CN117640407B - User data analysis and identification system and method based on 5G communication technology - Google Patents

Abstract

The invention discloses a user data analysis and identification system and method based on a 5G communication technology, and belongs to the technical field of data analysis. Establishing an Internet of things virtual cloud database, recording and storing sub-cloud operation data corresponding to an Internet of things end, establishing an operation archive, and classifying and counting processes of sub-cloud execution, an isolation space allocated by the Internet of things virtual cloud and a network isolation layer created by the Internet of things virtual cloud; the architecture operates an associated behavior chain identification model, records the behavior of each process for controlling access to an isolation space by means of a network isolation layer, and adds a time tag to the operation associated behavior chain to generate a behavior association group; the reliability of the process in the behavior association group is calculated by analyzing behavior characteristics of different data behaviors in the same time segment and under different time cycle periods, and the safety limit value of the same network isolation layer in the same time segment is conveniently calculated by cleaning abnormal data behaviors, so that safety early warning can be carried out on user behaviors in real time or periodically.

Description

User data analysis and identification system and method based on 5G communication technology

Technical Field

The invention relates to the technical field of data analysis, in particular to a system and a method for analyzing and identifying user data based on a 5G communication technology.

Background

With the rapid development of the internet, the problems of network attack and data leakage are increasingly prominent, the demands on network security are also becoming urgent, and the virtualized security isolation technology is being widely applied to various industries as an advanced network security protection means;

in the field of multi-scene fusion of a everything interconnection architecture, different users, applications or services can realize isolation and safe access of resources based on virtualized environments, and can realize multifunctional synchronous operation in a mutually noninterfere mode, so that not only the mutually noninterfere of program processes is needed to be considered, but also the resources are prevented from being attacked and maliciously occupied, and the process execution cannot be completed.

Disclosure of Invention

The invention aims to provide a system and a method for analyzing and identifying user data based on a 5G communication technology, so as to solve the problems in the background technology.

In order to solve the technical problems, the invention provides the following technical scheme:

A 5G communication technology based user data analysis and identification system, the system comprising: the system comprises an Internet of things virtual cloud module, a data processing module, a data analysis module and a behavior early warning module;

The virtual cloud module of the Internet of things is used for establishing a virtual cloud database of the Internet of things and recording and storing sub-cloud operation data corresponding to the end of the Internet of things; establishing an operation archive, and classifying and counting processes executed by the sub-cloud, an isolation space allocated by the virtual cloud of the Internet of things and a network isolation layer created by the virtual cloud of the Internet of things;

The data processing module is used for constructing an operation association behavior chain identification model, recording the behavior of each process for controlling access to the isolation space by means of the network isolation layer, and attaching a time tag to the operation association behavior chain; classifying and identifying the operation association behavior chains according to the time labels to generate a behavior association group;

The data analysis module calculates the credibility of the process in the behavior association group according to the classification and identification result; data cleaning and updating are carried out on the behavior association group;

The behavior early warning module calculates the safety limit value of the network isolation layer in the time segment according to the data cleaning result; and sends out an early warning prompt.

Further, the internet of things virtual cloud module further comprises a database unit and an archive unit;

The system comprises a database unit, an Internet of things virtual cloud database, a network isolation layer and a network mapping unit, wherein the database unit is used for establishing an Internet of things virtual cloud database, the Internet of things virtual cloud database stores operation data corresponding to sub-clouds connected through 5G communication, the sub-clouds are connected with each other in an interactive mode based on ports of an Internet of things terminal, the operation data comprise isolation spaces occupied by processes in the execution process of each sub-cloud and network isolation layers called by the processes in the execution process of each sub-cloud, the isolation spaces are independent memory spaces with the same size and distributed by the Internet of things virtual cloud, the network isolation layers are virtual connection mapping channels which are created by the Internet of things virtual cloud and are used for providing the sub-clouds with the execution process, and the mapping refers to corresponding software service functions which are converted into the Internet of things virtual cloud based on each hardware service function of the Internet of things terminal; one sub cloud corresponds to one Internet of things terminal;

The archive unit is used for establishing an operation archive, wherein the operation archive comprises a process item set, a space pointer set and a channel medium set; the process item set comprises processes executed by all sub-clouds, and is recorded as PP= { P _a |a epsilon [1, A ] }, wherein P _a represents an a-th process, and A represents the total number of processes; the space pointer set comprises isolation spaces distributed by virtual clouds of the Internet of things, and is recorded as SP= { LS _b |b epsilon [1, B ] }, wherein LS _b represents the B-th isolation space, and B represents the total number of the isolation spaces; the channel medium set comprises a network isolation layer created by the virtual cloud of the Internet of things, and is recorded as CM= { IL _d |d epsilon [1, D ] }, wherein IL _d represents the D-th network isolation layer, and D represents the total number of the network isolation layers.

Further, the data processing module further comprises a behavior chain recording unit and a classification and identification unit;

the behavior chain recording unit is used for constructing an operation association behavior chain identification model, wherein the operation association behavior chain refers to the behavior that each process accesses an isolation space by means of a network isolation layer control in the process of executing each sub-cloud execution process; dividing the time in one day into k continuous time slices by taking the day as a time cycle period, and marking any one time slice as T _c, wherein c represents the sequence number of the time slice; adding a time tag to an operation association action chain, recording the occurrence time range of the operation association action chain, and recording any operation association action chain as P _a→IL_d→LS_b, wherein the added time tag of the operation association action chain is recorded as T _c(t):P_a→IL_d→LS_b, the time tag T _c (T) indicates that the operation association action chain P _a→IL_d→LS_b occurs in a time segment T _c in the T-th time cycle period, and the operation association action chain P _a→IL_d→LS_b indicates that the process P _a accesses an isolation space LS _b and occupies the isolation space LS _b under the control of a network isolation layer IL _d;

The classification and identification unit performs classification and identification on the operation association behavior chain according to the time segment and the network isolation layer, and the classification and identification mode is as follows:

Under the time label T _c (T), all processes and all isolation spaces for controlling interaction between the processes and the isolation spaces by means of the network isolation layer are acquired, and a behavior association group is generated and is recorded as R [ T _c(t)|IL_d]：PP[T_c(t)|IL_d]→LL[T_c(t)|IL_d ], wherein R [ T _c(t)|IL_d ] represents a behavior association group for controlling interaction process in a time segment T _c in a T-th time cycle period, PP [ T _c(t)|IL_d ] represents a process identification set formed by all processes in the behavior association group R [ T _c(t)|IL_d ], LL [ T _c(t)|IL_d ] represents a space identification set formed by all isolation spaces in the behavior association group R [ T _c(t)|IL_d ], and PP [ T _c(t)|IL_d]∈PP,LL[T_c(t)|IL_d ] epsilon SP.

