Method and device for continuous trust evaluation based on graph model and semantic time window
By using a graph model and semantic time window-based approach, the lack of personalized time windows for entities in real-time complex network environments is addressed. This enables dynamic assessment of the trustworthiness of users, terminals, and applications, as well as dynamic perception of security risks, thereby improving the adaptability and recognition capabilities of trust assessment.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- INFORMATION & COMM COMPANY OF QINGHAI ELECTRIC POWER
- Filing Date
- 2023-02-01
- Publication Date
- 2026-06-09
AI Technical Summary
Existing technologies lack the ability to mine individual time windows of entities in real-time complex network environments, making it difficult to effectively conduct continuous trust assessments and dynamic security awareness.
We employ a graph model-based and semantic time window approach. By acquiring behavioral record data of entity connections, we establish a chain structure, perform behavioral scoring and real-time semantic time window calculation, delete redundant data, update entity trust values, generate personalized real-time semantic time windows, and update trust values in conjunction with the global entity behavior graph.
It enables a comprehensive assessment of the trustworthiness of users, terminals, and applications in complex network environments, improves the dynamic perception and identification of dangerous behaviors in network environments, and enhances the adaptability and security risk identification capabilities of the trust assessment model.
Smart Images

Figure CN116155746B_ABST
Abstract
Description
Technical Field
[0001] The embodiments of the present invention relate to the field of continuous trust assessment, and in particular to a continuous trust assessment method and apparatus based on graph models and semantic time windows. Background Technology
[0002] Continuous trust assessment (CTAs) is a crucial means of ensuring network security. Through network situational awareness and risk detection technologies, CTAs comprehensively and accurately perform security perception, trust measurement, and user behavior analysis. Specifically, CTAs continuously quantifies the trust status of each entity in the network environment. This provides a basis for flexible access control policies, enabling the identification of dynamic attack behaviors by potential attackers. Furthermore, trust values replace traditional security metrics as the basis for access control, reducing the risk of data leakage from network entities during access control and overcoming the limitations imposed by business isolation on secure access control. Therefore, in complex network environments, real-time and accurate entity trust values are a critical factor in ensuring the effectiveness of trust assessment models.
[0003] In complex network environments, entity behavior records are often a crucial reference for assessing an entity's trustworthiness. A careful analysis of the interaction relationships among entities in complex network environments reveals that entities can be broadly categorized into three types: users, terminals, and applications. In this scenario, complex relationships exist between terminals, users, and applications, including many-to-many, one-to-many, and one-to-one relationships. These interaction relationships can be represented as follows: Figure 1 The secure data and interaction relationships between the three types of entities are important reference information for entity trust values in the network environment.
[0004] In addition, there is a large amount of time-series data in the real-time changing network environment. These data come from different sources and have different dynamic characteristics. Time windows are a very important factor in the continuous trust assessment process of entities. If only manually set time windows are used, the entire continuous trust assessment process is limited by subjective factors, which limits the ability to achieve dynamic security perception of the network environment.
[0005] The article "Research on Server Network Behavior Modeling and Anomaly Detection Method Based on Subgraphs" models server behavior as a tree structure according to the communication relationships between hosts and processes, and then divides it into subgraphs according to its traffic flow to facilitate the numericalization of anomaly detection features. It also combines clustering algorithms for anomaly identification of server behavior. However, this approach only addresses anomaly traffic detection for server entities and is difficult to apply to all network entities in complex network environments.
[0006] The invention, with publication number CN202010662813.2 and titled "A Smart Home Security Data Acquisition Method Based on Dynamic Trust Assessment Model," introduces a smart home security data acquisition method based on a dynamic trust assessment model. This method proposes a malicious node identification method based on a time window and a security trust difference. However, the time window in this method is a manually set parameter, and the trust value difference is used as a threshold for judging abnormal nodes.
[0007] The invention, with publication number CN201710600172.6 and titled "A Dynamic Window Selection Method and Wireless Network Trust Management System Based on Game Theory," proposes a dynamic window selection method and a wireless network trust management system based on game theory. It establishes a game model between the trust management system and the attacker; obtains the quantitative strategy sets of both the attacker and defender; and uses numerical simulation to obtain the payoff matrix of the game model. The global payoff function in the game theory model is calculated using the average of the payoff functions under different time windows. The time window selection comes from the window of the trust management system's strategy set that matches the maximum probability distribution of the Nash equilibrium. This application calculates the system's dynamic time window while considering the strategic interaction between the attacker and defender, aiming to minimize the overall system attack loss.
