CN114244588B - Big data analysis interception method and information interception system applying artificial intelligence analysis - Google Patents
- Publication number
- CN114244588B CN202111477457.8A
- Authority
- CN
- China
- Prior art keywords
- access
- interception
- network
- decision
- activity
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
- H04L63/308—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information retaining data, e.g. retaining successful, unsuccessful communication attempts, internet access, or e-mail, internet telephony, intercept related information or call content
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Biophysics (AREA)
- General Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- Life Sciences & Earth Sciences (AREA)
- Computational Linguistics (AREA)
- Data Mining & Analysis (AREA)
- Evolutionary Computation (AREA)
- Artificial Intelligence (AREA)
- Molecular Biology (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Software Systems (AREA)
- Health & Medical Sciences (AREA)
- Technology Law (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
Description
Technical field
The present application relates to the technical field of artificial intelligence, and in particular to a big data analysis interception method and an information interception system applying artificial intelligence analysis.
Background
With the arrival of the big data era, information security has remained the top priority in the development of cloud computing. Traditional security thinking struggles with problems such as the breakdown of the cloud boundary, and cloud computing has developed without a deep accumulation of security experience. For access activities that need to be intercepted, such as attack access activities and privacy access activities, the accuracy of the interception decision bears on information security performance; however, the accuracy of interception decisions for access activities in the related art still needs to be improved.
Summary of the invention
The present application provides a big data analysis interception method and an information interception system applying artificial intelligence analysis.
In a first aspect, an embodiment of the present application provides a big data analysis interception method applying artificial intelligence analysis, applied to an information interception system, comprising:
upon receiving an access trigger event of a target access activity that the business service system transmits as real-time status, generating the corresponding target access trigger event;
using a first access activity interception decision network to generate, from the target access trigger event, a basic interception decision basis associated with the target access activity; the first access activity interception decision network is obtained by network convergence optimization on a basic reference data set, the basic reference data set includes first reference access trigger events and the basic reference interception bases they carry, and a basic reference interception basis is obtained from whether the access activity maintenance state was set to the destroyed state after the access activity corresponding to the first reference access trigger event was released;
using a second access activity interception decision network to generate, from the target access trigger event, an advanced interception decision basis associated with the target access activity; the second access activity interception decision network is obtained by network convergence optimization on an advanced reference data set, the advanced reference data set includes second reference access trigger events and the advanced reference interception bases they carry, and an advanced reference interception basis represents the label attribute of the access activity corresponding to the second reference access trigger event;
determining, from the basic interception decision basis and the advanced interception decision basis, a target interception decision basis associated with the target access activity; the target interception decision basis represents the threat output view of the target access activity.
Compared with the prior art, a first access activity interception decision network obtained by network convergence optimization under benchmark supervised training and a second access activity interception decision network obtained by network convergence optimization under advanced supervised training are each used to make an interception decision on the target access activity, and the interception decision bases produced by these two differently trained networks are combined to determine whether the target access activity can be classified as an intercepted access activity. The first access activity interception decision network is obtained by network convergence optimization on a basic reference data set labelled with the benchmark basis labelling strategy. Under that strategy, the access activity corresponding to a reference access trigger event in the reference data set is labelled as an intercepted access activity or not according to whether, after that access activity was released, a related process was found destroying the access activity maintenance state. Compared with using only the advanced basis labelling strategy, labelling reference data with the benchmark strategy takes less labelling work and yields more reference data, so a first access activity interception decision network with preliminary interception decision performance can be produced with reduced labelling effort. Because the first network assists in deciding whether an access activity can be classified as an intercepted access activity, the requirements on the training data set of the second access activity interception decision network can be lowered, for example by reducing the number of reference data sets used during its network convergence optimization, which reduces the training workload of the second network. Combining the first and second access activity interception decision networks to decide on intercepted access activities in this way improves the accuracy of interception decisions and the performance of network convergence optimization.
Description of drawings
FIG. 1 is a schematic flow chart of the steps of a big data analysis interception method applying artificial intelligence analysis provided by an embodiment of the present application.
Detailed description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments of the present application. The described embodiments are evidently some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art from the embodiments in this application without creative effort fall within the scope of protection of this application.
Step S101: Upon receiving the access trigger event of a target access activity that the business service system transmits as real-time status, determine it as the target access trigger event.
Step S102: Use the first access activity interception decision network to generate, from the target access trigger event, the basic interception decision basis associated with the target access activity. The first access activity interception decision network is obtained by network convergence optimization on the basic reference data set; the basic reference data set includes first reference access trigger events and the basic reference interception bases they carry, and a basic reference interception basis is obtained from whether the access activity maintenance state was set to the destroyed state after the access activity corresponding to the first reference access trigger event was released.
After obtaining the target access trigger event, the information interception system can input it into a first access activity interception decision network that meets the network deployment requirements. After performing interception prediction on the target access trigger event, the network outputs the basic interception decision basis associated with the target access activity, which can be understood as the confidence that the target access activity is classified as an intercepted access activity.
For example, the first access activity interception decision network may be obtained by network convergence optimization on the basic reference data set under benchmark supervised training. Benchmark supervised training means that the interception decision bases in the reference data set used during network convergence optimization may not be fully accurate; for example, the basic reference interception bases in the basic reference data set used to optimize the first access activity interception decision network can be understood as training references of low accuracy. The basic reference data set includes first reference access trigger events and the basic reference interception bases they carry. A first reference access trigger event may be an access trigger event from a past access activity; its basic reference interception basis may be obtained from whether, after the past access activity corresponding to it was released, a related process was found destroying the access activity maintenance state.
For example, if, after the access activity corresponding to a first reference access trigger event is released, a related process is found destroying the access activity maintenance state, the basic reference interception basis of that event indicates that the corresponding access activity is classified as an intercepted access activity, and the destruction timing data of the access state for that event represents the timing interval between the corresponding access activity and the control access activity. The control access activity here is the last access activity released before the access activity maintenance state was set to the destroyed state.
For example, before releasing the access activities in an access event, the information interception system assigns each access activity in the access event a sequence position number according to its release order: the earlier the release, the smaller the number, and the later the release, the larger the number. When the information interception system finds that destruction of the access activity maintenance state has been triggered for an access event, it first takes the last access activity shown in that access event before the state was set to the destroyed state (the one with the largest sequence position number) as the control access activity. Then, for each access activity included in the access event before the state was set to the destroyed state, it computes the difference between the sequence position number of the control access activity and the sequence position number of that access activity, and uses the result as the destruction timing data of the access state for that access activity, that is, for the access trigger event in that access activity.
If, after the access activity corresponding to a first reference access trigger event is released, no related process is found destroying the access activity maintenance state, the basic reference interception basis of that event indicates that the corresponding access activity is classified as a non-intercepted access activity (that is, not an intercepted access activity). Because no destruction of the access activity maintenance state was found after that access activity was released, the destruction timing data of the access state for that event is hard to determine, so it can be set directly to the timing interval value for non-intercepted access activities. This value may be a timing interval reference value configured in advance by the information interception system, or the system may determine it from the destruction timing data of the access state in the other basic reference data whose basic reference interception basis is an intercepted access activity. For example, the information interception system can take all basic reference data whose basic reference interception basis is an intercepted access activity, compute the mean of the destruction timing data of the access state they contain, and use that mean as the timing interval value for non-intercepted access activities. The manner of determining this value is not limited here.
With this design, extending the basic reference data set used to train the first access activity interception decision network with the destruction timing data of the access state lets the network consider both the access trigger event of an access activity and the destruction timing data of the access state when identifying whether the access activity can be classified as an intercepted access activity, which improves the precision with which the first network decides on intercepted access activities.
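The labelling rule described in the preceding paragraphs, written out as an added Python example (not code from the patent): activities get sequence position numbers by release order, sessions whose maintenance state was destroyed yield intercept labels with an interval to the control activity, and the rest receive either a preconfigured interval or the mean over intercepted samples. The names `Session`, `Sample`, `label_sessions` and the sample events are assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Session:
    """One access event (hypothetical structure).

    activities: access trigger events in release order, up to the point
                where destruction of the maintenance state was observed.
    destroyed:  True if a process was found destroying the access activity
                maintenance state after these activities were released.
    """
    session_id: str
    activities: List[str]
    destroyed: bool


@dataclass
class Sample:
    """One row of the basic reference data set (weakly labelled)."""
    session_id: str
    trigger_event: str
    position: int                 # sequence position number, 1 = released first
    intercept: int                # 1 = intercepted access activity, 0 = not
    destruction_interval: float   # destruction timing data of the access state


def label_sessions(sessions: List[Session],
                   configured_interval: Optional[float] = None) -> List[Sample]:
    # Pass 1: for destroyed sessions, the control activity is the last one
    # released (largest position number); interval = control - position.
    intervals: Dict[str, List[float]] = {}
    for s in sessions:
        if s.destroyed and s.activities:
            control = len(s.activities)
            intervals[s.session_id] = [float(control - pos)
                                       for pos in range(1, control + 1)]

    # Interval for non-intercepted activities: preconfigured value if given,
    # otherwise the mean interval over all intercepted samples.
    if configured_interval is not None:
        default: Optional[float] = float(configured_interval)
    elif intervals:
        default = mean(v for vals in intervals.values() for v in vals)
    else:
        default = None  # the text offers no third way to derive the value

    # Pass 2: emit samples in input order.
    samples: List[Sample] = []
    for s in sessions:
        for pos, event in enumerate(s.activities, start=1):
            if s.session_id in intervals:
                samples.append(Sample(s.session_id, event, pos, 1,
                                      intervals[s.session_id][pos - 1]))
            else:
                if default is None:
                    raise ValueError("no configured interval and no "
                                     "intercepted samples to average")
                samples.append(Sample(s.session_id, event, pos, 0, default))
    return samples


# Constructed sample input, not taken from the patent.
CONSTRUCTED_SESSIONS = [
    Session("s1", ["login", "list_accounts", "export_table"], destroyed=True),
    Session("s2", ["login", "view_profile"], destroyed=False),
]

if __name__ == "__main__":
    for row in label_sessions(CONSTRUCTED_SESSIONS):
        print(row)
```

Every activity released before a destruction inherits the intercept label, which is why the text treats these labels as a low-accuracy training reference.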
In addition, if the basic reference data set used to train the first access activity interception decision network includes the destruction timing data of the access state, then when the first network is applied to identify whether an access activity can be classified as an intercepted access activity, it can likewise perform the access activity decision process using both the calibrated destruction timing data of the access state and the access trigger event of the access activity. That is, when the first access activity interception decision network is used to determine the basic interception decision basis associated with the target access activity, the calibrated destruction timing data of the access state should be obtained; it can be determined from the destruction timing data of the access state in the basic reference data set used to train the first network. The first network then generates the basic interception decision basis associated with the target access activity from the target access trigger event in the target access activity and the calibrated destruction timing data of the access state.
In an exemplary design, the first access activity interception decision network may include a first basic description variable mining unit and a first interception decision unit. In a specific application, the network can first use the first basic description variable mining unit to mine the basic description variable corresponding to each access unit in the target access trigger event, and then use the first interception decision unit to generate, from the basic description variables of the access units in the target access trigger event, the basic interception decision basis associated with the target access activity.
For example, the first access activity interception decision network may include a first basic description variable mining unit A1 and a first interception decision unit A2. The first basic description variable mining unit A1 may include an RNN unit and a fully connected unit, where the RNN unit may be, for example, a GRU or an LSTM; the first interception decision unit A2 may include a first fully connected unit, a CNN unit, a dimensionality reduction unit and a second fully connected unit.
When the first access activity interception decision network is applied, the RNN unit in the first basic description variable mining unit A1 can mine access description variables for the access units included in the target access trigger event, giving the basic access description variable of each access unit; the fully connected unit in A1 then processes these basic access description variables to give the basic description variable of each access unit in the target access trigger event. Next, the first fully connected unit, the CNN unit, the dimensionality reduction unit and the second fully connected unit in the first interception decision unit A2 process the basic description variables of the access units in turn to give the basic interception decision basis associated with the target access activity.
Step S103: Use the second access activity interception decision network to generate, from the target access trigger event, the advanced interception decision basis associated with the target access activity. The second access activity interception decision network is obtained by network convergence optimization on the advanced reference data set; the advanced reference data set includes second reference access trigger events and the advanced reference interception bases they carry, and an advanced reference interception basis represents the label attribute of the access activity corresponding to the second reference access trigger event.
After obtaining the target access trigger event, the information interception system can also input it into a second access activity interception decision network that meets the network deployment requirements. After performing interception prediction on the target access trigger event, the network generates the advanced interception decision basis associated with the target access activity, which may be, for example, the confidence that the target access activity is classified as an intercepted access activity.
The second access activity interception decision network is obtained by network convergence optimization on the advanced reference data set under advanced supervised training. Advanced supervised training differs from the benchmark supervised training described above in that the interception decision bases in the reference data set it uses are comprehensive and accurate; for example, the advanced reference interception bases in the advanced reference data set used to optimize the second network are comprehensive and accurate training references. The advanced reference data set includes second reference access trigger events and the advanced reference interception bases they carry. The advanced reference interception basis of a second reference access trigger event may be a label applied to the access activity corresponding to that event; it represents the label attribute of that access activity, that is, it comprehensively and accurately indicates whether the access activity corresponding to the second reference access trigger event can be classified as an intercepted access activity.
In an exemplary design, the second access activity interception decision network may include a second basic description variable mining unit and a second interception decision unit. When applied, the network can first use the second basic description variable mining unit to mine the basic description variable corresponding to each access unit in the target access trigger event, and then use the second interception decision unit to generate, from the basic description variables of the access units in the target access trigger event, the advanced interception decision basis associated with the target access activity.
For example, the second access activity interception decision network includes a second basic description variable mining unit B01 and a second interception decision unit B02. The second basic description variable mining unit B01 may include an RNN unit and a fully connected unit, where the RNN unit may specifically be a GRU or LSTM structure; the second interception decision unit B02 may include a first fully connected unit, a CNN unit, a pooling unit and a second fully connected unit.
When the second access activity interception decision network is applied, the RNN unit in the second basic description variable mining unit B01 can mine access description variables for the access units included in the input target access trigger event, giving the basic access description variable of each access unit; the fully connected unit in B01 then processes these basic access description variables to give the basic description variable of each access unit in the target access trigger event. Next, the first fully connected unit, the CNN layer, the pooling layer and the second fully connected unit in the second interception decision unit B02 process the basic description variables of the access units in turn to give the advanced interception decision basis associated with the target access activity.
Where the first access activity interception decision network includes a first basic description variable mining unit and a first interception decision unit, and the second access activity interception decision network includes a second basic description variable mining unit and a second interception decision unit, a network parameter layer may be set in both the first and the second basic description variable mining units in order to speed up the convergence of the two networks. When the two networks are trained, the network parameter layers they include may be given the same network weight information: the network weight information of the network parameter layer in the first access activity interception decision network is synchronously configured to the network parameter layer in the second access activity interception decision network, or the network weight information of the network parameter layer in the second access activity interception decision network is synchronously configured to the network parameter layer in the first access activity interception decision network. In this way the convergence processes of the two interception decision networks can draw on each other, which improves network convergence speed and accuracy.
The aforementioned network parameter layer may include at least one of the following: the RNN units in the first and second basic description variable mining units, and the fully connected units in the first and second basic description variable mining units. That is, in the model training phase, the information interception system may make the RNN unit in the first basic description variable mining unit and the RNN unit in the second basic description variable mining unit use the same network weight information; it may make the fully connected unit in the first basic description variable mining unit and the fully connected unit in the second basic description variable mining unit use the same network weight information; or it may make the RNN unit and the fully connected unit in the first basic description variable mining unit use the same network weight information as the RNN unit and the fully connected unit in the second basic description variable mining unit, respectively.
Step S104: Based on the basic interception decision basis and the advanced interception decision basis, determine the target interception decision basis associated with the target access activity; the target interception decision basis represents the threat output view of the target access activity.
After the information interception system obtains the basic interception decision basis associated with the target access activity in step S102 and the advanced interception decision basis associated with the target access activity in step S103, it can consider the two together to determine the target interception decision basis associated with the target access activity. The target interception decision basis represents whether the target access activity can be classified as an interception access activity.
For example, where the basic interception decision basis and the advanced interception decision basis are both confidence levels that the target access activity is classified as an interception access activity, the information interception system may perform a weighted fusion of the two based on preset importance parameters. The resulting confidence is the target interception decision basis associated with the target access activity. If this confidence is greater than the target confidence, the target access activity is determined to be an interception access activity; if it is not greater than the target confidence, the target access activity is determined not to be an interception access activity.
Based on the above steps, the first access activity interception decision network, obtained by network convergence optimization with benchmark supervised training, and the second access activity interception decision network, obtained by network convergence optimization with advanced supervised training, are each used to make an interception decision on the target access activity. The interception decision bases obtained by these two differently trained networks are then combined to determine whether the target access activity can be classified as an interception access activity. The first access activity interception decision network is obtained by network convergence optimization on a basic reference data set labeled with the benchmark basis labeling strategy. Under this strategy, whether the access activity corresponding to a reference access trigger event in the reference data set can be classified as an interception access activity is labeled according to whether, after that access activity is released, a related process is found to destroy the access activity maintenance state. Compared with using only the advanced basis labeling strategy, labeling reference data sets with the benchmark basis labeling strategy takes less labeling effort and yields more reference data, so a first access activity interception decision network with preliminary interception decision performance can be generated with reduced labeling effort. Because the first access activity interception decision network assists in deciding whether an access activity can be classified as an interception access activity, the requirements on the training data set of the second access activity interception decision network can be lowered; for example, fewer reference data sets need to be used during its network convergence optimization, which reduces the training workload of the second access activity interception decision network. Combining the first and second access activity interception decision networks to decide on interception therefore improves the accuracy of interception decisions for access activities and improves network convergence optimization performance.
In an exemplary design, the aforementioned basic reference data set additionally carries destruction timing data of the access state corresponding to the first reference access trigger event.
On this basis, if, after the access activity corresponding to the first reference access trigger event is released, the access activity maintenance state is found to have been set to the destroyed state, the basic reference interception basis indicates that the access activity corresponding to the first reference access trigger event is classified as an interception access activity, and the destruction timing data of the access state represents the timing interval between the access activity corresponding to the first reference access trigger event and a control access activity, the control access activity being the last access activity released before the access activity maintenance state was set to the destroyed state;
In addition, if, after the access activity corresponding to the first reference access trigger event is released, the access activity maintenance state is not found to have been set to the destroyed state, the basic reference interception basis indicates that the access activity corresponding to the first reference access trigger event is classified as a non-interception access activity, and the destruction timing data of the access state is the timing interval value for non-interception access activities.
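The labeling rule of the two preceding paragraphs, written out as an added Python example that is not part of the patent text. The record fields, the per-session grouping, seconds as the interval unit and the `-1.0` value for non-interception samples are assumptions made for illustration, and the timeline is constructed.

```python
from dataclasses import dataclass

# Assumed sentinel: the text only says non-interception samples receive a fixed
# "timing interval value"; -1.0 is chosen here for illustration.
NON_INTERCEPT_INTERVAL = -1.0


@dataclass(frozen=True)
class ReleasedActivity:
    session: str        # hypothetical key tying an activity to one maintained state
    event_id: str       # id of the reference access trigger event
    released_at: float  # release time in seconds (constructed timeline)


def label_basic_reference_set(released, destroyed_at):
    """Return {event_id: (label, destruction_timing)}.

    released     -- list of ReleasedActivity (activities that were let through)
    destroyed_at -- {session: time at which its maintenance state was found destroyed}
    label 1 = interception access activity, label 0 = non-interception.
    """
    # Control activity per session: the last activity released before destruction.
    control_time = {}
    for act in released:
        end = destroyed_at.get(act.session)
        if end is not None and act.released_at <= end:
            prev = control_time.get(act.session, act.released_at)
            control_time[act.session] = max(prev, act.released_at)

    labeled = {}
    for act in released:
        end = destroyed_at.get(act.session)
        if end is not None and act.released_at <= end:
            # State was destroyed after this release: label as interception and
            # record the interval to the control activity.
            interval = control_time[act.session] - act.released_at
            labeled[act.event_id] = (1, interval)
        else:
            # No destruction observed after this release (including releases
            # that happen after an earlier destruction in the same session).
            labeled[act.event_id] = (0, NON_INTERCEPT_INTERVAL)
    return labeled


# Constructed sample: session A is destroyed at t=45, session B never is.
RELEASED = [
    ReleasedActivity("sess-A", "a1", 10.0),
    ReleasedActivity("sess-A", "a2", 25.0),
    ReleasedActivity("sess-A", "a3", 40.0),
    ReleasedActivity("sess-A", "a4", 60.0),
    ReleasedActivity("sess-B", "b1", 12.0),
    ReleasedActivity("sess-B", "b2", 30.0),
]
DESTROYED_AT = {"sess-A": 45.0}

if __name__ == "__main__":
    for event_id, row in label_basic_reference_set(RELEASED, DESTROYED_AT).items():
        print(event_id, row)
```

Labels produced this way need no manual review, which is why the text treats them as the cheaper, larger data set for the first network.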
In an exemplary design, where the destruction timing data of the access state corresponding to the first reference access trigger event has been added as described above, calibrated destruction timing data of the access state can be obtained for step S120. For example, the calibrated destruction timing data of the access state is obtained from the destruction timing data of the access state in the basic reference data set used when performing network convergence optimization on the first access activity interception decision network. The basic interception decision basis can then be generated by the first access activity interception decision network based on the target access trigger event and the calibrated destruction timing data of the access state.
In another exemplary design, the first access activity interception decision network includes a first basic description variable mining unit and a first interception decision unit, and the second access activity interception decision network includes a second basic description variable mining unit and a second interception decision unit.
On this basis, for step S120, the first basic description variable mining unit may for example be used to mine the basic description variable corresponding to each access unit in the target access trigger event. The first interception decision unit then generates the basic interception decision basis from the basic description variables corresponding to the access units in the target access trigger event;
On this basis, for step S130, the second basic description variable mining unit may for example be used to mine the basic description variable corresponding to each access unit in the target access trigger event. The second interception decision unit then generates the advanced interception decision basis from the basic description variables corresponding to the access units in the target access trigger event.
In an exemplary design, the first basic description variable mining unit and the second basic description variable mining unit may be configured with network parameter layers that have the same network weight information. The network parameter layer includes at least one of the following: the recurrent neural network layers in the first and second basic description variable mining units, and the fully connected units in the first and second basic description variable mining units.
In an exemplary design, the first access activity interception decision network and the second access activity interception decision network include network parameter layers with the same network weight information. The first access activity interception decision network and the second access activity interception decision network may be trained as follows:
Step S101: Using the first basic access activity interception decision network, generate a first access activity interception decision basis from the first reference access trigger event in the basic reference data set;
Step S102: Determine a first interception prediction cost based on the first access activity interception decision basis and the basic reference interception basis in the basic reference data set;
Step S103: Perform network convergence optimization on the first basic access activity interception decision network according to the first interception prediction cost;
Step S104: Synchronously configure the network weight information of the network parameter layer in the first basic access activity interception decision network to the network parameter layer in the second basic access activity interception decision network;
Step S105: Using the second basic access activity interception decision network, generate a second access activity interception decision basis from the second reference access trigger event in the advanced reference data set;
Step S106: Determine a second interception prediction cost based on the second access activity interception decision basis and the advanced reference interception basis in the advanced reference data set;
Step S107: Perform network convergence optimization on the second basic access activity interception decision network according to the second interception prediction cost;
Step S108: Synchronously configure the network weight information of the network parameter layer in the second basic access activity interception decision network to the network parameter layer in the first basic access activity interception decision network;
Step S109: Determine a target interception prediction cost based on the first interception prediction cost and the second interception prediction cost;
Step S1010: Jointly perform network convergence optimization on the first basic access activity interception decision network and the second basic access activity interception decision network according to the target interception prediction cost.
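A toy run of training steps S101 to S1010, followed by the weighted fusion described for the decision step, added here as an illustration and not taken from the patent. Assumptions: a two-feature descriptor per event, a tanh layer standing in for the shared network parameter layer (the text names RNN and fully connected units), binary cross-entropy as the prediction cost, the target cost as the sum of the two costs, and all names, weights and sample data constructed.

```python
import math


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class ToyNet:
    """Toy stand-in for one interception decision network. `shared` plays the
    network parameter layer; `head` and `bias` are the network's own decision unit."""

    def __init__(self, shared, head):
        self.shared = [row[:] for row in shared]
        self.head = list(head)
        self.bias = 0.0

    def forward(self, x):
        hidden = [math.tanh(sum(w * xi for w, xi in zip(row, x))) for row in self.shared]
        return hidden, sigmoid(sum(v * h for v, h in zip(self.head, hidden)) + self.bias)

    def cost(self, data):
        """Mean binary cross-entropy, used here as the interception prediction cost."""
        total = 0.0
        for x, y in data:
            p = min(max(self.forward(x)[1], 1e-12), 1.0 - 1e-12)
            total -= y * math.log(p) + (1 - y) * math.log(1.0 - p)
        return total / len(data)

    def grads(self, data):
        g_shared = [[0.0] * len(row) for row in self.shared]
        g_head = [0.0] * len(self.head)
        g_bias = 0.0
        for x, y in data:
            hidden, p = self.forward(x)
            dz = (p - y) / len(data)          # d(cost)/d(logit)
            g_bias += dz
            for j, h in enumerate(hidden):
                g_head[j] += dz * h
                dh = dz * self.head[j] * (1.0 - h * h)
                for k, xk in enumerate(x):
                    g_shared[j][k] += dh * xk
        return g_shared, g_head, g_bias

    def step(self, grads, lr):
        g_shared, g_head, g_bias = grads
        self.shared = [[w - lr * g for w, g in zip(wr, gr)]
                       for wr, gr in zip(self.shared, g_shared)]
        self.head = [v - lr * g for v, g in zip(self.head, g_head)]
        self.bias -= lr * g_bias


def sync(src, dst):
    """Copy only the network parameter layer; decision units stay separate."""
    dst.shared = [row[:] for row in src.shared]


def train(net1, net2, basic_set, advanced_set, rounds=100, lr=0.3):
    for _ in range(rounds):
        net1.step(net1.grads(basic_set), lr)       # S101-S103
        sync(net1, net2)                           # S104
        net2.step(net2.grads(advanced_set), lr)    # S105-S107
        sync(net2, net1)                           # S108
        # S109-S1010: joint step on target cost = cost1 + cost2 (assumed sum),
        # so the tied layer receives the sum of both gradients.
        g1, g2 = net1.grads(basic_set), net2.grads(advanced_set)
        joint = [[a + b for a, b in zip(r1, r2)] for r1, r2 in zip(g1[0], g2[0])]
        net1.step((joint, g1[1], g1[2]), lr)
        net2.step((joint, g2[1], g2[2]), lr)
    return net1.cost(basic_set) + net2.cost(advanced_set)


def fuse(net1, net2, x, weight=0.4, target_confidence=0.5):
    """Weighted fusion of the basic and advanced confidences, then threshold."""
    conf = weight * net1.forward(x)[1] + (1.0 - weight) * net2.forward(x)[1]
    return conf, conf > target_confidence


# Constructed data: (descriptor, label); label 1 = interception access activity.
BASIC_SET = [([1.0, 0.0], 1), ([0.0, 1.0], 0), ([1.0, 0.2], 1), ([0.2, 1.0], 0)]
ADVANCED_SET = [([0.9, 0.1], 1), ([0.1, 0.9], 0)]
INIT_SHARED = [[0.5, -0.5], [-0.5, 0.5]]
```

After training, the two networks hold an identical parameter layer but different decision units, so a disagreement between their confidences comes from the heads and the labels they saw, not from the shared representation.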
In an exemplary design, the embodiments of the present application further provide an artificial-intelligence-based interception decision network training method, which may include the following steps:
Step Q110: Obtain a weight-initialized access trigger event decision network and a third reference data set; the access trigger event decision network is configured to execute a basic access trigger event decision process and includes the network parameter layer; the third reference data set includes a third reference access trigger event and the training reference basis it carries, where the training reference basis represents the label attribute of the third reference access trigger event in the access trigger event decision process;
Step Q120: Using the access trigger event decision network, generate a third access activity interception decision basis from the third reference access trigger event in the third reference data set; determine a third interception prediction cost based on the third access activity interception decision basis and the training reference basis in the third reference data set;
Step Q130: Perform network convergence optimization on the access trigger event decision network according to the third interception prediction cost;
Step Q140: Synchronously configure the network weight information of the network parameter layer in the access trigger event decision network to the network parameter layer in the first basic access activity interception decision network or the second basic access activity interception decision network;
On this basis, for the aforementioned steps S109 and S1010, the target interception prediction cost may be determined based on the first interception prediction cost, the second interception prediction cost and the third interception prediction cost, and network convergence optimization may be performed jointly on the first basic access activity interception decision network, the second basic access activity interception decision network and the access trigger event decision network according to the target interception prediction cost.
In an exemplary design, the embodiments of the present application further provide an artificial-intelligence-based interception decision network training method, which may include the following steps:
Step W110: Obtain a weight-initialized description variable mining network and a fourth reference data set; the description variable mining network is configured to mine the access description variable corresponding to each access unit in an access trigger event and includes the network parameter layer; the fourth reference data set includes a fourth reference access trigger event;
Step W120: Using the description variable mining network, mine the decision access description variable corresponding to each access unit in the fourth reference access trigger event;
Step W130: For each reference access unit in the fourth reference access trigger event, determine its associated forward extension access units and backward extension access units; determine a fourth interception prediction cost based on the decision access description variable corresponding to each reference access unit in the fourth reference access trigger event, the decision access description variables of the forward extension access units associated with each reference access unit, and the decision access description variables of the backward extension access units associated with each reference access unit; and perform network convergence optimization on the description variable mining network according to the fourth interception prediction cost;
Step W140: Synchronously configure the network weight information of the network parameter layer in the description variable mining network to the network parameter layer in the first basic access activity interception decision network or the second basic access activity interception decision network.
In an exemplary design, on this basis, for the aforementioned steps S109 and S1010, the target interception prediction cost may be determined based on the first interception prediction cost, the second interception prediction cost and the fourth interception prediction cost, and network convergence optimization may be performed jointly on the first basic access activity interception decision network, the second basic access activity interception decision network and the description variable mining network according to the target interception prediction cost.
In an exemplary design, in step W130, for each reference access unit in the fourth reference access trigger event, the remaining reference access units in the fourth reference access trigger event other than that reference access unit are determined as the forward extension access units associated with it; and for each reference access unit in the fourth reference access trigger event, the reference access units in the remaining access trigger events other than the fourth reference access trigger event are determined as the backward extension access units associated with it.
In an exemplary design, step W130 may be implemented through the following exemplary steps.
Step W131: For each reference access unit in the fourth reference access trigger event, form a forward extension cluster associated with the reference access unit from the reference access unit and a forward extension access unit it carries, and determine the matching value between the decision access description variable of the forward extension access unit in the forward extension cluster and the decision access description variable of the reference access unit as the matching value associated with the forward extension cluster.
Step W132: Form a backward extension cluster associated with the reference access unit from the reference access unit and a backward extension access unit it carries, and determine the matching value between the decision access description variable of the backward extension access unit in the backward extension cluster and the decision access description variable of the reference access unit as the matching value associated with the backward extension cluster.
Step W133: For each reference access unit in the fourth reference access trigger event, determine the extension cost associated with the reference access unit based on the matching value associated with each forward extension cluster of the reference access unit and the matching value associated with each backward extension cluster of the reference access unit.
Step W134: Determine the fourth interception prediction cost based on the extension costs associated with the reference access units in the fourth reference access trigger event.
In an exemplary design, in step W133, multiple forward-backward extension clusters associated with the reference access unit may be determined from the forward extension clusters and the backward extension clusters associated with the reference access unit; each forward-backward extension cluster includes one forward extension cluster and one backward extension cluster.
On this basis, for each forward-backward extension cluster associated with the reference access unit, the difference between the matching value associated with its forward extension cluster and the matching value associated with its backward extension cluster is calculated and taken as the extension cost associated with that forward-backward extension cluster. The extension cost associated with the reference access unit is then determined from the extension costs of all forward-backward extension clusters associated with it.
In an exemplary design, the embodiments of the present application further provide an artificial-intelligence-based interception decision network training method, which may include the following steps:
Step R110: Obtain a weight-initialized access trigger event decision network and description variable mining network, as well as a third reference data set and a fourth reference data set; the access trigger event decision network is configured to execute a basic access trigger event decision process, the description variable mining network is configured to mine the access description variable corresponding to each access unit in an access trigger event, and both networks include the network parameter layer; the third reference data set includes a third reference access trigger event and the training reference basis it carries, where the training reference basis represents the label attribute of the third reference access trigger event in the access trigger event decision process; the fourth reference data set includes a fourth reference access trigger event;
Step R120: Using the access trigger event decision network, generate a third access activity interception decision basis from the third reference access trigger event in the third reference data set; determine a third interception prediction cost based on the third access activity interception decision basis and the training reference basis in the third reference data set;
Step R130: Perform network convergence optimization on the access trigger event decision network according to the third interception prediction cost;
Step R140: Synchronously configure the network weight information of the network parameter layer in the access trigger event decision network to the network parameter layer in the description variable mining network;
Step R150: Using the description variable mining network, mine the decision access description variable corresponding to each access unit in the fourth reference access trigger event; for each reference access unit in the fourth reference access trigger event, determine its associated forward extension access units and backward extension access units; determine a fourth interception prediction cost based on the decision access description variable corresponding to each reference access unit in the fourth reference access trigger event, the decision access description variables of the forward extension access units associated with each reference access unit, and the decision access description variables of the backward extension access units associated with each reference access unit;
Step R160: Perform network convergence optimization on the description variable mining network according to the fourth interception prediction cost;
Step R170: Synchronously configure the network weight information of the network parameter layer in the description variable mining network to the network parameter layer in the first basic access activity interception decision network or the second basic access activity interception decision network;
In an exemplary design, on this basis, for the aforementioned steps S109 and S1010, the target interception prediction cost may be determined based on the first interception prediction cost, the second interception prediction cost, the third interception prediction cost and the fourth interception prediction cost, and network convergence optimization may be performed jointly on the first basic access activity interception decision network, the second basic access activity interception decision network, the access trigger event decision network and the description variable mining network according to the target interception prediction cost.
譬如一种示例性的设计思路中,在以上描述基础上,在确定标的访问活动关联的目标拦截决策依据的基础上,本申请实施例所提供的方法还可以包括以下步骤。For example, in an exemplary design idea, on the basis of the above description and on the basis of determining the target interception decision basis associated with the target access activity, the method provided by the embodiment of the present application may further include the following steps.
Based on the target interception decision basis associated with a target access activity whose real-time state is transmitted by the business service system, make an interception decision on the target access activity, and obtain the interception feedback data of the target access activity in the interception feedback process that follows the determination to intercept;
Add the multiple forward feedback knowledge points in the interception feedback data to a forward feedback knowledge graph, and add the multiple backward feedback knowledge points in the interception feedback data to a backward feedback knowledge graph;
Search the forward feedback knowledge graph and the backward feedback knowledge graph separately for key knowledge entities, obtaining the forward key knowledge entities and backward key knowledge entities associated with each feedback process of interest in the interception feedback process;
Based on the historical frequent item entities of the forward feedback knowledge graph and the backward feedback knowledge graph, combine the forward key knowledge entities and backward key knowledge entities associated with each feedback process of interest, obtaining the combined key knowledge entities of each feedback process of interest;
Based on the combined key knowledge entities of each feedback process of interest, generate the corresponding interception feedback reference data.
Here, a forward feedback knowledge point may refer to a feedback knowledge point arising after the interception decision and before the interception is executed, and a backward feedback knowledge point may refer to a feedback knowledge point arising after the interception decision and after the interception is executed. Each feedback knowledge point may refer to a feedback activity directed at the interception rule vector of the interception policy, such as business conflict feedback or interception deviation feedback. Forward and backward feedback knowledge points can, to some extent, reflect problems at different stages after the interception decision.
In this way, the forward feedback knowledge points and backward feedback knowledge points in the interception feedback data are added to separate feedback knowledge graphs, and, based on the historical frequent item entities of the forward and backward feedback knowledge graphs, the forward and backward key knowledge entities associated with each feedback process of interest are combined to obtain the combined key knowledge entities of each feedback process of interest and to generate the corresponding interception feedback reference data. This performs the combination and association during data collection, reduces subsequent manual association work, and so makes later response measures for optimizing the interception policy more efficient.
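The feedback-combination steps above, sketched as an added Python example that is not part of the patent text. The record fields, the sample data, the reading of "key knowledge entity search" as picking the most-reported entity per flow, and the reading of "historical frequent item entities" as pairs seen at least `min_support` times are all assumptions; the patent does not define them.

```python
from collections import Counter, defaultdict

# Constructed sample feedback; field names and values are assumptions.
# phase "pre"  = after the interception decision, before execution (forward)
# phase "post" = after the interception was executed (backward)
FEEDBACK = [
    {"flow": "f1", "phase": "pre", "rule": "block-bulk-export", "kind": "business_conflict"},
    {"flow": "f1", "phase": "pre", "rule": "block-bulk-export", "kind": "business_conflict"},
    {"flow": "f1", "phase": "pre", "rule": "geo-deny", "kind": "interception_deviation"},
    {"flow": "f1", "phase": "post", "rule": "block-bulk-export", "kind": "interception_deviation"},
    {"flow": "f1", "phase": "post", "rule": "block-bulk-export", "kind": "interception_deviation"},
    {"flow": "f2", "phase": "pre", "rule": "geo-deny", "kind": "business_conflict"},
    {"flow": "f2", "phase": "post", "rule": "rate-limit-login", "kind": "business_conflict"},
]

# Constructed history of (forward entity, backward entity) pairs seen together before.
FWD = ("block-bulk-export", "business_conflict")
BWD = ("block-bulk-export", "interception_deviation")
GEO = ("geo-deny", "business_conflict")
RATE = ("rate-limit-login", "business_conflict")
HISTORY = [(FWD, BWD), (FWD, BWD), (FWD, BWD), (GEO, RATE)]


def build_graphs(records):
    """Split feedback points into forward/backward graphs: flow -> entity -> weight."""
    forward, backward = defaultdict(Counter), defaultdict(Counter)
    for r in records:
        graph = forward if r["phase"] == "pre" else backward
        graph[r["flow"]][(r["rule"], r["kind"])] += 1
    return forward, backward


def key_entities(graph, flow, top_n=1):
    """Assumed 'key entity search': the top_n most-reported entities for a flow."""
    return [entity for entity, _ in graph[flow].most_common(top_n)]


def frequent_pairs(history, min_support=2):
    """Assumed 'historical frequent items': pairs seen at least min_support times."""
    return {pair for pair, n in Counter(history).items() if n >= min_support}


def combine(records, history, min_support=2):
    """Per flow, join forward and backward key entities that are historically frequent."""
    forward, backward = build_graphs(records)
    frequent = frequent_pairs(history, min_support)
    reference = {}
    for flow in sorted(set(forward) | set(backward)):
        pairs = [(f, b) for f in key_entities(forward, flow)
                 for b in key_entities(backward, flow) if (f, b) in frequent]
        reference[flow] = pairs  # empty list: nothing auto-associated, review manually
    return reference
```

With the constructed data, flow `f1` is associated automatically because its pre-execution conflict and post-execution deviation on the same rule recur in the history, while `f2` is left for manual review until the support threshold is lowered.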
Based on the same inventive concept, an embodiment of the present application further provides an information interception system. The information interception system 100 may vary considerably depending on configuration or performance, and may include one or more central processing units (CPUs) 112 (for example, one or more processors) and a memory 111. The memory 111 may provide transient or persistent storage. A program stored in the memory 111 may include one or more modules, and each module may include a series of instruction operations for the information interception system 100. Further, the central processing unit 112 may be configured to communicate with the memory 111 and to execute, on the information interception system 100, the series of instruction operations in the memory 111.
The information interception system 100 may also include one or more power supplies, one or more communication units 113, one or more input/output interfaces, and/or one or more operating systems, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ and so on.
In addition, an embodiment of the present application further provides a storage medium for storing a computer program, the computer program being used to execute the method provided in the foregoing embodiments.
An embodiment of the present application also provides a computer program product including instructions which, when run on a computer, cause the computer to execute the method provided in the foregoing embodiments.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be carried out by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium can be at least one of the following: read-only memory (ROM), RAM, a magnetic disk, an optical disc, or any other medium that can store program code.
It should be noted that the embodiments in this specification are described progressively: for parts that are the same or similar across embodiments, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, the device and system embodiments are described relatively briefly because they are essentially similar to the method embodiments; for the relevant parts, refer to the corresponding description of the method embodiments. The device and system embodiments described above are merely illustrative: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, that is, they may be located in one place or distributed across multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
The above is only one specific implementation of the present application, but the protection scope of the present application is not limited to it. Any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed in the present application shall fall within the protection scope of the present application. Therefore, the protection scope of the present application shall be determined by the protection scope of the claims.
Claims (9)
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111477457.8A CN114244588B (en) | 2021-12-06 | 2021-12-06 | Big data analysis interception method and information interception system applying artificial intelligence analysis |
| CN202211080829.8A CN115174271A (en) | 2021-12-06 | 2021-12-06 | Interception decision network training method based on artificial intelligence and information interception system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111477457.8A CN114244588B (en) | 2021-12-06 | 2021-12-06 | Big data analysis interception method and information interception system applying artificial intelligence analysis |
Related Child Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211080829.8A Division CN115174271A (en) | 2021-12-06 | 2021-12-06 | Interception decision network training method based on artificial intelligence and information interception system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114244588A (en) | 2022-03-25 |
| CN114244588B (en) | 2023-01-03 |
Family
ID=80753332
Family Applications (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211080829.8A Withdrawn CN115174271A (en) | 2021-12-06 | 2021-12-06 | Interception decision network training method based on artificial intelligence and information interception system |
| CN202111477457.8A Active CN114244588B (en) | 2021-12-06 | 2021-12-06 | Big data analysis interception method and information interception system applying artificial intelligence analysis |
Family Applications Before (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211080829.8A Withdrawn CN115174271A (en) | 2021-12-06 | 2021-12-06 | Interception decision network training method based on artificial intelligence and information interception system |
Country Status (1)
| Country | Link |
|---|---|
| CN (2) | CN115174271A (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115033715A (en) * | 2021-12-07 | 2022-09-09 | 王建丰 | Interception feedback processing method based on big data analysis interception and information interception system |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CA3104842A1 (en) * | 2020-01-03 | 2021-07-03 | Battelle Memorial Institute | Blockchain applicability framework and cybersecurity vulnerability mitigation framework |
| CN113411342A (en) * | 2021-06-25 | 2021-09-17 | 深圳市合美鑫精密电子有限公司 | Big data-based information security risk identification method and artificial intelligence security system |
| CN113239065A (en) * | 2021-06-25 | 2021-08-10 | 深圳市合美鑫精密电子有限公司 | Big data based security interception rule updating method and artificial intelligence security system |
| CN113722719A (en) * | 2021-09-01 | 2021-11-30 | 何景隆 | Information generation method and artificial intelligence system for security interception big data analysis |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115174271A (en) | 2022-10-11 |
| CN114244588A (en) | 2022-03-25 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | TA01 | Transfer of patent application right | Effective date of registration: 20220524. Address after: 110170 No. 214, Shangma village, Gaokan Town, Hunnan District, Shenyang City, Liaoning Province. Applicant after: Zhao Tianshuo. Address before: 152000 SUIDA Garden South business service, Beilin District, Suihua City, Heilongjiang Province. Applicant before: Suihua chuninternet commerce Co.,Ltd. |
| | TA01 | Transfer of patent application right | Effective date of registration: 20221215. Address after: 100097 908, block a, 8th floor, 116 Zizhuyuan Road, Haidian District, Beijing. Applicant after: ZHONGZI DATA CO.,LTD. Applicant after: CHINA HIGHWAY ENGINEERING CONSULTING Corp. Address before: 110170 No. 214, Shangma village, Gaokan Town, Hunnan District, Shenyang City, Liaoning Province. Applicant before: Zhao Tianshuo |
| | GR01 | Patent grant | |