Further, the data analysis module further comprises a credibility analysis unit and a data cleaning unit;

The credibility analysis unit is used for comprehensively planning corresponding behavior association groups under the same network isolation layer according to the classification and identification results, generating a database to be cleaned and marking the database as Q; the process P _a is obtained in the process item set, any behavior association group R [ T _c(t)|IL_d ] is obtained in the database Q to be cleaned, if P _a∈PP[T_c(t)|IL_d ], the behavior association group R [ T _c(t)|IL_d ] is extracted, the credibility of the process P _a in the behavior association group R [ T _c(t)|IL_d ] is calculated, and the specific calculation formula is as follows:

Where RL { P _a→R[T_c(t)|IL_d ] } represents the credibility of the process P _a in the behavior association group R [ T _c(t)|IL_d ], PP [ T _c(s)|IL_d ] represents a process identification set composed of all processes in the behavior association group R [ T _c(s)|IL_d ], NUM { PP [ T _c(t)|IL_d]∩PP[T_c(s)|IL_d ] } represents the total number of processes contained in the intersection of the process identification set PP [ T _c(t)|IL_d ] and the process identification set PP [ T _c(s)|IL_d ], NUM { PP [ T _c(t)|IL_d ] } represents the total number of processes contained in the process identification set PP [ T _c(t)|IL_d ], and T represents the total number of time cycle periods;

If it is NUM { PP [ T _c(t)|IL_d]∩PP[T_c(s)|IL_d ] } =0 if/>And/>Letting NUM { PP [ T _c(t)|IL_d]∩PP[T_c(s)|IL_d ] } =0;

The data cleaning unit is configured to perform data cleaning on the behavior association group, preset a reliability threshold, and if the reliability of the process P _a in the behavior association group R [ T _c(t)|IL_d ] is less than or equal to the reliability threshold, clean the process P _a from the process identification set PP [ T _c(t)|IL_d ], and clean the isolation space LS _b occupied by the process P _a from the space identification set LL [ T _c(t)|IL_d ] and update the behavior association group R [ T _c(t)|IL_d ];

Acquiring another process in the process project set, returning to step S301, and performing cleaning iteration until all processes in the process project set participate in completing the updating of the behavior association group R [ T _c(t)|IL_d ], and stopping cleaning iteration;

The finally updated behavior association group R [ T _c(t)|IL_d]：PP[T_c(t)|IL_d]→LL[T_c(t)|IL_d ] is denoted as R [ T _c(t)|IL_d]：P[T_c(t)|IL_d]→L[T_c(t)|IL_d ], wherein P [ T _c(t)|IL_d ] represents a process identification set formed by all processes in the behavior association group R [ T _c(t)|IL_d ], L [ T _c(t)|IL_d ] represents a space identification set formed by all isolation spaces in the behavior association group R [ T _c(t)|IL_d ], and P[T_c(t)|IL_d]∈PP[T_c(t)|IL_d],L[T_c(t)|IL_d]∈LL[T_c(t)|IL_d].

Further, the behavior early warning module further comprises a safety limit value analysis unit and an early warning prompt unit;

the safety limit value analysis unit calculates the safety limit value of the network isolation layer in the time segment according to the data cleaning result, and the specific calculation formula is as follows:

Wherein SLV (IL _d) represents the security threshold of the network isolation layer IL _d within the time segment T _c, NUM { L [ T _c(t)|IL_d ] } represents the total number of isolation spaces contained in the space identification set L [ T _c(t)|IL_d ], NUM { P [ T _c(t)|IL_d ] } represents the total number of processes contained in the process identification set P [ T _c(t)|IL_d ];

the early warning prompt unit is used for presetting a safety limit value threshold, and sending out early warning prompt if the safety limit value SLV (IL _d|T_c) is larger than or equal to the safety limit value threshold.

A user data analysis and identification method based on 5G communication technology includes the following steps:

step S100: establishing an Internet of things virtual cloud database, and recording and storing sub-cloud operation data corresponding to an Internet of things terminal; establishing an operation archive, and classifying and counting processes executed by the sub-cloud, an isolation space allocated by the virtual cloud of the Internet of things and a network isolation layer created by the virtual cloud of the Internet of things;

Step S200: the architecture runs an associated behavior chain identification model, records the behavior of each process for controlling access to an isolation space by means of a network isolation layer, and attaches a time tag to the running associated behavior chain; classifying and identifying the operation association behavior chains according to the time labels to generate a behavior association group;

step S300: calculating the credibility of the process in the behavior association group according to the classification and identification result; data cleaning and updating are carried out on the behavior association group;

step S400: according to the data cleaning result, calculating the safety limit value of the network isolation layer in the time segment; and sends out an early warning prompt.

Further, the specific implementation process of the step S100 includes:

Step S101: establishing an Internet of things virtual cloud database, wherein operation data corresponding to sub-clouds connected through 5G communication are stored in the Internet of things virtual cloud database, the sub-clouds are connected with each other in an interactive mode based on ports of an Internet of things terminal, the operation data comprise isolation spaces occupied by processes in the process of executing each sub-cloud and network isolation layers called by the processes in the process of executing each sub-cloud, the isolation spaces are independent memory spaces with the same size and distributed by the Internet of things virtual cloud, the network isolation layers are virtual connection mapping channels which are created by the Internet of things virtual cloud and are used for providing the sub-clouds with the process of executing each sub-cloud, and mapping refers to corresponding software service functions which are realized in the Internet of things virtual cloud based on conversion of hardware service functions of the Internet of things terminal; one sub cloud corresponds to one Internet of things terminal;

step S102: establishing an operation archive, wherein the operation archive comprises a process item set, a space pointer set and a channel medium set; the process item set comprises processes executed by all sub-clouds, and is recorded as PP= { P _a |a epsilon [1, A ] }, wherein P _a represents an a-th process, and A represents the total number of processes; the space pointer set comprises isolation spaces distributed by virtual clouds of the Internet of things, and is recorded as SP= { LS _b |b epsilon [1, B ] }, wherein LS _b represents the B-th isolation space, and B represents the total number of the isolation spaces; the channel medium set comprises a network isolation layer created by the virtual cloud of the Internet of things, and is recorded as CM= { IL _d |d epsilon [1, D ] }, wherein IL _d represents the D-th network isolation layer, and D represents the total number of the network isolation layers.