[0008] In summary, current technical solutions lack the ability to mine personalized time windows of entities in real-time complex network environments. Summary of the Invention
[0009] In view of this, in order to solve the above-mentioned technical problems or some of the technical problems, the present invention provides a method and apparatus for continuous trust assessment based on graph model and semantic time window.
[0010] In a first aspect, embodiments of the present invention provide a continuous trust assessment method based on graph models and semantic time windows, comprising:
[0011] S1: Obtain the behavior record data corresponding to multiple entity connections and the entity trust value corresponding to each behavior record data, and establish a chain structure based on the behavior record data and the entity trust value corresponding to each behavior record data, and store the behavior record data and the entity trust value corresponding to each behavior record data into the historical behavior record database according to the chain structure.
[0012] S2: Based on each chain of data in the historical behavior record database, and combined with the global data information in the historical behavior record database, a single behavior score is performed, and each chain of data and the corresponding behavior score value are stored in the historical behavior record score database.
[0013] S3: Based on each data record in the historical behavior record scoring database, a copy is sent to the record grouping storage module of the entity corresponding to each data record, the real-time semantic time window of the entity corresponding to each data record is calculated, and redundant record data is deleted.
[0014] S4: Based on the real-time semantic time window of the entity corresponding to each data record, the record data in the entity record group storage module and the calculated real-time semantic time window size are transmitted to the entity record group trust update module of the entity corresponding to each data record, and the global entity behavior graph and entity trust value are updated.
[0015] In one possible implementation, the method further includes:
[0016] For the behavioral record data corresponding to a single entity connection, a graph model G is used. n ={V n E n B n} characterization, where V n V represents the set of source and destination endpoints involved in a single action, user i, terminal j, application k, and their respective trust score order pairs. n ={(i,s i ),(j,s j ),(k,s k )};
[0017] E n E is a set of directed edges used to represent behavioral sources and receptors. n ={<i,> ,<j,> ,<k,j>};
[0018] B n B represents data generated by the interaction between the behavioral source and the receptor. n ={C ij ,f jk ,f kj}, where C ij The authentication record, f, is used to characterize the interaction between user i and terminal j. jk ,f kj It is multi-attribute evidence data generated by the interaction between the client and server deployed on terminal j of application k.
[0019] In one possible implementation, the method further includes:
[0020] For the behavior record data G corresponding to a single entity connection n ={V n E n B nA security score is calculated, and each behavior record and its corresponding security score value are stored in the historical behavior record scoring database.
[0021] For the user i, terminal j, and application k entities corresponding to the historical behavior records at time t, regarding B n Stored evidence data B n ={C ij ,f jk ,f kj The score for a single behavior is calculated using the first formula, which is:
[0022] Among them, S max This is the maximum trust limit set.
[0023] s i s j s k It is the trust score of user i, terminal j, and application k at the moment of entering the historical behavior record database;
[0024] S ij S jk S kj It is for C respectively ij ,f jk ,f kj The entropy weight method scoring of multi-attribute data exists in the data, where the weight of the entropy weight method is based on the C value among all behavioral records stored in the current subject-object historical behavior record. ij ,f jk ,f kj The calculation yielded the result.
[0025] In one possible implementation, the method further includes:
[0026] For the trust score set D = {(t0,x0),(t1,x1)......(t...} of the behavior records to be processed in the entity record grouping storage module, n-1 ,x n-1 )}, set θ th The data set S is generated according to a preset procedure, where {t0, t1, ..., t2} is defined. n-1} represents the time point for each network behavior, which can be set according to the meaning of the corresponding indicator, {x0, x1, ..., x...} n-1} represents the collected indicator values within the corresponding time period.
[0027] In one possible implementation, the method further includes:
[0028] S30: Assign i = 0, f = 0, T p=(t i ,x i ), T c =(t i+1 ,x i+1 ), initial window W f ={T p ,T c}, ρ0=1, low-density window counter τ=0;
[0029] S31: Calculation T p =(t i+1 ,x i+1 Assign i = 2;
[0030] S32: Assign value to T c =(t i+1 ,x i+1 ),calculate
[0031] S33: Calculate |θ w -θ c |, if |θ w -θ c |<θ th If yes, proceed to S34; otherwise, proceed to S35.
