CN115168848B - Interception feedback processing method based on big data analysis interception - Google Patents

Abstract

The invention relates to an artificial intelligence technology, and discloses an interception feedback processing method based on big data analysis interception, which comprises the following steps: acquiring an interception decision basis based on an interception log of a business service system; extracting core decision semantics of an interception decision basis according to the vector interception decision basis; constructing a first sub-decision tree cluster according to the core decision semantics, and aggregating the first sub-decision tree cluster into a decision tree model; acquiring access information in real time, and performing interception scoring on the access information by using a decision tree model; intercepting the access information with the interception score larger than the score threshold, and extracting the core information semantics of the access information with the interception score larger than the score threshold; and constructing a second sub-decision tree cluster by utilizing the core information semantics, and performing feedback adjustment on the decision tree model by utilizing the second sub-decision tree cluster. The invention also provides an interception feedback processing device based on big data analysis, electronic equipment and a storage medium. The invention can improve the information interception accuracy.

Description

Interception feedback processing method based on big data analysis interception

technical field

The present invention relates to the technical field of artificial intelligence, in particular to an interception feedback processing method, device, electronic equipment and computer-readable storage medium based on big data analysis and interception.

Background technique

With the advent of the era of big data, the fields involved in big data are becoming more and more extensive. However, in order to ensure the security of the network environment where big data resides and improve the reliability of network security, it is necessary to intercept illegal information in the network to Ensure network security.

Existing information interception technologies mostly intercept information based on firewalls, for example, access activities that need to be intercepted, including attack access activities, privacy access activities, and the like. In practical applications, not every interception decision meets the needs of actual business scenarios. Only considering fixed interception decisions may lead to failure to intercept information in time, resulting in low accuracy when intercepting information.

Contents of the invention

The present invention provides an interception feedback processing method, device and computer-readable storage medium based on big data analysis interception, the main purpose of which is to solve the problem of low accuracy in information interception.

In order to achieve the above object, the present invention provides an interception feedback processing method based on big data analysis interception, including:

S1. Obtain the interception decision basis of the business service system based on the interception log of the target interception by the business service system;

S2. Perform vector conversion on the interception decision basis to obtain a vector interception decision basis, and extract core decision semantics of the interception decision basis according to the vector interception decision basis;

S3. Construct a first sub-decision tree cluster according to the core decision semantics, and aggregate the first sub-decision tree cluster into a decision tree model;

S4. Obtain the access information of the access subject of the business service system in real time, and use the decision tree model to intercept and score the access information, wherein the use of the decision tree model to intercept and score the access information includes: :

S41. Input the pre-acquired training data set into the decision tree model to obtain a score data set;

S42. Calculate the loss value of the decision tree model according to the score data set and a preset loss function, wherein the preset loss function includes:

为损失值，

为所述得分数据集中的得分数据，

为预设的真实得分数据，

为决策树的棵数，

为反余弦函数，

为对数函数；in,

is the loss value,

is the score data in the score dataset,

is the preset real score data,

is the number of decision trees,

is the inverse cosine function,

is a logarithmic function;

S43. When the loss value is greater than or equal to the preset loss threshold, perform a decision tree addition processing operation on the decision tree model until the loss value is less than the loss threshold, output the current decision tree model as intercept scoring model;

S44. Input the access information into the intercept scoring model to obtain the intercept score of the access information;

S5. Intercept the access information whose interception score is greater than the preset scoring threshold, and extract the core information semantics of the access information whose interception score is greater than the preset scoring threshold;

S6. Construct a second sub-decision tree cluster by using the semantics of the core information, and use the second sub-decision tree cluster to perform feedback adjustment on the decision tree model.

Optionally, the acquisition of the interception decision basis of the business service system includes:

extracting interception parameters in the interception log;

An interception decision basis of the business service system is generated according to the interception parameters.

Optionally, the extracting the core decision semantics of the interception decision basis according to the vector interception decision basis includes:

Utilize the preset Bert model to extract the first attention weight of each decision word vector in the vector intercept decision basis;

According to the position coding of each decision word vector, the first attention weight of the same decision word vector is added to obtain the second attention weight;

Select the decision word vector with the highest second attention weight as the core decision semantics.

Optionally, the constructing the first sub-decision tree cluster according to the core decision semantics includes:

Classifying and labeling the core decision semantics to obtain the decision label corresponding to the core decision semantics;

Selecting the decision labels one by one as the first root node, splitting the first left node and the first right node on the first root node;

assigning the core decision semantics to the first left node and the first right node to obtain a sub-decision tree;

Aggregating the sub-decision trees into the first cluster of sub-decision trees.

Optionally, the aggregating the first sub-decision tree cluster into a decision tree model includes:

Using the following information gain algorithm to calculate the first information gain corresponding to the decision label of the sub-decision tree root node in the first sub-decision tree cluster:

为所述第一信息增益，

为第

类决策标注所占的比例，

为对数函数，

为所述核心决策语义的决策语义样本数量，

为第

类决策标注中决策语义样本数量，

为所述决策标注对应属性的数量；in,

is the first information gain,

for the first

The proportion of class decision labels,

is a logarithmic function,

is the number of decision semantic samples of the core decision semantics,

for the first

The number of decision semantic samples in class decision annotation,

Annotate the number of attributes corresponding to the decision;

Selecting the first decision label with the largest first information gain as the second root node of the decision tree model, splitting the first left node and the second right node on the attribute corresponding to the first decision label;

Selecting the second decision label with the largest information gain from the unselected decision labels one by one and assigning them to the first left node and the second right node;

When the decision labels are all selected, the decision tree model is obtained.