According to the method, in the field of multi-scenario fusion based on the everything interconnection architecture, the multi-internet-of-things terminal can realize interactive access between the processes and the memory resources through the allocation interface protocol, wherein synchronous call of the multi-processes is realized through the network isolation layer, however, although the operation of each process can be effectively isolated through the network isolation layer as the middle layer, access paths of other processes still exist to be attacked or modified through implantation of malicious programs from the source, so that the execution efficiency of the processes is affected, and the use experience of everything interconnection cannot meet the user requirements; according to the application, the virtual space is established, so that the operation data of each port connected through the 5G communication is stored, and meanwhile, the independent storage spaces of a plurality of units, namely the isolation spaces, are divided, so that when the system is attacked, enough intact spaces can be ensured to be still utilized to the maximum extent.

Further, the specific implementation process of the step S200 includes:

Step S201: the method comprises the steps of constructing an operation association behavior chain identification model, wherein the operation association behavior chain refers to the behavior that each process accesses an isolation space by means of a network isolation layer control in the process of executing each sub-cloud; dividing the time in one day into k continuous time slices by taking the day as a time cycle period, and marking any one time slice as T _c, wherein c represents the sequence number of the time slice; adding a time tag to an operation association action chain, recording the occurrence time range of the operation association action chain, and recording any operation association action chain as P _a→IL_d→LS_b, wherein the added time tag of the operation association action chain is recorded as T _c(t):P_a→IL_d→LS_b, the time tag T _c (T) indicates that the operation association action chain P _a→IL_d→LS_b occurs in a time segment T _c in the T-th time cycle period, and the operation association action chain P _a→IL_d→LS_b indicates that the process P _a accesses an isolation space LS _b and occupies the isolation space LS _b under the control of a network isolation layer IL _d;

Step S202: and carrying out classification and identification on the operation association behavior chain according to the time segment and the network isolation layer, wherein the classification and identification mode is as follows:

Under the time label T _c (T), all processes and all isolation spaces for controlling interaction between the processes and the isolation spaces by means of the network isolation layer are acquired, and a behavior association group is generated and is recorded as R [ T _c(t)|IL_d]：PP[T_c(t)|IL_d]→LL[T_c(t)|IL_d ], wherein R [ T _c(t)|IL_d ] represents a behavior association group for controlling interaction process in a time segment T _c in a T-th time cycle period, PP [ T _c(t)|IL_d ] represents a process identification set formed by all processes in the behavior association group R [ T _c(t)|IL_d ], LL [ T _c(t)|IL_d ] represents a space identification set formed by all isolation spaces in the behavior association group R [ T _c(t)|IL_d ], and PP [ T _c(t)|IL_d]∈PP,LL[T_c(t)|IL_d ] epsilon SP.

According to the method, the process controls access to the isolation space by means of the network isolation layer, a behavior chain is generated in the process, meanwhile, the advantage of dividing continuous time slices is that a large number of behavior chains can be subjected to micro-quantitative segment analysis, in a everything interconnection scene, behavior habits of users in one day are inevitably irregular to a great extent, and the micro-quantitative time segment analysis can grasp the behavior rules of the users from details.

Further, the implementation process of the step S300 includes:

Step S301: according to the classification and identification result, corresponding behavior association groups under the same network isolation layer are comprehensively organized, a database to be cleaned is generated, and the database is marked as Q; the process P _a is obtained in the process item set, any behavior association group R [ T _c(t)|IL_d ] is obtained in the database Q to be cleaned, if P _a∈PP[T_c(t)|IL_d ], the behavior association group R [ T _c(t)|IL_d ] is extracted, the credibility of the process P _a in the behavior association group R [ T _c(t)|IL_d ] is calculated, and the specific calculation formula is as follows:

Where RL { P _a→R[T_c(t)|IL_d ] } represents the credibility of the process P _a in the behavior association group R [ T _c(t)|IL_d ], PP [ T _c(s)|IL_d ] represents a process identification set composed of all processes in the behavior association group R [ T _c(s)|IL_d ], NUM { PP [ T _c(t)|IL_d]∩PP[T_c(s)|IL_d ] } represents the total number of processes contained in the intersection of the process identification set PP [ T _c(t)|IL_d ] and the process identification set PP [ T _c(s)|IL_d ], NUM { PP [ T _c(t)|IL_d ] } represents the total number of processes contained in the process identification set PP [ T _c(t)|IL_d ], and T represents the total number of time cycle periods;

If it is NUM { PP [ T _c(t)|IL_d]∩PP[T_c(s)|IL_d ] } =0 if/>And/>Letting NUM { PP [ T _c(t)|IL_d]∩PP[T_c(s)|IL_d ] } =0;

Step S302: carrying out data cleaning on the behavior association group, presetting a credibility threshold, if the credibility of the process P _a in the behavior association group R [ T _c(t)|IL_d ] is smaller than or equal to the credibility threshold, clearing the process P _a from a process identification set PP [ T _c(t)|IL_d ], clearing an isolation space LS _b occupied by the process P _a from a space identification set LL [ T _c(t)|IL_d ], and updating the behavior association group R [ T _c(t)|IL_d ];

Acquiring another process in the process project set, returning to step S301, and performing cleaning iteration until all processes in the process project set participate in completing the updating of the behavior association group R [ T _c(t)|IL_d ], and stopping cleaning iteration;

The finally updated behavior association group R [ T _c(t)|IL_d]：PP[T_c(t)|IL_d]→LL[T_c(t)|IL_d ] is denoted as R [ T _c(t)|IL_d]：P[T_c(t)|IL_d]→L[T_c(t)|IL_d ], wherein P [ T _c(t)|IL_d ] represents a process identification set formed by all processes in the behavior association group R [ T _c(t)|IL_d ], L [ T _c(t)|IL_d ] represents a space identification set formed by all isolation spaces in the behavior association group R [ T _c(t)|IL_d ], and P[T_c(t)|IL_d]∈PP[T_c(t)|IL_d],L[T_c(t)|IL_d]∈LL[T_c(t)|IL_d].

