs whose commonality score with the first digital cloud user behavior log reaches the set score.
2. The method of claim 1, wherein determining a second digital cloud user behavior log from the cloud shared storage space having a commonality score with the first digital cloud user behavior log that reaches a set score based on a word vector commonality between the attack intention knowledge field of the first digital cloud user behavior log and the attack intention knowledge field of each of the shared user behavior logs in the cloud shared storage space comprises:
obtaining a first candidate user behavior log associated with the first digital cloud user behavior log from each shared user behavior log based on word vector commonality between attack intention knowledge fields of the first digital cloud user behavior log and attack intention knowledge fields of each shared user behavior log;
obtaining a second candidate user behavior log associated with the first candidate user behavior log from each shared user behavior log based on word vector commonality between the attack intention knowledge field of the first candidate user behavior log and the attack intention knowledge field of the shared user behavior log;
and taking the first candidate user behavior log and the second candidate user behavior log as a second digital cloud user behavior log of the first digital cloud user behavior log.
3. The method according to claim 1, wherein the connecting the attack intention knowledge fields of the second knowledge units based on the importance coefficients to obtain the linkage attack intention knowledge field of the first knowledge unit comprises: and performing global operation on the attack intention knowledge fields of the second knowledge units based on the importance coefficients to obtain the linkage attack intention knowledge fields of the first knowledge units.
4. The method according to claim 1, wherein obtaining the attack intention knowledge field of the optimized first digital cloud user behavior log based on the attack intention knowledge field of the first knowledge unit and the linkage attack intention knowledge field comprises:
fusing an attack intention knowledge field of the first knowledge unit with the linkage attack intention knowledge field;
and carrying out first feature transformation processing on the fused knowledge field to obtain an attack intention knowledge field of the optimized first digital cloud user behavior log.
5. The method of claim 1, wherein determining an importance coefficient between the first knowledge unit and each of the second knowledge units in the first expert decision knowledge distribution comprises:
performing second feature transformation processing on the first knowledge unit and the second knowledge unit;
determining a binary operation result between the first knowledge unit and the second knowledge unit after the second feature transformation processing;
and determining the importance coefficient according to the binary operation result after the first feature transformation.
6. The method of claim 1, wherein the first digital cloud user behavior log comprises: target user behavior logs to be identified and shared user behavior logs in the cloud shared storage space; after obtaining the attack intention knowledge field of the first digital cloud user behavior log corresponding to the first knowledge unit, the method further includes: and acquiring associated digital cloud user behavior logs of the first digital cloud user behavior log from the shared user behavior log as a log identification report based on word vector commonality between the attack intention knowledge fields of the optimized first digital cloud user behavior log and the attack intention knowledge fields of the shared user behavior logs.
7. A digital cloud server, comprising: a memory and a processor; the memory and the processor are coupled; the memory for storing computer program code, the computer program code comprising computer instructions; wherein the computer instructions, when executed by the processor, cause the digital cloud server to perform the method of any of claims 1-6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211118052.XA CN115344880B (en) 2022-09-14 2022-09-14 Information security analysis method and server applied to digital cloud

Publications (2)

Publication Number Publication Date
CN115344880A CN115344880A (en) 2022-11-15
CN115344880B true CN115344880B (en) 2023-04-07

Family

ID=83955162

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211118052.XA Active CN115344880B (en) 2022-09-14 2022-09-14 Information security analysis method and server applied to digital cloud

Country Status (1)

Country Link
CN (1) CN115344880B (en)

Also Published As

Publication number Publication date
CN115344880A (en) 2022-11-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20230301

Address after: 156 Shop, Fukang Road, Xintiandi Commercial Plaza, Sucheng District, Suqian City, Jiangsu Province, 223800

Applicant after: Ding Yuehui

Address before: No. 21, Dongfeng South Road, Hongta District, Yuxi, Yunnan 653100

Applicant before: Chen Cheng

GR01 Patent grant