Optionally, the intercepting the access information whose interception score is greater than a preset score threshold includes:

Extracting access parameters of the access information;

The access parameter is intercepted by using a preset interceptor.

Optionally, using the second sub-decision tree cluster to perform feedback adjustment on the decision tree model includes:

calculating a second information gain for a second decision label in the second sub-decision tree cluster;

Select the decision label corresponding to the largest information gain among the first information gain and the second information gain as the third root node of the decision tree model, and split the attribute node on the attribute corresponding to the third root node ;

Utilize the following splitting algorithm to determine the optimal splitting node of the attribute node:

为所述最佳分裂节点的增益值，

为划分搭配左子树中所有样本的梯度之和，

为划分搭配右子树中所有样本的梯度之和，

为划分搭配左子树中所有样本的二阶导数之和，

为划分搭配右子树中所有样本的二阶导数之和，

为正则化常数；in,

is the gain value of the best split node,

is the sum of the gradients of all samples in the left subtree for the partition collocation,

is the sum of the gradients of all samples in the right subtree of the partition collocation,

is the sum of the second derivatives of all samples in the left subtree of the partition collocation,

is the sum of the second derivatives of all samples in the right subtree of the partition collocation,

is a regularization constant;

Allocating the maximum value of the first information gain corresponding to the first decision label and the second information gain corresponding to the second decision label to the optimal split node;

When there are unselected decision labels in the first sub-decision tree and the second sub-decision tree, iterate the decision tree model until all the decision labels are selected, and complete the decision tree model feedback adjustments.

The embodiment of the present invention uses the interception log of the business service system, and then obtains the interception decision-making basis according to the interception log, which is beneficial to provide interception basis for information interception, and makes the target interception more accurate; extracts the core decision semantics in the interception decision-making basis, and according to the core decision-making Semantic construction of a decision tree is conducive to scoring the access information of the business system, and then judging whether to intercept the access information according to the scoring result; when the intercept score value is greater than the scoring threshold, intercept the access information and extract the core information semantics of the access information , according to the core information semantics, the decision tree can be adjusted by feedback, and a more accurate decision tree model can be obtained, which can more accurately realize the interception and judgment of access information, and ensure the security of the business service system. Therefore, the interception feedback processing method, device, electronic equipment, and computer-readable storage medium proposed by the present invention based on big data analysis and interception can solve the problem of low accuracy in information interception.

Description of drawings

FIG. 1 is a schematic flow diagram of an interception feedback processing method based on big data analysis interception provided by an embodiment of the present invention;

FIG. 2 is a schematic flow diagram of extracting core decision semantics provided by an embodiment of the present invention;

Fig. 3 is a schematic flow chart of constructing the first sub-decision tree cluster provided by an embodiment of the present invention;

FIG. 4 is a functional block diagram of an interception feedback processing device based on big data analysis provided by an embodiment of the present invention;

FIG. 5 is a schematic structural diagram of an electronic device implementing the interception feedback processing method based on big data analysis interception provided by an embodiment of the present invention.

The realization of the purpose of the present invention, functional characteristics and advantages will be further described in conjunction with the embodiments and with reference to the accompanying drawings.

detailed description

It should be understood that the specific embodiments described here are only used to explain the present invention, not to limit the present invention.

An embodiment of the present application provides an interception feedback processing method based on big data analysis interception. The subject of execution of the interception feedback processing method based on big data analysis interception includes but is not limited to at least one of electronic devices such as a server end and a terminal that can be configured to execute the method provided by the embodiment of the present application. In other words, the interception feedback processing method based on big data analysis interception can be executed by software or hardware installed on the terminal device or server device, and the software can be a block chain platform. The server includes, but is not limited to: a single server, a server cluster, a cloud server or a cloud server cluster, and the like. The server can be an independent server, or it can provide cloud service, cloud database, cloud computing, cloud function, cloud storage, network service, cloud communication, middleware service, domain name service, security service, content distribution network (Content Delivery Network) Network, CDN), and cloud servers for basic cloud computing services such as big data and artificial intelligence platforms.

Referring to FIG. 1 , it is a schematic flowchart of an interception feedback processing method based on big data analysis interception provided by an embodiment of the present invention. In this embodiment, the interception feedback processing method based on big data analysis interception includes:

S1. Obtain the interception decision basis of the business service system based on the interception log of the target interception by the business service system;

In one of the actual application scenarios of the present invention, there will be illegal access requests in the business service system. In order to ensure the security of the business service system, it is necessary to intercept the illegal access requests. If the parameters of the access requests contain preset password files The name of the file, indicating that the request parameter is abnormal data, it is necessary to intercept the access request, and record the access request obtained by intercepting the target in the interception log. When the same situation occurs next time, the intercepted request parameter will be directly The access request will be intercepted.

In the embodiment of the present invention, the interception log is when there is an access exception in the business service system, the access request is intercepted by the target and recorded in the system log to obtain the interception log.

In the embodiment of the present invention, the acquisition of the interception decision-making basis of the business service system includes:

extracting interception parameters in the interception log;

An interception decision basis of the business service system is generated according to the interception parameters.

In detail, script codes can be used to extract the interception parameters in the interception log, and the interception parameters are the attack parameters associated with the attack event, wherein the script code is the automated code logic pre-written by the operation and maintenance personnel for the vulnerability risk interception rules.