According to the method, a large amount of behavior data are accumulated in different time cycle periods in the same time segment, the running rule of a process in the same time segment is obtained through quantitative analysis, namely the reliability is obtained, meanwhile, the reliability is obtained based on pairwise comparison analysis of the same time segment in different time cycle periods, long-term behavior habit data analysis is convenient for finding out regularity characteristics, for one process, if the process is simultaneously present in the same time segment in two different time cycle periods, a plurality of processes in the same time segment can be mutually supervised, so that the greater the reliability is, the fact that a certain process is approved by most processes in the same time segment is obtained, namely the process is mutually familiar, namely the process is normal by means of resource access behavior of the process by a network isolation layer, otherwise, the process is extremely likely to be an abnormal malicious process; the effect of the data cleaning is then to clean up the operational data of these abnormal processes so that subsequent digital analysis can be quantified under normal circumstances.

Further, the specific implementation process of the step S400 includes:

step S401: according to the data cleaning result, calculating the safety limit value of the network isolation layer in the time segment, wherein the specific calculation formula is as follows:

Wherein SLV (IL _d) represents the security threshold of the network isolation layer IL _d within the time segment T _c, NUM { L [ T _c(t)|IL_d ] } represents the total number of isolation spaces contained in the space identification set L [ T _c(t)|IL_d ], NUM { P [ T _c(t)|IL_d ] } represents the total number of processes contained in the process identification set P [ T _c(t)|IL_d ];

step S402: and presetting a safety limit value threshold, and sending out an early warning prompt if the safety limit value SLV (IL _d|T_c) is larger than or equal to the safety limit value threshold.

According to the method, the safety limit value is analyzed under normal environment, and the formulaThe method is characterized in that the single process is used for obtaining a process behavior stability value which can be borne by the network isolation layer in the same time segment through carrying out occupied memory volume by the network isolation layer and carrying out long-term time cycle period accumulated calculation, namely, a safety limit value is obtained, and the larger the safety limit value is, the larger the process behavior fluctuation which can be borne by the network isolation layer in the same time segment is, and further the risk is also larger.

Compared with the prior art, the invention has the following beneficial effects: in the user data analysis and identification system and method based on the 5G communication technology, an Internet of things virtual cloud database is established, sub-cloud operation data corresponding to an Internet of things end is recorded and stored, an operation archive is established, and the progress of sub-cloud execution, the isolation space allocated by the Internet of things virtual cloud and the network isolation layer created by the Internet of things virtual cloud are classified and counted; the architecture operates an associated behavior chain identification model, records the behavior of each process for controlling access to an isolation space by means of a network isolation layer, and adds a time tag to the operation associated behavior chain to generate a behavior association group; the reliability of the process in the behavior association group is calculated by analyzing behavior characteristics of different data behaviors in the same time segment and under different time cycle periods, and the safety limit value of the same network isolation layer in the same time segment is conveniently calculated by cleaning abnormal data behaviors, so that safety early warning can be carried out on user behaviors in real time or periodically. .

Drawings

The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate the invention and together with the embodiments of the invention, serve to explain the invention. In the drawings:

FIG. 1 is a schematic diagram of a system for analyzing and identifying user data based on 5G communication technology according to the present invention;

fig. 2 is a schematic diagram of steps of a method for analyzing and identifying user data based on a 5G communication technology according to the present invention.

Detailed Description

The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.

Referring to fig. 1-2, the present invention provides the following technical solutions:

Referring to fig. 1, in a first embodiment: there is provided a 5G communication technology-based user data analysis and identification system, the system comprising: the system comprises an Internet of things virtual cloud module, a data processing module, a data analysis module and a behavior early warning module;

The virtual cloud module of the Internet of things is used for establishing a virtual cloud database of the Internet of things and recording and storing sub-cloud operation data corresponding to the Internet of things terminal; establishing an operation archive, and classifying and counting processes executed by the sub-cloud, an isolation space allocated by the virtual cloud of the Internet of things and a network isolation layer created by the virtual cloud of the Internet of things;

the virtual cloud module of the Internet of things further comprises a database unit and an archive unit;

The system comprises a database unit, a network isolation unit and a network management unit, wherein the database unit is used for establishing an Internet of things virtual cloud database, the Internet of things virtual cloud database stores operation data corresponding to sub-clouds connected through 5G communication, the sub-clouds are used for carrying out the interconnection of the Internet of things virtual clouds based on ports of an Internet of things terminal, the operation data comprises an isolation space occupied by processes in the execution process of each sub-cloud and a network isolation layer called by the processes in the execution process of each sub-cloud, the isolation space is an independent memory space with the same size and distributed by the Internet of things virtual cloud, the network isolation layer is a virtual connection mapping channel which is created by the Internet of things virtual cloud and is used for providing the execution process of each sub-cloud, and mapping refers to conversion of each hardware service function based on the Internet of things terminal into a corresponding software service function realized in the Internet of things virtual cloud; one sub cloud corresponds to one Internet of things terminal;

the archive unit is used for establishing an operation archive, wherein the operation archive comprises a process item set, a space pointer set and a channel medium set; the process item set comprises processes executed by all sub-clouds, and is recorded as PP= { P _a |a epsilon [1, A ] }, wherein P _a represents an a-th process, and A represents the total number of processes; the space pointer set comprises isolation spaces distributed by virtual clouds of the Internet of things, and the space pointer set is marked as SP= { LS _b |b epsilon [1, B ] }, wherein LS _b represents the B-th isolation space, and B represents the total number of the isolation spaces; the channel medium set comprises a network isolation layer created by the virtual cloud of the Internet of things, and the channel medium set is recorded as CM= { IL _d |d epsilon [1, D ] }, wherein IL _d represents the D-th network isolation layer, and D represents the total number of the network isolation layers.

The data processing module is used for constructing an operation association behavior chain identification model, recording the behavior of each process for controlling access to the isolation space by means of the network isolation layer, and attaching a time tag to the operation association behavior chain; classifying and identifying the operation association behavior chains according to the time labels to generate a behavior association group;

the data processing module further comprises a behavior chain recording unit and a classification and identification unit;

The behavior chain recording unit is used for constructing an operation association behavior chain identification model, wherein the operation association behavior chain refers to the behavior of each process for controlling access to an isolation space by means of a network isolation layer in the process of executing each sub-cloud; dividing the time in one day into k continuous time slices by taking the day as a time cycle period, and marking any one time slice as T _c, wherein c represents the sequence number of the time slice; adding a time tag to an operation association action chain, recording the occurrence time range of the operation association action chain, and recording any operation association action chain as P _a→IL_d→LS_b, wherein the added time tag of the operation association action chain is recorded as T _c(t):P_a→IL_d→LS_b, the time tag T _c (T) indicates that the operation association action chain P _a→IL_d→LS_b occurs in a time segment T _c in the T-th time cycle period, and the operation association action chain P _a→IL_d→LS_b indicates that the process P _a accesses an isolation space LS _b and occupies the isolation space LS _b under the control of a network isolation layer IL _d;