[0032] S34: T c The representative time series data is placed in window W f That is, W f =W f ∪T c And assign the value T p =T c , ρ f =ρ f +1;
[0033] S35: Move window W f Place it into the window set W, i.e., W = W∪W f f = f + 1, assignment
[0034] W f ={T p ,T c};
[0035] S36: Check the window density forward and perform a window merging operation;
[0036] S37: Assign i = i + 1, go to S32, and continue until i = |D|.
[0037] For [θ th ,τ th ,ρ thSubstitute the combined values into S30 to S37, and begin the optimization process with the goal of minimizing the second formula, which is:
[0038] Here, α and β are specified parameters used to adjust the final compression error and compression scale, respectively. After obtaining the optimal parameter combination, the window set W and the number of windows f under the optimal parameters are recorded, and the average window length L of the entity is output. w L w This is the real-time semantic time window for the entity;
[0039] For a set of windows W, retrieve the child windows W within it. f The endpoint data is merged, duplicate endpoint data is merged, and the chain data records corresponding to the time points of the endpoint data and the current real-time semantic time window of the entity are sent to the entity record grouping trust update module, and other redundant record data is deleted.
[0040] In one possible implementation, the method further includes:
[0041] S361: Obtain the low-density window count value τ;
[0042] S362: If ρ f <ρ th If τ = τ + 1 th If ρ f ≥ρ th ,τ=0, go to S37, where τ th For continuous low-density windows;
[0043] S363:
[0044] In one possible implementation, the method further includes:
[0045] Query the set of directed edges E that exist in the currently processed subject and object records. n ={<,j>,<j,k> ,<k,j> Does it already exist in the historical behavior graph G corresponding to multiple global entity connections? global If it does not exist, connect the corresponding node and assign the corresponding edge weight, then calculate according to the third formula, which is:
[0046] Among them, F i· F represents the frequency of interaction between entity i and all other entities at the same level as j within that time window. ij S represents the frequency of interaction between entity i and its parent entity j within that time window. ij For evidence data B n ={C ij ,fjk ,f jk The calculated score (S) ij S jk S kj );
[0047] The edge between the terminal and the user layer is set as follows:
[0048] If a corresponding edge exists, the corresponding edge weight is updated according to the third formula. The weights of nodes at different levels are calculated to generate a new global graph, thereby completing the update of the global entity behavior graph.
[0049] In one possible implementation, the method further includes:
[0050] For each entity record group, no trust update operation is performed during the first time window phase, and the trust value of the corresponding entity is the initial value;
[0051] When a second time window is generated, the trust level will be updated using the following steps:
[0052] S41: Obtain the current global average score of behavior records, calculate the score of the current behavior record to be processed and compare it with the previous time window in the trust update module. The difference between the mean scores of the internal history of behavioral records is denoted as ΔS. i,j,k,t ,;
[0053] S42: Get the current time window The historical behavior graph G corresponding to the global connections of multiple entities at a certain time t. global The node corresponding to the entity is retrieved, and the specific factor calculated using the fourth formula is used to measure the impact of a single behavior record on the trust level of entity i in the global network. The fourth formula is:
[0054] in, This indicates the indirect trust centrality of the node. G represents the number of paths that pass through node i and are the longest paths. vp This represents the number of longest paths connecting v and p, where N is the total number of nodes in the graph at time t.
[0055] in d iv It is the distance from node i to node v, representing the direct trust centrality of that node;
[0056] S43: Analyze the historical behavior graphs G before and after adding the behavior record. global The trust level of this node in the global network affects δ. t-1 δ tThe formula for calculating the change in trust level of this behavior record for that entity is as shown in Formula 5:
[0057] S44: After calculating the change in trust level for all records within this time window, the trust level update formula is as shown in Formula 6:
[0058] in, It is the set of other entity sequences that exist in the record group for entity i within the current time window. The distance between node i and the graph at time t is... The number of nodes in t op t ed These are the time data at the beginning and end of the time window, respectively.