Specifically, the interception parameters in the interception log include the address information of the internal business system that requests access to the business service system and the system function information that requests access to the business service system. For example, the request to access the system function information of the business service system may be to read the deposit amount of any customer's bank deposit and request to inquire about the deposit record.

Further, the interception decision-making basis of the business service system is generated according to the interception parameters, that is, when the access parameters of the requested access are consistent with the interception parameters in the interception log, the access request will be intercepted. When requesting access to the business service system, the access parameters of the access request will be matched with the interception parameters in the interception log according to the interception decision basis. If the match is successful, it indicates that the access request is an illegal access, and the access request needs to be to intercept.

Exemplarily, if the first interception parameter in the interception log is the address information containing the storage path of the system security configuration file of the business service system, then the first interception parameter will be used as a basis for interception decision; if the interception log in If the second interception parameter is a regular expression associated with sensitive words, the second interception parameter will also be used as a basis for interception decisions, and the access parameters for subsequent requests will be judged based on the interception decision data, and then based on The judgment result determines whether to intercept the access parameters.

S2. Perform vector conversion on the interception decision basis to obtain a vector interception decision basis, and extract core decision semantics of the interception decision basis according to the vector interception decision basis;

In the embodiment of the present invention, the vector interception decision-making basis is to vectorize the interception decision-making, so that the vector interception decision-making basis is used as the input of the Bert model, and is used to extract the core decision semantics of the interception decision-making basis through the Bert model .

In detail, in the embodiment of the present invention, the interception decision-making basis may be vector-transformed through a preset vector-transformation model to obtain the vector-intercepting decision-making basis, and the vector transformation model is a Bert model. Among them, the Bert model introduces position encoding (position encoding) to describe the position information of the sequence, and a random initialization word vector is given for each element in the sequence to record the position information of the element in the sequence.

In the embodiment of the present invention, the core decision semantics refers to the key semantics that can reflect the basis of the interception decision, that is, feature information that can reflect the basis of the interception decision.

In the embodiment of the present invention, as shown in FIG. 2, the core decision semantics of the interception decision-making basis extracted according to the vector interception decision-making basis include:

S21. Using the preset Bert model to extract the first attention weight of each decision word vector in the vector intercept decision basis;

S22. Add the first attention weights of the same decision word vector according to the position code of each decision word vector to obtain a second attention weight;

S23. Select the decision word vector with the highest second attention weight as the core decision semantics.

In detail, in the Bert model, each vector conversion is performed on the interception decision basis, and each decision word vector has an attention weight, and the attention of the decision word vector is generated according to the last layer of encoder in the Bert model Weights. There is an attention mechanism (self-Attention) in the Bert model. The core logic of the attention mechanism is from focusing on the whole to focusing on the focus. When facing a scene, it often observes and pays attention to a specific part as needed. The Bert model uses self-attention The force mechanism is concerned with the expression of its own sequence.

Specifically, in the document encoding representations generated by different layers of the BERT model, the vectorized representation output by the last layer of encoders has higher-level semantics, syntax, and other information than the outputs of other layer encoders, so the last layer of encoders The generated word vector attention weight matrix is more in line with the semantic similarity than other layers. Since the self-attention mechanism in the BERT model uses a multi-head attention method, each head will generate an attention weight matrix, so the last layer of encoder will generate multiple attention weight matrices, and each attention weight matrix represents the corresponding head. The similarity between the captured word vectors, extract the row corresponding to the "[CLS]" tag from the attention weight matrix corresponding to each head, which represents the pair of "[CLS]" tags captured by the head at all positions in the document The attention weights of the word vectors of .

Exemplarily, when the interception decision is based on the address information of the storage path of the system security configuration file and the address information of the user password, the attention weights are: "system": 0.1, "file": 0.2, "storage" :0.3, "path": 0.3, "address": 0.3, "info": 0.1, "user": 0.1, "password": 0.5, "address": 0.3, "info": 0.1, same decision The attention weights of the word vectors are added, that is, "address": 0.6, "address": 0.2, then the core decision semantics in the interception decision basis are address and password.

S3. Construct a first sub-decision tree cluster according to the core decision semantics, and aggregate the first sub-decision tree cluster into a decision tree model;

In the embodiment of the present invention, the first sub-decision tree cluster is a set of multiple sub-decision trees constructed according to the core decision semantics, the decision tree is a tree structure, and each internal node of the decision tree represents an attribute In the test on , each branch represents a test output, and each leaf node represents a category. A decision tree is a predictive model that represents a mapping relationship between object attributes and object values.

In the embodiment of the present invention, as shown in FIG. 3, the construction of the first sub-decision tree cluster according to the core decision semantics includes:

S31. Classify and label the core decision semantics to obtain decision labels corresponding to the core decision semantics;

S32. Select the decision labels one by one as the first root node, and split the first left node and the first right node on the first root node;

S33. Assign the core decision semantics to the first left node and the first right node to obtain a sub-decision tree;

S34. Gather the sub-decision trees into the first sub-decision tree cluster.

In detail, the classification and labeling of the decision semantics is because the key to decision tree learning is to classify attributes. Generally, in the process of classification, it is hoped that the samples contained in the branch nodes of the decision tree belong to the same category as much as possible. For example, in banking system services, if the core semantics contained in the core decision semantics include account, accounting, and accrual, etc., then according to the classification of the account, it is marked with account password, account balance, and account code; according to the classification of accounting, it is marked with Transaction records, accounting codes; classified according to accruals and marked with accrued expenses, accrued interest, and accrued loan amount.