The classification and identification unit performs classification and identification on the operation association behavior chain according to the time segment and the network isolation layer, and the classification and identification mode is as follows:

Under the time label T _c (T), all processes and all isolation spaces for controlling interaction between the processes and the isolation spaces by means of the network isolation layer are acquired, and a behavior association group is generated and is recorded as R [ T _c(t)|IL_d]：PP[T_c(t)|IL_d]→LL[T_c(t)|IL_d ], wherein R [ T _c(t)|IL_d ] represents a behavior association group for controlling interaction process in a time segment T _c in a T-th time cycle period, PP [ T _c(t)|IL_d ] represents a process identification set formed by all processes in the behavior association group R [ T _c(t)|IL_d ], LL [ T _c(t)|IL_d ] represents a space identification set formed by all isolation spaces in the behavior association group R [ T _c(t)|IL_d ], and PP [ T _c(t)|IL_d]∈PP,LL[T_c(t)|IL_d ] epsilon SP.

The data analysis module is used for calculating the credibility of the process in the behavior association group according to the classification and identification results; data cleaning and updating are carried out on the behavior association group;

the data analysis module further comprises a credibility analysis unit and a data cleaning unit;

The credibility analysis unit is used for comprehensively planning a corresponding behavior association group under the same network isolation layer according to the classification and identification result, generating a database to be cleaned and marking the database as Q; the process P _a is obtained in the process item set, any behavior association group R [ T _c(t)|IL_d ] is obtained in the database Q to be cleaned, if P _a∈PP[T_c(t)|IL_d ], the behavior association group R [ T _c(t)|IL_d ] is extracted, the credibility of the process P _a in the behavior association group R [ T _c(t)|IL_d ] is calculated, and the specific calculation formula is as follows:

Where RL { P _a→R[T_c(t)|IL_d ] } represents the credibility of the process P _a in the behavior association group R [ T _c(t)|IL_d ], PP [ T _c(s)|IL_d ] represents a process identification set composed of all processes in the behavior association group R [ T _c(s)|IL_d ], NUM { PP [ T _c(t)|IL_d]∩PP[T_c(s)|IL_d ] } represents the total number of processes contained in the intersection of the process identification set PP [ T _c(t)|IL_d ] and the process identification set PP [ T _c(s)|IL_d ], NUM { PP [ T _c(t)|IL_d ] } represents the total number of processes contained in the process identification set PP [ T _c(t)|IL_d ], and T represents the total number of time cycle periods;

If it is NUM { PP [ T _c(t)|IL_d]∩PP[T_c(s)|IL_d ] } =0 if/>And/>Letting NUM { PP [ T _c(t)|IL_d]∩PP[T_c(s)|IL_d ] } =0;

the data cleaning unit is used for cleaning data of the behavior association group, presetting a reliability threshold, if the reliability of the process P _a in the behavior association group R [ T _c(T)|IL_d ] is smaller than or equal to the reliability threshold, cleaning the process P _a from the process identification set PP [ T _c(t)|IL_d ], cleaning an isolation space LS _b occupied by the process P _a from the space identification set LL [ T _c(t)|IL_d ], and updating the behavior association group R [ T _c(t)|IL_d ];

Acquiring another process in the process project set, returning to step S301, and performing cleaning iteration until all processes in the process project set participate in completing the updating of the behavior association group R [ T _c(t)|IL_d ], and stopping cleaning iteration;

The finally updated behavior association group R [ T _c(t)|IL_d]：PP[T_c(t)|IL_d]→LL[T_c(t)|IL_d ] is denoted as R [ T _c(t)|IL_d]：P[T_c(t)|IL_d]→L[T_c(t)|IL_d ], wherein P [ T _c(t)|IL_d ] represents a process identification set formed by all processes in the behavior association group R [ T _c(t)|IL_d ], L [ T _c(t)|IL_d ] represents a space identification set formed by all isolation spaces in the behavior association group R [ T _c(t)|IL_d ], and P[T_c(t)|IL_d]∈PP[T_c(t)|IL_d],L[T_c(t)|IL_d]∈LL[T_c(t)|IL_d].

The behavior early warning module calculates the safety limit value of the network isolation layer in the time segment according to the data cleaning result; and sending out an early warning prompt;

The behavior early warning module further comprises a safety limit value analysis unit and an early warning prompt unit;

The safety limit value analysis unit calculates the safety limit value of the network isolation layer in the time segment according to the data cleaning result, and the specific calculation formula is as follows:

Wherein SLV (IL _d) represents the security threshold of the network isolation layer IL _d within the time segment T _c, NUM { L [ T _c(t)|IL_d ] } represents the total number of isolation spaces contained in the space identification set L [ T _c(t)|IL_d ], NUM { P [ T _c(t)|IL_d ] } represents the total number of processes contained in the process identification set P [ T _c(t)|IL_d ];

The early warning prompt unit is used for presetting a safety limit value threshold, and sending out early warning prompt if the safety limit value SLV (IL _d|T_c) is larger than or equal to the safety limit value threshold.

Referring to fig. 2, in the second embodiment: the method for analyzing and identifying the user data based on the 5G communication technology comprises the following steps:

step S100: establishing an Internet of things virtual cloud database, and recording and storing sub-cloud operation data corresponding to an Internet of things terminal; establishing an operation archive, and classifying and counting processes executed by the sub-cloud, an isolation space allocated by the virtual cloud of the Internet of things and a network isolation layer created by the virtual cloud of the Internet of things;

specifically, an Internet of things virtual cloud database is established, operation data corresponding to sub-clouds connected through 5G communication are stored in the Internet of things virtual cloud database, the sub-clouds are connected with each other in an interactive mode based on ports of an Internet of things terminal, the operation data comprise isolation spaces occupied by processes in the process of executing each sub-cloud and network isolation layers called by the processes in the process of executing each sub-cloud, the isolation spaces are independent memory spaces with the same size and distributed by the Internet of things virtual cloud, the network isolation layers are virtual connection mapping channels which are created by the Internet of things virtual cloud and are used for providing the sub-clouds with the process of executing each sub-cloud, and mapping refers to conversion of each hardware service function based on the Internet of things terminal into corresponding software service functions realized in the Internet of things virtual cloud; one sub cloud corresponds to one Internet of things terminal;

Establishing an operation archive, wherein the operation archive comprises a process item set, a space pointer set and a channel medium set; the process item set comprises processes executed by all sub-clouds, and is recorded as PP= { P _a |a epsilon [1, A ] }, wherein P _a represents an a-th process, and A represents the total number of processes; the space pointer set comprises isolation spaces distributed by virtual clouds of the Internet of things, and the space pointer set is marked as SP= { LS _b |b epsilon [1, B ] }, wherein LS _b represents the B-th isolation space, and B represents the total number of the isolation spaces; the channel medium set comprises a network isolation layer created by the virtual cloud of the Internet of things, and the channel medium set is recorded as CM= { IL _d |d epsilon [1, D ] }, wherein IL _d represents the D-th network isolation layer, and D represents the total number of the network isolation layers.

