Detailed Description
Fig. 1 shows a block schematic diagram of a big data attack processing system 10 according to an embodiment of the present application. The big data attack processing system 10 in the embodiment of the present application may be a server with data storage, transmission, and processing functions. As shown in Fig. 1, the big data attack processing system 10 includes a memory 11, a processor 12, a network module 13 and a big data attack processing device 20 applied to cloud services.
An embodiment of the present application further provides a computer storage medium in which a computer program is stored, and the computer program implements the method when run.
Fig. 2 shows a flowchart of a big data attack processing method applied to a cloud service according to an embodiment of the present application. The method steps defined by this flow are applied to the big data attack processing system 10 and can be carried out by the processor 12. The method comprises the technical scheme recorded in step11-step13.
step11, determining user operation behavior information of the target smart cloud service item, wherein the user operation behavior information is intended to reflect the feature recognition degree updating condition of the target smart cloud service item in the first feature recognition degree interval.
step12, performing attack behavior intention mining on the user operation behavior information to obtain a first user attack behavior intention of the target smart cloud service item.
step13, conducting attack intention knowledge graph optimization on the first user attack behavior intention to obtain an optimized attack intention knowledge graph of the target smart cloud service item, wherein the feature recognition degree of the optimized attack intention knowledge graph is located in a second feature recognition degree interval, and the second feature recognition degree interval is larger than the first feature recognition degree interval.
In an independently implementable embodiment, the target smart cloud service item may be a smart cloud service item in a business scenario such as online payment, group purchase business, government and enterprise business, and the like. When the target smart cloud service item is in a low feature recognition degree condition, the attack intention knowledge graph of the target smart cloud service item acquired through the item operation terminal (such as an item recognition module or an information acquisition thread) has insufficient recognition degree, and its integrity is relatively poor. In that case, for step11, the user operation behavior information of the target smart cloud service item is determined, through the user operation behavior acquisition terminal (for example, the user operation behavior acquisition thread), in the first feature recognition degree interval corresponding to the low feature recognition degree condition. The user operation behavior information is intended to reflect the feature recognition degree update condition of the target smart cloud service item in the first feature recognition degree interval. The present application does not limit the actual value of the first feature recognition degree interval.
The attack behavior intention mining (such as feature extraction) performed on the user operation behavior information in step12 to obtain the first user attack behavior intention of the target smart cloud service item can be described as follows. In an embodiment of the present application, the first user attack behavior intention at least covers information representing a transaction distribution of the target smart cloud service item. For example, the attack behavior intention of the user operation behavior information is extracted through a big data attack analysis model (such as a convolutional neural network). The big data attack analysis model can comprise a plurality of information extraction units (such as convolutional layers), a plurality of information optimization units (such as residual layers) and the like, and the present application does not limit the model architecture of the big data attack analysis model.
The attack intention knowledge graph optimization performed on the first user attack behavior intention in step13 to obtain the optimized attack intention knowledge graph of the target smart cloud service item can be described as follows. In the embodiment of the present application, the optimized attack intention knowledge graph may be, for example, a visual knowledge base, and the feature recognition degree of the optimized attack intention knowledge graph is within a second feature recognition degree interval corresponding to a high feature recognition degree condition, where the second feature recognition degree interval is greater than the first feature recognition degree interval.
In the embodiment of the application, the attack intention knowledge graph optimization can be carried out on the first user attack behavior intention through a transposition attack analysis model (such as a deconvolution neural network). Further, the transposition attack analysis model may include a plurality of transposition information extraction units (e.g., deconvolution layers), a plurality of information optimization units, an information extraction unit, and the like. The present application does not limit the actual value of the second feature recognition degree interval or the model architecture of the transposition attack analysis model.
In conclusion, the user operation behavior information of the target smart cloud service item can be determined in the relatively low first feature recognition degree interval. Attack behavior intention mining is performed on the user operation behavior information to obtain a user attack behavior intention, and attack intention knowledge graph optimization is performed on the user attack behavior intention to obtain an optimized attack intention knowledge graph of the target smart cloud service item in the relatively high second feature recognition degree interval. In this way, user operation behavior information collected under the low feature recognition degree condition is used to obtain an attack intention knowledge graph that is as rich and complete as possible, as under the high feature recognition degree condition. The optimization quality of the attack intention knowledge graph is guaranteed to a certain extent, accurate and reliable big data attack analysis and identification can be achieved through the optimized attack intention knowledge graph, and an accurate and reliable analysis basis is provided for subsequent attack protection.
In an independently implementable embodiment, the attack intention knowledge graph optimization performed on the first user attack behavior intention in step13 to obtain an optimized attack intention knowledge graph of the target smart cloud service item may exemplarily include the technical solutions recorded in step131-step133.
step131, according to first user behavior disturbance data and the first user attack behavior intention, performing local significance processing on the first user attack behavior intention to obtain a second user attack behavior intention.
step132, splicing the first user attack behavior intention with the second user attack behavior intention to obtain an attack behavior intention splicing result.
step133, performing attack intention knowledge graph optimization on the attack behavior intention splicing result to obtain an optimized attack intention knowledge graph of the target smart cloud service item.
For example, the user operation behavior information determined under the low feature recognition degree condition may be more strongly affected by user behavior disturbance, and part of its transaction distribution information may be poor. In that case, the first user attack behavior intention can be optimized so that more of the information with higher attention can be restored.
In the embodiment of the application, any first user behavior disturbance data (such as noise data) can be set, and redundant disturbance threads are added to the first user attack behavior intention according to the first user behavior disturbance data. The first user attack behavior intention with the disturbance thread added is imported into a local significance processing submodel for local significance processing to obtain a second user attack behavior intention. The local saliency processing sub-model may be ResNet, and includes an information extraction unit and a plurality of information optimization units. The present application does not limit how the first user behavior disturbance data is determined or the actual model architecture of the local significance processing sub-model.
It can be understood that the first user attack behavior intention and the second user attack behavior intention can be spliced (for example, fused) to obtain an attack behavior intention splicing result (for example, a fusion characteristic). The attack behavior intention splicing result is then imported into the transposed attack analysis model for attack intention knowledge graph optimization to obtain the optimized attack intention knowledge graph of the target smart cloud service item. In this way, the local information in the first user attack behavior intention can be noticeably enhanced, and the quality of the optimized attack intention knowledge graph is further improved.
In an independently implementable embodiment, the big data attack processing method applied to the cloud service according to the embodiment of the present application can be implemented by a knowledge base analysis model. The knowledge base analysis model at least includes a first attack behavior intention mining submodel and an attack intention knowledge graph optimization submodel. The first attack behavior intention mining submodel is used for performing attack behavior intention mining on the user operation behavior information and is, for example, a big data attack analysis model. The attack intention knowledge graph optimization submodel is used for performing attack intention knowledge graph optimization on the first user attack behavior intention and is, for example, a transposed attack analysis model. The knowledge base analysis model can adopt other types of networks or models, and can be set according to real requirements in actual implementation, which is not limited by the application. The knowledge base analysis model may be debugged before it is applied.
On the basis of the above, the big data attack processing method applied to the cloud service according to the embodiment of the present application may further include debugging the knowledge base analysis model according to a specified model debugging set, wherein the model debugging set comprises first example user operation behavior information of a plurality of first example smart cloud service items, second example user operation behavior information of a plurality of second example smart cloud service items, and example attack intention knowledge graphs corresponding to the example smart cloud service items.
In an embodiment of the present application, the first example user operation behavior information is determined within a third feature recognition interval, the second example user operation behavior information is determined within a fourth feature recognition interval, the example attack intention knowledge graph corresponding to the example smart cloud service item is determined within the fourth feature recognition interval, and the fourth feature recognition interval is greater than the third feature recognition interval.
For example, a model debugging set may be preset, and the model debugging set includes a plurality of example smart cloud service items, such as smart cloud service items for online payment, group purchase business, government and enterprise business and the like. Example smart cloud service items can be divided into smart cloud service items corresponding to low feature recognition (referred to as first example smart cloud service items) and smart cloud service items corresponding to normal feature recognition (referred to as second example smart cloud service items). Each first example smart cloud service item comprises first example user operation behavior information; each second example smart cloud service item includes second example user operation behavior information and an example attack intention knowledge graph corresponding to the example smart cloud service item. The first example smart cloud service item and the second example smart cloud service item may be the same or different smart cloud service items, which is not limited in this application.
In an independently implementable embodiment, when the first example smart cloud service item is located in the third feature recognition degree interval corresponding to the low feature recognition degree condition, the feature recognition degree updating condition of the first example smart cloud service item may be determined by the user operation behavior acquisition terminal (e.g., the user operation behavior collecting thread) to obtain the first example user operation behavior information, which is used as the input of the knowledge base analysis model. The first example user operation behavior information includes information reflecting a global event distribution of the first example smart cloud service item. The third feature recognition degree interval may be the same as or different from the first feature recognition degree interval, and the present application does not limit this.
It is understood that the first example user operation behavior information under the low feature recognition degree condition includes information reflecting the global event distribution of the first example smart cloud service item, but does not include significance information (e.g., feature recognition information of the attack intention knowledge graph). In that case, the user operation behavior information of the second example smart cloud service item under the high feature recognition degree condition (which may be referred to as second example user operation behavior information) may be imported, so that the knowledge base analysis model learns the significance information in the second example user operation behavior information.
It can be understood that when the second example smart cloud service item is located in the fourth feature recognition degree interval corresponding to the high feature recognition degree condition, the feature recognition degree updating condition of the second example smart cloud service item can be determined through the user operation behavior acquisition terminal, and the second example user operation behavior information is obtained. The fourth feature recognition degree interval is larger than the third feature recognition degree interval. The fourth feature recognition degree interval may be the same as or different from the second feature recognition degree interval, which is not limited in the present application. The first example user operation behavior information of the first example smart cloud service item and the second example user operation behavior information of the second example smart cloud service item may be determined in a manner similar to the user operation behavior information of the target smart cloud service item, which will not be further described herein.
In addition, for the first example smart cloud service item under the low feature recognition degree condition, the integrity of the attack intention knowledge graph of the target smart cloud service item acquired through the item operation terminal is relatively poor, and it cannot be used as the annotation information. In that case, the example attack intention knowledge graph corresponding to the second example smart cloud service item under the high feature recognition degree condition may be imported as the annotation information of the knowledge base analysis model. An example attack intention knowledge graph corresponding to the example smart cloud service item can be determined within the fourth feature recognition degree interval corresponding to the high feature recognition degree condition through an item operation terminal (such as an information acquisition thread). Therefore, the debugging effect of the knowledge base analysis model can be improved.
In an independently implementable embodiment, the knowledge base analysis model further comprises a support vector machine, and the step of debugging the knowledge base analysis model according to a specified model debugging set can exemplarily comprise the contents recorded in step201-step203.
step201, importing the first example user operation behavior information of the first example smart cloud service item and the second example user operation behavior information of the second example smart cloud service item into the first attack behavior intention mining submodel respectively to obtain the first example user attack behavior intention and the second example user attack behavior intention.
step202, importing the first example user attack behavior intention and the second example user attack behavior intention into the support vector machine respectively to obtain a first type analysis situation and a second type analysis situation.
step203, debugging the knowledge base analysis model by adopting a robustness enhancement strategy according to the first category analysis condition and the second category analysis condition.
For example, a support vector machine (e.g., an authentication network) in the knowledge base analysis model is used to classify the content derived from the first attack behavior intention mining submodel. Put simply, the first attack behavior intention mining submodel (e.g., the feature extraction network) can be debugged by adopting a robustness enhancement strategy (e.g., an adversarial strategy), so that the first attack behavior intention mining submodel learns the common description information between the first example user operation behavior information under the low feature recognition degree condition and the second example user operation behavior information under the high feature recognition degree condition.
In the embodiment of the application, the first example user operation behavior information of the first example smart cloud service item (such as a sample item) and the second example user operation behavior information of the second example smart cloud service item can be respectively imported into the first attack behavior intention mining submodel for processing, and the first example user attack behavior intention and the second example user attack behavior intention are derived. The first example user attack behavior intention and the second example user attack behavior intention are respectively imported into the support vector machine to obtain a first category analysis condition (such as an identification result) and a second category analysis condition. The knowledge base analysis model is then debugged by adopting a robustness enhancement strategy according to the first category analysis condition and the second category analysis condition.
It is understood that, in the course of debugging with the robustness enhancement strategy, the first attack behavior intention mining submodel tends to obscure the distinction between the first example user attack behavior intention and the second example user attack behavior intention, while the support vector machine tends to recognize the first example user attack behavior intention and the second example user attack behavior intention. Through this adversarial training, the first attack behavior intention mining submodel can be prompted to extract the common intention description between the behavior intention description under the high feature recognition degree condition and the behavior intention description under the low feature recognition degree condition, so that the first example user attack behavior intention under the low feature recognition degree condition has the global characteristics of the user operation behavior information under the high feature recognition degree condition, and the second example user attack behavior intention under the high feature recognition degree condition has the global characteristics of the user operation behavior information under the low feature recognition degree condition. In other words, through the idea of transfer learning, the first attack behavior intention mining submodel becomes suitable for attack behavior intention mining on data in both states. The present application does not limit the choice of the cost function used for debugging with the robustness enhancement strategy.
With this design, the first attack behavior intention mining submodel can mine the user attack behavior intention under the low feature recognition degree condition more comprehensively and completely, so that the accuracy and the anti-interference degree of the first attack behavior intention mining submodel are improved, and efficient attack intention knowledge graph optimization is realized by using the user operation behavior information under the low feature recognition degree condition.
In an independently implementable embodiment, the step of debugging the knowledge base analysis model according to the specified model debugging set may further include, for example, the contents recorded in step301 and step302.
step301, importing the attack behavior intention of the second example user into the attack intention knowledge graph optimization submodel to obtain a first optimized attack intention knowledge graph of the second example smart cloud service item.
step302, debugging the knowledge base analysis model according to the first optimized attack intention knowledge graph of the second example smart cloud service item and the example attack intention knowledge graph corresponding to the example smart cloud service item.
For example, after debugging with the robustness enhancement strategy, the second example user attack behavior intention mined by the first attack behavior intention mining submodel has the global characteristics of the user operation behavior information under the low feature recognition degree condition, and the corresponding second example user operation behavior information has label information (in other words, the example attack intention knowledge graph corresponding to the example smart cloud service item under the high feature recognition degree condition).
In the embodiment of the application, the second example user attack behavior intention can be imported into the attack intention knowledge graph optimization submodel for processing, and a first optimized attack intention knowledge graph of the second example smart cloud service item is derived. According to the comparison information (such as difference information) between the first optimized attack intention knowledge graph of the second example smart cloud service item and the example attack intention knowledge graph corresponding to the example smart cloud service item, the model difference (which can be understood as network loss) of the first attack behavior intention mining submodel and the attack intention knowledge graph optimization submodel can be determined. The model variables of the first attack behavior intention mining submodel and the attack intention knowledge graph optimization submodel can then be improved by feedback according to the model difference, so that the debugging of the first attack behavior intention mining submodel and the attack intention knowledge graph optimization submodel is realized.
In the actual debugging process, cyclic debugging can be carried out. In other words, during each loop, the model variables of the support vector machine are improved by feedback according to the adversarial model difference (adversarial network loss). The model variables of the first attack behavior intention mining submodel and the attack intention knowledge graph optimization submodel are then improved by feedback according to the model differences of the first attack behavior intention mining submodel and the attack intention knowledge graph optimization submodel; in this part of the current round, the output of the support vector machine can still be obtained and used as guidance, but the variables of the support vector machine are not optimized. Thus, after multiple loops, the debugged knowledge base analysis model can be obtained once the debugging indexes (such as the set indexes) are met. Therefore, the debugging process of the whole knowledge base analysis model can be realized, and a relatively complete knowledge base analysis model can be obtained.
In an independently implementable embodiment, the knowledge base analysis model further comprises a second attack behavior intention mining submodel, and the step of debugging the knowledge base analysis model according to the specified model debugging set further comprises the contents recorded in step401-step404.
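The alternating loop described above can be illustrated with a small runnable sketch. This is an added example, not code from the application: the scalar linear models, the constructed debugging set, and the names ToyModel, classifier_step, miner_optimizer_step and debug_model are assumptions standing in for the mining submodel, the support vector machine and the knowledge graph optimization submodel.

```python
import math
import random


def sigmoid(v):
    return 1.0 / (1.0 + math.exp(-v))


def make_debug_set(n=64, seed=7):
    """Constructed data. 'Second example' (high recognition) items carry a label;
    'first example' (low recognition) items are shifted, noisy and unlabeled."""
    rng = random.Random(seed)
    high = []
    for _ in range(n):
        u, v = rng.gauss(0, 1), rng.gauss(0, 1)
        high.append(((u, v), 0.8 * u - 0.5 * v))
    low = [(rng.gauss(0, 1) + 1.0 + rng.gauss(0, 0.3),
            rng.gauss(0, 1) + 0.5 + rng.gauss(0, 0.3)) for _ in range(n)]
    return low, high


class ToyModel:
    """Hypothetical stand-ins for the three trainable parts."""

    def __init__(self):
        self.w = [0.1, 0.1]        # mining submodel: z = w . x
        self.a, self.c = 0.1, 0.0  # classifier: p(high) = sigmoid(a*z + c)
        self.g, self.h = 0.1, 0.0  # optimization submodel: y_hat = g*z + h

    def mine(self, x):
        return self.w[0] * x[0] + self.w[1] * x[1]

    def classify(self, z):
        return sigmoid(self.a * z + self.c)

    def optimize(self, z):
        return self.g * z + self.h


def recon_loss(m, high):
    """Model difference between optimized output and the example label."""
    return sum((m.optimize(m.mine(x)) - y) ** 2 for x, y in high) / len(high)


def classifier_step(m, low, high, lr):
    """Phase 1: only the classifier variables (a, c) are updated,
    using cross-entropy on low (target 0) versus high (target 1) features."""
    samples = [(m.mine(x), 0.0) for x in low] + [(m.mine(x), 1.0) for x, _ in high]
    da = dc = 0.0
    for z, t in samples:
        p = m.classify(z)
        da += (p - t) * z
        dc += (p - t)
    m.a -= lr * da / len(samples)
    m.c -= lr * dc / len(samples)


def miner_optimizer_step(m, low, high, lr, lam):
    """Phase 2: mining and optimization variables are updated; the classifier
    output is read as guidance but (a, c) are left untouched."""
    dw, dg, dh = [0.0, 0.0], 0.0, 0.0
    for x, y in high:  # supervised model difference on labeled items
        z = m.mine(x)
        err = m.optimize(z) - y
        dg += 2 * err * z / len(high)
        dh += 2 * err / len(high)
        for i in range(2):
            dw[i] += 2 * err * m.g * x[i] / len(high)
    for x in low:      # adversarial term: make low features look 'high'
        p = m.classify(m.mine(x))
        for i in range(2):
            dw[i] += lam * (p - 1.0) * m.a * x[i] / len(low)
    m.w = [m.w[i] - lr * dw[i] for i in range(2)]
    m.g -= lr * dg
    m.h -= lr * dh


def debug_model(rounds=300, lr=0.05, lam=0.05):
    """Run the alternating loop; report losses and whether the classifier
    stayed frozen during every phase-2 update."""
    low, high = make_debug_set()
    m = ToyModel()
    initial = recon_loss(m, high)
    frozen_ok = True
    for _ in range(rounds):
        classifier_step(m, low, high, lr)
        snapshot = (m.a, m.c)
        miner_optimizer_step(m, low, high, lr, lam)
        frozen_ok = frozen_ok and snapshot == (m.a, m.c)
    return m, initial, recon_loss(m, high), frozen_ok


if __name__ == "__main__":
    model, before, after, frozen = debug_model()
    print(f"model difference before={before:.3f} after={after:.3f} frozen={frozen}")
```

In a real implementation the freeze in the second phase is usually enforced by giving each phase its own optimizer over a disjoint parameter set, which is the property the frozen flag checks here.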
step401, importing the second example user operation behavior information and the second user behavior disturbance data of the second example smart cloud service item into the second attack behavior intention mining sub-model to obtain a third example user attack behavior intention.
step402, splicing the second example user attack behavior intention with the third example user attack behavior intention to obtain a first example attack behavior intention splicing result.
step403, importing the splicing result of the first example attack behavior intention into the support vector machine to obtain a third category analysis condition.
step404, debugging the knowledge base analysis model by using a robustness enhancement strategy according to the first category analysis condition and the third category analysis condition.
For example, the first example user operation behavior information may be affected by a certain amount of user behavior disturbance under the low feature recognition degree condition, while the user behavior disturbance in the second example user operation behavior information under the high feature recognition degree condition is low. In that case, redundant disturbance threads may be introduced for the second example user operation behavior information, so as to improve the robustness of the model.
The knowledge base analysis model further comprises a second attack behavior intention mining submodel, which comprises a plurality of information extraction units and a plurality of information optimization units. The present application does not limit the model architecture of the second attack behavior intention mining submodel.
In this embodiment, any second user behavior disturbance data may be set, and a disturbance thread is added to the second example user operation behavior information according to the second user behavior disturbance data. The second example user operation behavior information with the disturbance thread added is imported into the second attack behavior intention mining submodel for attack behavior intention mining, and the third example user attack behavior intention is derived. The second example user attack behavior intention is then spliced with the third example user attack behavior intention to obtain the first example attack behavior intention splicing result. In this way, behavior intention enhancement processing of the second example user attack behavior intention can be realized.
In the embodiment of the application, the first example attack behavior intention splicing result is imported into the support vector machine, so that a third category analysis condition can be obtained, and the knowledge base analysis model is debugged by adopting a robustness enhancement strategy according to the first category analysis condition and the third category analysis condition. The actual flow of debugging with the robustness enhancement strategy is not described further here. Thus, the accuracy of the first attack behavior intention mining submodel can be further improved.
In an independently implementable embodiment, the knowledge base analysis model further comprises a second attack behavior intention mining submodel, and the step of debugging the knowledge base analysis model according to the specified model debugging set further comprises the contents recorded in step501 and step502.
step501, importing the first example attack behavior intention splicing result into the attack intention knowledge graph optimization submodel to obtain a second optimized attack intention knowledge graph of the second example smart cloud service item.
step502, debugging the knowledge base analysis model according to the second optimized attack intention knowledge graph of the second example smart cloud service item and the example attack intention knowledge graph corresponding to the example smart cloud service item.
For example, after debugging with the robustness enhancement strategy, the first example attack behavior intention splicing result mined by the first attack behavior intention mining submodel and the second attack behavior intention mining submodel has the global characteristics of the user operation behavior information under the low feature recognition degree condition, and the corresponding second example user operation behavior information has label information (in other words, the example attack intention knowledge graph corresponding to the example smart cloud service item under the high feature recognition degree condition).
In the embodiment of the application, the first example attack behavior intention splicing result can be imported into the attack intention knowledge graph optimization submodel for processing, and a second optimized attack intention knowledge graph of the second example smart cloud service item is derived. According to the comparison content (difference) between the second optimized attack intention knowledge graph of the second example smart cloud service item and the example attack intention knowledge graph corresponding to the example smart cloud service item, the model difference of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel and the attack intention knowledge graph optimization submodel can be determined. The model variables of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel and the attack intention knowledge graph optimization submodel can then be improved by feedback according to the model difference, so that the debugging of these three submodels is realized.
In the actual debugging process, cyclic debugging can be carried out. In other words, during each loop, the model variables of the support vector machine are improved by feedback according to the adversarial model difference. The model variables of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel and the attack intention knowledge graph optimization submodel are then improved by feedback according to the model differences of these three submodels; in this part of the current round, the derived information of the support vector machine can still be obtained to serve as guidance, but the variables of the support vector machine are not optimized. In this way, after multiple loops, the debugged knowledge base analysis model can be obtained once the debugging index (for example, the set index) is met. Therefore, the debugging process of the whole knowledge base analysis model can be realized, and a relatively complete knowledge base analysis model is obtained.
In an independently implementable embodiment, the knowledge base analysis model further comprises a local saliency processing sub-model, and the step of debugging the knowledge base analysis model according to a specified model debugging set can further comprise the contents recorded in step601-step604.
step601, importing the second example user attack behavior intention and the third user behavior disturbance data into the local significance processing sub-model to obtain a fourth example user attack behavior intention.
step602, concatenating the attack behavior intention of the second example user with the attack behavior intention of the fourth example user to obtain a concatenation result of the attack behavior intention of the second example.
step603, importing the second example attack behavior intention splicing result into the attack intention knowledge graph optimization sub-model to obtain a third optimized attack intention knowledge graph of the second example smart cloud service item.
step604, debugging the knowledge base analysis model according to the first optimized attack intention knowledge graph, the third optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service item of the second example smart cloud service item.
For example, the local saliency processing sub-model may be introduced to perform local saliency processing on the attack behavior intention of the user, so as to restore more local information (e.g., local event distribution information) corresponding to the attack intention knowledge graph. The local saliency processing sub-model may be, for example, a ResNet, and includes an information extraction unit and a plurality of information optimization units; the present application does not limit the model architecture of the local saliency processing sub-model.
In an independently implementable embodiment, the second exemplary user attack behavior intent may be directly used for local saliency processing without importing a second attack behavior intent mining submodel. Any third user behavior disturbance data may be set, and a disturbance thread (such as a disturbance channel) may be added to the second example user attack behavior intention according to the third user behavior disturbance data. Importing the attack behavior intention of the second example user added with the disturbance thread into a local significance processing submodel for processing to obtain the attack behavior intention of the fourth example user; splicing the attack behavior intention of the second example user with the attack behavior intention of the fourth example user to obtain a splicing result of the attack behavior intention of the second example; and importing the splicing result of the second example attack behavior intention into the attack intention knowledge graph optimization submodel to obtain a third optimized attack intention knowledge graph of the second example smart cloud service item.
In an embodiment of the application, the knowledge base analysis model is debugged according to the first optimized attack intention knowledge-graph, the third optimized attack intention knowledge-graph and the corresponding example attack intention knowledge-graph of the example smart cloud service item.
According to the comparison content (difference) between the third optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service project, the first cost of the first attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge graph optimization submodel can be determined; according to the comparison content (difference) between the third optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service project and the comparison content (difference) between the first optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service project, the second cost of the first attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge graph optimization submodel can be determined. The second cost can ensure that the quality of the third optimized attack intention knowledge graph after the local significance processing is introduced is higher than that of the first optimized attack intention knowledge graph when the local significance processing is not introduced, and the local significance processing sub-model can meet the actual requirement.
For example, the global model performance evaluation of the first attack behavior intention mining submodel, the local saliency processing submodel, and the attack intention knowledge graph optimization submodel may be determined according to the first cost and the second cost, such as: determining a global processing result of the first cost and the second cost as a global model performance evaluation (such as overall loss); and further, model variables of the first attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge graph optimization submodel can be improved according to the performance evaluation feedback of the global model, and debugging of the first attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge graph optimization submodel is achieved.
During the actual debugging process, the cycle debugging can be carried out as well. In other words, in the process of each cycle processing, a robustness enhancement strategy is adopted to debug the support vector machine; and then debugging the first attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge graph optimizing submodel, wherein the derived information of the support vector machine is used as guidance, but the variable of the support vector machine is not optimized. After multiple times of circulation processing, the debugged knowledge base analysis model can be obtained on the basis of meeting the debugging indexes (such as set indexes). Therefore, local significance processing of the optimized attack intention knowledge graph can be achieved, and the quality of the optimized attack intention knowledge graph obtained by the debugged knowledge base analysis model is further improved.
In an independently implementable embodiment, the step of debugging the knowledge base analysis model according to the specified model debugging set may further include the contents recorded in step701-step704.
step701, importing the splicing result of the first example attack behavior intention and fourth user behavior disturbance data into the local significance processing sub-model to obtain a fifth example user attack behavior intention.
step702, concatenating the first example attack behavior intention concatenation result and the fifth example user attack behavior intention concatenation result to obtain a third example attack behavior intention concatenation result.
step703, importing the third example attack behavior intention splicing result into the attack intention knowledge graph optimization sub-model to obtain a fourth optimized attack intention knowledge graph of the second example smart cloud service item.
step704, debugging the knowledge base analysis model according to the second optimized attack intention knowledge graph of the second example smart cloud service item, the fourth optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service item.
For example, the local saliency processing may be performed by the first example attack behavior intention concatenation result on the basis that the second attack behavior intention mining submodel has been introduced. Any fourth user behavior disturbance data can be set, and a disturbance thread can be added to the splicing result of the first example attack behavior intention according to the fourth user behavior disturbance data. Importing the splicing result of the attack behavior intention of the first example after the disturbance thread is added into a local significance processing submodel for processing to obtain the attack behavior intention of the fifth example user; splicing the splicing result of the first example attack behavior intention with the splicing result of the attack behavior intention of the fifth example user to obtain a splicing result of the third example attack behavior intention; and importing the splicing result of the attack intention of the third example into the attack intention knowledge graph optimization submodel to obtain a fourth optimized attack intention knowledge graph of the smart cloud service item of the second example.
In an independently implementable embodiment, the knowledge base analysis model is debugged according to the second optimized attack intention knowledge graph of the second example smart cloud service item, the fourth optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service item. This step may include the contents recorded in step801-step803.
step801, determining global model performance evaluation of the knowledge base analysis model according to the second optimized attack intention knowledge graph of the second example smart cloud service item, the fourth optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service item.
step802, determining the performance change data of the knowledge base analysis model according to the global model performance evaluation.
step803, according to the performance change data, improving the model variables of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge graph optimizing submodel, wherein the performance change data of the local significance processing submodel is not transmitted to the second attack behavior intention mining submodel.
For example, according to the comparison content (difference) between the fourth optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service project, the third cost of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel, the local saliency processing submodel and the attack intention knowledge graph optimization submodel can be determined; according to the comparison content (difference) between the fourth optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service project and the comparison content (difference) between the second optimized attack intention knowledge graph and the example attack intention knowledge graph corresponding to the example smart cloud service project, the fourth cost of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel, the local saliency processing submodel and the attack intention knowledge graph optimization submodel can be determined. The fourth cost can ensure that the quality of the fourth optimized attack intention knowledge graph after the local significance processing is introduced is superior to that of the second optimized attack intention knowledge graph without the local significance processing, and the local significance processing submodel can meet the actual requirement.
In the embodiment of the application, the global model performance evaluation of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel, the local saliency processing submodel and the attack intention knowledge graph optimization submodel can be determined according to the third cost and the fourth cost, for example, the global processing result of the third cost and the fourth cost is determined as the global model performance evaluation; according to the performance evaluation of the global model, the performance change data of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge map optimization submodel can be determined, furthermore, the performance change data can be fed back and transmitted in the first attack behavior intention mining submodel, the second attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge map optimizing submodel, therefore, model variables of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge map optimization submodel are improved, and debugging of the first attack behavior intention mining submodel, the second attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge map optimization submodel is achieved.
In the embodiment of the application, disturbance threads are added to the inputs of both the second attack behavior intention mining submodel and the local significance processing submodel. To avoid interference with the debugging result in the early debugging stage, when the performance change data (such as gradient information) is fed back and transmitted, change characteristic transmission (such as gradient transmission) is stopped between the local significance processing submodel and the second attack behavior intention mining submodel, so that mutual interference between the two submodels is avoided and the stability of the models is guaranteed.
During the actual debugging process, the cycle debugging can be carried out as well. In other words, in the process of each loop processing, the robustness enhancement strategy is adopted to debug the support vector machine. And then debugging the first attack behavior intention mining submodel, the second attack behavior intention mining submodel, the local significance processing submodel and the attack intention knowledge map optimizing submodel, wherein the output of the support vector machine is used as guidance, but the variable of the support vector machine is not optimized. After multiple times of circulation processing, the debugged knowledge base analysis model can be obtained on the basis of meeting the debugging indexes (such as set indexes). Therefore, local significance processing of the optimized attack intention knowledge graph can be achieved, and the quality of the optimized attack intention knowledge graph obtained by the debugged knowledge base analysis model is further improved.
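The stopped feedback between the local significance processing submodel and the second attack behavior intention mining submodel (step803) can be followed on a scalar toy model. This is an added example, not code from the application: each submodel is reduced to one weight, splicing is modelled as addition, the support vector machine phase is left out, and all names and values are constructed assumptions.

```python
"""Scalar toy of the step701-step803 pass (constructed; every name is an assumption)."""

PARAMS = {"w1": 0.5, "w2": 0.3, "ws": 0.2, "wo": 0.8}
X, NOISE, REF = 1.0, 0.1, 2.0  # input, fourth disturbance data, reference graph value


def forward(p, x, noise):
    f1 = p["w1"] * x                 # first mining submodel
    m2 = p["w2"] * f1                # second mining submodel
    splice1 = f1 + m2                # first splicing result (addition stands in for splicing)
    s = p["ws"] * (splice1 + noise)  # local significance submodel on the disturbed input
    splice3 = splice1 + s            # third splicing result
    out = p["wo"] * splice3          # knowledge graph optimization submodel
    return {"f1": f1, "splice1": splice1, "splice3": splice3, "out": out}


def loss(p, x, noise, ref):
    """Squared difference between the optimized value and the reference value."""
    return (forward(p, x, noise)["out"] - ref) ** 2


def grads(p, x, noise, ref, stop_gradient=True):
    """Backward pass; with stop_gradient the path saliency -> second submodel is cut."""
    a = forward(p, x, noise)
    d_out = 2.0 * (a["out"] - ref)
    d_splice3 = d_out * p["wo"]
    d_sal_in = d_splice3 * p["ws"]   # feedback arriving at the saliency input
    g = {"wo": d_out * a["splice3"],
         "ws": d_splice3 * (a["splice1"] + noise)}
    # The second mining submodel always receives the direct path through splice3;
    # the path through the saliency submodel is dropped when stop_gradient is set.
    d_m2 = d_splice3 + (0.0 if stop_gradient else d_sal_in)
    g["w2"] = d_m2 * a["f1"]
    # The first mining submodel is not covered by the stop and keeps both paths.
    d_f1 = d_splice3 + d_sal_in + d_m2 * p["w2"]
    g["w1"] = d_f1 * x
    return g


def numeric_grads(p, x, noise, ref, eps=1e-6):
    """Central differences, used to check the unrestricted backward pass."""
    out = {}
    for k in p:
        hi, lo = dict(p), dict(p)
        hi[k] += eps
        lo[k] -= eps
        out[k] = (loss(hi, x, noise, ref) - loss(lo, x, noise, ref)) / (2 * eps)
    return out


def train(p, x, noise, ref, lr=0.02, steps=300):
    """Loop debugging of the four submodels with the feedback stop in place."""
    p = dict(p)
    first = loss(p, x, noise, ref)
    for _ in range(steps):
        g = grads(p, x, noise, ref, stop_gradient=True)
        for k in p:
            p[k] -= lr * g[k]
    return first, loss(p, x, noise, ref), p


if __name__ == "__main__":
    print("with stop   :", grads(PARAMS, X, NOISE, REF, True))
    print("without stop:", grads(PARAMS, X, NOISE, REF, False))
    print("loss before/after:", train(PARAMS, X, NOISE, REF)[:2])
```

Only the updates of the two mining submodels change when the stop is applied; the loop still drives the loss toward zero because the remaining direct path points in the same direction.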
It can be understood that, according to the big data attack processing method applied to the cloud service in the embodiment of the application, a transfer learning method is combined with the user operation behavior acquisition thread, and the attack intention knowledge graph is optimized by using the user operation behavior information obtained under a low feature recognition degree. An attack intention knowledge graph that is as rich and complete as possible, as under a high feature recognition degree, is thereby obtained, and the optimization quality of the attack intention knowledge graph is ensured to a certain extent, so that accurate and reliable big data attack analysis and identification can be realized through the optimized attack intention knowledge graph, and an accurate and reliable analysis basis is provided for subsequent attack protection.
On the basis of the above contents, under some design ideas which can be independently implemented, after obtaining the optimized attack intention knowledge graph of the target smart cloud service item, the method can further include the following contents: determining an intelligent service session log with a privacy information stealing risk according to the optimized attack intention knowledge graph; and determining privacy threat information in the intelligent service session log with the risk of privacy information stealing by means of session activity interest mining processing.
In the embodiment of the application, the corresponding intelligent service session log with the privacy information stealing risk can be determined through the attribute tags corresponding to the key map nodes in the optimized attack intention knowledge graph. Based on this, determining privacy threat information in the intelligent service session log with privacy information stealing risk by means of session activity interest mining processing can be achieved through the following implementation mode.
Step 101, performing session activity interest mining on the intelligent service session log with the risk of privacy information stealing to obtain the abnormal activity interest description feature1 in a plurality of service states.
Step 102, updating the interest description attributes based on the abnormal activity interest description feature1 to obtain an abnormal activity interest description feature2 corresponding to the abnormal activity interest description feature1 in each service state; the interest description attributes of the abnormal activity interest description feature2 corresponding to the abnormal activity interest description feature1 in different service states are consistent.
Step 103, updating the interest description attributes of the abnormal activity interest description feature2 in each service state one by one to obtain an abnormal activity interest description feature3 corresponding to the abnormal activity interest description feature2 in each service state, wherein the quantitative analysis result of the stage level index of the abnormal activity interest description feature3 in each service state matches the set quantitative analysis result.
Step 104, determining privacy threat information in the intelligent service session log with privacy information stealing risk based on the abnormal activity interest description feature3.
By implementing the technical solutions recorded in steps 101 to 104, the interest description attribute update is performed on the abnormal activity interest description feature1 to obtain the abnormal activity interest description feature2 corresponding to the abnormal activity interest description feature1 in each service state, and the stage level index of the abnormal activity interest description feature2 in each service state is then updated, so that the stage level indexes of the resulting abnormal activity interest description feature3 in each service state are quantitatively correlated. The privacy threat information in the intelligent service session log with privacy information stealing risk is then determined based on the abnormal activity interest description feature3 at the different stage levels (different stage levels reflect different focus points of privacy threats, so privacy features under different focus points are obtained). The privacy threat information is thus determined on the basis of the initial session distribution of the intelligent service session log with privacy information stealing risk. Because the session distribution structure of that log does not need to be modified, the software and hardware resource overhead of privacy threat information detection is reduced while the detection precision is guaranteed, and the privacy threat detection efficiency is improved to a certain extent.
The technical solutions described in steps 101 to 104 can be specifically explained by the following descriptions.
It can be understood that, for the intelligent business session log with privacy information stealing risk described in step 101, session activity interest mining is performed to obtain the abnormal activity interest description feature1 in multiple business states.
In the embodiment of the present application, the abnormal activity interest description feature1 in the first business state is obtained by performing session activity interest mining on the intelligent business session log with a risk of privacy information stealing; for the abnormal activity interest description feature1 in any two associated business states, the one in the latter business state is obtained by performing session activity interest mining on the one in the former business state.
It is understood that whether a risk of privacy information stealing exists may be determined according to a preset rule, such as a time period condition or a service type condition. Therefore, the intelligent service session log with the risk of privacy information stealing can be understood as the intelligent service session log to be processed, and the session log can be log text or image-text information recorded as a stream. Further, session activity interest mining may be understood as feature extraction (corresponding to the extraction of abnormal activity interest descriptions).
In the embodiment of the application, when session activity interest mining is performed on the intelligent service session logs with the risk of stealing privacy information to obtain abnormal activity interest description features 1 in a plurality of service states, session activity interest mining is performed on the intelligent service session logs with the risk of stealing privacy information through a first AI machine learning model (such as a CNN) in the plurality of service states to obtain abnormal activity interest description features 1 derived from the first AI machine learning model in each service state. Further, the machine learning model formed by the first AI machine learning models in multiple service states may be understood as one of the machine learning models for detecting privacy threat information included in an intelligent service session log with a risk of privacy information theft, and in actual implementation, the machine learning model for detecting the privacy threat information included in the intelligent service session log to be detected may be divided (split or divided) into AI machine learning models of multiple processes (multiple stages), and the AI machine learning model of each process corresponds to the first AI machine learning model in one service state. The structure of the first AI machine learning model in multiple service states may be set according to real service requirements, and this embodiment of the present application is not described herein further.
For example, if the first AI machine learning models in the multiple service states include a first AI machine learning model in a first service state, a first AI machine learning model in a second service state, and a first AI machine learning model in a third service state, the first AI machine learning model in the first service state may perform interest feature analysis on an intelligent service session log with a risk of privacy information stealing to obtain an abnormal activity interest description feature1 derived by the first AI machine learning model in the first service state; transmitting the abnormal activity interest description feature1 derived by the first AI machine learning model in the first service state to the first AI machine learning model in the second service state, and performing interest feature analysis on the obtained abnormal activity interest description feature1 by the first AI machine learning model in the second service state to obtain an abnormal activity interest description feature1 derived by the first AI machine learning model in the second service state; and then, the abnormal activity interest description feature1 derived by the first AI machine learning model in the second service state is transmitted to the first AI machine learning model in the third service state, and the first AI machine learning model in the third service state performs interest feature analysis on the obtained abnormal activity interest description feature1 to obtain the abnormal activity interest description feature1 derived by the first AI machine learning model in the third service state, and further obtain the abnormal activity interest description feature1 derived by the first AI machine learning model in each service state. 
The abnormal activity interest description feature1 derived by the first AI machine learning model in the first business state has undergone fewer rounds of interest feature analysis, so it has a richer local description and less global description; the abnormal activity interest description feature1 derived by the first AI machine learning model in the third business state has undergone more rounds of interest feature analysis, so it has a richer global description (i.e. the description content related to privacy threat information contained in the abnormal activity interest description feature1 is rich) and a poorer local description.
In the embodiment of the application, the intelligent service session log with the risk of privacy information stealing may be any intelligent service session log covering privacy threat information. The duration of the intelligent service session log with the risk of privacy information stealing may be any duration, for example 15min, 25min and the like. In practical implementation, the detection duration of the intelligent service session log can be determined based on the first AI machine learning model in a plurality of service states, and when the duration of the intelligent service session log with the risk of privacy information stealing exceeds the detection duration, the log can be divided into a plurality of intelligent service session logs, so that the duration of each divided intelligent service session log is consistent with the detection duration.
For example, if the duration of the intelligent service session log with the risk of privacy information stealing is 1.5 hours and the determined detection duration is 15min, the log can be divided into 6 intelligent service session logs with a duration of 15min each. The first AI machine learning model in the plurality of service states performs session activity interest mining on each 15min intelligent service session log, the privacy threat information corresponding to each 15min intelligent service session log is determined, and the privacy threat information of the intelligent service session log with the risk of privacy information stealing is then obtained.
In the embodiment of the present application, the abnormal activity interest description feature1 may include four levels of interest description attributes (e.g., parameter information). For example, if the first AI machine learning model in the multiple service states is an AI machine learning model in three layers (which may also be a convolutional neural network), an abnormal activity interest description feature1 of the intelligent service session log with a risk of stealing privacy information may be obtained, where the abnormal activity interest description feature1 may include interest description attributes in four layers; if the first AI machine learning models in the multiple service states are AI machine learning models in two layers, session activity interest mining can be executed through the first AI machine learning models in the multiple service states to obtain abnormal activity interest descriptions corresponding to each group of session events in the intelligent service session log with the risk of stealing privacy information, and the abnormal activity interest descriptions of each group of session event keywords in the obtained intelligent service session log with the risk of stealing privacy information are integrated according to a staged layer to obtain abnormal activity interest description feature1 corresponding to the intelligent service session log with the risk of stealing privacy information.
It can be understood that, for the step 102, based on performing the interest description attribute update on the abnormal activity interest description feature1, the abnormal activity interest description feature2 corresponding to the abnormal activity interest description feature1 in each business state is obtained.
For example, the interest description attribute of the abnormal activity interest description feature1 in the first business state, the interest description attribute of the abnormal activity interest description feature1 in the second business state, and the interest description attribute of the abnormal activity interest description feature1 in the third business state are updated to be the same.
For an independently implementable technical solution, the updating of the interest description attribute based on the abnormal activity interest description feature1 recorded in step 102, to obtain an abnormal activity interest description feature2 corresponding to the abnormal activity interest description feature1 in each service state, may exemplarily include the following contents: determining, among the interest description attributes corresponding to the abnormal activity interest description feature1 in each service state, the abnormal activity interest description feature1 with the least quantization constraint; updating the remaining abnormal activity interest description features 1 into abnormal activity interest descriptions with the same interest description attribute as the abnormal activity interest description feature1 with the least quantization constraint; and taking the abnormal activity interest description feature1 with the least quantization constraint, together with the updated abnormal activity interest descriptions with the same interest description attribute, as the abnormal activity interest description feature2. Or, the abnormal activity interest description feature1 in each business state is updated to be the abnormal activity interest description under the set interest description attribute, and the abnormal activity interest description under the set interest description attribute is taken as the abnormal activity interest description feature2.
In this embodiment of the application, if the abnormal activity interest description feature1 in the multiple service states includes the abnormal activity interest description feature1 in the first service state, the abnormal activity interest description feature1 in the second service state, and the abnormal activity interest description feature1 in the third service state, the abnormal activity interest description feature1 with the least quantization constraint is determined among them. For example, when the least quantization constraint is determined to be in the interest description attribute corresponding to the abnormal activity interest description feature1 in the third service state, the interest description attributes of the abnormal activity interest description feature1 in the first service state and the abnormal activity interest description feature1 in the second service state are updated, so that the updated interest description attributes of the abnormal activity interest description features 2 in each service state are consistent with one another.
Or, a set interest description attribute is determined, the abnormal activity interest description feature1 in each service state is updated to the abnormal activity interest description under the set interest description attribute, and the abnormal activity interest description under the set interest description attribute is taken as the abnormal activity interest description feature2. It can be understood that the quantization constraint in the set interest description attribute is not greater than that in the interest description attribute of the abnormal activity interest description feature1 with the least quantization constraint, among the interest description attributes corresponding to the abnormal activity interest description feature1 derived by the first AI machine learning model in each business state.
By this design, the abnormal activity interest description feature1 in each service state is updated to have less quantization constraint, so that when the privacy threat information covered in the intelligent service session log with the risk of privacy information stealing is detected, the software and hardware resource overhead of privacy threat information detection can be reduced, and the efficiency of privacy threat detection is improved to a certain extent.
For an independently implementable technical solution, the performing, in step 101, session activity interest mining on the intelligent business session log with the risk of privacy information theft to obtain an abnormal activity interest description feature1 in a plurality of business states may exemplarily include: session activity interest mining is performed on intelligent service session logs with privacy information stealing risks through the first AI machine learning models in a plurality of service states, and abnormal activity interest descriptions 1 derived by the first AI machine learning models in each service state are obtained.
On the basis of the above, the updating of the interest description attribute recorded in step 102 based on the abnormal activity interest description feature1 is performed to obtain the abnormal activity interest description feature2 corresponding to the abnormal activity interest description feature1 in each service state, which may exemplarily include the technical solutions recorded in step201 and step 202.
Step201, determining model variable data of a second AI machine learning model corresponding to the first AI machine learning model in each service state according to the determined updated interest description attribute and the interest description attribute of the abnormal activity interest description feature1 derived by the first AI machine learning model in each service state.
Step202, in combination with the second AI machine learning model in each service state, which covers the determined model variable data, performing interest feature analysis on the abnormal activity interest description feature1 derived from the first AI machine learning model corresponding to that second AI machine learning model in the service state, to obtain an abnormal activity interest description feature2 derived from the second AI machine learning model in the service state.
In this embodiment, according to the determined updated interest description attribute and the interest description attribute of the abnormal activity interest description feature1 derived from the first AI machine learning model in each service state, model variable data of the second AI machine learning model corresponding to the first AI machine learning model in the first service state, model variable data of the second AI machine learning model corresponding to the first AI machine learning model in the second service state, and model variable data of the second AI machine learning model corresponding to the first AI machine learning model in the third service state may be respectively determined.
For example, the second AI machine learning model that corresponds to the first AI machine learning model in the first service state and covers model variable data (for example, model parameter information) performs interest feature analysis on the abnormal activity interest description feature1 corresponding to the first AI machine learning model in the first service state, so as to obtain an abnormal activity interest description feature2 derived by the second AI machine learning model in the service state. By analogy, the second AI machine learning model that corresponds to the first AI machine learning model in the second service state and covers model variable data performs interest feature analysis on the abnormal activity interest description feature1 corresponding to the first AI machine learning model in the second service state, to obtain an abnormal activity interest description feature2 derived by the second AI machine learning model in the service state. Interest feature analysis is likewise performed on the abnormal activity interest description feature1 corresponding to the first AI machine learning model in the third service state to obtain an abnormal activity interest description feature2 derived by the second AI machine learning model in the service state.
By means of the design, the interest feature analysis is performed on the corresponding abnormal activity interest description feature1 by determining the model variable data of the second AI machine learning model in each service state and combining the second AI machine learning model in each service state covering the determined model variable data, so that the quantitative constraint in the interest description attribute of the abnormal activity interest description feature1 derived by the first AI machine learning model in each service state is updated to be less quantitative constraint, further, when the intelligent service session log with the risk of privacy information stealing is analyzed, the software and hardware resource overhead is reduced, and the efficiency of privacy threat detection is improved to a certain extent.
It will be appreciated that for step 103: in the embodiment of the present application, the interest description attribute of the abnormal activity interest description feature2 in each service state may be updated, and the abnormal activity interest description feature3 corresponding to the abnormal activity interest description feature2 in each service state is obtained, so that the quantitative analysis result of the stage level index of the abnormal activity interest description feature3 in each service state is matched with the set quantitative analysis result. The abnormal activity interest description feature3 in each business state has a stage level index (such as a time dimension value) related to its coverage. In practical implementation, the fewer times interest feature analysis has been performed on an abnormal activity interest description, the smaller its coverage area, and the larger the corresponding stage level index is set, so that the privacy threat information in the intelligent service session log with privacy information stealing risk can be determined relatively accurately; conversely, the more times interest feature analysis has been performed on an abnormal activity interest description, the larger its coverage area, and the smaller the corresponding stage level index is set, so as to reduce the software and hardware resource overhead as much as possible while ensuring the accuracy of detection on the intelligent service session log with privacy information stealing risk, and to improve the privacy threat detection efficiency. For example, the result of the quantitative analysis of the stage level index between the abnormal activity interest description feature3 in the first service state and the abnormal activity interest description feature3 in the second service state may be set as 2:6 or 4:16, etc.
For an independently implementable technical solution, the step 103 may update the interest description attribute of the abnormal activity interest description 2 in each service state one by one to obtain the abnormal activity interest description feature3 corresponding to the abnormal activity interest description feature2 in each service state, which may exemplarily include the technical solutions recorded in the steps 301 to 303.
Step301, determining the stage level indexes of the abnormal activity interest description feature3 corresponding to the first AI machine learning model in each service state respectively based on the quantitative analysis result of the stage level indexes between the first AI machine learning models in different service states and the stage level indexes of the abnormal activity interest description feature2 corresponding to the first AI machine learning model in each service state.
Step302, determining model variable data of a third AI machine learning model corresponding to the first AI machine learning model in each service state according to the stage level index of the abnormal activity interest description feature3 corresponding to the first AI machine learning model in each service state and the stage level index of the abnormal activity interest description feature2 corresponding to the first AI machine learning model in each service state.
And step 303, performing interest feature analysis on the abnormal activity interest description feature2 corresponding to the third AI machine learning model in the service state in combination with the third AI machine learning model in each service state covering the determined model variable data to obtain an abnormal activity interest description feature3 derived by the third AI machine learning model in the service state.
In the embodiment of the present application, quantitative analysis results of stage level indexes between the first AI machine learning models in different service states may be set according to real service requirements, for example: if the first AI machine learning models in the multiple service states include a first AI machine learning model in a first service state, a first AI machine learning model in a second service state, and a first AI machine learning model in a third service state, the quantitative analysis result (for example, a ratio) of the stage level index between the first AI machine learning models in different service states may be 1:4:6, or 1:5:10, etc. Further, if the stage level index (for example, the time dimension value) of the abnormal activity interest description feature2 corresponding to the first AI machine learning model in each service state is 32 and the quantitative analysis result of the stage level index is 1:4:6, it may be determined that the stage level index of the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state is 8, the stage level index of the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the second service state is 16, and the stage level index of the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the third service state is 32.
In this embodiment of the application, the model variable data of the third AI machine learning model corresponding to the first AI machine learning model in each service state may be determined according to the above-mentioned related content. For example, different time-dimension intervals can be set for the third AI machine learning model in each business state, so that the stage level indexes of the abnormal activity interest description feature3 derived by the third AI machine learning model in each business state are the same as the set quantitative analysis result.
Illustratively, the third AI machine learning model covering model variable data corresponding to the first AI machine learning model in the first business state performs interest feature analysis on the corresponding abnormal activity interest description feature2 in the business state, so as to obtain an abnormal activity interest description feature3 derived by the third AI machine learning model in the business state. Deducing one by one, correspondingly carrying out a third AI machine learning model covering model variable data on the first AI machine learning model in the second service state, and carrying out interest characteristic analysis on the corresponding abnormal activity interest description feature2 in the service state to obtain an abnormal activity interest description feature3 derived by the third AI machine learning model in the service state. And carrying out interest feature analysis on the corresponding abnormal activity interest description feature2 in the service state by using a third AI machine learning model covering model variable data corresponding to the first AI machine learning model in the third service state to obtain an abnormal activity interest description feature3 derived by the third AI machine learning model in the service state.
By modifying the stage level index of the abnormal activity interest description feature2 corresponding to the first AI machine learning model in each service state, the content recorded in the steps 301 to 303 is implemented, so that the stage level index of the abnormal activity interest description feature3 derived from the third AI machine learning model in each service state is matched with the set quantitative analysis result (corresponding to the modification of the focus point of the privacy threat information included in the intelligent service session log with the risk of privacy information stealing), and the abnormal activity interest description feature3 after updating the stage level index can relatively accurately identify the privacy threat information included in the intelligent service session log with the risk of privacy information stealing, thereby improving the accuracy of privacy threat detection to a certain extent.
It is to be understood that for step 104: in the embodiment of the application, the abnormal activity interest descriptions 3 corresponding to the first AI machine learning model in each service state may be connected, and the abnormal activity interest descriptions obtained after the abnormal activity interest descriptions 3 are connected are imported into the test machine learning model, so as to obtain the privacy threat information included in the intelligent service session log with the risk of privacy information stealing. If the intelligent service session log with the risk of stealing the privacy information comprises a plurality of privacy threat information, each piece of privacy threat information included in the intelligent service session log with the risk of stealing the privacy information can be obtained.
For an independently implementable technical solution, the abnormal activity interest description feature3 recorded in step 104 is used to determine privacy threat information in the intelligent business session log at risk of privacy information stealing, which may illustratively include the contents recorded in step401 and step 402.
Step401, performing connection processing on the abnormal activity interest description feature3 corresponding to the abnormal activity interest description feature2 in each service state to obtain an abnormal activity interest description feature4 with the connection completed.
Step402, based on the abnormal activity interest description feature4, determining privacy threat information in the intelligent service session log with privacy information stealing risk.
In the embodiment of the application, after obtaining the abnormal activity interest description feature3 corresponding to the abnormal activity interest description feature2 in each service state, the abnormal activity interest description feature3 in each service state may be connected to obtain the abnormal activity interest description feature4 that completes the connection, and based on the abnormal activity interest description feature4, the privacy threat information in the intelligent service session log where the privacy information stealing risk exists is determined.
The contents recorded in the step401 and the step402 are implemented, and the abnormal activity interest description feature3 corresponding to the abnormal activity interest description feature2 in each service state is subjected to connection processing, so that the obtained abnormal activity interest description feature4 can include the features of the abnormal activity interest description feature3 with different stage-level indexes, and when the privacy threat information in the intelligent service session log with the privacy information stealing risk is determined based on the abnormal activity interest description feature4, the accuracy of privacy threat detection can be improved.
For an independently implementable technical solution, the connecting processing is performed on the abnormal activity interest description 3 corresponding to the abnormal activity interest description 2 in each service state recorded in the above step401, so as to obtain the abnormal activity interest description feature4 completing the connection, which may exemplarily include the following contents: according to a preset connection mode, the abnormal activity interest description 3 corresponding to the abnormal activity interest description 2 in each service state is connected one by one to obtain transition abnormal activity interest descriptions of which the connection is completed in each round; and obtaining an abnormal activity interest description feature4 based on the transition abnormal activity interest description of each round of completed connection.
In the embodiment of the present application, a connection manner (which may be understood as a fusion sequence) of the abnormal activity interest description feature3 may be set, and the abnormal activity interest description features 3 corresponding to the abnormal activity interest description features 2 in each service state are connected one by one according to a preset connection manner, so as to obtain transition abnormal activity interest descriptions that are completed in each round.
For example, if the preset connection mode is: the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state, then the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the second service state, then the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the third service state, the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state may be connected to the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the second service state, so as to obtain the transition abnormal activity interest description that completes the connection in the first round; the obtained transition abnormal activity interest description is then connected with the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the third service state to obtain the transition abnormal activity interest description that completes the connection in the second round. The abnormal activity interest description feature4 can be obtained based on the transition abnormal activity interest description that completes the connection in each round.
It can be understood that, when the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state is connected to the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the second service state, the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state may be up-sampled, and the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state after the up-sampling operation is connected to the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the second service state, so as to obtain the transition abnormal activity interest description for which the connection is completed in the first round. For each round of the connection process, reference may be made to the process of connecting the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state with the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the second service state, which is not described in detail again in this embodiment of the present application.
For example, if the interest description attribute of the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state is value1, and the interest description attribute of the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the second service state is value2, the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state may be first up-sampled, and the interest description attribute of the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state after the up-sampling operation is value 2; then, the description value of each activity interest description item in the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the first service state after the up-sampling operation is integrated with the description value of the activity interest description item corresponding to the abnormal activity interest description feature3 corresponding to the first AI machine learning model in the second service state, so as to obtain a transition abnormal activity interest description for completing connection in the first round, wherein the interest description attribute of the transition abnormal activity interest description for completing connection in the first round is value 2.
For an independently implementable technical solution, an abnormal activity interest description feature3 corresponding to the abnormal activity interest description feature2 in each service state is used as the abnormal activity interest description feature3 in the first service state to the abnormal activity interest description feature3 in the Xth service state, wherein a stage level index of the abnormal activity interest description feature3 in the Xth service state is greater than a stage level index of the abnormal activity interest description feature3 in the Xth service state, and X is a positive integer greater than 1. According to a preset connection mode, the abnormal activity interest descriptions 3 corresponding to the abnormal activity interest description 2 in each service state are connected one by one, so that a transition abnormal activity interest description completing connection in each round is obtained, wherein the transition abnormal activity interest description includes one of the following design ideas.
The first design idea is as follows: according to the connection mode from the abnormal activity interest description feature3 in the first service state to the abnormal activity interest description feature3 in the Xth service state, the abnormal activity interest description features 3 in each service state are connected one by one to obtain the abnormal activity interest description of which the connection is completed in each round, and the abnormal activity interest description feature3 in the first service state and the abnormal activity interest description of which the connection is completed in each round are used as the obtained transitional abnormal activity interest description.
The second design idea is as follows: according to the connection mode from the abnormal activity interest description feature3 in the Xth service state to the abnormal activity interest description feature3 in the first service state, the abnormal activity interest description features 3 in each service state are connected one by one to respectively obtain abnormal activity interest descriptions of which the connection is completed in each round, and the abnormal activity interest description feature3 in the Xth service state and the abnormal activity interest description of which the connection is completed in each round are used as the interest descriptions of transitional abnormal activities.
The third design idea is as follows: according to the connection mode from the abnormal activity interest description feature3 in the first service state to the abnormal activity interest description feature3 in the Xth service state, the abnormal activity interest description features 3 in each service state are connected one by one to obtain the abnormal activity interest description of which the connection is completed in each round; interest feature analysis is performed on the abnormal activity interest description feature3 in the first service state and on the abnormal activity interest description of which the connection is completed in each round, to obtain the connection abnormal activity interest descriptions from the first service state to the Xth service state, wherein the interest description attribute of the connection abnormal activity interest description in each service state is consistent with the interest description attribute of the corresponding abnormal activity interest description before the interest feature analysis; then, according to the connection mode from the connection abnormal activity interest description in the Xth service state to the connection abnormal activity interest description in the first service state, the connection abnormal activity interest descriptions in each service state are connected one by one to obtain the abnormal activity interest description of which the connection is completed in each round, and the abnormal activity interest descriptions of which the connection is completed in each round, together with the connection abnormal activity interest description in the Xth service state, are used as the obtained transition abnormal activity interest descriptions.
The fourth design idea is as follows: according to the connection mode from the abnormal activity interest description feature3 in the first service state to the abnormal activity interest description feature3 in the Xth service state, the abnormal activity interest description features 3 in each service state are connected one by one to obtain the abnormal activity interest description of which the connection is completed in each round, and the abnormal activity interest description feature3 in the first service state, together with the abnormal activity interest description of which the connection is completed in each round during the connection from the first service state to the Xth service state, is used as the obtained first transition abnormal activity interest description; according to the connection mode from the abnormal activity interest description feature3 in the Xth service state to the abnormal activity interest description feature3 in the first service state, the abnormal activity interest description features 3 in each service state are connected one by one to obtain the abnormal activity interest description of which the connection is completed in each round, and the abnormal activity interest description feature3 in the Xth service state, together with the abnormal activity interest description of which the connection is completed in each round during the connection from the Xth service state to the first service state, is used as the obtained second transition abnormal activity interest description; and the first transition abnormal activity interest description and the second transition abnormal activity interest description are taken as the obtained transition abnormal activity interest description.
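The round-by-round connection and the first, second and fourth design ideas can be sketched as follows; this is an added example, not code from the application. It assumes that a feature3 is a list of description values whose length stands in for the interest description attribute, that up-sampling is nearest-neighbour repetition, that integration is item-wise addition, and that the Xth-to-first direction (which the text does not detail) resamples downward in the same way.

```python
from typing import List, Sequence

Feature = List[float]

# Constructed sample: feature3 for three service states, ordered first..Xth (X = 3).
# The list length plays the role of the "interest description attribute".
SAMPLE_FEATURE3: List[Feature] = [
    [1.0, 2.0],                  # first service state, attribute 2
    [0.5, 1.0, 1.5, 2.0],        # second service state, attribute 4
    [0.25] * 8,                  # third service state, attribute 8
]


def resample(values: Sequence[float], target_len: int) -> Feature:
    """Nearest-neighbour resampling of `values` to `target_len` items.

    Up-samples when target_len is larger (the case the text describes) and
    down-samples when it is smaller (assumed here for the reverse direction).
    """
    if target_len <= 0 or not values:
        raise ValueError("need a non-empty feature and a positive target length")
    n = len(values)
    return [values[i * n // target_len] for i in range(target_len)]


def connect(current: Sequence[float], nxt: Sequence[float]) -> Feature:
    """One connection round.

    Bring `current` to the attribute of `nxt`, then integrate the description
    value of each item with the corresponding item of `nxt` (assumed: addition).
    The result carries the attribute of `nxt`, as in the value1/value2 example.
    """
    resized = resample(current, len(nxt))
    return [a + b for a, b in zip(resized, nxt)]


def transitions(features: Sequence[Sequence[float]], reverse: bool = False) -> List[Feature]:
    """Transition descriptions for the first (reverse=False) or second
    (reverse=True) design idea: the starting feature3 plus the description
    that completes the connection in each round."""
    ordered = [list(f) for f in features]
    if len(ordered) < 2:
        raise ValueError("X must be greater than 1")
    if reverse:
        ordered.reverse()
    out: List[Feature] = [ordered[0]]
    for nxt in ordered[1:]:
        out.append(connect(out[-1], nxt))
    return out


def fourth_design(features: Sequence[Sequence[float]]) -> List[Feature]:
    """Fourth design idea: first-to-Xth transitions followed by Xth-to-first."""
    return transitions(features) + transitions(features, reverse=True)


if __name__ == "__main__":
    for label, result in (
        ("first design idea ", transitions(SAMPLE_FEATURE3)),
        ("second design idea", transitions(SAMPLE_FEATURE3, reverse=True)),
    ):
        print(label, [len(t) for t in result], result[-1])
```

How feature4 is then formed from these transition descriptions is not specified in the text, so the sketch stops at the transitions.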
Based on the above, for some design ideas that can be implemented independently, after determining the privacy threat information in the intelligent service session log where there is a risk of privacy information theft, the method may further include: executing corresponding privacy threat protection measures according to the privacy threat information.
Based on the above, for some design ideas that can be implemented independently, executing corresponding privacy threat protection measures according to the privacy threat information may include the following: determining target individual user information to be subjected to anonymization processing according to the privacy threat information; respectively carrying out shared use demand analysis and exclusive use demand analysis on a plurality of individual user information segments in the target individual user information to obtain a shared use demand analysis result set and an exclusive use demand analysis result set; performing first adjustment processing on the shared use requirement analysis result set through a first specified adjustment strategy to obtain a first user information cluster comprising shared use requirements; performing second adjustment processing on the exclusive use requirement analysis result set through a second specified adjustment strategy to obtain a second user information cluster comprising the exclusive use requirement; performing downsampling processing on the basis of the first individual user information cluster and the second individual user information cluster to obtain a target individual user information cluster matched with a target use requirement in the target individual user information; the target use requirement comprises at least one of a shared use requirement and an exclusive use requirement, and the target individual user information cluster is used for anonymizing the target individual user information; and anonymizing at least part of the target individual user information based on the target individual user information cluster. By the design, targeted information anonymization processing can be realized by considering different use requirements, so that accurate and reliable privacy threat protection is realized.
Based on the same inventive concept, there is also provided a big data attack processing apparatus 20 applied to a cloud service, which is applied to a big data attack processing system 10, and the apparatus includes:
the behavior information determining module 21 is configured to determine user operation behavior information of a target smart cloud service item, where the user operation behavior information is intended to reflect a feature recognition degree update condition of the target smart cloud service item in a first feature recognition degree interval;
the behavior intention mining module 22 is used for mining the attack behavior intention of the user operation behavior information to obtain a first user attack behavior intention of the target smart cloud service item;
the knowledge graph optimizing module 23 is configured to perform attack intention knowledge graph optimization on the first user attack behavior intention to obtain an optimized attack intention knowledge graph of the target smart cloud service item, where a feature recognition degree of the optimized attack intention knowledge graph is within a second feature recognition degree interval, and the second feature recognition degree interval is greater than the first feature recognition degree interval.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made to the present application by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.