Specifically, after classifying and annotating the core decision semantics in the banking system, three decision annotations of account, accounting, and accrual can be obtained, and account, accounting, and accrual are selected as root nodes one by one, and the corresponding core The account attributes in the decision semantics are assigned to the left and right nodes of the account as the root node, that is, the account password, account balance, and account code are assigned to the left and right nodes of the account as the root node, and the core decision semantics corresponding to the accounting office The accounting attributes in the accountant are assigned to the left node and the right node of the accountant as the root node, that is, the transaction records and accounting codes are assigned to the left node and the right node of the accountant as the root node; The attribute is assigned to the left node and the right node of the accrual as the root node, that is, the accrual fee, the accrual interest, and the accrual loan amount are assigned to the left node and the right node of the accrual as the root node, and the three child The decision trees are pooled together to obtain the first sub-cluster of decision trees.

In the embodiment of the present invention, the decision tree model is a tree-like decision set composed of individual decisions, and events can be predicted through the decision tree model, and a reasonable prediction result can be obtained.

In the embodiment of the present invention, the aggregating the first sub-decision tree cluster into a decision tree model includes:

Using the following information gain algorithm to calculate the first information gain corresponding to the decision label of the sub-decision tree root node in the first sub-decision tree cluster:

为所述第一信息增益，

为第

类决策标注所占的比例，

为对数函数，

为所述核心决策语义的决策语义样本数量，

为第

类决策标注中决策语义样本数量，

为所述决策标注对应属性的数量；in,

is the first information gain,

for the first

The proportion of class decision labels,

is a logarithmic function,

is the number of decision semantic samples of the core decision semantics,

for the first

The number of decision semantic samples in class decision annotation,

Annotate the number of attributes corresponding to the decision;

Selecting the first decision label with the largest first information gain as the second root node of the decision tree model, splitting the first left node and the second right node on the attribute corresponding to the first decision label;

Selecting the second decision label with the largest information gain from the unselected decision labels one by one and assigning them to the first left node and the second right node;

When the decision labels are all selected, the decision tree model is obtained.

In detail, according to the information gain algorithm, the purity of the nodes can be determined, that is, whether the branch nodes belong to the same category, which is beneficial for the generated decision tree to more accurately predict information interception. When the first information gain of the account is 0.918, the first information gain of accounting is 0.722, and the first information gain of accrual is 0.998, then according to the first information gain, it can be selected as the root node of the decision tree model, and the The sub-decision tree corresponding to the accrual attribute is used as the main sub-decision tree. Among the unselected decision labels, the information gain of the account is the largest, that is, the sub-decision tree corresponding to the account is aggregated into the left node split by the accrual attribute, and the The sub-decision tree corresponding to accounting is aggregated into the right node split from the accrual attribute.

Specifically, when all decision labels are selected, it indicates that the decision tree has been aggregated, that is, the decision tree model is obtained.

S4. Obtain the access information of the access subject of the business service system in real time, and use the decision tree model to intercept and score the access information;

In the embodiment of the present invention, the access subject refers to an active entity, including a user, a user group, a terminal, a host or an application, the subject can access the object, and the object is a passive entity whose access to the object should be controlled. The access information refers to a series of access operations performed by the access subject in the business system. According to the access operations performed by the access subject, the decision tree model can be used to score, so that the next step can be performed according to the scoring results.

In detail, the access information of the access subject of the business system can be obtained in real time by using a listener (Listener) in the business service system or according to the access log in the business service system.

In the embodiment of the present invention, the interception score is performed on the access information, and it can be judged whether to intercept the access information according to the interception score. When the interception score is greater than the scoring threshold, the access information needs to be intercepted; when the interception When the score is less than the score threshold, the access subject can normally access the business service system.

In the embodiment of the present invention, the use of the decision tree model to intercept and score the access information includes:

Input the pre-acquired training data set into the decision tree model to obtain a score data set;

Calculate the loss value of the decision tree model according to the score data set and a preset loss function, wherein the preset loss function includes:

为损失值，

为所述得分数据集中的得分数据，

为预设的真实得分数据，

为决策树的棵数，

为反余弦函数，

为对数函数;in,

is the loss value,

is the score data in the score dataset,

is the preset real score data,

is the number of decision trees,

is the inverse cosine function,

is a logarithmic function;

When the loss value is greater than or equal to the preset loss threshold, add a decision tree to the decision tree model until the loss value is less than the loss threshold, output the current decision tree model as an intercept scoring model ;

The access information is input into the interception score model to obtain the interception score of the access information.

In detail, the training data set is based on access information, and the training data set is trained according to the decision tree model to obtain a prediction of the interception score of the decision tree model for the access information.

Specifically, the intercept scoring model is a random forest model, wherein the random forest model refers to a classifier that uses multiple trees to train and predict samples, and has a high predictive ability.

The loss function is used to adjust the parameters of the interception scoring model to reduce the loss between the real value and the predicted value, so that the predicted value generated by the interception scoring model is closer to the real direction, so as to achieve the purpose of learning.

S5. Intercept the access information whose interception score is greater than the preset scoring threshold, and extract the core information semantics of the access information whose interception score is greater than the preset scoring threshold;

In the embodiment of the present invention, when the interception score is greater than the preset scoring threshold, the access information needs to be intercepted, that is, when the interception score is greater than the scoring threshold, it means that the access information is not safe. If the access information is allowed to continue to be accessed, It may cause the business service system to fail, so this access information needs to be intercepted.

In the embodiment of the present invention, the intercepting the access information whose interception score is greater than the preset scoring threshold includes:

Extracting access parameters of the access information;

The access parameter is intercepted by using a preset interceptor.