For example, for the case of everything interconnection in the smart home field, each smart home can be allocated a dedicated sub-cloud space docking interaction.

Step S200: the architecture runs an associated behavior chain identification model, records the behavior of each process for controlling access to an isolation space by means of a network isolation layer, and attaches a time tag to the running associated behavior chain; classifying and identifying the operation association behavior chains according to the time labels to generate a behavior association group;

Specifically, the architecture runs an associated behavior chain identification model, and the associated behavior chain is run in the process of executing processes of all sub-clouds, and all processes control the behavior of accessing an isolation space by means of a network isolation layer; dividing the time in one day into k continuous time slices by taking the day as a time cycle period, and marking any one time slice as T _c, wherein c represents the sequence number of the time slice; adding a time tag to an operation association action chain, recording the occurrence time range of the operation association action chain, and recording any operation association action chain as P _a→IL_d→LS_b, wherein the added time tag of the operation association action chain is recorded as T _c(t):P_a→IL_d→LS_b, the time tag T _c (T) indicates that the operation association action chain P _a→IL_d→LS_b occurs in a time segment T _c in the T-th time cycle period, and the operation association action chain P _a→IL_d→LS_b indicates that the process P _a accesses an isolation space LS _b and occupies the isolation space LS _b under the control of a network isolation layer IL _d;

And carrying out classification and identification on the operation association behavior chain according to the time segment and the network isolation layer, wherein the classification and identification mode is as follows:

Under the time label T _c (T), all processes and all isolation spaces for controlling interaction between the processes and the isolation spaces by means of the network isolation layer are acquired, and a behavior association group is generated and is recorded as R [ T _c(t)|IL_d]：PP[T_c(t)|IL_d]→LL[T_c(t)|IL_d ], wherein R [ T _c(t)|IL_d ] represents a behavior association group for controlling interaction process in a time segment T _c in a T-th time cycle period, PP [ T _c(t)|IL_d ] represents a process identification set formed by all processes in the behavior association group R [ T _c(t)|IL_d ], LL [ T _c(t)|IL_d ] represents a space identification set formed by all isolation spaces in the behavior association group R [ T _c(t)|IL_d ], and PP [ T _c(t)|IL_d]∈PP,LL[T_c(t)|IL_d ] epsilon SP.

Step S300: calculating the credibility of the process in the behavior association group according to the classification and identification result; data cleaning and updating are carried out on the behavior association group;

Specifically, according to the classification and identification result, corresponding behavior association groups under the same network isolation layer are comprehensively organized, a database to be cleaned is generated, and the database is marked as Q; the process P _a is obtained in the process item set, any behavior association group R [ T _c(t)|IL_d ] is obtained in the database Q to be cleaned, if P _a∈PP[T_c(t)|IL_d ], the behavior association group R [ T _c(t)|IL_d ] is extracted, the credibility of the process P _a in the behavior association group R [ T _c(t)|IL_d ] is calculated, and the specific calculation formula is as follows:

Where RL { P _a→R[T_c(t)|IL_d ] } represents the credibility of the process P _a in the behavior association group R [ T _c(t)|IL_d ], PP [ T _c(s)|IL_d ] represents a process identification set composed of all processes in the behavior association group R [ T _c(s)|IL_d ], NUM { PP [ T _c(t)|IL_d]∩PP[T_c(s)|IL_d ] } represents the total number of processes contained in the intersection of the process identification set PP [ T _c(t)|IL_d ] and the process identification set PP [ T _c(s)|IL_d ], NUM { PP [ T _c(t)|IL_d ] } represents the total number of processes contained in the process identification set PP [ T _c(t)|IL_d ], and T represents the total number of time cycle periods;

If it is NUM { PP [ T _c(t)|IL_d]∩PP[T_c(s)|IL_d ] } =0 if/>And/>Letting NUM { PP [ T _c(t)|IL_d]∩PP[T_c(s)|IL_d ] } =0;

Carrying out data cleaning on the behavior association group, presetting a credibility threshold, if the credibility of the process P _a in the behavior association group R [ T _c(t)|IL_d ] is smaller than or equal to the credibility threshold, clearing the process P _a from a process identification set PP [ T _c(t)|IL_d ], clearing an isolation space LS _b occupied by the process P _a from a space identification set LL [ T _c(t)|IL_d ], and updating the behavior association group R [ T _c(t)|IL_d ];

Acquiring another process in the process project set, returning to step S301, and performing cleaning iteration until all processes in the process project set participate in completing the updating of the behavior association group R [ T _c(t)|IL_d ], and stopping cleaning iteration;

The finally updated behavior association group R [ T _c(t)|IL_d]：PP[T_c(t)|IL_d]→LL[T_c(t)|IL_d ] is denoted as R [ T _c(t)|IL_d]：P[T_c(t)|IL_d]→L[T_c(t)|IL_d ], wherein P [ T _c(t)|IL_d ] represents a process identification set formed by all processes in the behavior association group R [ T _c(t)|IL_d ], L [ T _c(t)|IL_d ] represents a space identification set formed by all isolation spaces in the behavior association group R [ T _c(t)|IL_d ], and P[T_c(t)|IL_d]∈PP[T_c(t)|IL_d],L[T_c(t)|IL_d]∈LL[T_c(t)|IL_d].