[0059] Secondly, embodiments of the present invention provide a continuous trust assessment device based on graph models and semantic time windows, comprising:
[0060] The acquisition and establishment module is used to acquire behavior record data corresponding to multiple entity connections and entity trust value corresponding to each behavior record data, and establish a chain structure based on the behavior record data and entity trust value corresponding to each behavior record data, and store the behavior record data and entity trust value corresponding to each behavior record data into the historical behavior record database according to the chain structure.
[0061] The scoring module is used to score a single behavior based on each chain of data in the historical behavior record database and in combination with global data information in the historical behavior record database, and to store each chain of data and its corresponding behavior score value into the historical behavior record scoring database.
[0062] The calculation module is used to transmit a copy to the record grouping storage module of the entity corresponding to each data record based on each data record in the historical behavior record scoring database, calculate the real-time semantic time window of the entity corresponding to each data record, and delete redundant record data.
[0063] The update module is used to transmit the record data in the entity record group storage module and the calculated real-time semantic time window size to the entity record group trust update module corresponding to each data record, based on the real-time semantic time window of the entity corresponding to each data record, and to update the global entity behavior graph and entity trust value.
[0064] Thirdly, embodiments of the present invention provide an electronic device, including: a processor and a memory, wherein the processor is configured to execute a continuous trust assessment program based on graph models and semantic time windows stored in the memory, so as to implement the continuous trust assessment method based on graph models and semantic time windows described in the first aspect above.
[0065] Fourthly, embodiments of the present invention provide a storage medium, comprising: the storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the continuous trust assessment method based on graph models and semantic time windows described in the first aspect above.
[0066] The continuous trust assessment scheme based on graph models and semantic time windows provided in this invention involves the following steps: S1: Obtaining behavioral record data corresponding to multiple entity connections and the entity trust value corresponding to each behavioral record data, and establishing a chain structure based on the behavioral record data and the entity trust value corresponding to each behavioral record data, storing the behavioral record data and the entity trust value corresponding to each behavioral record data into a historical behavioral record database according to the chain structure; S2: Based on each chain data in the historical behavioral record database, combined with the global data information in the historical behavioral record database, performing a single behavior score, and comparing each chain data with the corresponding entity trust value. The corresponding behavior score is stored in the historical behavior record score database; S3: Based on each data record in the historical behavior record score database, a copy is sent to the record group storage module of the entity corresponding to each data record, the real-time semantic time window of the entity corresponding to each data record is calculated and redundant record data is deleted; S4: Based on the real-time semantic time window of the entity corresponding to each data record, the record data in the entity record group storage module and the calculated real-time semantic time window size are sent to the entity record group trust update module of the entity corresponding to each data record, and the global entity behavior graph and entity trust value are updated. Compared with the current technical solution, which lacks the mining of personalized time windows of entities in real-time complex network environments, this solution conducts a comprehensive evaluation of the trustworthiness of users, terminals and applications in complex network environments based on historical behavior. The deletion of redundant data and the generation of entity adaptive windows in the semantic time window segmentation process, combined with the graph model, realizes continuous trust assessment for dynamic perception and sensitive identification of dangerous behaviors in the network environment. Attached Figure Description
[0067] Figure 1 A user-terminal-application interaction diagram provided in an embodiment of the present invention;
[0068] Figure 2 A flowchart of a continuous trust assessment method based on graph models and semantic time windows is provided for an embodiment of the present invention;
[0069] Figure 3 A schematic diagram of the structure of a continuous trust assessment device based on graph model and semantic time window provided in an embodiment of the present invention;
[0070] Figure 4 This is a schematic diagram of the structure of an electronic device provided in an embodiment of the present invention. Detailed Implementation
[0071] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0072] First, let's explain the relevant terms:
[0073] User: An entity that uses terminal devices or network services in a network environment, which can usually be uniquely identified by a user account ID.
[0074] Terminal: A device entity located at the periphery of the network environment, which processes information input from user entities, outputs processing results, can deploy client software for network services, and communicates with remote network servers.
[0075] Application: An entity that provides network services in a network environment, typically a network service server, which can store and compute data and communicate with client terminals that deploy network services.
[0076] Semantic time window: A time window for processing time series data that has dynamic periodicity and is updated in real time. This time window depends on the segmentation calculation of historical time series data. The specific segmentation calculation method needs to aim to preserve the semantic information contained in the time series data to the greatest extent.