In detail, a computer statement (such as a Python statement, a JAVA statement) with a parameter extraction function can extract the access parameters of the access information, wherein the access parameters of the access information include a uniform locator (url), and the service information requested to be accessed , access duration, etc.

Specifically, when the interception score is greater than a preset score threshold, an interceptor (Interceptor) may be used to intercept the access parameter of the access request for obtaining the access information, thereby intercepting the access information. Among them, the Interceptor interceptor mainly completes the analysis of request parameters, assigns page form parameters to corresponding attributes in the stack, performs function inspection, program exception debugging, etc., can analyze the access parameters, and can know that the access parameters are illegal parameters, That is, the interceptor is used to terminate the request access to the access parameter, thereby intercepting the access parameter.

Exemplarily, when the interception score of the access information is 80 points, and the scoring threshold is 60 points, then the interception score of the access information is greater than the scoring threshold, and the access information needs to be intercepted. If the access information is for business services When the database of the system is accessed, an access request will be generated according to the access information, that is, the business service system is accessed according to the access request, but the interception score of the database access is greater than the scoring threshold, and the database access needs to be intercepted, that is, the filter The server intercepts this access request, so that the business service system is in a safe state.

In the embodiment of the present invention, the core information semantics refers to the key semantics that can reflect the access information, that is, can reflect the characteristic information of the access information, and the access information to be intercepted can be intercepted through the core information semantics of the access information, When the core information semantics appears, the system will get that the access information is illegal information, and it cannot allow it to access the access information, so it needs to intercept the access information.

In the embodiment of the present invention, the extraction of the core information semantics of the access information whose interception score is greater than the preset score threshold is consistent with the step of extracting the core decision semantics of the interception decision basis in S2, and will not be repeated here.

S6. Construct a second sub-decision tree cluster by using the semantics of the core information, and use the second sub-decision tree cluster to perform feedback adjustment on the decision tree model.

In the embodiment of the present invention, the second sub-decision tree cluster is a collection of multiple sub-decision trees constructed according to the semantics of the core information, classify the semantics of the core information to obtain multiple sub-decision trees, and assemble multiple sub-decision trees Get the second sub-decision tree cluster.

In detail, the construction of the second sub-decision tree cluster by using the core information semantics is consistent with the step of constructing the first sub-decision tree cluster according to the core decision semantics in S3, and will not be repeated here.

In the embodiment of the present invention, after the access information is intercepted, it will be recorded that the intercepted access information is illegal information, and the decision tree model is further adjusted according to the core semantic information of the extracted access information, so that the decision tree model can predict more accurately Intercept scoring of access information, and then more accurately intercept illegal access information.

In the embodiment of the present invention, using the second sub-decision tree cluster to perform feedback adjustment on the decision tree model includes:

calculating a second information gain for a second decision label in the second sub-decision tree cluster;

Select the decision mark corresponding to the largest information gain among the first information gain and the second information gain as the third root node of the decision tree model, and split the attribute node on the attribute corresponding to the third root node ;

Utilize the following splitting algorithm to determine the optimal splitting node of the attribute node:

为所述最佳分裂节点的增益值，

为划分搭配左子树中所有样本的梯度之和，

为划分搭配右子树中所有样本的梯度之和，

为划分搭配左子树中所有样本的二阶导数之和，

为划分搭配右子树中所有样本的二阶导数之和，

为正则化常数；in,

is the gain value of the best split node,

is the sum of the gradients of all samples in the left subtree for the partition collocation,

is the sum of the gradients of all samples in the right subtree of the partition collocation,

is the sum of the second derivatives of all samples in the left subtree of the partition collocation,

is the sum of the second derivatives of all samples in the right subtree of the partition collocation,

is a regularization constant;

Allocating the maximum value of the first information gain corresponding to the first decision label and the second information gain corresponding to the second decision label to the optimal split node;

When there are unselected decision labels in the first sub-decision tree and the second sub-decision tree, iterate the decision tree model until all the decision labels are selected, and complete the decision tree model feedback adjustments.

In detail, the splitting algorithm aims at the algorithm with the largest gain value before and after data division, determines the best splitting point according to the largest gain value, calculates the gain value of each split point in turn, and finally integrates the gain values of all split points Finally, the split point with the largest gain value is obtained.

Specifically, the core information semantics is divided according to the characteristic attributes of the core information semantics, and the core information semantics is divided into two or more sub-information semantic sets, and the sub-information semantic sets are iterated repeatedly until the stopping condition of the decision tree growth is reached. Then it reaches the leaf node, which is the result of the classification, and the leaf node no longer divides the sub-information semantic set.

,所述第一子决策集群中包含的子决策树为

，并且每个子决策树都包含自身的属性特征，如

子决策树包含自身的属性特征，通过计算

和

中每个子决策树对应的决策标注，选取最大的决策标注为所述决策树模型的根节点，当

对应的决策标注的增益值是所有子决策树中最大值，则选取

为所述决策树模型的根节点，

中包含自身的属性，则在

分裂出的节点中，选取最佳分裂点，将除

之外的信息增益最大的子决策树分配至

分裂出的节点中，依次将未被选取的子决策树对应决策标注的增益值最大值分配至上一个子决策树分裂的最佳分裂点中，直到所有的子决策树均被选取，就完成所述决策树的反馈调整，根据调整之后的决策树模型能更加准确地预测出访问信息的拦截评分，进而对于访问信息的拦截更加精准，使业务服务系统处于一个安全的环境中。Exemplarily, when the sub-decision trees included in the second sub-decision tree cluster are