Step S400: according to the data cleaning result, calculating the safety limit value of the network isolation layer in the time segment; and sending out an early warning prompt;

specifically, according to the data cleaning result, the safety limit value of the network isolation layer in the time segment is calculated, and the specific calculation formula is as follows:

Wherein SLV (IL _d) represents the security threshold of the network isolation layer IL _d within the time segment T _c, NUM { L [ T _c(t)|IL_d ] } represents the total number of isolation spaces contained in the space identification set L [ T _c(t)|IL_d ], NUM { P [ T _c(t)|IL_d ] } represents the total number of processes contained in the process identification set P [ T _c(t)|IL_d ];

And presetting a safety limit value threshold, and sending out an early warning prompt if the safety limit value SLV (IL _d|T_c) is larger than or equal to the safety limit value threshold.

It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.

Finally, it should be noted that: the foregoing description is only a preferred embodiment of the present invention and is not intended to limit the present invention, but although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that modifications may be made to the technical solutions described in the foregoing embodiments, or equivalents may be substituted for some of the technical features thereof. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (2)

1. A 5G communication technology-based user data analysis and identification method, comprising the steps of:

step S100: establishing an Internet of things virtual cloud database, and recording and storing sub-cloud operation data corresponding to an Internet of things terminal; establishing an operation archive, and classifying and counting processes executed by the sub-cloud, an isolation space allocated by the virtual cloud of the Internet of things and a network isolation layer created by the virtual cloud of the Internet of things;

Step S200: the architecture runs an associated behavior chain identification model, records the behavior of each process for controlling access to an isolation space by means of a network isolation layer, and attaches a time tag to the running associated behavior chain; classifying and identifying the operation association behavior chains according to the time labels to generate a behavior association group;

step S300: calculating the credibility of the process in the behavior association group according to the classification and identification result; data cleaning and updating are carried out on the behavior association group;

Step S400: according to the data cleaning result, calculating the safety limit value of the network isolation layer in the time segment; and sending out an early warning prompt;

The specific implementation process of the step S100 includes:

Step S101: establishing an Internet of things virtual cloud database, wherein operation data corresponding to sub-clouds connected through 5G communication are stored in the Internet of things virtual cloud database, the sub-clouds are connected with each other in an interactive mode based on ports of an Internet of things terminal, the operation data comprise isolation spaces occupied by processes in the process of executing each sub-cloud and network isolation layers called by the processes in the process of executing each sub-cloud, the isolation spaces are independent memory spaces with the same size and distributed by the Internet of things virtual cloud, the network isolation layers are virtual connection mapping channels which are created by the Internet of things virtual cloud and are used for providing the sub-clouds with the process of executing each sub-cloud, and mapping refers to corresponding software service functions which are realized in the Internet of things virtual cloud based on conversion of hardware service functions of the Internet of things terminal; one sub cloud corresponds to one Internet of things terminal;

Step S102: establishing an operation archive, wherein the operation archive comprises a process item set, a space pointer set and a channel medium set; the process item set comprises processes executed by all sub-clouds, and is recorded as Wherein/>Represents an a-th process, A represents the total number of processes; the space pointer set comprises an isolation space distributed by the virtual cloud of the Internet of things, and the space pointer set is recorded as/>Wherein, the method comprises the steps of, wherein,Represents the B-th isolation space, and B represents the total number of isolation spaces; the channel medium set comprises a network isolation layer created by virtual cloud of the Internet of things, and the channel medium set is recorded as/>Wherein/>Represents the D-th network isolation layer, D represents the total number of network isolation layers;

The specific implementation process of the step S200 includes:

step S201: the method comprises the steps of constructing an operation association behavior chain identification model, wherein the operation association behavior chain refers to the behavior that each process accesses an isolation space by means of a network isolation layer control in the process of executing each sub-cloud; dividing the time in one day into k continuous time slices by taking the day as the time cycle period, and recording any one time slice as Wherein c represents the sequence number of the time segment; adding a time tag to the operation association action chain, recording the time range of the occurrence of the operation association action chain, and recording any operation association action chain as/>The time tag attached to the operation association action chain is recorded asTime tag/>Representing run-associated behavior chain/>Time segment/>, within the t-th time cycle periodIn (c) occurs, run associative behavior chain/>Representing progress/>By means of a network isolation layer/>Control access to isolated space/>And occupy isolated space/>；

Step S202: and carrying out classification and identification on the operation association behavior chain according to the time segment and the network isolation layer, wherein the classification and identification mode is as follows:

at time tag Acquiring all processes and all isolation spaces for realizing control interaction between processes and the isolation spaces by means of network isolation layers, generating a behavior association group, and recording as/>Wherein/>Representing the time segment/>, within the t-th time cycle periodBy isolating the layers by means of a networkBehavior association group for realizing control of interaction process,/>Representing behavioral association groups/>Process identification set composed of all processes in (a)/>, andRepresenting behavioral association groups/>A space recognition set consisting of all isolation spaces, and/>，/>;

The specific implementation process of the step S300 includes:

Step S301: according to the classification and identification result, corresponding behavior association groups under the same network isolation layer are comprehensively organized, a database to be cleaned is generated, and the database is marked as Q; acquiring processes in a process project set Any behavior association group/>' is obtained from a database Q to be cleanedIf/>Extracting behavior association group/>Computing Process/>In behavior association group/>The specific calculation formula is as follows:

Wherein, Representing progress/>In behavior association group/>Reliability in/>Representing behavioral association groups/>A process identification set consisting of all processes in the hierarchy,Representing process identification set/>And process identification setTotal number of processes contained in intersection of,/>Representing process identification setsThe total number of processes contained in the process, T represents the total number of time cycle periods;

If it is Let/>If/>And/>Order in principle;

Step S302: data cleaning is carried out on the behavior association group, a credibility threshold value is preset, and if a process is carried outIn the behavior association groupIf the credibility in the process is smaller than or equal to the credibility threshold value, the process/>Identifying collections from processes/>While cleaning up the process/>Occupied isolation space/>Identifying collections from space/>And associate groups of actions/>Updating;

acquiring another process in the process item set, returning to step S301, and performing cleaning iteration until all processes in the process item set participate in the completion behavior association group Is updated, and the iteration is cleared;

Correlating groups of actions to be updated finally Is marked asWherein/>Representing behavioral association groups/>Process identification set composed of all processes in (a)/>, andRepresenting behavioral association groups/>A space recognition set consisting of all isolation spaces, and/>,/>;

The specific implementation process of the step S400 includes:

step S401: according to the data cleaning result, calculating the safety limit value of the network isolation layer in the time segment, wherein the specific calculation formula is as follows:

Wherein/> Representing the network isolation layer/>At time slice/>Internal safety margin,/>Representing spatially identified collections/>Total number of isolation spaces contained in/(Representing process identification set/>The total number of processes involved;

step S402: presetting a safety threshold value if And if the safety threshold value is greater than or equal to the safety threshold value, sending out an early warning prompt.