[0077] To facilitate understanding of the embodiments of the present invention, further explanations and descriptions will be provided below with reference to the accompanying drawings and specific embodiments. These embodiments do not constitute a limitation on the embodiments of the present invention.
[0078] Combination Figure 1 In this embodiment of the invention, entities in the network environment are divided into three categories: users, terminals, and applications. The interaction relationships between these three types of entities are as follows: Figure 1 As shown, based on this interaction relationship and the security information data collected by the system in real time, a chain-like data structure is established as a record storage mode for single network behaviors.
[0079] Figure 2A flowchart of a continuous trust evaluation method based on graph models and semantic time windows, provided for embodiments of the present invention, specifically includes:
[0080] S1: Obtain the behavior record data corresponding to multiple entity connections and the entity trust value corresponding to each behavior record data, and establish a chain structure based on the behavior record data and the entity trust value corresponding to each behavior record data, and store the behavior record data and the entity trust value corresponding to each behavior record data into the historical behavior record database according to the chain structure.
[0081] First, obtain user-terminal-application behavior log data (e.g., network behavior) and the entity trust value corresponding to each behavior log data. For the behavior log data corresponding to a single entity connection, use the graph model G. n ={V n E n B n} characterization, where V n V represents the set of source and destination endpoints involved in a single action, user i, terminal j, application k, and their respective trust score order pairs. n ={(i,s i ),(j,s j ),(k,s k )};
[0082] E n E is a set of directed edges used to represent behavioral sources and receptors. n ={<i,> ,<j,> ,<k,j>};
[0083] B n B represents data generated by the interaction between the behavioral source and the receptor. n ={C ij ,f jk ,f kj}, where C ij The authentication record, f, is used to characterize the interaction between user i and terminal j. jk ,f kj It is multi-attribute evidence data generated by the interaction between the client and server deployed on terminal j of application k.
[0084] S2: Based on each chain of data in the historical behavior record database, and combined with the global data information in the historical behavior record database, a single behavior score is performed, and each chain of data and its corresponding behavior score value are stored in the historical behavior record score database.
[0085] For the behavior record data G corresponding to a single entity connection n ={V n E n Bn A security score is calculated, and each behavior record and its corresponding security score value are stored in the historical behavior record scoring database.
[0086] For the user i, terminal j, and application k entities corresponding to the historical behavior records at time t, regarding B n Stored evidence data B n ={C ij ,f jk ,f kj The score for a single behavior is calculated using Formula 1:
[0087]
[0088] Among them, S max This is the maximum trust limit set.
[0089] s i s j s k It is the trust score of user i, terminal j, and application k at the moment of entering the historical behavior record database;
[0090] S ij S jk S kj It is for C respectively ij ,f jk ,f kj The entropy weight method scoring of multi-attribute data exists in the data, where the weight of the entropy weight method is based on the C value among all behavioral records stored in the current subject-object historical behavior record. ij ,f jk ,f kj The calculation yielded the result.
[0091] Each chain of data and its corresponding behavioral score is stored in the historical behavioral record scoring database.
[0092] S3: Based on each data record in the historical behavior record scoring database, a copy is sent to the record grouping storage module of the entity corresponding to each data record, the real-time semantic time window of the entity corresponding to each data record is calculated, and redundant record data is deleted.
[0093] For the trust score set D = {(t0,x0),(t1,x1)......(t...} of the behavior records to be processed in the entity record grouping storage module, n-1 ,x n-1 )}, where {t0, t1......t n-1} represents the time point for each network behavior, which can be set according to the meaning of the corresponding indicator, {x0, x1, ..., x...} n-1} represents the collected indicator values within the corresponding time period, given a θ. th To begin generating the data set S, the following steps are performed, given the constraints:
[0094] S30: Assign i = 0, f = 0, T p =(t i ,x i ), T c =(t i+1 ,x i+1 ), initial window W f ={T p ,T c}, ρ0=1, low-density window counter τ=0;
[0095] S31: Calculation T p =(t i+1 ,x i+1 Assign i = 2;
[0096] S32: Assign value to T c =(t i+1 ,x i+1 ),calculate
[0097] S33: Calculate |θ w -θ c |, if |θ w -θ c |<θ th If yes, proceed to S34; otherwise, proceed to S35.