, the sub-decision tree contained in the first sub-decision cluster is

, and each sub-decision tree contains its own attribute features, such as

The sub-decision tree contains its own attribute characteristics, calculated by

with

The decision label corresponding to each sub-decision tree in , select the largest decision label as the root node of the decision tree model, when

The gain value of the corresponding decision label is the maximum value in all sub-decision trees, then select

is the root node of the decision tree model,

Include its own attributes in the

Among the split nodes, select the best split point, and divide

The sub-decision tree with the largest information gain is assigned to

Among the split nodes, the maximum value of the gain value corresponding to the decision label of the unselected sub-decision tree is assigned to the best split point of the previous sub-decision tree in turn, until all the sub-decision trees are selected, and the whole process is completed. According to the feedback adjustment of the above decision tree, according to the adjusted decision tree model, the interception score of access information can be predicted more accurately, and the interception of access information is more accurate, so that the business service system is in a safe environment.

The embodiment of the present invention uses the interception log of the business service system, and then obtains the interception decision-making basis according to the interception log, which is beneficial to provide interception basis for information interception, and makes the target interception more accurate; extracts the core decision semantics in the interception decision-making basis, and according to the core decision-making Semantic construction of a decision tree is conducive to scoring the access information of the business system, and then judging whether to intercept the access information according to the scoring result; when the intercept score value is greater than the scoring threshold, intercept the access information and extract the core information semantics of the access information , according to the core information semantics, the decision tree can be adjusted by feedback, and a more accurate decision tree model can be obtained, which can more accurately realize the interception and judgment of access information, and ensure the security of the business service system. Therefore, the interception feedback processing method, device, electronic equipment, and computer-readable storage medium proposed by the present invention based on big data analysis and interception can solve the problem of low accuracy in information interception.

As shown in FIG. 4 , it is a functional block diagram of an interception feedback processing device based on big data analysis provided by an embodiment of the present invention.

The interception feedback processing device 100 based on big data analysis of the present invention can be installed in an electronic device. According to the functions realized, the interception feedback processing device 100 based on big data analysis may include an interception decision basis acquisition module 101, a core decision semantics extraction module 102, a decision tree model aggregation module 103, an interception score determination module 104, and an access information interception module 105 and a decision tree model feedback adjustment module 106. The module in the present invention can also be called a unit, which refers to a series of computer program segments that can be executed by the processor of the electronic device and can complete fixed functions, and are stored in the memory of the electronic device.

In this embodiment, the functions of each module/unit are as follows:

The interception decision-making basis acquisition module 101 is used to acquire the interception decision-making basis of the business service system based on the interception log of the target interception by the business service system;

The core decision semantics extraction module 102 is configured to perform vector conversion on the interception decision basis to obtain a vector interception decision basis, and extract the core decision semantics of the interception decision basis according to the vector interception decision basis;

The decision tree model aggregation module 103 is configured to construct a first sub-decision tree cluster according to the core decision semantics, and aggregate the first sub-decision tree cluster into a decision tree model;

The interception scoring determination module 104 is configured to obtain access information of the access subject of the business service system in real time, and use the decision tree model to intercept and score the access information;

The access information interception module 105 is configured to intercept the access information whose interception score is greater than the preset score threshold, and extract the core information semantics of the access information whose interception score is greater than the preset score threshold;

The decision tree model feedback adjustment module 106 is configured to use the core information semantics to construct a second sub-decision tree cluster, and use the second sub-decision tree cluster to perform feedback adjustment on the decision tree model.

In detail, each module described in the interception feedback processing device 100 based on big data analysis in the embodiment of the present invention adopts the interception feedback processing based on big data analysis interception described above in FIGS. 1 to 3 . The same technical means as the method can produce the same technical effect, and will not be repeated here.

As shown in FIG. 5 , it is a schematic structural diagram of an electronic device implementing an interception feedback processing method based on big data analysis interception provided by an embodiment of the present invention.

The electronic device 1 may include a processor 10, a memory 11, a communication bus 12, and a communication interface 13, and may also include computer programs stored in the memory 11 and operable on the processor 10, such as based on big data Analytical interception feedback handler.

Wherein, the processor 10 may be composed of integrated circuits in some embodiments, for example, may be composed of a single packaged integrated circuit, or may be composed of multiple integrated circuits with the same function or different functions packaged, including one or A combination of multiple central processing units (Central Processing unit, CPU), microprocessors, digital processing chips, graphics processors and various control chips, etc. The processor 10 is the control core (ControlUnit) of the electronic device, which uses various interfaces and lines to connect various components of the entire electronic device, and runs or executes programs or modules stored in the memory 11 (for example, executes based on Big data analysis interception feedback processing program, etc.), and call the data stored in the memory 11 to execute various functions of the electronic device and process data.

The memory 11 includes at least one type of readable storage medium, and the readable storage medium includes flash memory, mobile hard disk, multimedia card, card-type memory (for example: SD or DX memory, etc.), magnetic memory, magnetic disk, optical disk, etc. . The storage 11 may be an internal storage unit of the electronic device in some embodiments, such as a mobile hard disk of the electronic device. In other embodiments, the memory 11 can also be an external storage device of the electronic device, such as a plug-in mobile hard disk, a smart memory card (Smart Media Card, SMC), a secure digital (Secure Digital, SD ) card, flash memory card (Flash Card), etc. Further, the memory 11 may also include both an internal storage unit of the electronic device and an external storage device. The memory 11 can not only be used to store application software and various data installed in the electronic device, such as the code of the interception feedback processing program based on big data analysis, but also can be used to temporarily store the data that has been output or will be output.

