
CN-122027195-A - Behavior trend identification and active safety control method, system and equipment


Abstract

The invention belongs to the technical field of network security detection and relates to a behavior tendency identification and active security control method, system and equipment. The method comprises: collecting global atomization behavior data and terminal compliance state data of a target object at the terminal side and the network side in real time; cleaning and standardizing the global atomization behavior data and extracting abnormal behavior feature vectors that deviate from a normal baseline; inputting the abnormal behavior feature vectors into a preset risk quantification model to obtain a risk trend score; comparing the calculated risk trend score with preset graded risk thresholds, determining the current risk grade of the target object and generating a corresponding self-adaptive safety control instruction, wherein the higher the risk grade, the higher the limit grade that the self-adaptive safety control instruction imposes on the target object; and, in response to the self-adaptive safety control instruction, executing the corresponding active defense operation on the terminal or network equipment of the target object. The invention can improve the accuracy of object behavior trend identification and management and control.

Inventors

  • LIU ZHENHUI
  • GENG YUNXIAO
  • LUO XUELAI
  • FENG ZHAOWEN
  • WANG DAN
  • WANG WENHUA

Assignees

  • 航空工业信息中心

Dates

Publication Date
20260512
Application Date
20251224

Claims (12)

  1. A behavioral trend identification and active safety control method, the method comprising: step one, collecting global atomization behavior data and terminal compliance state data of a target object at a terminal side and a network side in real time; step two, cleaning and standardizing the global atomization behavior data, and extracting abnormal behavior feature vectors deviating from a normal baseline by comparing the global atomization behavior data with a preset historical normal behavior model; step three, inputting the abnormal behavior feature vector into a preset risk quantification model, and carrying out a weighted calculation in combination with the terminal compliance state data to obtain a risk tendency score representing the departure tendency and the safety risk degree of the target object at the current moment; step four, comparing the calculated risk tendency score with a preset graded risk threshold, determining the current risk level of the target object, and generating a corresponding self-adaptive safety control instruction, wherein the higher the risk level, the higher the limiting level of the self-adaptive safety control instruction on the target object; and step five, responding to the self-adaptive security management and control instruction, and executing the corresponding active defense operation on the terminal or network equipment of the target object.
  2. The method according to claim 1, wherein step one is specifically as follows: acquiring print job metadata, optical disc recording records, mobile storage device plug-in and large-file transmission records, mail transceiver information and text fingerprints, VPN/firewall/code hosting platform access logs and the terminal compliance state from a driver-level probe deployed on the terminal side and an audit gateway deployed on the intranet, to obtain an original behavior and combined block log set; performing time stamp alignment, duplicate record deduplication and hash consistency checking on the original behavior and combined block log set to obtain the global atomization behavior data; and performing context annotation on the global atomization behavior data in combination with asset management data and user identity mapping information to obtain a contextualized log set carrying equipment/user/position information as the terminal compliance state data.
  3. The method of claim 1, wherein the data cleaning and normalization operations in step two are as follows: according to the contextualized log set, performing word segmentation, entity identification and semantic tagging on the mail text and attachments of the target object to obtain a structured semantic tag set; performing feature extraction and normalization on the print job metadata and the I/O records in the contextualized log set to obtain a numerical feature set of event frequency, throughput and time distribution; and performing feature mapping and unified format conversion on the structured semantic tag set and the numerical feature set to obtain a unified format modeling feature set for modeling.
  4. The method of claim 1, wherein the abnormal behavior feature vector extraction in step two operates as follows: calculating behavior frequency deviation, access path deviation and semantic matching difference from the historical normal behavior model and the unified format modeling feature set to obtain a plurality of abnormal sub-feature sets; applying time smoothing, noise suppression and outlier rejection to the abnormal sub-feature sets to obtain filtered abnormal sub-feature sets; and merging and labeling the abnormal sub-features according to the filtered abnormal sub-feature sets and a preset feature fusion rule and priority mapping to obtain the abnormal behavior feature vector.
  5. The method of claim 1, wherein the risk tendency score in step three is obtained as follows: inputting the abnormal behavior feature vector into the risk quantization model and performing primary fusion processing according to the factors of sensitivity weight, behavior severity, time correlation, semantic confidence and I/O fluctuation to obtain a preliminary risk assessment result; and carrying out weight adjustment and normalization on the preliminary risk assessment result in combination with the terminal compliance state data to obtain a calibrated risk tendency score. The formula is as follows: [formula image not reproduced in the page text]. Its terms are: a behavior accumulation term over N different types of behavior; the sensitivity weight for each class of behavior; a coefficient of behavior severity; an integral term expressing the behavior density within a survey window; a function of the frequency at which the behavior occurs; a time decay factor; a semantic and I/O association factor; the off-job semantic confidence based on NLP analysis; the variance value of the abnormal I/O flow; and the compliance score of the terminal device.
  6. The method according to claim 1, wherein the method further comprises: triggering an online or offline parameter optimization flow based on historical labeled samples and a continuous learning strategy according to the risk tendency score, to obtain updated model parameters; back-testing and verifying the risk quantification model with the updated model parameters on the historical labeled samples and real-time samples to generate model performance indexes and obtain performance feedback; and, according to the performance feedback, writing the parameter change records, the key points of the calculation process and the key intermediate quantities of the risk quantification model into a tamper-proof audit log.
  7. The method of claim 1, wherein determining the current risk level of the target object in step four operates as follows: according to the risk tendency score, aggregating the historical score distribution of the same post or group and calculating a group behavior baseline to obtain group baseline data; dynamically generating or adjusting grading thresholds according to the group baseline data, the post sensitivity and the current security context to form a post/group self-adaptive threshold set; and comparing the risk tendency score with the corresponding threshold in the self-adaptive threshold set to determine the current risk level of the target object.
  8. The method according to claim 1, wherein step five, responding to the adaptive security management instruction and executing the corresponding active defense operation on the terminal or network equipment of the target object, specifically comprises the following steps: according to the current risk level of the target object, retrieving a corresponding management and control strategy template from a predefined strategy library, and dynamically generating a specific management and control strategy in combination with the business role, real-time task and compliance context of the target object to obtain a management and control plan that can be issued; converting the management and control plan into an executable command and issuing it to the terminal side or the corresponding network equipment through a terminal management channel or network protection equipment to obtain an issued execution instruction; and, according to the execution instruction, monitoring the execution state in real time, collecting the execution result and related evidence, packaging and tamper-proofing the collected evidence to form an evidence packet for auditing and evidence collection, and storing the evidence packet in an auditing module.
  9. The method of claim 1, wherein the global atomization behavior data comprises at least physical peripheral operation data, intranet communication semantic data and whole-network product log data; the physical peripheral operation data comprises printing content, optical disk recording and large-file transmission records of the mobile storage device.
  10. The method of claim 1, wherein the active defense operation comprises one or more of rights downgrade, peripheral interface blocking, network quarantine and evidence chain curing.
  11. A behavioral trend identification and active safety control system implementing the method of any one of claims 1 to 10, the system comprising: a data acquisition module for acquiring global atomization behavior data and terminal compliance state data of the target object at the terminal side and the network side in real time; a feature extraction module for cleaning and standardizing the global atomization behavior data, and extracting abnormal behavior feature vectors deviating from a normal baseline by comparing the global atomization behavior data with a preset historical normal behavior model; a risk scoring module for inputting the abnormal behavior feature vector into a preset risk quantification model, and carrying out a weighted calculation in combination with the terminal compliance state data to obtain a risk tendency score representing the departure tendency and the safety risk degree of the target object at the current moment; an instruction generation module for comparing the calculated risk tendency score with a preset graded risk threshold, determining the current risk level of the target object and generating a corresponding self-adaptive safety control instruction, wherein the higher the risk level, the higher the limit level of the self-adaptive safety control instruction on the target object; and a security management and control module for responding to the self-adaptive security management and control instruction and executing the corresponding active defense operation on the terminal or network equipment of the target object.
  12. An electronic device comprising a memory for storing a computer software program and a processor for reading and executing the computer software program, characterized in that the computer software program implements the method according to any one of claims 1 to 10.
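As an added illustration of how claims 1, 5, 7 and 10 fit together (example code written here, not the patent's own implementation, which the page does not contain): a weighted, time-decayed risk tendency score calibrated by the terminal compliance score, grading thresholds derived from a group's historical score distribution and tightened by post sensitivity, and the mapping from risk level to an active defense operation. The score composition, the half-life and window, the sensitivity weights and the sample events are all assumptions; the patent's formula itself is not reproduced on the page.

```python
from dataclasses import dataclass
from math import exp
from statistics import mean, pstdev

# Assumed sensitivity weight per behavior class (the patent states no values).
SENSITIVITY = {"print": 0.6, "burn": 0.9, "usb_copy": 0.8, "mail_out": 0.7}
# Limit level per risk grade: the higher the grade, the stronger the restriction.
ACTIONS = {0: "monitor_only", 1: "rights_downgrade", 2: "peripheral_block",
           3: "network_quarantine_and_evidence_curing"}

@dataclass
class Event:
    kind: str         # behavior class taken from the abnormal feature vector
    severity: float   # behavior severity coefficient, 0..1
    age_h: float      # hours since the event, drives the time decay factor

def risk_score(events, semantic_conf, io_variance, compliance,
               window_h=72.0, half_life_h=24.0):
    """Accumulate weighted, time-decayed behavior terms over the survey window,
    scale by an assumed semantic/I-O association factor, then calibrate with
    the terminal compliance score (0 = non-compliant, 1 = fully compliant)."""
    acc = 0.0
    for e in events:
        if e.age_h > window_h:
            continue                                   # outside the survey window
        decay = 0.5 ** (e.age_h / half_life_h)         # time decay factor
        acc += SENSITIVITY.get(e.kind, 0.3) * e.severity * decay
    assoc = 1.0 + semantic_conf + min(io_variance, 1.0)  # semantic and I/O association
    raw = acc * assoc * (2.0 - compliance)             # non-compliant endpoints weigh more
    return 1.0 - exp(-raw)                             # normalize into [0, 1)

def adaptive_thresholds(group_scores, post_sensitivity):
    """Claim 7: grading thresholds from the same post/group's historical score
    distribution, tightened for sensitive posts (post_sensitivity in 0..1)."""
    mu, sd = mean(group_scores), pstdev(group_scores) or 0.05
    scale = 1.0 - 0.5 * post_sensitivity
    return [round(min(mu + k * sd * scale, 0.99), 4) for k in (1, 2, 3)]

def control_instruction(score, thresholds):
    """Claim 1 steps four and five: count the thresholds the score reaches and
    map that risk level to an active defense operation (claim 10)."""
    level = sum(score >= t for t in thresholds)
    return level, ACTIONS[level]

if __name__ == "__main__":   # constructed sample run
    ev = [Event("usb_copy", 1.0, 0.0), Event("print", 0.5, 24.0), Event("burn", 0.8, 48.0)]
    thr = adaptive_thresholds([0.10, 0.12, 0.08, 0.14, 0.11], post_sensitivity=0.0)
    print(control_instruction(risk_score(ev, 0.5, 0.25, 0.5), thr))
```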

Description

Behavior trend identification and active safety control method, system and equipment

Technical Field

The invention belongs to the technical field of network security detection, and relates to a behavior tendency identification and active security control method, system and equipment.

Background

Nowadays, with the deepening of enterprise digital transformation, the analysis of personnel behavior data and security management under legal compliance have become important components of enterprise information security management. For example, the prior patent application with publication number CN108427758a discloses a method, device and storage medium for analyzing off-job tendency; its core idea is to assess the risk level of an employee's off-job tendency by collecting internet behavior data (such as information sending and information browsing behavior data) on the employee terminal and judging whether behavior data related to off-job tendency (such as resume delivery, job searching and recruitment website access behavior data) exists. However, that proposal focuses only on interaction with social software, mailbox systems and recruitment websites, and does not cover key behavior data in office scenarios such as employee printing, file burning and internal mailing, so the completeness of the behavior portrait is insufficient. The prior patent application with publication number CN113158752A discloses an intelligent safety management and control system for electric power employee approach operation, which realizes real-time monitoring and management of employee operation safety mainly through technologies such as face information acquisition and violation identification.

However, that solution focuses only on specific staff violations such as "not wearing helmets, not wearing safety belts", and does not consider broader behavioral trends such as job departure trends and data leakage risks. The prior patent application with publication number CN113158752A discloses an organization internal network risk assessment method and system, which only records the internet surfing behavior of internal personnel and judges personnel behavior risk according to negative or abnormal internet surfing behavior. The existing approaches fail to characterize the multidimensional behavior of employees in fine detail, and in particular do not fully attend to the off-job trends or other security risk signals that may be implied in an employee's regular office behavior. In addition, most existing schemes are passive-response types: when a potential risk is identified, security control measures such as limiting sensitive data access and adjusting authority cannot be taken actively.

Disclosure of Invention

The invention aims to solve the technical problem of providing a trend identification and active safety control method, system and equipment for finding hidden risk signals in the routine office behaviors of staff and achieving active safety control.

The technical scheme of the invention is as follows. In one aspect, the invention provides a behavioral trend identification and security control method, the method comprising: collecting global atomization behavior data and terminal compliance state data of a target object at the terminal side and the network side in real time, wherein the collecting means and collecting technology meet the requirements of laws and regulations; cleaning and standardizing the global atomization behavior data, and comparing it with a preset historical normal behavior model to extract abnormal behavior feature vectors deviating from a normal baseline; inputting the abnormal behavior feature vector into a preset risk quantification model, and carrying out a weighted calculation in combination with the terminal compliance state data to obtain a risk tendency score representing the departure tendency and the safety risk degree of the target object at the current moment; comparing the calculated risk tendency score with a preset graded risk threshold, determining the current risk level of the target object, and generating a corresponding self-adaptive safety control instruction, wherein the higher the risk level, the higher the limiting level of the self-adaptive safety control instruction on the target object; and responding to the adaptive security control instruction by executing the corresponding active defense operation on the terminal or network equipment of the target object. Optionally, collecting the global atomization behavior data and terminal compliance state data of the target object at the terminal side and the network side in real time includes: acquiring print job metadata, an optical disc reco