2. A 5G communication technology based user data analysis and identification system, the system comprising: the system comprises an Internet of things virtual cloud module, a data processing module, a data analysis module and a behavior early warning module;

The virtual cloud module of the Internet of things is used for establishing a virtual cloud database of the Internet of things and recording and storing sub-cloud operation data corresponding to the end of the Internet of things; establishing an operation archive, and classifying and counting processes executed by the sub-cloud, an isolation space allocated by the virtual cloud of the Internet of things and a network isolation layer created by the virtual cloud of the Internet of things;

The data processing module is used for constructing an operation association behavior chain identification model, recording the behavior of each process for controlling access to the isolation space by means of the network isolation layer, and attaching a time tag to the operation association behavior chain; classifying and identifying the operation association behavior chains according to the time labels to generate a behavior association group;

The data analysis module calculates the credibility of the process in the behavior association group according to the classification and identification result; data cleaning and updating are carried out on the behavior association group;

the behavior early warning module calculates the safety limit value of the network isolation layer in the time segment according to the data cleaning result; and sending out an early warning prompt;

The virtual cloud module of the Internet of things further comprises a database unit and an archive unit;

The system comprises a database unit, an Internet of things virtual cloud database, a network isolation layer and a network mapping unit, wherein the database unit is used for establishing an Internet of things virtual cloud database, the Internet of things virtual cloud database stores operation data corresponding to sub-clouds connected through 5G communication, the sub-clouds are connected with each other in an interactive mode based on ports of an Internet of things terminal, the operation data comprise isolation spaces occupied by processes in the execution process of each sub-cloud and network isolation layers called by the processes in the execution process of each sub-cloud, the isolation spaces are independent memory spaces with the same size and distributed by the Internet of things virtual cloud, the network isolation layers are virtual connection mapping channels which are created by the Internet of things virtual cloud and are used for providing the sub-clouds with the execution process, and the mapping refers to corresponding software service functions which are converted into the Internet of things virtual cloud based on each hardware service function of the Internet of things terminal; one sub cloud corresponds to one Internet of things terminal;

The archive unit is used for establishing an operation archive, wherein the operation archive comprises a process item set, a space pointer set and a channel medium set; the process item set comprises processes executed by all sub-clouds, and is recorded as Wherein/>Represents an a-th process, A represents the total number of processes; the space pointer set comprises an isolation space distributed by the virtual cloud of the Internet of things, and the space pointer set is recorded as/>Wherein, the method comprises the steps of, wherein,Represents the B-th isolation space, and B represents the total number of isolation spaces; the channel medium set comprises a network isolation layer created by virtual cloud of the Internet of things, and the channel medium set is recorded as/>Wherein/>Represents the D-th network isolation layer, D represents the total number of network isolation layers;

the data processing module further comprises a behavior chain recording unit and a classification and identification unit;

The behavior chain recording unit is used for constructing an operation association behavior chain identification model, wherein the operation association behavior chain refers to the behavior that each process accesses an isolation space by means of a network isolation layer control in the process of executing each sub-cloud execution process; dividing the time in one day into k continuous time slices by taking the day as the time cycle period, and recording any one time slice as Wherein c represents the sequence number of the time segment; adding a time tag to the operation association action chain, recording the time range of the occurrence of the operation association action chain, and recording any operation association action chain as/>The time tag attached to the operation association action chain is recorded as/>Time tag/>Representing run-associated behavior chain/>Time segment/>, within the t-th time cycle periodIn (c) occurs, run associative behavior chain/>Representing progress/>By means of a network isolation layer/>Control access to isolated space/>And occupy isolated space/>;

The classification and identification unit performs classification and identification on the operation association behavior chain according to the time segment and the network isolation layer, and the classification and identification mode is as follows:

at time tag Acquiring all processes and all isolation spaces for realizing control interaction between processes and the isolation spaces by means of network isolation layers, generating a behavior association group, and recording asWherein/>Representing the time segment/>, within the t-th time cycle periodBy isolating layer/>, by means of a networkA behavioral association group is implemented that controls the interaction process,Representing behavioral association groups/>Process identification set composed of all processes in (a)/>, andRepresenting behavioral association groups/>A space recognition set composed of all the isolated spaces, and;

The data analysis module further comprises a credibility analysis unit and a data cleaning unit;

The credibility analysis unit is used for comprehensively planning corresponding behavior association groups under the same network isolation layer according to the classification and identification results, generating a database to be cleaned and marking the database as Q; acquiring processes in a process project set Any behavior association group/>' is obtained from a database Q to be cleanedIf/>Extracting behavior association group/>Computing Process/>In behavior association group/>The specific calculation formula is as follows:

Wherein, Representing progress/>In behavior association group/>Reliability in/>Representing behavioral association groups/>A process identification set consisting of all processes in the hierarchy,Representing process identification set/>And process identification setTotal number of processes contained in intersection of,/>Representing process identification setsThe total number of processes contained in the process, T represents the total number of time cycle periods;

If it is If/>Order in principle;

The data cleaning unit is used for cleaning the data of the behavior association group, presetting a credibility threshold value, and if the process is performedIn behavior association group/>If the credibility in the process is smaller than or equal to the credibility threshold value, the process/>Identifying a collection from a processWhile cleaning up the process/>Occupied isolation space/>Identifying collections from space/>And associate groups of actions/>Updating;

Acquiring another process in the process project set, returning to the credibility analysis unit for processing, and performing cleaning iteration until all processes in the process project set participate in completing the behavior association group Is updated, and the iteration is cleared;

Correlating groups of actions to be updated finally Is marked asWherein/>Representing behavioral association groupsProcess identification set composed of all processes in (a)/>, andRepresenting behavioral association groups/>A space recognition set composed of all the isolated spaces, and;

The behavior early warning module further comprises a safety limit value analysis unit and an early warning prompt unit;

the safety limit value analysis unit calculates the safety limit value of the network isolation layer in the time segment according to the data cleaning result, and the specific calculation formula is as follows:

Wherein/> Representing the network isolation layer/>At time slice/>Internal safety margin,/>Representing spatially identified collections/>Total number of isolation spaces contained in/(Representing process identification set/>The total number of processes involved;

The early warning prompt unit is used for presetting a safety limit value threshold value if the safety limit value is And if the safety threshold value is greater than or equal to the safety threshold value, sending out an early warning prompt.