The communication bus 12 may be a peripheral component interconnect standard (PCI for short) bus or an extended industry standard architecture (EISA for short) bus or the like. The bus can be divided into address bus, data bus, control bus and so on. The bus is configured to realize connection and communication between the memory 11 and at least one processor 10 and the like.

The communication interface 13 is used for communication between the electronic device and other devices, including a network interface and a user interface. Optionally, the network interface may include a wired interface and/or a wireless interface (such as a WI-FI interface, a Bluetooth interface, etc.), which are generally used to establish a communication connection between the electronic device and other electronic devices. The user interface may be a display (Display) or an input unit (such as a keyboard (Keyboard)). Optionally, the user interface may also be a standard wired interface or a wireless interface. Optionally, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode, organic light-emitting diode) touch device, and the like. Wherein, the display may also be properly referred to as a display screen or a display unit, and is used for displaying information processed in the electronic device and for displaying a visualized user interface.

The figure only shows an electronic device with components, and those skilled in the art can understand that the structure shown in the figure does not constitute a limitation on the electronic device, and may include fewer or more components than those shown in the figure , or combinations of certain components, or different arrangements of components.

For example, although not shown, the electronic device may also include a power supply (such as a battery) for supplying power to various components. Preferably, the power supply may be logically connected to the at least one processor 10 through a power management device, so that Realize functions such as charge management, discharge management, and power consumption management. The power supply may also include one or more DC or AC power supplies, recharging devices, power failure detection circuits, power converters or inverters, power status indicators and other arbitrary components. The electronic device may also include various sensors, a Bluetooth module, a Wi-Fi module, etc., which will not be repeated here.

It should be understood that the embodiments are only for illustration, and are not limited by the structure in terms of the scope of the patent application.

The interception feedback processing program based on big data analysis stored in the memory 11 in the electronic device 1 is a combination of multiple instructions. When running in the processor 10, it can realize:

Based on the interception log of the target interception by the business service system, the interception decision basis of the business service system is obtained;

Performing vector conversion on the interception decision basis to obtain the vector interception decision basis, and extracting the core decision semantics of the interception decision basis according to the vector interception decision basis;

Constructing a first sub-decision tree cluster according to the core decision semantics, and aggregating the first sub-decision tree cluster into a decision tree model;

Obtaining the access information of the access subject of the business service system in real time, and using the decision tree model to intercept and score the access information;

Intercepting the access information whose interception score is greater than the preset scoring threshold, and extracting the core information semantics of the access information whose interception score is greater than the preset scoring threshold;

Using the semantics of the core information to construct a second sub-decision tree cluster, and using the second sub-decision tree cluster to perform feedback adjustment on the decision tree model.

Specifically, for the specific implementation method of the above instructions by the processor 10, reference may be made to the description of relevant steps in the corresponding embodiments in the drawings, and details are not repeated here.

Further, if the integrated modules/units of the electronic device 1 are realized in the form of software function units and sold or used as independent products, they can be stored in a computer-readable storage medium. The computer-readable storage medium may be volatile or non-volatile. For example, the computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, U disk, removable hard disk, magnetic disk, optical disk, computer memory, read-only memory (ROM, Read-Only Memory).

The present invention also provides a computer-readable storage medium, the readable storage medium stores a computer program, and when the computer program is executed by a processor of an electronic device, it can realize:

Based on the interception log of the target interception by the business service system, the interception decision basis of the business service system is obtained;

Performing vector conversion on the interception decision basis to obtain the vector interception decision basis, and extracting the core decision semantics of the interception decision basis according to the vector interception decision basis;

Constructing a first sub-decision tree cluster according to the core decision semantics, and aggregating the first sub-decision tree cluster into a decision tree model;

Obtaining the access information of the access subject of the business service system in real time, and using the decision tree model to intercept and score the access information;

Intercepting the access information whose interception score is greater than the preset scoring threshold, and extracting the core information semantics of the access information whose interception score is greater than the preset scoring threshold;

Using the semantics of the core information to construct a second sub-decision tree cluster, and using the second sub-decision tree cluster to perform feedback adjustment on the decision tree model.

In the several embodiments provided by the present invention, it should be understood that the disclosed devices, devices and methods can be implemented in other ways. For example, the device embodiments described above are only illustrative. For example, the division of the modules is only a logical function division, and there may be other division methods in actual implementation.

The modules described as separate components may or may not be physically separated, and the components shown as modules may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional module in each embodiment of the present invention may be integrated into one processing unit, or each unit may physically exist separately, or two or more units may be integrated into one unit. The above-mentioned integrated units can be implemented in the form of hardware, or in the form of hardware plus software function modules.

It will be apparent to those skilled in the art that the invention is not limited to the details of the above-described exemplary embodiments, but that the invention can be embodied in other specific forms without departing from the spirit or essential characteristics of the invention.

Accordingly, the embodiments should be regarded in all points of view as exemplary and not restrictive, the scope of the invention being defined by the appended claims rather than the foregoing description, and it is therefore intended that the scope of the invention be defined by the appended claims rather than by the foregoing description. All changes within the meaning and range of equivalents of the elements are embraced in the present invention. Any reference sign in a claim should not be construed as limiting the claim concerned.

The embodiments of the present application may acquire and process relevant data based on artificial intelligence technology. Among them, artificial intelligence (AI) is a theory, method, technology and application system that uses digital computers or machines controlled by digital computers to simulate, extend and expand human intelligence, perceive the environment, acquire knowledge and use knowledge to obtain the best results. .

