CN-122001688-A - Self-adaptive training method for grade protection risk identification model
Abstract
The invention relates to the technical field of information security, in particular to a self-adaptive training method for a grade protection risk identification model. The method comprises: obtaining a network element topology matrix, a log set, a compliance label set, a network element communication baseline sequence, a cross-domain routing authority matrix, a vulnerability vector and a reference array; extracting an interaction matrix, an evolution matrix and a state matrix; inputting the state matrix into an initial graph analysis engine for propagation calculation and outputting a prediction matrix; performing deviation calculation to generate a compensation feedback matrix; extracting a convergence index of the compensation feedback matrix and outputting a convergence signal; and, when the convergence signal does not meet the condition, performing correction calculation on the initial graph analysis engine according to the compensation feedback matrix, updating it, and returning to the propagation calculation. The invention achieves stable self-adaptive optimization and convergence of the risk identification model in a complex network environment with a dynamically evolving architecture and strict access constraints.
Inventors
- SHAO JUNLI
- CHEN DAWEN
- QIAN XIAOJUN
- GAO YAMIN
- SHI YIYI
- WAN YAZHEN
- ZHANG XIAOJIAO
Assignees
- 金盾检测技术股份有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20260409
Claims (8)
- 1. The self-adaptive training method for the grade protection risk identification model is characterized by comprising the following steps: Acquiring a network element topology matrix, a log set, a compliance label set, a network element communication baseline sequence, a cross-domain routing authority matrix, a vulnerability vector and a reference array; Extracting an interaction matrix according to the log set and the network element communication baseline sequence, performing superposition calculation on the interaction matrix, the network element topology matrix and the cross-domain routing authority matrix, outputting an evolution matrix, extracting a structure tensor according to the evolution matrix and the vulnerability vector, extracting a feature tensor according to the log set, performing splicing calculation on the structure tensor and the feature tensor, and outputting a state matrix; Inputting the state matrix into an initial graph analysis engine to carry out propagation calculation and output a prediction matrix, and performing deviation degree calculation on the prediction matrix, the compliance label set and the evolution matrix to generate a compensation feedback matrix; When the convergence signal does not meet the condition, carrying out correction calculation on the initial graph analysis engine according to the compensation feedback matrix to generate an updated model; and when the convergence signal meets the condition, outputting the initial graph analysis engine as the target model.
- 2. The self-adaptive training method of the grade protection risk identification model according to claim 1 is characterized by comprising the steps of extracting an interaction matrix according to the log set and the network element communication baseline sequence, carrying out superposition calculation on the interaction matrix, the network element topology matrix and the cross-domain routing authority matrix, outputting an evolution matrix, wherein the method comprises the steps of splitting the log set into a time slice record sequence, comparing the time slice record sequence with the network element communication baseline sequence, extracting abnormal access frequency values, constructing an edge weight record table, mapping the edge weight record table into an interaction matrix with symmetrical dimensions, carrying out corresponding element addition on the interaction matrix and the network element topology matrix, outputting an intermediate connection topology matrix, extracting a cross-domain access permission coefficient from the cross-domain routing authority matrix, carrying out Hadamard product point multiplication operation on the cross-domain access permission coefficient and the intermediate connection topology matrix, and outputting the evolution matrix.
- 3. The self-adaptive training method of the grade protection risk identification model according to claim 1 is characterized by comprising the steps of executing Laplacian normalized transformation operation on an evolution matrix to output a standard Laplacian matrix, executing eigenvalue decomposition operation on the standard Laplacian matrix to extract eigenvalue diagonal matrix and eigenvector combination, executing Gaussian kernel function mapping transformation on the vulnerability vector to output severity eigenvector scalar sets, executing corresponding position addition operation on the severity eigenvector scalar sets and diagonal elements of the eigenvalue diagonal matrix to output a correction eigenvalue matrix, executing inverse reconstruction calculation on the correction eigenvalue matrix and eigenvector combination to extract low-dimensional network element space coordinate vectors, and executing splicing combination on the low-dimensional network element space coordinate vectors according to a network node sequence to output a structure tensor.
- 4. The self-adaptive training method of the grade protection risk identification model according to claim 1, characterized in that extracting the feature tensor according to the log set, performing splicing calculation on the structure tensor and the feature tensor, and outputting the state matrix comprises: splitting the log set into log slice sets arranged in time sequence; performing slice-by-slice word segmentation mapping processing on the log slice sets by utilizing a pre-training text word embedding algorithm, and outputting a high-dimensional semantic vector set carrying a time dimension; performing principal component analysis dimension reduction processing on the high-dimensional semantic vector set carrying the time dimension, and outputting the feature tensor; performing broadcast copy expansion calculation on the structure tensor along the time dimension, and outputting a time alignment structure tensor; performing alignment splicing calculation on the time alignment structure tensor and the feature tensor along a network element node sequence dimension, and outputting a channel fusion tensor; inputting the channel fusion tensor into a bilinear pooling calculation model, performing node-by-node feature self-multiplication operation, and extracting a modal cross feature record matrix; and performing dimension reduction summation on the modal cross feature record matrix, and outputting a non-activation function.
- 5. The self-adaptive training method of the grade protection risk identification model according to claim 1, characterized in that the initial graph analysis engine comprises a spatial graph convolutional network layer and a temporal gated recurrent network layer arranged in cascade, and inputting the state matrix into the initial graph analysis engine to carry out propagation calculation and output the prediction matrix comprises: inputting the state matrix and the evolution matrix into the spatial graph convolutional network layer to perform a local neighborhood node feature aggregation operation, and outputting a space perception feature matrix; slicing the space perception feature matrix according to a time sliding window, and outputting a time sequence feature slice set; inputting the time sequence feature slice set into the temporal gated recurrent network layer to perform a gating operation, and extracting a time evolution trend feature matrix; and inputting the time evolution trend feature matrix into a fully connected classifier to perform normalized exponential function (softmax) probability mapping, and outputting the prediction matrix.
- 6. The self-adaptive training method of the grade protection risk identification model according to claim 1, characterized in that performing deviation degree calculation on the prediction matrix, the compliance label set and the evolution matrix to generate the compensation feedback matrix comprises: inputting the prediction matrix and the compliance label set into a cross entropy loss calculation model to perform category difference distance calculation, and outputting a basic error matrix; extracting a network element security level distance record table from the evolution matrix; inputting the prediction matrix, the compliance label set and the network element security level distance record table into a preset topology constraint calculation function, calculating override level penalty factors when compliance nodes are misclassified, and outputting a topology penalty matrix; and weighting and summing the basic error matrix and the topology penalty matrix to generate the compensation feedback matrix covering category difference attributes and physical isolation constraint attributes.
- 7. The self-adaptive training method of the grade protection risk identification model according to claim 1, characterized in that extracting the convergence index of the compensation feedback matrix, comparing the numerical magnitude relation between the convergence index and the reference array, and outputting the convergence signal comprises: performing a Frobenius norm extraction operation on the compensation feedback matrix, and outputting a global loss scalar value; extracting gradient change rates of historical continuous training batches along a time dimension from the compensation feedback matrix, and assembling the gradient change rates into a local fluctuation feature array; combining the global loss scalar value and the local fluctuation feature array to generate a convergence index comprising multidimensional evaluation dimensions; performing bit-by-bit comparison calculation on the convergence index and the reference array, and outputting a judgment result set; and summarizing the judgment result set through a preset logic AND operation gate, and outputting the convergence signal.
- 8. The self-adaptive training method of the grade protection risk identification model according to claim 1, characterized in that, when the convergence signal is not satisfied, the specific process comprises the steps of: responding to the condition that the convergence signal is not satisfied, extracting a target gradient vector set of a network architecture layer according to the compensation feedback matrix; performing a first-order partial derivative square product operation on the target gradient vector set to generate a diagonal Hessian matrix set; extracting main diagonal elements of the diagonal Hessian matrix set, performing an addition operation on the main diagonal elements and a preset damping scalar, and outputting a regularized diagonal element set; performing a numerical reciprocal operation on the regularized diagonal element set, and outputting an adaptive learning rate adjustment coefficient set; performing Hadamard product calculation on the adaptive learning rate adjustment coefficient set and the target gradient vector set, and outputting an optimizing step size vector set; performing subtraction processing on internal node weight parameters of the initial graph analysis engine by utilizing the optimizing step size vector set to generate an updated model; writing the updated model into a memory addressing space to replace the initial triggering instruction, generating a cyclic triggering instruction, and returning the cyclic triggering instruction to perform initial graph analysis, and performing cyclic triggering instruction transmission response to the cyclic analysis engine.
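The evolution-matrix construction of claim 2, as an added example that is not part of the patent text. The log record format `(timestamp, source, destination)`, the per-slice baseline table, the reading of "abnormal access frequency" as the count in excess of the baseline, and all sample data are assumptions constructed for illustration.

```python
from collections import Counter

def interaction_matrix(logs, baseline, nodes, slice_len):
    """Symmetric matrix of per-slice access counts in excess of the baseline."""
    idx = {name: i for i, name in enumerate(nodes)}
    # Time-slice the records: (slice number, undirected edge) -> access count.
    per_slice = Counter()
    for ts, src, dst in logs:
        pair = tuple(sorted((src, dst)))
        per_slice[(ts // slice_len, pair)] += 1
    # Edge weight record table: excess over baseline, summed across slices.
    edge_weights = Counter()
    for (_slot, pair), count in per_slice.items():
        excess = count - baseline.get(pair, 0)
        if excess > 0:
            edge_weights[pair] += excess
    matrix = [[0.0] * len(nodes) for _ in nodes]
    for (a, b), weight in edge_weights.items():
        matrix[idx[a]][idx[b]] = matrix[idx[b]][idx[a]] = float(weight)
    return matrix

def evolution_matrix(interaction, topology, authority):
    """(interaction + topology), then Hadamard product with permission coefficients."""
    n = len(topology)
    connected = [[interaction[i][j] + topology[i][j] for j in range(n)]
                 for i in range(n)]          # intermediate connection topology
    return [[connected[i][j] * authority[i][j] for j in range(n)]
            for i in range(n)]

# Constructed sample: three network elements, 60-second time slices.
NODES = ["web", "app", "db"]
LOGS = [(0, "web", "app"), (10, "web", "app"), (20, "web", "app"),
        (30, "app", "db"),
        (70, "web", "db"), (80, "web", "db"), (90, "db", "web")]
BASELINE = {("app", "web"): 2, ("app", "db"): 1}   # expected accesses per slice
TOPOLOGY = [[0, 1, 0], [1, 0, 1], [0, 1, 0]]       # static links
AUTHORITY = [[1, 1, 0.5], [1, 1, 1], [0.5, 1, 1]]  # web-db is a restricted path

def demo():
    inter = interaction_matrix(LOGS, BASELINE, NODES, 60)
    return evolution_matrix(inter, TOPOLOGY, AUTHORITY)
```

A permission coefficient of 0 removes an edge from the evolution matrix together with any anomalous traffic observed on it, which is why the sample uses 0.5 for the restricted web-db path.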
Description
Self-adaptive training method for grade protection risk identification model
Technical Field
The invention relates to the technical field of information security, in particular to a self-adaptive training method for a grade protection risk identification model.
Background
Accurately identifying unauthorized-access risks and hidden attacks in a complex network architecture under the network security grade protection environment is currently an important direction of technical application. The prior art generally adopts a risk identification method that combines a graph neural network with security log analysis: network element entities and their interaction behaviors are abstracted into graph structures by extracting network communication logs and the connection relations between static devices, and a deep learning model performs local neighborhood aggregation calculation and classification prediction on node features. This is currently the mainstream technical means for large-scale network risk assessment and threat discovery. However, the training mechanisms of existing risk identification models have significant limitations in grade protection scenarios with stringent physical isolation and access control requirements.
Firstly, when constructing the graph adjacency relationship, the prior art depends only on static physical connection lines or simple traffic frequency and ignores the critical cross-domain isolation strategies and access authority constraints of a grade protection architecture, so the topological structure constructed by the model cannot perceive security domain boundaries. Secondly, when extracting network element spatial features, traditional methods mostly treat nodes as geometric entities with equal weights for characterization and dimension reduction, and cannot embed prior knowledge of network element vulnerabilities (such as existing serious vulnerabilities) into the reconstruction of the topological structure, so the potential influence of high-risk core nodes in the feature space is seriously underestimated. Furthermore, highly concealed and cross-domain cascade threats cannot be located in a complex network environment with a dynamically evolving architecture and strict access constraints, so it is difficult for the risk identification model to optimize and converge adaptively. Therefore, a self-adaptive training method for a grade protection risk identification model is provided.
Disclosure of Invention
The invention aims to provide a self-adaptive training method for a grade protection risk identification model, so as to solve the problems described in the background above.
In order to achieve this purpose, the invention provides a self-adaptive training method for a grade protection risk identification model, which comprises the following steps: Acquiring a network element topology matrix, a log set, a compliance label set, a network element communication baseline sequence, a cross-domain routing authority matrix, a vulnerability vector and a reference array; Extracting an interaction matrix according to the log set and the network element communication baseline sequence, performing superposition calculation on the interaction matrix, the network element topology matrix and the cross-domain routing authority matrix, outputting an evolution matrix, extracting a structure tensor according to the evolution matrix and the vulnerability vector, extracting a feature tensor according to the log set, performing splicing calculation on the structure tensor and the feature tensor, and outputting a state matrix; Inputting the state matrix into an initial graph analysis engine to carry out propagation calculation and output a prediction matrix, and performing deviation degree calculation on the prediction matrix, the compliance label set and the evolution matrix to generate a compensation feedback matrix; When the convergence signal does not meet the condition, carrying out correction calculation on the initial graph analysis engine according to the compensation feedback matrix to generate an updated model; and when the convergence signal meets the condition, outputting the initial graph analysis engine as the target model.
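The convergence check and correction step of the loop above, following the details given in claims 7 and 8, as an added example that is not the patent's implementation. The toy quadratic model in `train`, the reading of "gradient change rate" as the batch-to-batch change in the global loss scalar, and the `<=` comparison against the reference array are assumptions.

```python
import math

def frobenius(matrix):
    """Global loss scalar: Frobenius norm of the compensation feedback matrix."""
    return math.sqrt(sum(x * x for row in matrix for x in row))

def convergence_signal(loss_history, reference):
    """AND of element-wise checks: [latest loss, recent loss changes] <= reference."""
    k = len(reference) - 1                    # number of fluctuation slots
    if len(loss_history) < k + 1:
        return False                          # too few batches to judge
    recent = loss_history[-(k + 1):]
    fluctuation = [abs(b - a) for a, b in zip(recent, recent[1:])]
    index = [loss_history[-1]] + fluctuation  # multidimensional convergence index
    return all(v <= r for v, r in zip(index, reference))

def damped_step(weights, grads, damping):
    """w <- w - g / (g*g + damping): squared gradient as the diagonal Hessian term."""
    if damping <= 0:
        raise ValueError("damping must be positive to keep the reciprocal finite")
    return [w - g / (g * g + damping) for w, g in zip(weights, grads)]

def train(weights, target, reference, damping=1.0, max_iter=100):
    """Toy stand-in for the engine: the feedback (weights - target) is also the gradient."""
    history = []
    for iteration in range(max_iter):
        grads = [w - t for w, t in zip(weights, target)]
        history.append(frobenius([grads]))
        if convergence_signal(history, reference):
            return weights, iteration, True   # current model is the target model
        weights = damped_step(weights, grads, damping)
    return weights, max_iter, False
```

Because the signal is a logical AND, a single low loss value after a large drop does not end training; the loss must also have stopped moving for the batches covered by the reference array.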
Preferably, an interaction matrix is extracted according to the log set and the network element communication baseline sequence, the interaction matrix, the network element topology matrix and the cross-domain routing authority matrix are subjected to superposition calculation, an evolution matrix is output, the method comprises the steps of splitting the log set into a time slice record sequence, comparing the time slice record sequence with the network element communication baseline sequence, extracting abnormal access frequency values, constructing an edge weight record table, mapping the edge weight record