WO2021159834A1 - Abnormal information processing node analysis method and apparatus, medium and electronic device - Google Patents


Publication number
WO2021159834A1
WO2021159834A1 PCT/CN2020/134941 CN2020134941W WO2021159834A1 WO 2021159834 A1 WO2021159834 A1 WO 2021159834A1 CN 2020134941 W CN2020134941 W CN 2020134941W WO 2021159834 A1 WO2021159834 A1 WO 2021159834A1
Authority
WO
WIPO (PCT)
Prior art keywords
information processing
processing node
association relationship
label
node
Prior art date
Application number
PCT/CN2020/134941
Inventor
侯方舟
Original Assignee
平安科技(深圳)有限公司
Priority date
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司
Publication of WO2021159834A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection

Definitions

  • This application relates to the field of computer technology, and specifically, to an abnormal information processing node analysis method, device, medium, and electronic equipment.
  • Abnormal information processing node analysis means that, when an abnormal information processing event (such as information leakage, loss, or a management error) occurs at the information processing nodes of a related entity (such as an enterprise), the event is analyzed to determine the joint relationship between the suspect nodes in all abnormal information processing events.
  • The inventor realized that, when abnormal information processing nodes are analyzed, the risk analysis of security incidents stays at the level of non-quantitative analysis, such as empirical theory and inductive analysis of scattered cases, and cannot uncover hidden risk rules; the analysis of abnormal information processing nodes is inefficient, and there is no foresight of the abnormal events that occur.
  • The purpose of this application is to provide a solution for analyzing abnormal information processing nodes, so as to achieve, at least to a certain extent, efficient and accurate analysis of the relationship between abnormal information processing nodes.
  • An abnormal information processing node analysis method, which includes: when an abnormal node analysis request in an abnormal information processing event is received, classifying all information processing nodes in the abnormal information association processing node database according to the attributes of the abnormal information processing event to obtain multiple categories of information processing node groups; obtaining the abnormal feature labels of all information processing nodes in the information processing node group, and constructing the node label set of the information processing node group; removing the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold to obtain a frequent item label set of each information processing node group; according to the predetermined category association relationship of the categories of the information processing node groups, obtaining the same labels in the frequent item label sets of the information processing node groups corresponding to the associated categories to obtain a same label subset; and, according to the association relationship between the associated categories corresponding to the same label subset, associating group association feature labels with the same label subset to obtain an association relationship label set, where
  • An abnormal information processing node analysis device, which includes: a classification module, used to classify, when an abnormal node analysis request in an abnormal information processing event is received, all information processing nodes in the abnormal information association processing node database according to the attributes of the abnormal information processing event to obtain multiple categories of information processing node groups;
  • a building module, used to obtain the abnormal feature labels of all the information processing nodes in the information processing node group and construct the node label set of the information processing node group;
  • an elimination module, used to remove the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold to obtain the frequent item label set of each information processing node group;
  • an obtaining module, used to obtain, according to the predetermined category association relationship of the categories of the information processing node groups, the same labels in the frequent item label sets of the information processing node groups corresponding to the associated categories, to obtain the same label subset; and an associating module, used to obtain an association relationship label set according to the association relationship between the associated categories
  • A computer-readable storage medium on which an abnormal information processing node analysis program is stored, wherein the abnormal information processing node analysis program is executed by a processor to implement the following method: when an abnormal node analysis request in an abnormal information processing event is received, all information processing nodes in the abnormal information association processing node database are classified according to the attributes of the abnormal information processing event to obtain multiple categories of information processing node groups; the abnormal feature labels of all information processing nodes in the information processing node group are obtained to construct the node label set of the information processing node group; the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold are removed to obtain the frequent item label set of each information processing node group; according to the predetermined category association relationship of the categories of the information processing node groups, the same labels in the frequent item label sets of the information processing node groups corresponding to the associated categories are obtained to obtain the same label subset; according to the association relationship between the associated categories corresponding to the same label subset, group association feature labels are associated with the same label subset to obtain an association relationship label set, wherein the group association feature labels do not belong to the node label set; and the related information of the abnormal information processing event in the abnormal node analysis request and the association relationship label set are input into the risk node analysis model to obtain the abnormal information processing node relationship.
  • An electronic device, which includes: a processor; and a memory for storing an abnormal information processing node analysis program of the processor; wherein the processor is configured to execute the abnormal information processing node analysis program to perform the following method: when an abnormal node analysis request in an abnormal information processing event is received, classifying all information processing nodes in the abnormal information association processing node database according to the attributes of the abnormal information processing event to obtain multiple categories of information processing node groups; acquiring the abnormal feature labels of all information processing nodes in the information processing node group, and constructing the node label set of the information processing node group; removing the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold to obtain the frequent item label set of each information processing node group; obtaining, according to the predetermined category association relationship of the categories of the information processing node groups, the same labels in the frequent item label sets of the information processing node groups corresponding to the associated categories to obtain the same label subset; according to the association relationship between the
  • Based on the related information of the abnormal information processing event and the association relationship label set constructed for the corresponding nodes, this application uses the risk node analysis model to analyze the abnormal information processing node relationship efficiently and accurately.
  • Fig. 1 schematically shows a flow chart of an abnormal information processing node analysis method.
  • Fig. 2 schematically shows an example diagram of an application scenario of an abnormal information processing node analysis method.
  • Fig. 3 schematically shows a flow chart of a method for obtaining an association relationship label set.
  • Fig. 4 schematically shows a block diagram of an abnormal information processing node analysis device.
  • Fig. 5 schematically shows an example block diagram of an electronic device for implementing the above-mentioned abnormal information processing node analysis method.
  • Fig. 6 schematically shows a computer-readable storage medium for implementing the above-mentioned abnormal information processing node analysis method.
  • The technical solution of this application can be applied to the fields of artificial intelligence, smart city, blockchain and/or big data technology to realize intelligent information recommendation.
  • The data involved in this application, such as tags and/or abnormal information processing node relationships, can be stored in a database or in a blockchain (for example, distributed storage through a blockchain), which is not limited in this application.
  • This example embodiment first provides an abnormal information processing node analysis method.
  • The abnormal information processing node analysis method can run on a server, a server cluster, a cloud server, or the like; the platform that runs the method of this application is not particularly limited in this exemplary embodiment.
  • The method for analyzing abnormal information processing nodes may include the following steps.
  • Step S110: When an abnormal node analysis request in an abnormal information processing event is received, classify all the information processing nodes in the abnormal information association processing node database according to the attributes of the abnormal information processing event to obtain multiple categories of information processing node groups.
  • Step S120: Obtain the abnormal feature labels of all information processing nodes in the information processing node group, and construct a node label set of the information processing node group.
  • Step S130: Remove the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold, and obtain a frequent item label set of each information processing node group.
  • Step S140: According to the predetermined category association relationship of the categories of the information processing node groups, obtain the same labels in the frequent item label sets of the information processing node groups corresponding to the associated categories, and obtain the same label subset.
  • Step S150: According to the association relationship between the associated categories corresponding to the same label subset, associate group association feature labels with the same label subset to obtain an association relationship label set, wherein the group association feature labels do not belong to the node label set.
  • Step S160: Input the related information of the abnormal information processing event in the abnormal node analysis request and the association relationship label set into the risk node analysis model to obtain the abnormal information processing node relationship.
  • In the above abnormal information processing node analysis method, first, when an abnormal node analysis request in an abnormal information processing event is received, all information processing nodes in the abnormal information association processing node database are classified according to the attributes of the abnormal information processing event to obtain multiple categories of information processing node groups; this classifies the nodes according to their attributes in the abnormal information processing event. Then, the abnormal feature labels of all the information processing nodes in the information processing node group are acquired, and the node label set of the information processing node group is constructed; in this way, node label sets of abnormal features can be constructed for the information processing node groups of the different categories.
  • Next, the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold are removed, and the frequent item label set of each information processing node group is obtained; in this way, the set of high-probability abnormal feature labels corresponding to each category of information processing node group can be obtained.
  • Then, according to the predetermined category association relationship of the categories of the information processing node groups, the same labels in the frequent item label sets of the information processing node groups corresponding to the associated categories are obtained to obtain the same label subset; in this way, the association relationship yields the labels shared by multiple information processing node groups that have an association relationship, that is, the same label subset.
  • Then, according to the association relationship between the associated categories corresponding to the same label subset, group association feature labels are associated with the same label subset to obtain an association relationship label set, where the group association feature labels do not belong to the node label set; in this way, group association feature labels can be added to the same label subset according to the association relationship, to obtain an association relationship label set with multiple strong association features.
  • Finally, the related information of the abnormal information processing event in the abnormal node analysis request and the association relationship label set are input into the risk node analysis model to obtain the abnormal information processing node relationship. In this way, the related information of the abnormal information processing event is constrained by the association relationship label set with strong association features, and the relationship between abnormal information processing nodes in the abnormal information processing event is analyzed efficiently and accurately based on the risk node analysis model.
  • In step S110, when the abnormal node analysis request in the abnormal information processing event is received, all the information processing nodes in the abnormal information association processing node database are classified according to the attributes of the abnormal information processing event to obtain multiple categories of information processing node groups.
  • When the server 201 receives the abnormal node analysis request in the abnormal information processing event sent by the server 202, it classifies all the information processing nodes in the abnormal information association processing node database on the server 201 according to the attributes of the abnormal information processing event, and obtains multiple categories of information processing node groups. In subsequent steps, the server 201 then analyzes the relationship between abnormal information processing nodes according to the multiple categories of information processing node groups. It can be understood that the server 201 and the server 202 may be any devices with processing capabilities, such as computers or microprocessors, which are not specifically limited herein.
  • The abnormal information association processing node database stores the work records of all information processing nodes when an abnormal information processing event occurs.
  • The relational information database stores each node identification and the related information corresponding to each information processing event. Abnormal information processing events are, for example, information leakage events and information processing error events.
  • An information processing node is, for example, an information storage node of an enterprise or any node that has a task association relationship with the enterprise information storage node.
  • The node can be any node with information processing functions, such as a server, an application, or a computer.
  • The attributes of the abnormal information processing event are the attributes that the nodes associated with the event have in different abnormal events. For example, for leakage incidents, a preliminary attribute classification gives first-level management nodes, second-level management nodes, information conversion nodes, information sending nodes, information receiving nodes, etc.; for information fusion error events, classification by attribute gives information acquisition nodes, information processing nodes, information storage nodes, information management nodes, etc. Corresponding node attributes can be set for different events to ensure that the nodes corresponding to each event are accurately classified according to that event.
  • In step S120, the abnormal feature labels of all the information processing nodes in the information processing node group are acquired, and the node label set of the information processing node group is constructed.
  • An abnormal feature label can be any keyword feature relevant to the analysis of abnormal nodes, for example, information management authority (type A information), node joint time (1 year-2 years), etc.
  • To construct the node label set of the information processing node group, for example, first determine the information node category: secondary management node.
  • Then the feature labels are quantified and disassembled: information management authority (type A information) is quantified as 1, information management authority (type B information) as 2, internal node of the enterprise as 3, external enterprise node as 4, node joint time (1 year-2 years) as 5, etc., and the feature set {1...25} is obtained from the quantitative disassembly of the labels.
  • node A {1,4,6,8,13,15,17,18,20}
  • node B {2,5,7,9,11,12,17,19,21}
  • node C {1,3,6,8,10,13,16}.
  • In step S130, the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold are removed, and the frequent item label set of each information processing node group is obtained.
  • Removing the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold eliminates labels with a low occurrence probability and ensures the accuracy of label analysis for abnormal events. For example, scan and count the frequency of occurrence of the items in the node label set: {1}: 65; {2}: 35; {3}: 10; {4}: 30; {5}: 60; {6}: 90; {7}: 10, etc., and then eliminate the items with a probability of less than 50% to get: {1}: 65; {5}: 60; {6}: 90, etc. In this way, a frequent item label set that represents the abnormal features of each information processing node group with high accuracy can be obtained.
  • Removing the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold to obtain the frequent item label set of each information processing node group includes: removing the labels whose occurrence probability in the node label set of the information processing node group is lower than the predetermined threshold to obtain a second node label set; after calculating the occurrence probability of each label in the second node label set, removing the labels lower than the predetermined threshold to obtain a third node label set; and, when the occurrence probability of all labels in the third node label set is higher than the predetermined threshold, obtaining the frequent item label set of the information processing node group.
  • For example, the second node label set is obtained after the above items whose occurrence probability is less than 50% are eliminated: {1}: 65; {5}: 60; {6}: 90, etc. Then, for each label in the second node label set, the probability of appearing in the second label set is calculated, and items with an occurrence probability of less than 50% are again eliminated to obtain the third node label set. The probability of each label in the third label set is then calculated, and when all of them are higher than the predetermined threshold, the frequent item label set of the information processing node group is obtained. It can be understood that if the third label set still contains labels below 50%, elimination continues until the frequent item label set is obtained.
  • In step S140, the same labels in the frequent item label sets of the information processing node groups corresponding to the associated categories are obtained according to the predetermined category association relationship of the categories of the information processing node groups, and the same label subset is obtained.
  • The predetermined association relationship is the joint relationship, in an information processing event, of information processing nodes between different information processing node groups.
  • An information processing event usually involves two or more information processing node groups, and the information processing nodes cooperate with each other to complete the information processing event.
  • Cooperating information processing nodes have the same core characteristics in terms of information processing node features; for example, stealing a certain type of information requires going from the first-level management node to the second-level management node and then to the information sending node.
  • These nodes need to have information management authority (type A information), be internal nodes of the enterprise, have a node management time of 3-5 years, etc.
  • In this way, the core information processing node feature labels of the information processing node groups corresponding to the associated categories can be determined.
  • The core labels are obtained based on the association relationship of the risk information processing node groups, which reduces the number of labels while ensuring the accuracy of analysis.
  • In step S150, according to the association relationship between the associated categories corresponding to the same label subset, group association feature labels are associated with the same label subset to obtain an association relationship label set, wherein the group association feature labels do not belong to the node label set.
  • As an example of the association relationship between the associated categories corresponding to the same label subset: if the associated categories corresponding to the same label subset include first-level management nodes, second-level management nodes, and information fusion nodes, the association relationship is first-level management node - second-level management node - information fusion node.
  • The group association feature label is a joint label of information processing nodes between different information processing node groups; it is a joint relationship feature label that indicates how the information processing nodes cooperate to complete the risk event, such as controlling the lower-level node, controlling the upper-level node, cooperating with each other, or being attacked (for example, only one of the two nodes is attacked and reveals information).
  • The associated feature labels can be found from the related information of the information processing nodes recorded in the information association processing node database. In this way, by associating group feature labels with the same label subset corresponding to the core information processing node labels, a relatively complete association relationship label set of abnormal information processing events can be described accurately, which ensures the accuracy and reliability of the analysis of abnormal information processing nodes.
  • Associating feature labels with the same label subset to obtain the association relationship label set, as shown in FIG. 3, includes: step S310, obtaining the association relationship label templates corresponding to the association relationship between the associated categories corresponding to the same label subset, where an association relationship label template includes group association feature labels and feature labels of information processing nodes; step S320, searching the association relationship label template library for association relationship label templates whose feature labels are consistent with the same label subset, to obtain the matching association relationship label templates; step S330, obtaining the association relationship label set based on the matched association relationship label templates.
  • The association relationship label template corresponding to each association relationship is preset.
  • An association relationship label template can include group association feature labels and feature labels of information processing nodes; that is, the template includes the feature labels of multiple information processing nodes and the typical group association feature labels corresponding to the joint relationship features with which the information processing nodes represented by those feature labels cooperate to complete the risk event.
  • Obtaining an association relationship label set based on the matched association relationship label templates includes: obtaining, from the matched association relationship label templates, an association relationship label template whose number of labels exceeds a predetermined threshold as the association relationship label set.
  • For example, an association relationship label template containing at least 50 labels is obtained as the association relationship label set.
  • The association relationship label set includes the same label subset as well as group association feature labels.
  • Obtaining an association relationship label set based on the matched association relationship label templates includes: obtaining, from the matched association relationship label templates, the association relationship label template containing the least number of labels as the association relationship label set.
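The label pruning of step S130, the intersection of step S140 and the template matching of steps S310-S330 can be traced in the following added example, which is not code from the patent. It assumes that a label's occurrence probability is the share of nodes in the group carrying it, that nodes left without labels are dropped before recounting, that a template is "consistent" when its feature labels contain the same label subset, and it uses the least-labels selection variant; node names, the template library and all data are constructed.

```python
from collections import Counter

THRESHOLD = 0.5  # the page's example removes labels with probability under 50%

# Constructed sample data. Integers follow the page's quantification where it
# gives one (1 = information management authority, type A; 3 = internal
# enterprise node; 4 = external enterprise node; 5 = node joint time
# 1-2 years); the remaining integers and all node names are made up.
CHAIN = ("first_level_mgmt", "second_level_mgmt", "info_sending")
GROUPS = {
    "first_level_mgmt": {
        "n1": {1, 3, 5, 8}, "n2": {1, 3, 5}, "n3": {1, 3, 9}, "n4": {1, 5, 7},
    },
    "second_level_mgmt": {
        "n5": {1, 3, 6}, "n6": {1, 3, 6, 12}, "n7": {1, 4, 6}, "n8": {3, 6, 11},
    },
    "info_sending": {
        "n9": {1, 3, 13}, "n10": {1, 3, 14}, "n11": {1, 3, 13, 15},
    },
}

# Hypothetical association relationship label template library (step S310).
# group_tags reuse the joint-relationship examples named on the page.
TEMPLATES = [
    {"relation": CHAIN, "feature_labels": {1, 3},
     "group_tags": {"controls lower-level node"}},
    {"relation": CHAIN, "feature_labels": {1, 3, 5, 6},
     "group_tags": {"controls lower-level node", "cooperating with each other"}},
    {"relation": CHAIN, "feature_labels": {2, 4},
     "group_tags": {"being attacked"}},
    {"relation": ("info_acquisition", "info_storage"), "feature_labels": {1, 3},
     "group_tags": {"cooperating with each other"}},
]


def frequent_labels(group, threshold=THRESHOLD):
    """S130: drop labels below the threshold, recount, repeat until none is below."""
    nodes = {name: set(labels) for name, labels in group.items()}
    while True:
        # Assumption: a node with no surviving label no longer counts.
        nodes = {name: labels for name, labels in nodes.items() if labels}
        if not nodes:
            return set()
        counts = Counter(label for labels in nodes.values() for label in labels)
        rare = {l for l, c in counts.items() if c / len(nodes) < threshold}
        if not rare:
            return set(counts)
        nodes = {name: labels - rare for name, labels in nodes.items()}


def same_label_subset(groups, relation, threshold=THRESHOLD):
    """S140: labels shared by the frequent sets of all associated categories."""
    frequent = [frequent_labels(groups[cat], threshold) for cat in relation]
    return set.intersection(*frequent)


def association_label_set(groups, relation, templates, threshold=THRESHOLD):
    """S310-S330: match templates to the same label subset, keep the smallest."""
    shared = same_label_subset(groups, relation, threshold)
    node_labels = {l for cat in relation for ls in groups[cat].values() for l in ls}
    matches = [
        t for t in templates
        if t["relation"] == relation
        and shared <= t["feature_labels"]
        # Group association feature labels must not belong to the node label set.
        and t["group_tags"].isdisjoint(node_labels)
    ]
    if not matches:
        return None
    best = min(matches, key=lambda t: len(t["feature_labels"]) + len(t["group_tags"]))
    return best["feature_labels"] | best["group_tags"]


if __name__ == "__main__":
    for category in CHAIN:
        print(category, sorted(frequent_labels(GROUPS[category])))
    print("same label subset:", sorted(same_label_subset(GROUPS, CHAIN)))
    print("association label set:", association_label_set(GROUPS, CHAIN, TEMPLATES))
```
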
  • In step S160, the related information of the abnormal information processing event in the abnormal node analysis request and the association relationship label set are input into the risk node analysis model to obtain the abnormal information processing node relationship.
  • The association relationship label set can simply and accurately describe the relatively complete node association relationship of historical abnormal information processing events.
  • Information related to the abnormal information processing event may include: suspect node information of the abnormal information processing event, for example, information about all nodes that may participate in the event; and information-related content in the event, for example, the enterprise nodes that the information may involve.
  • The abnormal information processing node relationship is the predicted joint relationship between multiple risky nodes in the abnormal information processing event. For example, the first-level management node cooperates with an external node to attack the second-level management node among the internal management nodes.
  • An association relationship label set corresponds to the information processing nodes of each category; that is, at least one association relationship label set is input into the risk node analysis model.
  • The abnormal information processing node relationship of the abnormal event can be predicted quickly and accurately from the abnormal information processing event under the constraints of the corresponding association relationship label set.
  • The training method of the risk node analysis model may include: collecting a sample set of abnormal information processing event information, where each sample includes an association relationship label set and the abnormal information processing node relationship corresponding to that association relationship label set; inputting the association relationship label set of each sample in the sample set into the risk node analysis model to obtain the predicted abnormal information processing node relationship corresponding to each sample; when, for some sample, the predicted abnormal information processing node relationship obtained from the risk node analysis model is inconsistent with the abnormal information processing node relationship calibrated in advance for that sample, adjusting the coefficients of the risk node analysis model until they are consistent; and, when all samples have been input into the risk node analysis model and the similarity between the predicted abnormal information processing node relationship and the abnormal information processing node relationship calibrated in advance for the sample is greater than a predetermined threshold, ending the training.
  • the method further includes: determining the target risk information according to the association relationship tag set corresponding to the target risk information processing node group and the frequent item tag set The risk information processing node of the processing node group.
  • the target risk information processing node group is the node group that one or more users want to analyze among the information processing node groups of multiple categories obtained after classification according to the attributes of the abnormal information processing event.
  • Each information processing node group can obtain the corresponding association relationship label set and frequent item label set after processing. In this way, it is possible to analyze the risk information processing nodes in the target group that have the risk of the abnormal information processing event according to the associated relationship label set and the frequent item label set corresponding to the target risk information processing node group.
  • determining the risk information processing nodes of the target risk information processing node group according to the association relationship label set and the frequent item label set corresponding to the target risk information processing node group includes: determining the first risk information processing node set of the target risk information processing node group according to the association relationship label set corresponding to the target risk information processing node group; determining the second risk information processing node set of the target risk information processing node group according to the frequent item label set corresponding to the target risk information processing node group; obtaining, according to the association relationship label set corresponding to the target risk information processing node group, the third risk information processing node set of the risk information processing node group corresponding to the class associated with the target risk information processing node group; and taking, from the intersection of the first risk information processing node set and the second risk information processing node set, the risk information processing nodes that have a risk connection with a risk information processing node in the third risk information processing node set as the risk information processing nodes of the target risk information processing node group.
  • the information processing nodes in the target risk information processing node group that have all or a predetermined number of the labels in the association relationship label set can be determined according to the association relationship label set, to obtain the first risk information processing node set; in this way, the first set of suspected risk information processing nodes with complete abnormal information processing features can be determined based on the association relationship label set.
  • according to the frequent item label set corresponding to the target risk information processing node group, the information processing nodes in the target risk information processing node group that have all or a predetermined number of the labels in the frequent item label set can be determined, to obtain the second risk information processing node set; in this way, the second set of risk information processing nodes with strong abnormal information processing features can be determined based on the frequent item label set.
  • the suspected information processing nodes having both strong features and complete abnormal information processing features can be determined.
  • the risk information processing node group corresponding to the class associated with the target risk information processing node group is obtained (that is, the risk information processing node group that has a predetermined class association relationship with the target information processing node group
  • the third risk information processing node set of the node group can obtain the complete abnormal information processing characteristics characterized by the association relationship label set corresponding to the target risk information processing node group in other risk information processing node groups with predetermined association relationships.
  • the third set of risk information processing nodes can obtain the complete abnormal information processing characteristics characterized by the association relationship label set corresponding to the target risk information processing node group in other risk information processing node groups with predetermined association relationships.
  • the risk information processing nodes that have a risk connection with the third risk information processing node centralized risk information processing node that is, through
  • the risk information processing nodes of the target risk information processing node group can be determined.
  • the application also provides an abnormal information processing node analysis device.
  • the abnormal information processing node analysis device may include a classification module 410, a construction module 420, a rejection module 430, an acquisition module 440, an association module 450, and an analysis module 460.
  • the classification module 410 is configured to classify all the information processing nodes in the abnormal information association processing node database according to the attributes of the abnormal information processing event when receiving the abnormal node analysis request in the abnormal information processing event, to obtain multiple types of information processing Node group.
  • the construction module 420 is configured to obtain the abnormal feature labels of all the information processing nodes in the information processing node group, and construct the node label set of the information processing node group.
  • the removing module 430 is used to remove labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold to obtain a frequent item label set of each information processing node group.
  • the obtaining module 440 is configured to obtain, according to the predetermined class association relationship of the classes of the information processing node groups, the labels that are the same in the frequent item label sets of the information processing node groups corresponding to associated classes, to obtain a same-label subset.
  • the associating module 450 is configured to associate a group association feature label with the same-label subset according to the association relationship between the associated classes corresponding to that subset, to obtain an association relationship label set, wherein the group association feature label does not belong to the node label set.
  • the analysis module 460 is configured to input the related information of the abnormal information processing event in the abnormal node analysis request and the associated relationship label set into the risk node analysis model to obtain the abnormal information processing node relationship.
  • although several modules or units of the device for action execution are mentioned in the above detailed description, this division is not mandatory.
  • the features and functions of two or more modules or units described above may be embodied in one module or unit.
  • the features and functions of a module or unit described above can be further divided into multiple modules or units to be embodied.
  • the example embodiments described here can be implemented by software, or by combining software with the necessary hardware. Therefore, the technical solution according to the embodiments of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, U disk, mobile hard disk, etc.) or on the network, and which includes several instructions to make a computing device (which can be a personal computer, a server, a mobile terminal, or a network device, etc.) execute the method according to the embodiment of the present application.
  • an electronic device capable of implementing the above method.
  • the electronic device may include a processor and a memory.
  • the memory is used to store a program such as an abnormal information processing node analysis program; the processor is configured to execute part or all of the steps in the above method by executing the abnormal information processing node analysis program.
  • the memory may also be referred to as a storage unit, and the processor may also be referred to as a processing unit.
  • the electronic device 500 according to this embodiment of the present application will be described below with reference to FIG. 5.
  • the electronic device 500 shown in FIG. 5 is only an example, and should not bring any limitation to the function and scope of use of the embodiments of the present application.
  • the electronic device 500 is represented in the form of a general-purpose computing device.
  • the components of the electronic device 500 may include, but are not limited to: the aforementioned at least one processing unit 510, the aforementioned at least one storage unit 520, and a bus 530 connecting different system components (including the storage unit 520 and the processing unit 510).
  • the storage unit stores program code, and the program code can be executed by the processing unit 510, so that the processing unit 510 executes the steps of the various exemplary embodiments described in the "Exemplary Method" section of this specification.
  • the processing unit 510 may perform the steps shown in FIG. 1.
  • the processor or initial unit is configured to execute the following method via the execution program: when an abnormal node analysis request in an abnormal information processing event is received, classifying all information processing nodes in the abnormal information association processing node library according to the attributes of the abnormal information processing event, to obtain multiple types of information processing node groups; obtaining the abnormal feature labels of all information processing nodes in the information processing node group, and constructing the node label set of the information processing node group; removing the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold, to obtain the frequent item label set of each information processing node group; obtaining, according to the predetermined class association relationship of the classes of the information processing node groups, the labels that are the same in the frequent item label sets of the information processing node groups corresponding to associated classes, to obtain a same-label subset; associating a group association feature label with the same-label subset according to the association relationship between the associated classes corresponding to that subset, to obtain an association relationship label set, wherein the
  • the storage unit 520 may include a readable medium in the form of a volatile storage unit, such as a random access storage unit (RAM) 5201 and/or a cache storage unit 5202, and may further include a read-only storage unit (ROM) 5203.
  • the storage unit 520 may also include a program/utility tool 5204 having a set of (at least one) program module 5205.
  • program module 5205 includes but is not limited to: an operating system, one or more application programs, other program modules, and program data. Each of these examples, or some combination of them, may include an implementation of a network environment.
  • the bus 530 may represent one or more of several types of bus structures, including a storage unit bus or a storage unit controller, a peripheral bus, a graphics acceleration port, a processing unit, or a local bus using any of multiple bus structures.
  • the electronic device 500 can also communicate with one or more external devices 700 (such as keyboards, pointing devices, Bluetooth devices, etc.), with one or more devices that enable customers to interact with the electronic device 500, and/or with any device (such as a router, modem, etc.) that enables the electronic device 500 to communicate with one or more other computing devices. This communication can be performed through an input/output (I/O) interface 550.
  • the electronic device 500 may also communicate with one or more networks (for example, a local area network (LAN), a wide area network (WAN), and/or a public network, such as the Internet) through the network adapter 560. As shown in the figure, the network adapter 560 communicates with other modules of the electronic device 500 through the bus 530.
  • the example embodiments described here can be implemented by software, or by combining software with the necessary hardware. Therefore, the technical solution according to the embodiments of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, U disk, mobile hard disk, etc.) or on the network, and which includes several instructions to make a computing device (which can be a personal computer, a server, a terminal device, or a network device, etc.) execute the method according to the embodiment of the present application.
  • a computer-readable storage medium is also provided, on which is stored a program product (such as an abnormal information processing node analysis program) that can implement the above-mentioned method in this specification.
  • each aspect of the present application can also be implemented in the form of a program product, which includes program code.
  • when the program product runs on a terminal device, the program code is used to make the terminal device execute the steps according to various exemplary embodiments of the present application described in the above-mentioned "Exemplary Method" section of this specification.
  • when the program code is executed, the following method can be implemented: when an abnormal node analysis request in an abnormal information processing event is received, classifying all information processing nodes in the abnormal information association processing node library according to the attributes of the abnormal information processing event, to obtain multiple types of information processing node groups; obtaining the abnormal feature labels of all the information processing nodes in the information processing node group, and constructing the node label set of the information processing node group; removing the labels whose probability of occurrence in the node label set of each information processing node group is lower than the predetermined threshold, to obtain the frequent item label set of each information processing node group; obtaining, according to the predetermined class association relationship of the classes of the information processing node groups, the labels that are the same in the frequent item label sets of the information processing node groups corresponding to associated classes, to obtain a same-label subset; associating a group association feature label with the same-label subset according to the association relationship between the associated classes corresponding to that subset, to obtain an association relationship label set, wherein the group association feature label does not belong to the node label set; and inputting the related information of the abnormal information processing event in the abnormal node analysis request and the association relationship label set into the risk node analysis model, to obtain the abnormal information processing node relationship.
  • the storage medium involved in this application such as a computer-readable storage medium, may be non-volatile or volatile.
  • a program product 600 for implementing the above method according to an embodiment of the present application is described. It can adopt a portable compact disk read-only memory (CD-ROM), include program code, and run on a terminal device, for example a personal computer.
  • the program product of this application is not limited to this.
  • the readable storage medium can be any tangible medium that contains or stores a program, and the program can be used by or in combination with an instruction execution system, apparatus, or device.
  • the program product can use any combination of one or more readable media.
  • the readable medium may be a readable signal medium or a readable storage medium.
  • the readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the above. More specific examples (non-exhaustive list) of readable storage media include: electrical connections with one or more wires, portable disks, hard disks, random access memory (RAM), read only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination of the above.
  • the computer-readable signal medium may include a data signal propagated in baseband or as a part of a carrier wave, and readable program code is carried therein. This propagated data signal can take many forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the foregoing.
  • the readable signal medium may also be any readable medium other than a readable storage medium, and the readable medium may send, propagate, or transmit a program for use by or in combination with the instruction execution system, apparatus, or device.
  • the program code contained on the readable medium can be transmitted by any suitable medium, including but not limited to wireless, wired, optical cable, RF, etc., or any suitable combination of the foregoing.
  • the program code used to perform the operations of the present application can be written in any combination of one or more programming languages.
  • the programming languages include object-oriented programming languages, such as Java and C++, as well as conventional procedural programming languages, such as the "C" language or similar programming languages.
  • the program code can be executed entirely on the client computing device, partly on the client device, as an independent software package, partly on the client computing device and partly on a remote computing device, or entirely on the remote computing device or server.
  • the remote computing device can be connected to a client computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (for example, via the Internet using an Internet service provider).

Abstract

The present application relates to an abnormal information processing node analysis method and apparatus, a medium and an electronic device, and belongs to the technical field of computers. The method comprises the steps of: classifying information processing nodes according to attributes of abnormal information processing events; obtaining abnormal feature tags of all information processing nodes, and constructing node tag sets; eliminating tags having the occurrence probability lower than a preset threshold in the node tag sets to obtain frequent item tag sets; according to a predetermined class association relationship of the classes of the information processing node groups, obtaining the same tags in the frequent item tag sets of the information processing node groups corresponding to the associated classes to obtain same tag subsets; associating group association feature tags for the same tag subsets to obtain association relationship tag sets; and inputting related information of the abnormal information processing events in an abnormal node analysis request and the association relationship tag sets into a risk node analysis model to obtain an abnormal information processing node relationship. The present application can efficiently and accurately analyze the abnormal information processing node relationship.

Description

Abnormal information processing node analysis method, device, medium and electronic equipment
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on February 14, 2020, with application number 202010092140.1 and the invention title "Abnormal information processing node analysis method, device, medium and electronic equipment", the entire content of which is incorporated into this application by reference.
Technical field
This application relates to the field of computer technology, and specifically to an abnormal information processing node analysis method, device, medium, and electronic equipment.
Background
Abnormal information processing node analysis means analyzing the nodes that process information within a relevant entity (such as an enterprise) when an abnormal information processing event occurs (such as information leakage, loss, or a management error), in order to determine the joint relationship between the suspect nodes in all abnormal information processing events.
The inventor realized that, at present, when abnormal information processing nodes are analyzed, risk analysis of security events remains at the level of non-quantitative analysis, such as reliance on experience and inductive analysis of scattered individual cases. Such analysis cannot uncover the risk patterns implicit in the events, the analysis of abnormal information processing nodes is inefficient, and there is no ability to foresee the abnormal events that occur.
It should be noted that the information disclosed in the background section above is only used to enhance the understanding of the background of the application, and therefore may include information that does not constitute prior art known to those of ordinary skill in the art.
Technical problem
The purpose of this application is to provide an abnormal information processing node analysis solution that, at least to a certain extent, analyzes abnormal information processing node relationships efficiently and accurately.
Technical solutions
According to one aspect of the present application, an abnormal information processing node analysis method is provided, including: when an abnormal node analysis request in an abnormal information processing event is received, classifying all information processing nodes in the abnormal information association processing node library according to the attributes of the abnormal information processing event, to obtain information processing node groups of multiple classes; obtaining the abnormal feature labels of all information processing nodes in the information processing node group, and constructing the node label set of the information processing node group; removing the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold, to obtain the frequent item label set of each information processing node group; obtaining, according to the predetermined class association relationship of the classes of the information processing node groups, the labels that are the same in the frequent item label sets of the information processing node groups corresponding to associated classes, to obtain a same-label subset; associating a group association feature label with the same-label subset according to the association relationship between the associated classes corresponding to that subset, to obtain an association relationship label set, wherein the group association feature label does not belong to the node label set; and inputting the related information of the abnormal information processing event in the abnormal node analysis request and the association relationship label set into the risk node analysis model, to obtain the abnormal information processing node relationship.
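The label-set steps of the method above, together with the selection of risk nodes from the first, second and third risk node sets described earlier on the page, as an added Python example that is not code from the patent. The node data, class association table, risk links, the 0.5 threshold and all function names are constructed for illustration; a label's probability is assumed to be the fraction of a group's nodes that carry it, and the risk node analysis model is not shown because the page does not specify it.

```python
from collections import Counter, defaultdict

# Constructed sample data: node id -> (class, abnormal feature labels).
NODES = {
    "s1": ("storage", {"off_hours_access", "bulk_export", "shared_account"}),
    "s2": ("storage", {"off_hours_access", "bulk_export", "shared_account"}),
    "s3": ("storage", {"off_hours_access", "bulk_export", "stale_patch"}),
    "s4": ("storage", {"off_hours_access", "shared_account"}),
    "t1": ("transfer", {"bulk_export", "off_hours_access", "unknown_peer"}),
    "t2": ("transfer", {"bulk_export", "off_hours_access", "unknown_peer"}),
    "t3": ("transfer", {"bulk_export", "unknown_peer"}),
}
# Assumed predetermined class association: class pair -> group association feature label.
CLASS_ASSOC = {("storage", "transfer"): "group:storage-feeds-transfer"}
# Assumed "risk connections" between nodes, modelled as undirected links.
RISK_LINKS = {frozenset(p) for p in [("s1", "t1"), ("s3", "t2"), ("s4", "t3")]}


def group_by_class(nodes):
    """Classify nodes into per-class groups: class -> {node: labels}."""
    groups = defaultdict(dict)
    for node, (cls, labels) in nodes.items():
        groups[cls][node] = set(labels)
    return dict(groups)


def frequent_labels(group, min_prob):
    """Drop labels whose occurrence probability in the group is below min_prob."""
    counts = Counter(label for labels in group.values() for label in labels)
    return {label for label, c in counts.items() if c / len(group) >= min_prob}


def association_label_sets(groups, class_assoc, min_prob):
    """Return (frequent item label sets, association relationship label sets)."""
    frequent = {cls: frequent_labels(g, min_prob) for cls, g in groups.items()}
    node_labels = set().union(*(l for g in groups.values() for l in g.values()))
    assoc = {}
    for (a, b), group_label in class_assoc.items():
        # The group association feature label must not be a node label.
        if group_label in node_labels:
            raise ValueError(f"{group_label!r} collides with a node label")
        shared = frequent[a] & frequent[b]  # the same-label subset
        if shared:
            assoc[(a, b)] = shared | {group_label}
    return frequent, assoc


def nodes_with(group, labels, min_match=None):
    """Nodes carrying all of `labels`, or at least `min_match` of them."""
    if not labels:
        return set()
    need = len(labels) if min_match is None else min(min_match, len(labels))
    return {n for n, have in group.items() if len(have & labels) >= need}


def risk_nodes(target, groups, frequent, assoc, class_assoc, links, min_match=None):
    """Intersect the first and second sets, keep nodes linked to the third set."""
    first, third = set(), set()
    for pair, label_set in assoc.items():
        if target not in pair or pair[0] == pair[1]:
            continue
        other = pair[0] if pair[1] == target else pair[1]
        # Assumption: nodes are matched on the same-label subset only, since
        # no node can carry the group association feature label.
        shared = label_set - {class_assoc[pair]}
        first |= nodes_with(groups[target], shared, min_match)
        third |= nodes_with(groups[other], shared, min_match)
    second = nodes_with(groups[target], frequent[target], min_match)
    return {n for n in first & second
            if any(frozenset((n, m)) in links for m in third)}


if __name__ == "__main__":
    groups = group_by_class(NODES)
    frequent, assoc = association_label_sets(groups, CLASS_ASSOC, 0.5)
    print(assoc)
    print(risk_nodes("storage", groups, frequent, assoc, CLASS_ASSOC, RISK_LINKS))
```

In the sample data, s3 falls out because it lacks one frequent label of its own group, and s2 falls out because it has no link to a matching node in the associated class.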
According to one aspect of the present application, an abnormal information processing node analysis device is provided, including: a classification module, configured to, when an abnormal node analysis request in an abnormal information processing event is received, classify all information processing nodes in the abnormal information association processing node library according to the attributes of the abnormal information processing event, to obtain information processing node groups of multiple classes; a construction module, configured to obtain the abnormal feature labels of all information processing nodes in the information processing node group and construct the node label set of the information processing node group; a rejection module, configured to remove the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold, to obtain the frequent item label set of each information processing node group; an acquisition module, configured to obtain, according to the predetermined class association relationship of the classes of the information processing node groups, the labels that are the same in the frequent item label sets of the information processing node groups corresponding to associated classes, to obtain a same-label subset; an association module, configured to associate a group association feature label with the same-label subset according to the association relationship between the associated classes corresponding to that subset, to obtain an association relationship label set, wherein the group association feature label does not belong to the node label set; and an analysis module, configured to input the related information of the abnormal information processing event in the abnormal node analysis request and the association relationship label set into the risk node analysis model, to obtain the abnormal information processing node relationship.
According to one aspect of the present application, a computer-readable storage medium is provided, on which an abnormal information processing node analysis program is stored, wherein the abnormal information processing node analysis program, when executed by a processor, implements the following method: when an abnormal node analysis request in an abnormal information processing event is received, classifying all information processing nodes in the abnormal information association processing node library according to the attributes of the abnormal information processing event, to obtain information processing node groups of multiple classes; obtaining the abnormal feature labels of all information processing nodes in the information processing node group, and constructing the node label set of the information processing node group; removing the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold, to obtain the frequent item label set of each information processing node group; obtaining, according to the predetermined class association relationship of the classes of the information processing node groups, the labels that are the same in the frequent item label sets of the information processing node groups corresponding to associated classes, to obtain a same-label subset; associating a group association feature label with the same-label subset according to the association relationship between the associated classes corresponding to that subset, to obtain an association relationship label set, wherein the group association feature label does not belong to the node label set; and inputting the related information of the abnormal information processing event in the abnormal node analysis request and the association relationship label set into the risk node analysis model, to obtain the abnormal information processing node relationship.
According to one aspect of the present application, an electronic device is provided, including: a processor; and a memory for storing an abnormal information processing node analysis program of the processor; wherein the processor is configured to execute the following method by executing the abnormal information processing node analysis program: when an abnormal node analysis request in an abnormal information processing event is received, classifying all information processing nodes in the abnormal information association processing node library according to the attributes of the abnormal information processing event, to obtain information processing node groups of multiple classes; obtaining the abnormal feature labels of all information processing nodes in the information processing node group, and constructing the node label set of the information processing node group; removing the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold, to obtain the frequent item label set of each information processing node group; obtaining, according to the predetermined class association relationship of the classes of the information processing node groups, the labels that are the same in the frequent item label sets of the information processing node groups corresponding to associated classes, to obtain a same-label subset; associating a group association feature label with the same-label subset according to the association relationship between the associated classes corresponding to that subset, to obtain an association relationship label set, wherein the group association feature label does not belong to the node label set; and inputting the related information of the abnormal information processing event in the abnormal node analysis request and the association relationship label set into the risk node analysis model, to obtain the abnormal information processing node relationship.
Beneficial effects
Based on the related information of the abnormal information processing event and the association relationship label set constructed for the nodes, this application can use the risk node analysis model to analyze the abnormal information processing node relationship efficiently and accurately.
It should be understood that the above general description and the following detailed description are only exemplary and explanatory, and do not limit the application.
Description of the drawings
The drawings herein are incorporated into and constitute a part of the specification, show embodiments consistent with the application, and are used together with the specification to explain the principles of the application. Obviously, the drawings described below are only some embodiments of the application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 schematically shows a flowchart of an abnormal information processing node analysis method.
Fig. 2 schematically shows an example application scenario of an abnormal information processing node analysis method.
Fig. 3 schematically shows a flowchart of a method for obtaining an association relationship label set.
Fig. 4 schematically shows a block diagram of an abnormal information processing node analysis apparatus.
Fig. 5 schematically shows an example block diagram of an electronic device for implementing the above abnormal information processing node analysis method.
Fig. 6 schematically shows a computer-readable storage medium for implementing the above abnormal information processing node analysis method.
Embodiments of the present invention
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the example embodiments can be implemented in various forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this application is thorough and complete and fully conveys the concept of the example embodiments to those skilled in the art. The described features, structures or characteristics can be combined in one or more embodiments in any suitable way. In the following description, many specific details are provided to give a full understanding of the embodiments of the present application. However, those skilled in the art will realize that the technical solutions of the present application can be practiced with one or more of these specific details omitted, or with other methods, components, devices, steps, and so on. In other cases, well-known technical solutions are not shown or described in detail, so that they do not distract from or obscure aspects of the present application.
In addition, the drawings are only schematic illustrations of the application and are not necessarily drawn to scale. The same reference numerals in the figures denote the same or similar parts, so their repeated description is omitted. Some of the block diagrams shown in the drawings are functional entities and do not necessarily correspond to physically or logically independent entities. These functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The technical solution of this application can be applied in the fields of artificial intelligence, smart cities, blockchain and/or big data to realize intelligent information recommendation. Optionally, the data involved in this application, such as labels and/or abnormal information processing node relationships, can be stored in a database or in a blockchain, for example through blockchain distributed storage; this application does not limit this.
This example embodiment first provides an abnormal information processing node analysis method. The method can run on a server, a server cluster, a cloud server, and so on; those skilled in the art can also run the method of this application on other platforms as required, which is not specially limited in this exemplary embodiment. Referring to FIG. 1, the abnormal information processing node analysis method may include the following steps.
Step S110: when an abnormal node analysis request for an abnormal information processing event is received, classify all information processing nodes in the abnormal information association processing node library according to the attributes of the abnormal information processing event, to obtain information processing node groups of multiple categories.
Step S120: acquire the abnormal feature labels of all information processing nodes in the information processing node group, and construct the node label set of the information processing node group.
Step S130: remove, from the node label set of each information processing node group, the labels whose probability of occurrence is lower than a predetermined threshold, to obtain the frequent item label set of each information processing node group.
Step S140: according to the predetermined class association relationship of the categories of the information processing node groups, acquire the same labels in the frequent item label sets of the information processing node groups corresponding to the associated classes, to obtain a same-label subset.
Step S150: according to the association relationship between the associated classes corresponding to the same-label subset, associate group association feature labels with the same-label subset to obtain an association relationship label set, wherein the group association feature labels do not belong to the node label set.
Step S160: input the related information of the abnormal information processing event in the abnormal node analysis request and the association relationship label set into the risk node analysis model to obtain the abnormal information processing node relationship.
In the above abnormal information processing node analysis method, first, when an abnormal node analysis request for an abnormal information processing event is received, all information processing nodes in the abnormal information association processing node library are classified according to the attributes of the abnormal information processing event to obtain information processing node groups of multiple categories; this classifies the nodes according to their attributes in the abnormal information processing event. Then, the abnormal feature labels of all information processing nodes in each information processing node group are acquired and the node label set of the group is constructed; this yields node label sets describing the abnormal features of the different categories of information processing node groups. Then, the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold are removed to obtain the frequent item label set of each group; this yields, for each category of information processing node group, a label set of high-probability abnormal features. Then, according to the predetermined class association relationship of the categories of the information processing node groups, the same labels in the frequent item label sets of the groups corresponding to the associated classes are acquired to obtain the same-label subset; that is, based on the association relationships between information processing node groups, the labels shared by all of the associated groups are obtained. Then, according to the association relationship between the associated classes corresponding to the same-label subset, group association feature labels are associated with the same-label subset to obtain the association relationship label set, where the group association feature labels do not belong to the node label set; supplementing the same-label subset with group association feature labels according to the association relationship yields an association relationship label set with multiple strongly associated features. Finally, the related information of the abnormal information processing event in the abnormal node analysis request and the association relationship label set are input into the risk node analysis model to obtain the abnormal information processing node relationship. In this way, with the related information of the abnormal information processing event constrained by the association relationship label set of strongly associated features, the relationship between abnormal information processing nodes in the event is analyzed efficiently and accurately based on the risk node analysis model.
Each step of the above abnormal information processing node analysis method in this example embodiment is explained and described in detail below with reference to the drawings.
In step S110, when an abnormal node analysis request for an abnormal information processing event is received, all information processing nodes in the abnormal information association processing node library are classified according to the attributes of the abnormal information processing event, to obtain information processing node groups of multiple categories.
In this example embodiment, referring to FIG. 2, when the server 201 receives from the server 202 an abnormal node analysis request for an abnormal information processing event, it classifies all information processing nodes in the abnormal information association processing node library on the server 201 according to the attributes of the abnormal information processing event, obtaining information processing node groups of multiple categories. In subsequent steps, the server 201 can then analyze the abnormal information processing node relationship from these node groups. It can be understood that the server 201 and the server 202 may be any devices with processing capabilities, such as computers or microprocessors, which is not specially limited here.
The abnormal information association processing node library stores the work records of all information processing nodes at the time abnormal information processing events occurred; for example, a relational database stores each node identifier in association with the related information of each corresponding information processing event. Abnormal information processing events include, for example, information leakage events and information processing error events.
An information processing node is, for example, an information storage node of an enterprise, or any node that has a task association with that enterprise's information storage node; it can be any node with an information processing function, such as a server, an application, or a computer. The attributes of an abnormal information processing event are the attributes of the nodes associated with the event, which differ between abnormal events. For example, in a leakage event, nodes are classified by attribute (preliminary attribute classification) into first-level management nodes, second-level management nodes, information conversion nodes, information sending nodes, information receiving nodes, and so on; in an information fusion error event, nodes are classified by attribute into information acquisition nodes, information processing nodes, information storage nodes, information management nodes, and so on. Corresponding node attributes can be set for each kind of event, so that the nodes involved in each event are classified accurately.
In step S120, the abnormal feature labels of all information processing nodes in the information processing node group are acquired, and the node label set of the information processing node group is constructed.
In this example embodiment, by crawling the keywords (abnormal feature labels) in the related information of each node, it is possible to determine whether a given feature label appears in the related information recorded when the node processed information, and how many times it appears. The abnormal feature labels can be all keyword features relevant to analyzing abnormal nodes, for example, information management authority (class A information), node joint time (1 year-2 years), and so on.
To construct the node label set of an information processing node group, for example, first determine the node category: second-level management node. Then quantify and break down the feature labels: information management authority (class A information) is quantified as 1, information management authority (class B information) as 2, enterprise internal node as 3, external enterprise node as 4, node joint time (1 year-2 years) as 5, and so on, giving the quantified feature set {1…25}. A node label set is then built for the second-level management nodes in all past abnormal information processing events, for example: node A: {1,4,6,8,13,15,17,18,20}, node B: {2,5,7,9,11,12,17,19,21}, node C: {1,3,6,8,10,13,16}. In this way, node label sets describing the abnormal features of the different categories of information processing node groups can be constructed.
In step S130, the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold are removed, to obtain the frequent item label set of each information processing node group.
In this example embodiment, removing the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold discards the rarely occurring labels and preserves the precision of the labels for abnormal event analysis. For example, the frequency of each item in the node label set can be scanned and counted: {1}65; {2}35; {3}10; {4}30; {5}60; {6}90; {7}10, and so on; removing the items whose probability of occurrence is lower than 50% then gives: {1}65; {5}60; {6}90, and so on. In this way, a frequent item label set that characterizes abnormal features with high precision is obtained for each information processing node group.
In one implementation of this example, removing the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold, to obtain the frequent item label set of each information processing node group, includes: removing the labels whose probability of occurrence in the node label set of the information processing node group is lower than the predetermined threshold, to obtain a second node label set; calculating the probability of occurrence of each label in the second node label set and then removing the labels below the predetermined threshold, to obtain a third node label set; and, when the probability of occurrence of every label in the third node label set is higher than the predetermined threshold, taking it as the frequent item label set of the information processing node group.
For example, removing the items whose probability of occurrence is lower than 50%, as above, gives the second node label set: {1}65; {5}60; {6}90, and so on. Then, for each label in the second node label set, its probability of occurrence in the second label set is calculated, and the items whose probability of occurrence is lower than 50% are again removed, giving the third node label set. The probability of occurrence of each label in the third label set is then calculated; when no label in the third label set has a probability of occurrence lower than 50%, the frequent item label set of the information processing node group is obtained. It can be understood that if the third label set still contains labels below 50%, removal continues until the frequent item label set is obtained.
In step S140, according to the predetermined class association relationship of the categories of the information processing node groups, the same labels in the frequent item label sets of the information processing node groups corresponding to the associated classes are acquired, to obtain the same-label subset.
In this example embodiment, the predetermined class association relationship is the joint relationship, within an information processing event, between information processing nodes of different information processing node groups; for example, an information processing event is usually completed by information processing nodes from two or more node groups cooperating with each other. When information processing nodes belonging to different node groups cooperate to complete a risk event, the cooperating nodes share the same core node features. For example, stealing a certain type of information requires passing from a first-level management node to a second-level management node and then to an information sending node, and all of these nodes need to have information management authority (class A information), be enterprise internal nodes, have a node management time of 3-5 years, and so on.
Thus, by acquiring the same labels in the frequent item label sets of the information processing node groups corresponding to the associated classes, the core node feature labels of those node groups can be determined. Obtaining these core labels from the association relationships between risk information processing node groups reduces the number of labels while preserving the accuracy of the analysis.
In step S150, according to the association relationship between the associated classes corresponding to the same-label subset, group association feature labels are associated with the same-label subset to obtain the association relationship label set, wherein the group association feature labels do not belong to the node label set.
As an example of the association relationship between the associated classes corresponding to the same-label subset: if the associated classes corresponding to the same-label subset include first-level management nodes, second-level management nodes, and information fusion nodes, the association relationship is first-level management node - second-level management node - information fusion node.
A group association feature label is a joint label between information processing nodes of different information processing node groups; it is a joint-relationship feature label indicating how the information processing nodes cooperate to complete a risk event, for example: controlling a lower-level node, being controlled by an upper-level node, mutual cooperation, being attacked (for example, between two nodes, information is leaked only if one of them is attacked), and so on. The association feature labels can be looked up in the information processing node related information recorded in the information association processing node library. By associating group feature labels with the same-label subset, which corresponds to the core information processing node labels, a relatively complete association relationship label set for the occurrence of abnormal information processing events can be described accurately, ensuring the accuracy and reliability of the abnormal information processing node analysis.
In one implementation of this example, associating group association feature labels with the same-label subset according to the association relationship between the associated classes corresponding to the same-label subset, to obtain the association relationship label set, includes, referring to FIG. 3: step S310, acquiring the association relationship label templates corresponding to the association relationship between the associated classes corresponding to the same-label subset, where an association relationship label template includes group association feature labels and feature labels of information processing nodes; step S320, searching the association relationship label template library for association relationship label templates that include feature labels consistent with the same-label subset, to obtain the matching association relationship label templates; and step S330, obtaining the association relationship label set based on the matching association relationship label templates.
An association relationship label template is preset for each kind of association relationship. A template can include group association feature labels and feature labels of information processing nodes; that is, it includes the feature labels of multiple information processing nodes together with the typical group association feature labels that correspond to the joint-relationship features with which the nodes characterized by those feature labels cooperate to complete a risk event. The association relationship label template library can then be searched for templates that include feature labels consistent with the same-label subset, giving the matching association relationship label templates; based on the matching templates, a relatively complete association relationship label set for the occurrence of abnormal information processing events is obtained.
In one implementation of this example, obtaining the association relationship label set based on the matching association relationship label templates includes: from the matching association relationship label templates, taking the templates whose number of labels exceeds a predetermined threshold as the association relationship label set.
There can be multiple matching association relationship label templates. The templates whose number of labels exceeds a predetermined threshold are taken, for example templates containing at least 50 labels, as the association relationship label set; this association relationship label set includes both the same-label subset and the group association feature labels.
In one implementation of this example, obtaining the association relationship label set based on the matching association relationship label templates includes: from the matching association relationship label templates, taking the template that contains the fewest labels as the association relationship label set.
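Steps S130 to S150 can be followed end to end in the Python sketch below, which is an added example and not code from the patent. The second-level management node sets A, B and C are the ones given in the text; the other two groups, the template library, the class names and the group-label strings are constructed for illustration, and "probability of occurrence" is assumed to mean the share of a group's nodes that carry a label.

```python
from collections import Counter

def frequent_labels(node_labels, threshold=0.5):
    """S130: repeatedly drop labels whose support in the group is below threshold.

    Assumption: support = share of the group's nodes that carry the label.
    Pruning repeats until a pass removes nothing, as the text describes.
    """
    current = {node: set(labels) for node, labels in node_labels.items()}
    while True:
        counts = Counter(l for labels in current.values() for l in labels)
        keep = {l for l, c in counts.items() if c / len(current) >= threshold}
        if all(labels <= keep for labels in current.values()):
            return keep
        current = {node: labels & keep for node, labels in current.items()}

def same_label_subset(frequent_by_class, associated_classes):
    """S140: labels present in the frequent set of every associated class."""
    sets = [frequent_by_class[c] for c in associated_classes]
    return set.intersection(*sets) if sets else set()

def match_templates(library, associated_classes, subset):
    """S310-S320: templates for this relation whose feature labels contain the
    whole same-label subset (assumed reading of 'consistent with')."""
    relation = tuple(associated_classes)
    if not subset:                      # nothing shared, so nothing to match on
        return []
    return [t for t in library
            if t["relation"] == relation and subset <= t["feature_labels"]]

def template_size(template):
    return len(template["feature_labels"]) + len(template["group_labels"])

def select_templates(matches, min_labels=None):
    """S330: either every template with more than min_labels labels,
    or (min_labels=None) the single template with the fewest labels."""
    if min_labels is not None:
        return [t for t in matches if template_size(t) > min_labels]
    return [min(matches, key=template_size)] if matches else []

def association_label_set(template, node_label_universe):
    """Feature labels plus group labels; group labels must lie outside the
    node label set, which is the constraint stated in step S150."""
    overlap = template["group_labels"] & node_label_universe
    if overlap:
        raise ValueError(f"group labels also used as node labels: {overlap}")
    return template["feature_labels"] | template["group_labels"]

NODE_LABELS = set(range(1, 26))         # quantified feature set {1...25}
GROUPS = {
    "second_level_mgmt": {              # nodes A, B, C from the text
        "A": {1, 4, 6, 8, 13, 15, 17, 18, 20},
        "B": {2, 5, 7, 9, 11, 12, 17, 19, 21},
        "C": {1, 3, 6, 8, 10, 13, 16},
    },
    "first_level_mgmt": {               # constructed sample data
        "P1": {1, 3, 6, 13, 22}, "P2": {1, 6, 13, 17, 23}, "P3": {6, 13, 17, 24},
    },
    "info_sending": {                   # constructed sample data
        "S1": {1, 6, 9, 13}, "S2": {1, 6, 13, 25}, "S3": {6, 13, 17},
    },
}
CHAIN = ("first_level_mgmt", "second_level_mgmt", "info_sending")
TEMPLATES = [                           # constructed template library
    {"relation": CHAIN, "feature_labels": {1, 6, 13},
     "group_labels": {"controls_subordinate", "controlled_by_superior"}},
    {"relation": CHAIN, "feature_labels": {1, 6, 13, 17},
     "group_labels": {"mutual_cooperation", "attacked", "controls_subordinate"}},
    {"relation": CHAIN, "feature_labels": {1, 6},
     "group_labels": {"mutual_cooperation"}},
    {"relation": ("first_level_mgmt", "info_sending"), "feature_labels": {1, 6, 13},
     "group_labels": {"attacked"}},
]

def build_association_label_set(min_labels=None):
    frequent = {cls: frequent_labels(nodes) for cls, nodes in GROUPS.items()}
    subset = same_label_subset(frequent, CHAIN)
    chosen = select_templates(match_templates(TEMPLATES, CHAIN, subset), min_labels)
    return [association_label_set(t, NODE_LABELS) for t in chosen]

if __name__ == "__main__":
    print(build_association_label_set())
```

The resulting sets are what step S160 would pass to the risk node analysis model together with the event's related information.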
In step S160, the related information of the abnormal information processing event in the abnormal node analysis request and the association relationship label set are input into the risk node analysis model to obtain the abnormal information processing node relationship.
The association relationship label set describes, simply and accurately, the relatively complete association relationships between node information under which historical abnormal information processing events occurred. The related information of the abnormal information processing event may include: information on the suspect nodes of the event, for example information on all nodes that may have taken part in the event; and content related to the information in the event, for example the enterprise nodes that the information may involve. The abnormal information processing node relationship is the predicted joint relationship between multiple risky nodes in the abnormal information processing event, for example a first-level management node cooperating with an external node to attack a second-level management node among the internal management nodes. An association relationship label set corresponds to each category of information processing nodes, so at least one association relationship label set is input into the risk node analysis model.
With the pre-trained risk node analysis model, the abnormal information processing node relationship of an abnormal event can be predicted quickly and accurately from the abnormal information processing event, under the constraint of the corresponding association relationship label set.
In one implementation of this example, the training method of the risk node analysis model may include: collecting a sample set of abnormal information processing event information, where each abnormal information processing event information sample includes an association relationship label set and the abnormal information processing node relationship corresponding to that association relationship label set; inputting the association relationship label set of each sample in the sample set into the risk node analysis model to obtain the predicted abnormal information processing node relationship corresponding to each sample; if, for some sample, the predicted abnormal information processing node relationship obtained after input into the risk node analysis model is inconsistent with the abnormal information processing node relationship calibrated in advance for the sample, adjusting the coefficients of the business risk node analysis model until they are consistent; and, when the similarity between the predicted abnormal information processing node relationship obtained for every sample after input into the risk node analysis model and the abnormal information processing node relationship calibrated in advance for the sample is greater than a predetermined threshold, ending the training.
In one implementation of this example, after the step of associating a group association feature label with the same-label subset according to the association relationship between the associated classes corresponding to the same-label subset to obtain the association relationship label set, where the group association feature label does not belong to the node label set, the method further includes: determining the risk information processing nodes of a target risk information processing node group according to the association relationship label set and the frequent item label set corresponding to the target risk information processing node group.
The target risk information processing node group is the node group, or groups, that the user wants to analyze among the multiple categories of information processing node groups obtained by classifying according to the attributes of the abnormal information processing event. After processing, every information processing node group has a corresponding association relationship label set and frequent item label set. The association relationship label set and the frequent item label set of the target risk information processing node group can therefore be used to identify the risk information processing nodes in the target group that carry the risk of the abnormal information processing event.
In one implementation of this example, determining the risk information processing nodes of the target risk information processing node group according to the association relationship label set and the frequent item label set corresponding to the target risk information processing node group includes: determining a first risk information processing node set in the target risk information processing node group according to the association relationship label set corresponding to the target risk information processing node group; determining a second risk information processing node set of the target risk information processing node group according to the frequent item label set corresponding to the target risk information processing node group; obtaining, according to the association relationship label set corresponding to the target risk information processing node group, a third risk information processing node set from the risk information processing node groups of the classes associated with the class of the target risk information processing node group; and taking, as the risk information processing nodes of the target risk information processing node group, the nodes in the intersection of the first risk information processing node set and the second risk information processing node set that have a risk connection with a risk information processing node in the third risk information processing node set.
According to the association relationship label set, the information processing nodes in the target risk information processing node group that have all, or a predetermined number, of the labels in the association relationship label set can be determined, giving the first risk information processing node set; in this way the association relationship label set identifies a first set of nodes suspected of having the complete abnormal information processing features. Then, according to the frequent item label set corresponding to the target risk information processing node group, the information processing nodes in the target risk information processing node group that have all, or a predetermined number, of the labels in the frequent item label set can be determined, giving the second risk information processing node set; in this way the frequent item label set identifies a second set of nodes with strong abnormal information processing features. The intersection of the first risk information processing node set and the second risk information processing node set then identifies the information processing nodes suspected of having both strong features and the complete abnormal information processing features.
Using the association relationship label set corresponding to the target risk information processing node group, the third risk information processing node set is obtained from the risk information processing node groups of the classes associated with the class of the target risk information processing node group (that is, the risk information processing node groups that have a predetermined class association relationship with the target information processing node group). This yields the nodes in those other groups that are likewise suspected of having the complete abnormal information processing features characterized by the association relationship label set of the target risk information processing node group. Then, by taking the nodes in the intersection of the first risk information processing node set and the second risk information processing node set that have a risk connection with a risk information processing node in the third risk information processing node set, that is, by looking for the nodes that interact with each other in the abnormal information processing event, the risk information processing nodes of the target risk information processing node group can be determined.
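The selection of the first, second and third risk information processing node sets described above, as an added Python example that is not part of the patent text. The node ids, labels, the `min_labels` parameters and the modelling of a "risk connection" as a pair of nodes that interacted in the event are assumptions made for illustration.

```python
"""Added illustration: first/second/third risk node sets and their combination.

All node ids, labels and interactions below are constructed sample data.
"""
from typing import Dict, Iterable, Optional, Set, Tuple

Group = Dict[str, Set[str]]  # node id -> abnormal feature labels of that node


def nodes_matching(group: Group, label_set: Set[str],
                   min_labels: Optional[int] = None) -> Set[str]:
    """Nodes holding all labels of label_set, or at least min_labels of them."""
    need = len(label_set) if min_labels is None else min_labels
    return {node for node, labels in group.items()
            if len(labels & label_set) >= need}


def select_risk_nodes(target: Group,
                      associated_groups: Iterable[Group],
                      assoc_labels: Set[str],
                      frequent_labels: Set[str],
                      interactions: Iterable[Tuple[str, str]],
                      min_assoc: Optional[int] = None,
                      min_freq: Optional[int] = None) -> Dict[str, Set[str]]:
    # First set: target-group nodes matching the association relationship labels.
    first = nodes_matching(target, assoc_labels, min_assoc)
    # Second set: target-group nodes matching the frequent item labels.
    second = nodes_matching(target, frequent_labels, min_freq)
    # Third set: nodes of the class-associated groups matching the same
    # association relationship labels as the target group.
    third: Set[str] = set()
    for group in associated_groups:
        third |= nodes_matching(group, assoc_labels, min_assoc)
    # Nodes that interacted with any third-set node (assumed meaning of
    # "risk connection"); interactions are treated as undirected.
    linked: Set[str] = set()
    for a, b in interactions:
        if b in third:
            linked.add(a)
        if a in third:
            linked.add(b)
    return {"first": first, "second": second, "third": third,
            "risk": first & second & linked}


def demo() -> Dict[str, Set[str]]:
    # Constructed target group: internal management nodes.
    target = {
        "mgr-1": {"off_hours_access", "bulk_export", "config_change"},
        "mgr-2": {"off_hours_access", "bulk_export"},
        "mgr-3": {"bulk_export"},
        "mgr-4": {"off_hours_access", "bulk_export", "config_change"},
    }
    # Constructed class-associated group: external nodes.
    external = {
        "ext-1": {"off_hours_access", "bulk_export", "new_endpoint"},
        "ext-2": {"new_endpoint"},
    }
    # Same-label subset plus one group association feature label, which by
    # definition is not a node label, so a predetermined count of 2 is used.
    assoc_labels = {"off_hours_access", "bulk_export", "GROUP:internal-external"}
    frequent_labels = {"off_hours_access", "bulk_export", "config_change"}
    interactions = [("mgr-1", "ext-1"), ("mgr-2", "ext-1"),
                    ("mgr-4", "ext-2"), ("mgr-3", "mgr-1")]
    return select_risk_nodes(target, [external], assoc_labels,
                             frequent_labels, interactions, min_assoc=2)


if __name__ == "__main__":
    for name, members in demo().items():
        print(name, sorted(members))
```

Here `mgr-4` is in both the first and second sets but only interacted with `ext-2`, which is not in the third set, so it is not reported; `mgr-2` interacted with `ext-1` but lacks the full frequent item labels.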
The present application also provides an abnormal information processing node analysis apparatus. Referring to FIG. 4, the abnormal information processing node analysis apparatus may include a classification module 410, a construction module 420, a removal module 430, an acquisition module 440, an association module 450 and an analysis module 460.
The classification module 410 is configured to, when an abnormal node analysis request for an abnormal information processing event is received, classify all information processing nodes in the abnormal information associated processing node library according to the attributes of the abnormal information processing event, to obtain multiple categories of information processing node groups.
The construction module 420 is configured to obtain the abnormal feature labels of all information processing nodes in the information processing node group and construct the node label set of the information processing node group.
The removal module 430 is configured to remove the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold, to obtain the frequent item label set of each information processing node group.
The acquisition module 440 is configured to obtain, according to the predetermined class association relationship of the categories of the information processing node groups, the labels that are the same in the frequent item label sets of the information processing node groups corresponding to the associated classes, to obtain a same-label subset.
The association module 450 is configured to associate a group association feature label with the same-label subset according to the association relationship between the associated classes corresponding to the same-label subset, to obtain an association relationship label set, where the group association feature label does not belong to the node label set.
The analysis module 460 is configured to input the information related to the abnormal information processing event in the abnormal node analysis request, together with the association relationship label set, into the risk node analysis model to obtain the abnormal information processing node relationship.
The specific details of each module in the above abnormal information processing node analysis apparatus have been described in detail in the corresponding abnormal information processing node analysis method, and are therefore not repeated here.
It should be noted that although several modules or units of the device for performing actions are mentioned in the detailed description above, this division is not mandatory. In fact, according to the embodiments of the present application, the features and functions of two or more of the modules or units described above may be embodied in a single module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by multiple modules or units.
In addition, although the steps of the method in the present application are described in a specific order in the drawings, this does not require or imply that the steps must be performed in that order, or that all of the steps shown must be performed to achieve the desired result. Additionally or alternatively, some steps may be omitted, multiple steps may be combined into one step, and/or one step may be split into multiple steps.
From the description of the above embodiments, those skilled in the art will readily understand that the example embodiments described here may be implemented in software, or in software combined with the necessary hardware. The technical solution according to the embodiments of the present application may therefore be embodied in the form of a software product, which may be stored on a non-volatile storage medium (such as a CD-ROM, a USB flash drive or a removable hard disk) or on a network, and which includes a number of instructions that cause a computing device (such as a personal computer, a server, a mobile terminal or a network device) to execute the method according to the embodiments of the present application.
In an exemplary embodiment of the present application, an electronic device capable of implementing the above method is also provided. The electronic device may include a processor and a memory. The memory is used to store a program, such as an abnormal information processing node analysis program; the processor is configured to perform some or all of the steps of the above method by executing the abnormal information processing node analysis program. Optionally, the memory may also be called a storage unit, and the processor may also be called a processing unit.
Those skilled in the art will understand that the various aspects of the present application may be implemented as a system, a method or a program product. Accordingly, the various aspects of the present application may take the form of an entirely hardware implementation, an entirely software implementation (including firmware, microcode and the like), or an implementation combining hardware and software aspects, which may be referred to collectively here as a "circuit", "module" or "system".
For example, an electronic device 500 according to this embodiment of the present application is described below with reference to FIG. 5. The electronic device 500 shown in FIG. 5 is only an example and should not impose any limitation on the functions or scope of use of the embodiments of the present application.
As shown in FIG. 5, the electronic device 500 takes the form of a general-purpose computing device. The components of the electronic device 500 may include, but are not limited to: the at least one processing unit 510, the at least one storage unit 520, and a bus 530 connecting the different system components (including the storage unit 520 and the processing unit 510).
The storage unit stores program code that can be executed by the processing unit 510, so that the processing unit 510 performs the steps according to the various exemplary embodiments of the present application described in the "Exemplary Method" section of this specification. For example, the processing unit 510 may perform the steps shown in FIG. 1.
For example, the processor or processing unit is configured to perform the following method by executing the program: when an abnormal node analysis request for an abnormal information processing event is received, classifying all information processing nodes in the abnormal information associated processing node library according to the attributes of the abnormal information processing event, to obtain multiple categories of information processing node groups; obtaining the abnormal feature labels of all information processing nodes in the information processing node group, and constructing the node label set of the information processing node group; removing the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold, to obtain the frequent item label set of each information processing node group; obtaining, according to the predetermined class association relationship of the categories of the information processing node groups, the labels that are the same in the frequent item label sets of the information processing node groups corresponding to the associated classes, to obtain a same-label subset; associating a group association feature label with the same-label subset according to the association relationship between the associated classes corresponding to the same-label subset, to obtain an association relationship label set, where the group association feature label does not belong to the node label set; and inputting the information related to the abnormal information processing event in the abnormal node analysis request, together with the association relationship label set, into the risk node analysis model to obtain the abnormal information processing node relationship. Optionally, the processor or processing unit may also perform the other steps of the method in the above embodiments, which are not repeated here.
The storage unit 520 may include readable media in the form of volatile storage units, such as a random access memory (RAM) unit 5201 and/or a cache storage unit 5202, and may further include a read-only memory (ROM) unit 5203.
The storage unit 520 may also include a program/utility 5204 having a set of (at least one) program modules 5205. Such program modules 5205 include, but are not limited to: an operating system, one or more application programs, other program modules and program data; each of these examples, or some combination of them, may include an implementation of a network environment.
The bus 530 may represent one or more of several types of bus structure, including a storage unit bus or storage unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus structures.
The electronic device 500 may also communicate with one or more external devices 700 (such as a keyboard, a pointing device or a Bluetooth device), with one or more devices that enable a client to interact with the electronic device 500, and/or with any device (such as a router or a modem) that enables the electronic device 500 to communicate with one or more other computing devices. Such communication may take place through an input/output (I/O) interface 550. The electronic device 500 may also communicate with one or more networks (for example a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 560. As shown in the figure, the network adapter 560 communicates with the other modules of the electronic device 500 through the bus 530. It should be understood that, although not shown in the figure, other hardware and/or software modules may be used in conjunction with the electronic device 500, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives and data backup storage systems.
From the description of the above embodiments, those skilled in the art will readily understand that the example embodiments described here may be implemented in software, or in software combined with the necessary hardware. The technical solution according to the embodiments of the present application may therefore be embodied in the form of a software product, which may be stored on a non-volatile storage medium (such as a CD-ROM, a USB flash drive or a removable hard disk) or on a network, and which includes a number of instructions that cause a computing device (such as a personal computer, a server, a terminal apparatus or a network device) to execute the method according to the embodiments of the present application.
In an exemplary embodiment of the present application, a computer-readable storage medium is also provided, on which is stored a program product (such as an abnormal information processing node analysis program) capable of implementing the method described above in this specification. In some possible implementations, the various aspects of the present application may also be implemented in the form of a program product that includes program code; when the program product runs on a terminal device, the program code causes the terminal device to perform the steps according to the various exemplary embodiments of the present application described in the "Exemplary Method" section of this specification. For example, when executed, the program code may implement the following method: when an abnormal node analysis request for an abnormal information processing event is received, classifying all information processing nodes in the abnormal information associated processing node library according to the attributes of the abnormal information processing event, to obtain multiple categories of information processing node groups; obtaining the abnormal feature labels of all information processing nodes in the information processing node group, and constructing the node label set of the information processing node group; removing the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold, to obtain the frequent item label set of each information processing node group; obtaining, according to the predetermined class association relationship of the categories of the information processing node groups, the labels that are the same in the frequent item label sets of the information processing node groups corresponding to the associated classes, to obtain a same-label subset; associating a group association feature label with the same-label subset according to the association relationship between the associated classes corresponding to the same-label subset, to obtain an association relationship label set, where the group association feature label does not belong to the node label set; and inputting the information related to the abnormal information processing event in the abnormal node analysis request, together with the association relationship label set, into the risk node analysis model to obtain the abnormal information processing node relationship.
Optionally, when executed, the program code may also implement the other steps of the method in the above embodiments, which are not repeated here. Further optionally, the storage medium involved in this application, such as the computer-readable storage medium, may be non-volatile or volatile.
Referring to FIG. 6, a program product 600 for implementing the above method according to an embodiment of the present application is described. It may take the form of a portable compact disc read-only memory (CD-ROM) containing program code, and may run on a terminal device such as a personal computer. However, the program product of the present application is not limited to this. In this document, a readable storage medium may be any tangible medium that contains or stores a program that can be used by, or in combination with, an instruction execution system, apparatus or device.
The program product may use any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example but without limitation, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of these. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection with one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of these.
A computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of these. A readable signal medium may also be any readable medium other than a readable storage medium that can send, propagate or transmit a program for use by, or in combination with, an instruction execution system, apparatus or device.
The program code contained on a readable medium may be transmitted over any suitable medium, including but not limited to wireless, wired, optical cable, RF and so on, or any suitable combination of these.
The program code for performing the operations of the present application may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, and conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the client computing device, partly on the client device, as a stand-alone software package, partly on the client computing device and partly on a remote computing device, or entirely on a remote computing device or server. Where a remote computing device is involved, the remote computing device may be connected to the client computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example through the Internet using an Internet service provider).
In addition, the above drawings are only schematic illustrations of the processing included in the method according to the exemplary embodiments of the present application, and are not intended to be limiting. It will be readily understood that the processing shown in the drawings does not indicate or limit the chronological order of these processes. It will also be readily understood that these processes may be executed, for example, synchronously or asynchronously in multiple modules.
Other embodiments of the present application will readily occur to those skilled in the art after considering the specification and practicing the invention disclosed here. The present application is intended to cover any variations, uses or adaptations of the present application that follow its general principles and include common knowledge or customary technical means in the art that are not disclosed in the present application. The specification and the embodiments are to be regarded as exemplary only; the true scope and spirit of the present application are indicated by the claims.

Claims (20)

  1. An abnormal information processing node analysis method, comprising:
    when an abnormal node analysis request for an abnormal information processing event is received, classifying all information processing nodes in the abnormal information associated processing node library according to the attributes of the abnormal information processing event, to obtain multiple categories of information processing node groups;
    obtaining the abnormal feature labels of all information processing nodes in the information processing node group, and constructing the node label set of the information processing node group;
    removing the labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold, to obtain the frequent item label set of each information processing node group;
    obtaining, according to the predetermined class association relationship of the categories of the information processing node groups, the labels that are the same in the frequent item label sets of the information processing node groups corresponding to the associated classes, to obtain a same-label subset;
    associating a group association feature label with the same-label subset according to the association relationship between the associated classes corresponding to the same-label subset, to obtain an association relationship label set, wherein the group association feature label does not belong to the node label set;
    inputting the information related to the abnormal information processing event in the abnormal node analysis request, together with the association relationship label set, into the risk node analysis model to obtain the abnormal information processing node relationship.
  2. The method according to claim 1, wherein the removing of labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold, to obtain a frequent item label set of each information processing node group, comprises:
    removing, from the node label set of the information processing node group, labels whose probability of occurrence is lower than the predetermined threshold, to obtain a second node label set;
    after calculating the probability of occurrence of each label in the second node label set, removing the labels below the predetermined threshold to obtain a third node label set, and, when the probability of occurrence of every label in the third node label set is higher than the predetermined threshold, obtaining the frequent item label set of the information processing node group.
  3. The method according to claim 1, wherein the associating, according to the association relationship between the associated classes corresponding to the same label subset, of a group association feature label with the same label subset, to obtain an association relationship label set, comprises:
    acquiring the association relationship label templates corresponding to the association relationship between the associated classes corresponding to the same label subset, the association relationship label templates including group association feature labels and feature labels of information processing nodes;
    searching the association relationship label template library for association relationship label templates that include feature labels consistent with the same label subset, to obtain matched association relationship label templates;
    obtaining the association relationship label set based on the matched association relationship label templates.
  4. The method according to claim 3, wherein the obtaining of the association relationship label set based on the matched association relationship label templates comprises:
    obtaining, from the matched association relationship label templates, the association relationship label templates whose number of labels exceeds a predetermined threshold, as the association relationship label set.
  5. The method according to claim 3, wherein the obtaining of the association relationship label set based on the matched association relationship label templates comprises:
    obtaining, from the matched association relationship label templates, the association relationship label template containing the fewest labels, as the association relationship label set.
  6. The method according to claim 1, wherein, after the associating, according to the association relationship between the associated classes corresponding to the same label subset, of a group association feature label with the same label subset, to obtain an association relationship label set, wherein the group association feature label does not belong to the node label set, the method further comprises:
    determining the risk information processing nodes of a target risk information processing node group according to the association relationship label set corresponding to the target risk information processing node group and the frequent item label set.
  7. The method according to claim 6, wherein the determining of the risk information processing nodes of the target risk information processing node group according to the association relationship label set corresponding to the target risk information processing node group and the frequent item label set comprises:
    determining a first risk information processing node set in the target risk information processing node group according to the association relationship label set corresponding to the target risk information processing node group;
    determining a second risk information processing node set of the target risk information processing node group according to the frequent item label set corresponding to the target risk information processing node group;
    acquiring, according to the association relationship label set corresponding to the target risk information processing node group, a third risk information processing node set of the risk information processing node group corresponding to the class associated with the class of the target risk information processing node group;
    acquiring, from the intersection of the first risk information processing node set and the second risk information processing node set, the risk information processing nodes that have a risk connection with risk information processing nodes in the third risk information processing node set, as the risk information processing nodes of the target risk information processing node group.
  8. An abnormal information processing node analysis apparatus, comprising:
    a classification module, configured to, when an abnormal node analysis request for an abnormal information processing event is received, classify all information processing nodes in the abnormal-information associated processing node library according to the attributes of the abnormal information processing event, to obtain information processing node groups of multiple categories;
    a construction module, configured to acquire the abnormal feature labels of all information processing nodes in the information processing node group, and construct a node label set of the information processing node group;
    a removing module, configured to remove, from the node label set of each information processing node group, labels whose probability of occurrence is lower than a predetermined threshold, to obtain a frequent item label set of each information processing node group;
    an obtaining module, configured to acquire, according to a predetermined class association relationship of the categories of the information processing node groups, the labels that are the same in the frequent item label sets of the information processing node groups corresponding to associated classes, to obtain a same label subset;
    an associating module, configured to associate, according to the association relationship between the associated classes corresponding to the same label subset, a group association feature label with the same label subset, to obtain an association relationship label set, wherein the group association feature label does not belong to the node label set;
    an analysis module, configured to input the relevant information of the abnormal information processing event in the abnormal node analysis request and the association relationship label set into a risk node analysis model, to obtain an abnormal information processing node relationship.
  9. A computer-readable storage medium having an abnormal information processing node analysis program stored thereon, wherein the abnormal information processing node analysis program, when executed by a processor, implements the following method:
    when an abnormal node analysis request for an abnormal information processing event is received, classifying all information processing nodes in the abnormal-information associated processing node library according to the attributes of the abnormal information processing event, to obtain information processing node groups of multiple categories;
    acquiring the abnormal feature labels of all information processing nodes in the information processing node group, and constructing a node label set of the information processing node group;
    removing, from the node label set of each information processing node group, labels whose probability of occurrence is lower than a predetermined threshold, to obtain a frequent item label set of each information processing node group;
    acquiring, according to a predetermined class association relationship of the categories of the information processing node groups, the labels that are the same in the frequent item label sets of the information processing node groups corresponding to associated classes, to obtain a same label subset;
    associating, according to the association relationship between the associated classes corresponding to the same label subset, a group association feature label with the same label subset, to obtain an association relationship label set, wherein the group association feature label does not belong to the node label set;
    inputting the relevant information of the abnormal information processing event in the abnormal node analysis request and the association relationship label set into a risk node analysis model, to obtain an abnormal information processing node relationship.
  10. The computer-readable storage medium according to claim 9, wherein the removing of labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold, to obtain a frequent item label set of each information processing node group, is specifically implemented as:
    removing, from the node label set of the information processing node group, labels whose probability of occurrence is lower than the predetermined threshold, to obtain a second node label set;
    after calculating the probability of occurrence of each label in the second node label set, removing the labels below the predetermined threshold to obtain a third node label set, and, when the probability of occurrence of every label in the third node label set is higher than the predetermined threshold, obtaining the frequent item label set of the information processing node group.
  11. The computer-readable storage medium according to claim 9, wherein the associating, according to the association relationship between the associated classes corresponding to the same label subset, of a group association feature label with the same label subset, to obtain an association relationship label set, is specifically implemented as:
    acquiring the association relationship label templates corresponding to the association relationship between the associated classes corresponding to the same label subset, the association relationship label templates including group association feature labels and feature labels of information processing nodes;
    searching the association relationship label template library for association relationship label templates that include feature labels consistent with the same label subset, to obtain matched association relationship label templates;
    obtaining the association relationship label set based on the matched association relationship label templates.
  12. The computer-readable storage medium according to claim 11, wherein the obtaining of the association relationship label set based on the matched association relationship label templates is specifically implemented as:
    obtaining, from the matched association relationship label templates, the association relationship label templates whose number of labels exceeds a predetermined threshold, as the association relationship label set; or,
    obtaining, from the matched association relationship label templates, the association relationship label template containing the fewest labels, as the association relationship label set.
  13. The computer-readable storage medium according to claim 9, wherein, after the associating, according to the association relationship between the associated classes corresponding to the same label subset, of a group association feature label with the same label subset, to obtain an association relationship label set, wherein the group association feature label does not belong to the node label set, the abnormal information processing node analysis program, when executed by the processor, further implements:
    determining the risk information processing nodes of a target risk information processing node group according to the association relationship label set corresponding to the target risk information processing node group and the frequent item label set.
  14. The computer-readable storage medium according to claim 13, wherein the determining of the risk information processing nodes of the target risk information processing node group according to the association relationship label set corresponding to the target risk information processing node group and the frequent item label set is specifically implemented as:
    determining a first risk information processing node set in the target risk information processing node group according to the association relationship label set corresponding to the target risk information processing node group;
    determining a second risk information processing node set of the target risk information processing node group according to the frequent item label set corresponding to the target risk information processing node group;
    acquiring, according to the association relationship label set corresponding to the target risk information processing node group, a third risk information processing node set of the risk information processing node group corresponding to the class associated with the class of the target risk information processing node group;
    acquiring, from the intersection of the first risk information processing node set and the second risk information processing node set, the risk information processing nodes that have a risk connection with risk information processing nodes in the third risk information processing node set, as the risk information processing nodes of the target risk information processing node group.
  15. An electronic device, comprising:
    a processor; and
    a memory, configured to store an abnormal information processing node analysis program of the processor; wherein the processor is configured to execute the following method by executing the abnormal information processing node analysis program:
    when an abnormal node analysis request for an abnormal information processing event is received, classifying all information processing nodes in the abnormal-information associated processing node library according to the attributes of the abnormal information processing event, to obtain information processing node groups of multiple categories;
    acquiring the abnormal feature labels of all information processing nodes in the information processing node group, and constructing a node label set of the information processing node group;
    removing, from the node label set of each information processing node group, labels whose probability of occurrence is lower than a predetermined threshold, to obtain a frequent item label set of each information processing node group;
    acquiring, according to a predetermined class association relationship of the categories of the information processing node groups, the labels that are the same in the frequent item label sets of the information processing node groups corresponding to associated classes, to obtain a same label subset;
    associating, according to the association relationship between the associated classes corresponding to the same label subset, a group association feature label with the same label subset, to obtain an association relationship label set, wherein the group association feature label does not belong to the node label set;
    inputting the relevant information of the abnormal information processing event in the abnormal node analysis request and the association relationship label set into a risk node analysis model, to obtain an abnormal information processing node relationship.
  16. The electronic device according to claim 15, wherein, when removing labels whose probability of occurrence in the node label set of each information processing node group is lower than a predetermined threshold, to obtain a frequent item label set of each information processing node group, the processor specifically executes:
    removing, from the node label set of the information processing node group, labels whose probability of occurrence is lower than the predetermined threshold, to obtain a second node label set;
    after calculating the probability of occurrence of each label in the second node label set, removing the labels below the predetermined threshold to obtain a third node label set, and, when the probability of occurrence of every label in the third node label set is higher than the predetermined threshold, obtaining the frequent item label set of the information processing node group.
  17. The electronic device according to claim 15, wherein, when associating, according to the association relationship between the associated classes corresponding to the same label subset, a group association feature label with the same label subset, to obtain an association relationship label set, the processor specifically executes:
    acquiring the association relationship label templates corresponding to the association relationship between the associated classes corresponding to the same label subset, the association relationship label templates including group association feature labels and feature labels of information processing nodes;
    searching the association relationship label template library for association relationship label templates that include feature labels consistent with the same label subset, to obtain matched association relationship label templates;
    obtaining the association relationship label set based on the matched association relationship label templates.
  18. The electronic device according to claim 17, wherein, when obtaining the association relationship label set based on the matched association relationship label templates, the processor specifically executes:
    obtaining, from the matched association relationship label templates, the association relationship label templates whose number of labels exceeds a predetermined threshold, as the association relationship label set; or,
    obtaining, from the matched association relationship label templates, the association relationship label template containing the fewest labels, as the association relationship label set.
  19. The electronic device according to claim 15, wherein, after the associating, according to the association relationship between the associated classes corresponding to the same label subset, of a group association feature label with the same label subset, to obtain an association relationship label set, wherein the group association feature label does not belong to the node label set, the processor is further configured to execute:
    determining the risk information processing nodes of a target risk information processing node group according to the association relationship label set corresponding to the target risk information processing node group and the frequent item label set.
  20. The electronic device according to claim 19, wherein, when determining the risk information processing nodes of the target risk information processing node group according to the association relationship label set corresponding to the target risk information processing node group and the frequent item label set, the processor specifically executes:
    determining a first risk information processing node set in the target risk information processing node group according to the association relationship label set corresponding to the target risk information processing node group;
    determining a second risk information processing node set of the target risk information processing node group according to the frequent item label set corresponding to the target risk information processing node group;
    acquiring, according to the association relationship label set corresponding to the target risk information processing node group, a third risk information processing node set of the risk information processing node group corresponding to the class associated with the class of the target risk information processing node group;
    acquiring, from the intersection of the first risk information processing node set and the second risk information processing node set, the risk information processing nodes that have a risk connection with risk information processing nodes in the third risk information processing node set, as the risk information processing nodes of the target risk information processing node group.
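
The label pipeline of claims 1 to 5 (threshold pruning, same label subset, template matching and template selection), as an added Python sketch that is not code from the patent or its applicant. Assumptions: "probability of occurrence" is taken as the share of nodes in a group that carry a label, a template matches when its node feature labels contain the same label subset, and all class names, node ids, labels and templates are constructed sample data.

```python
from collections import Counter

# Constructed sample: node groups already classified by event attribute
# (first step of claim 1). Every name below is invented for illustration.
GROUPS = {
    "login": {
        "n1": {"new_device", "night_access", "vpn"},
        "n2": {"new_device", "night_access"},
        "n3": {"new_device", "night_access", "geo_jump"},
        "n4": {"night_access"},
    },
    "payment": {
        "p1": {"new_device", "night_access", "high_amount"},
        "p2": {"new_device", "night_access", "high_amount"},
        "p3": {"night_access", "refund_loop"},
    },
}
# Predetermined class association: (class a, class b) -> relationship name.
CLASS_ASSOCIATIONS = {("login", "payment"): "account_takeover"}
# Template library: group association labels plus node feature labels.
TEMPLATES = [
    {"relation": "account_takeover",
     "group_labels": {"shared_credential_ring"},
     "node_labels": {"new_device", "night_access"}},
    {"relation": "account_takeover",
     "group_labels": {"shared_credential_ring", "mule_chain"},
     "node_labels": {"new_device", "night_access", "high_amount"}},
    {"relation": "collusion",
     "group_labels": {"insider_pair"},
     "node_labels": {"new_device", "night_access"}},
]


def label_probabilities(group, labels):
    """Share of nodes in the group carrying each label (assumed definition)."""
    counts = Counter(l for node in group.values() for l in node & labels)
    return {l: counts[l] / len(group) for l in labels}


def frequent_labels(group, threshold):
    """Claim 2: prune, recompute, prune again until no label is below threshold."""
    labels = set().union(*group.values())
    while True:
        probs = label_probabilities(group, labels)
        kept = {l for l in labels if probs[l] >= threshold}
        if kept == labels:  # the "third set" check: nothing left to remove
            return kept
        labels = kept


def template_size(template):
    return len(template["group_labels"] | template["node_labels"])


def association_label_sets(groups, class_assoc, templates, threshold,
                           min_labels=None):
    """Return (frequent sets per class, association label sets per class pair).

    min_labels=None picks the template with the fewest labels (claim 5);
    otherwise templates with more than min_labels labels are kept (claim 4).
    """
    freq = {c: frequent_labels(g, threshold) for c, g in groups.items()}
    result = {}
    for (a, b), relation in class_assoc.items():
        same = freq[a] & freq[b]  # same label subset of the associated classes
        node_label_set = set().union(*groups[a].values(), *groups[b].values())
        matched = [
            t for t in templates
            if t["relation"] == relation
            and same and same <= t["node_labels"]
            # Claim 1: group association labels must not be node labels.
            and not (t["group_labels"] & node_label_set)
        ]
        if min_labels is None:
            chosen = [min(matched, key=template_size)] if matched else []
        else:
            chosen = [t for t in matched if template_size(t) > min_labels]
        if chosen:
            result[(a, b)] = [t["group_labels"] | t["node_labels"]
                              for t in chosen]
    return freq, result


if __name__ == "__main__":
    freq, assoc = association_label_sets(GROUPS, CLASS_ASSOCIATIONS,
                                         TEMPLATES, threshold=0.5)
    print(freq)
    print(assoc)
```

With this node-share definition a second pruning pass never removes anything, so the loop acts as the confirmation step the claim describes; the output would be the label input to the risk node analysis model, which the claims do not specify further.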
PCT/CN2020/134941 2020-02-14 2020-12-09 Abnormal information processing node analysis method and apparatus, medium and electronic device WO2021159834A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010092140.1A CN111343161B (en) 2020-02-14 2020-02-14 Abnormal information processing node analysis method, abnormal information processing node analysis device, abnormal information processing node analysis medium and electronic equipment
CN202010092140.1 2020-02-14

Publications (1)

Publication Number Publication Date
WO2021159834A1 true WO2021159834A1 (en) 2021-08-19

Family

ID=71186867

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/134941 WO2021159834A1 (en) 2020-02-14 2020-12-09 Abnormal information processing node analysis method and apparatus, medium and electronic device

Country Status (2)

Country Link
CN (1) CN111343161B (en)
WO (1) WO2021159834A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113850499A (en) * 2021-09-23 2021-12-28 平安银行股份有限公司 Data processing method and device, electronic equipment and storage medium
CN114039744A (en) * 2021-09-29 2022-02-11 中孚信息股份有限公司 Abnormal behavior prediction method and system based on user characteristic label
CN114528005A (en) * 2021-11-29 2022-05-24 深圳市千源互联网科技服务有限公司 Grab tag updating method, device, equipment and storage medium
CN114697143A (en) * 2022-06-02 2022-07-01 苏州英博特力信息科技有限公司 Information processing method based on fingerprint attendance system and fingerprint attendance service system
CN115277163A (en) * 2022-07-22 2022-11-01 杭州安司源科技有限公司 Mimicry transformation method based on label
CN115829192A (en) * 2023-02-23 2023-03-21 中建安装集团有限公司 Digital management system and method for realizing engineering information safety supervision
CN116503023A (en) * 2023-05-06 2023-07-28 国网浙江省电力有限公司 Power abnormality information checking method based on power marketing management system

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111343161B (en) * 2020-02-14 2021-12-10 平安科技(深圳)有限公司 Abnormal information processing node analysis method, abnormal information processing node analysis device, abnormal information processing node analysis medium and electronic equipment
CN113992429B (en) * 2021-12-22 2022-04-29 支付宝(杭州)信息技术有限公司 Event processing method, device and equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190065738A1 (en) * 2017-08-31 2019-02-28 Entit Software Llc Detecting anomalous entities
US20190102553A1 (en) * 2017-09-30 2019-04-04 Oracle International Corporation Distribution-Based Analysis Of Queries For Anomaly Detection With Adaptive Thresholding
CN110210227A (en) * 2019-06-11 2019-09-06 百度在线网络技术(北京)有限公司 Risk checking method, device, equipment and storage medium
CN110659799A (en) * 2019-08-14 2020-01-07 深圳壹账通智能科技有限公司 Attribute information processing method and device based on relational network, computer equipment and storage medium
CN110716868A (en) * 2019-09-16 2020-01-21 腾讯科技(深圳)有限公司 Abnormal program behavior detection method and device
CN111343161A (en) * 2020-02-14 2020-06-26 平安科技(深圳)有限公司 Abnormal information processing node analysis method, abnormal information processing node analysis device, abnormal information processing node analysis medium and electronic equipment

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105376193B (en) * 2014-08-15 2019-06-04 中国电信股份有限公司 The intelligent association analysis method and device of security incident
US10121000B1 (en) * 2016-06-28 2018-11-06 Fireeye, Inc. System and method to detect premium attacks on electronic networks and electronic devices
JP6786960B2 (en) * 2016-08-26 2020-11-18 富士通株式会社 Cyber attack analysis support program, cyber attack analysis support method and cyber attack analysis support device
CN107276851B (en) * 2017-06-26 2019-12-13 中国信息安全测评中心 Node abnormity detection method and device, network node and console
CN107454089A (en) * 2017-08-16 2017-12-08 北京科技大学 A kind of network safety situation diagnostic method based on multinode relevance
CN109462646B (en) * 2018-11-12 2021-11-19 平安科技(深圳)有限公司 Abnormal response method and equipment
CN109617887B (en) * 2018-12-21 2021-06-15 咪咕文化科技有限公司 Information processing method, device and storage medium
CN110022311B (en) * 2019-03-18 2021-09-24 北京工业大学 Attack graph-based automatic generation method for cloud outsourcing service data leakage safety test case
CN110442498B (en) * 2019-06-28 2022-11-25 平安科技(深圳)有限公司 Abnormal data node positioning method and device, storage medium and computer equipment
CN110365674B (en) * 2019-07-11 2021-09-03 武汉思普崚技术有限公司 Method, server and system for predicting network attack surface
CN110602101B (en) * 2019-09-16 2021-01-01 北京三快在线科技有限公司 Method, device, equipment and storage medium for determining network abnormal group

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113850499A (en) * 2021-09-23 2021-12-28 平安银行股份有限公司 Data processing method and device, electronic equipment and storage medium
CN113850499B (en) * 2021-09-23 2024-04-09 平安银行股份有限公司 Data processing method and device, electronic equipment and storage medium
CN114039744A (en) * 2021-09-29 2022-02-11 中孚信息股份有限公司 Abnormal behavior prediction method and system based on user characteristic label
CN114039744B (en) * 2021-09-29 2024-02-27 中孚信息股份有限公司 Abnormal behavior prediction method and system based on user feature labels
CN114528005A (en) * 2021-11-29 2022-05-24 深圳市千源互联网科技服务有限公司 Grab tag updating method, device, equipment and storage medium
CN114697143A (en) * 2022-06-02 2022-07-01 苏州英博特力信息科技有限公司 Information processing method based on fingerprint attendance system and fingerprint attendance service system
CN114697143B (en) * 2022-06-02 2022-08-23 苏州英博特力信息科技有限公司 Information processing method based on fingerprint attendance system and fingerprint attendance service system
CN115277163A (en) * 2022-07-22 2022-11-01 杭州安司源科技有限公司 Mimicry transformation method based on label
CN115829192A (en) * 2023-02-23 2023-03-21 中建安装集团有限公司 Digital management system and method for realizing engineering information safety supervision
CN116503023A (en) * 2023-05-06 2023-07-28 国网浙江省电力有限公司 Power abnormality information checking method based on power marketing management system
CN116503023B (en) * 2023-05-06 2024-01-05 国网浙江省电力有限公司 Power abnormality information checking method based on power marketing management system

Also Published As

Publication number Publication date
CN111343161B (en) 2021-12-10
CN111343161A (en) 2020-06-26


Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 20919135

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 EP: PCT application non-entry in European phase

Ref document number: 20919135

Country of ref document: EP

Kind code of ref document: A1