In addition, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or devices stated in the system claims may also be realized by one unit or device through software or hardware. The terms first, second, etc. are used to denote names and do not imply any particular order.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention without limitation. Although the present invention has been described in detail with reference to the preferred embodiments, those of ordinary skill in the art should understand that the technical solutions of the present invention can be Modifications or equivalent replacements can be made without departing from the spirit and scope of the technical solutions of the present invention.

Claims (7)

1. an interception feedback processing method based on big data analysis interception, it is characterized in that, described method comprises: S1. Obtain the interception decision basis of the business service system based on the interception log of the target interception by the business service system; S2. Perform vector conversion on the interception decision basis to obtain a vector interception decision basis, and extract core decision semantics of the interception decision basis according to the vector interception decision basis; S3. Construct a first sub-decision tree cluster according to the core decision semantics, and aggregate the first sub-decision tree cluster into a decision tree model; S4. Obtain the access information of the access subject of the business service system in real time, and use the decision tree model to intercept and score the access information, wherein the use of the decision tree model to intercept and score the access information includes: : S41. Input the pre-acquired training data set into the decision tree model to obtain a score data set; S42. Calculate the loss value of the decision tree model according to the score data set and a preset loss function, wherein the preset loss function includes:

in,

is the loss value,

is the score data in the score dataset,

is the preset real score data,

is the number of decision trees,

is the inverse cosine function,

is a logarithmic function; S43. When the loss value is greater than or equal to the preset loss threshold, perform a decision tree addition processing operation on the decision tree model until the loss value is less than the loss threshold, output the current decision tree model as intercept scoring model; S44. Input the access information into the intercept scoring model to obtain the intercept score of the access information; S5. Intercept the access information whose interception score is greater than the preset scoring threshold, and extract the core information semantics of the access information whose interception score is greater than the preset scoring threshold; S6. Construct a second sub-decision tree cluster by using the semantics of the core information, and use the second sub-decision tree cluster to perform feedback adjustment on the decision tree model. 2. The interception feedback processing method based on big data analysis interception as claimed in claim 1, wherein said obtaining the interception decision-making basis of said business service system comprises: extracting interception parameters in the interception log; An interception decision basis of the business service system is generated according to the interception parameters. 3. The interception feedback processing method based on big data analysis interception as claimed in claim 1, wherein the core decision semantics of extracting the interception decision-making basis according to the vector interception decision-making basis includes: Utilize the preset Bert model to extract the first attention weight of each decision word vector in the vector intercept decision basis; According to the position coding of each decision word vector, the first attention weight of the same decision word vector is added to obtain the second attention weight; Select the decision word vector with the highest second attention weight as the core decision semantics. 4. the interception feedback processing method based on big data analysis interception as claimed in claim 1, is characterized in that, described according to described core decision semantics constructs the first sub-decision tree cluster, comprising: Classifying and labeling the core decision semantics to obtain the decision label corresponding to the core decision semantics; Selecting the decision labels one by one as the first root node, splitting the first left node and the first right node on the first root node; assigning the core decision semantics to the first left node and the first right node to obtain a sub-decision tree; Aggregating the sub-decision trees into the first cluster of sub-decision trees. 5. the interception feedback processing method based on big data analysis interception as claimed in claim 1, is characterized in that, described first sub-decision tree cluster is aggregated into a decision tree model, comprising: Using the following information gain algorithm to calculate the first information gain corresponding to the decision label of the sub-decision tree root node in the first sub-decision tree cluster:

in,

is the first information gain,

for the first

The proportion of class decision labels,

is a logarithmic function,

is the number of decision semantic samples of the core decision semantics,

for the first

The number of decision semantic samples in class decision annotation,

Annotate the number of attributes corresponding to the decision; Selecting the first decision label with the largest first information gain as the second root node of the decision tree model, splitting the first left node and the second right node on the attribute corresponding to the first decision label; Selecting the second decision label with the largest information gain from the unselected decision labels one by one and assigning them to the first left node and the second right node; When the decision labels are all selected, the decision tree model is obtained. 6. The interception feedback processing method based on big data analysis interception according to any one of claims 1 to 5, wherein the interception of access information whose interception score is greater than a preset scoring threshold comprises: Extracting access parameters of the access information; The access parameter is intercepted by using a preset interceptor. 7. the interception feedback processing method based on big data analysis interception as claimed in claim 5, is characterized in that, utilizes described second sub-decision tree cluster to carry out feedback adjustment to described decision tree model, comprising: calculating a second information gain for a second decision label in the second sub-decision tree cluster; Select the decision label corresponding to the largest information gain among the first information gain and the second information gain as the third root node of the decision tree model, and split the attribute node on the attribute corresponding to the third root node ; Utilize the following splitting algorithm to determine the optimal splitting node of the attribute node:

in,

is the gain value of the best split node,

is the sum of the gradients of all samples in the left subtree for the partition collocation,

is the sum of the gradients of all samples in the right subtree of the partition collocation,

is the sum of the second derivatives of all samples in the left subtree of the partition collocation,

is the sum of the second derivatives of all samples in the right subtree of the partition collocation,

is a regularization constant; Allocating the maximum value of the first information gain corresponding to the first decision label and the second information gain corresponding to the second decision label to the optimal split node; When there are unselected decision labels in the first sub-decision tree and the second sub-decision tree, iterate the decision tree model until all the decision labels are selected, and complete the decision tree model feedback adjustments.

Images