[0098] S34: T c The representative time series data is placed in window W f That is, W f =W f ∪T c And assign the value T p =T c , ρ f =ρ f +1;
[0099] S35: Move window W f Place it into the window set W, i.e., W = W∪W f f = f + 1, assign the value W f ={T p ,T c};
[0100] S36: Check the window density forward and perform a window merging operation:
[0101] S361: Obtain the low-density window count value τ;
[0102] S362: If ρ f <ρ th If τ = τ + 1 th If ρ f ≥ρ th ,τ=0, go to S37, where τ th For continuous low-density windows;
[0103] S363:
[0104] S37: Assign i = i + 1, go to S32, and continue until i = |D|.
[0105] For [θ th ,τ th ,ρ th Substitute the combined values into S30 to S37, and begin the optimization process with the goal of minimizing Formula 2, as follows:
[0106]
[0107] Here, α and β are specified parameters used to adjust the final compression error and compression scale, respectively. After obtaining the optimal parameter combination, the window set W and the number of windows f under the optimal parameters are recorded, and the average window length L of the entity is output. w L w This is the real-time semantic time window for the entity;
[0108] For a set of windows W, retrieve the child windows W within it. f The endpoint data is merged, duplicate endpoint data is merged, and the chain data records corresponding to the time points of the endpoint data and the current real-time semantic time window of the entity are sent to the entity record grouping trust update module, and other redundant record data is deleted.
[0109] S4: Based on the real-time semantic time window of the entity corresponding to each data record, the record data in the entity record group storage module and the calculated real-time semantic time window size are transmitted to the entity record group trust update module of the entity corresponding to each data record, and the global entity behavior graph and entity trust value are updated.
[0110] The updating of the global entity behavior graph in the entity record grouping trust update module in this embodiment of the invention mainly includes:
[0111] Query the set of directed edges E that exist in the currently processed subject and object records. n ={<,j>,<j,k> ,<k,j> Does it already exist in the historical behavior graph G corresponding to multiple global entity connections? globalIf it does not exist, connect the corresponding nodes and assign the corresponding edge weights, and calculate according to Formula 3, which is as follows:
[0112]
[0113] Among them, F i· F represents the frequency of interaction between entity i and all other entities at the same level as j within that time window. ij S represents the frequency of interaction between entity i and its parent entity j within that time window. ij For evidence data B n ={C ij ,f jk ,f jk The calculated score (S) ij S jk S kj );
[0114] The edge between the terminal and the user layer is set as follows:
[0115] If a corresponding edge exists, the corresponding edge weight is updated according to Formula 3. The weights of nodes at different levels are calculated to generate a new global graph, thereby completing the update of the global entity behavior graph.
[0116] Furthermore, the entity record grouping trust update module calculates trust values based on time-series graphs, mainly including:
[0117] For each entity record group, no trust update operation is performed during the first time window phase, and the trust value of the corresponding entity is the initial value;
[0118] When a second time window is generated, the trust level will be updated using the following steps:
[0119] S41: Obtain the current global average score of behavior records, calculate the score of the current behavior record to be processed and compare it with the previous time window in the trust update module. The difference between the mean scores of the internal history of behavioral records is denoted as ΔS. i,,,t ,;
[0120] S42: Get the current time window The historical behavior graph G corresponding to the global connections of multiple entities at a certain time t. global The node corresponding to the entity is retrieved, and the specific factor calculated using Formula 4 is used to measure the impact of a single behavior record on the trust level of entity i in the global network. Formula 4 is as follows:
[0121]
[0122] in, This indicates the indirect trust centrality of the node. G represents the number of paths that pass through node i and are the longest paths. vp This represents the number of longest paths connecting v and p, where N is the total number of nodes in the graph at time t.
[0123] in d iv It is the distance from node i to node v, representing the direct trust centrality of that node;
[0124] S43: Analyze the historical behavior graphs G before and after adding the behavior record. global The trust level of this node in the global network affects δ. t-1 δ t The formula for calculating the change in trust level of this behavior record for that entity is as shown in Formula 5:
[0125]
[0126] S44: After calculating the change in trust level for all records within this time window, the trust level update formula is as shown in Formula 6:
[0127] in, It is the set of other entity sequences that exist in the record group for entity i within the current time window. The distance between node i and the graph at time t is... The number of nodes in t op t ed These are the time data at the beginning and end of the time window, respectively.
[0128] It should be noted that the time window in this embodiment of the invention needs to be combined with the historical behavior data changes of a certain entity, and is a dynamic window calculated in real time with the goal of preserving the value of behavior record information to the greatest extent; the trust value difference is combined with the current semantic time window to participate in the update of the trust value; the dynamic semantic time window involved in this embodiment of the invention depends on the network behavior score and behavior frequency of each entity, so as to maximize the preservation of the information value of each entity's behavior record and have personalized characteristics.
[0129] This method is based on a user-terminal-application behavior graph model, which links the trust updates of entities with those of global entities, enabling comprehensive awareness of security risks in the environment. The scheme employs a semantically preserved time window segmentation method, where each entity's time window is highly correlated with its own behavior records and frequency, enhancing the adaptability of time windows in continuous trust assessment. This semantically preserved time window segmentation method can identify key behavioral data for each entity, thereby reducing redundant data and improving the speed at which the trust assessment model can identify security risk behaviors. The level of behavior record scores for entities is a crucial factor in changes in entity trust levels. Entity trust scores participate in the trust aggregation of behavior record scores, and entity trust scores are highly dependent on behavior record scores. This mechanism, combined with real-time semantic time windows, provides a more sensitive ability to identify dangerous behaviors.
[0130] Figure 3 This diagram illustrates the structure of a continuous trust assessment device based on a graph model and semantic time window according to an embodiment of the present invention. Figure 3 As shown, the device includes:
[0131] The acquisition module 301 is used to acquire behavior record data corresponding to multiple entity connections and entity trust values corresponding to each behavior record data, and to establish a chain structure based on the behavior record data and entity trust values corresponding to each behavior record data, and store the behavior record data and entity trust values corresponding to each behavior record data into the historical behavior record database according to the chain structure. For detailed explanations, please refer to the relevant descriptions in the above method embodiments, which will not be repeated here.
[0132] The scoring module 302 is used to score a single behavior based on each chain of data in the historical behavior record database, combined with global data information in the historical behavior record database, and to store each chain of data and its corresponding behavior score value in the historical behavior record scoring database. For detailed explanations, please refer to the relevant descriptions in the above method embodiments; they will not be repeated here.
[0133] The calculation module 303 is used to transmit a copy of each data record in the historical behavior record scoring database to the record grouping storage module of the entity corresponding to each data record, calculate the real-time semantic time window of the entity corresponding to each data record, and delete redundant record data. For detailed explanations, please refer to the relevant descriptions in the above method embodiments, which will not be repeated here.
[0134] The update module 304 is used to transmit the record data in the entity record group storage module and the calculated real-time semantic time window size to the entity record group trust update module corresponding to each data record, based on the real-time semantic time window of the entity corresponding to each data record, and to update the global entity behavior graph and entity trust value. For detailed explanations, please refer to the relevant descriptions in the above method embodiments, which will not be repeated here.
[0135] The continuous trust assessment device based on graph model and semantic time window provided in this embodiment of the invention is used to execute the continuous trust assessment method based on graph model and semantic time window provided in the above embodiment. Its implementation method and principle are the same. For details, please refer to the relevant description of the above method embodiment, which will not be repeated here.
[0136] Figure 4 An electronic device according to an embodiment of the present invention is shown, such as... Figure 4 As shown, the electronic device may include a processor 901 and a memory 902, wherein the processor 901 and the memory 902 may be connected via a bus or other means. Figure 4 Taking the example of a connection between China and Israel via a bus.
[0137] Processor 901 can be a Central Processing Unit (CPU). Processor 901 can also be other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or combinations of the above types of chips.
[0138] The memory 902, as a non-transitory computer-readable storage medium, can be used to store non-transitory software programs, non-transitory computer-executable programs, and modules, such as the program instructions / modules corresponding to the methods provided in the embodiments of the present invention. The processor 901 executes various functional applications and data processing of the processor by running the non-transitory software programs, instructions, and modules stored in the memory 902, thereby implementing the methods in the above-described method embodiments.
[0139] The memory 902 may include a program storage area and a data storage area. The program storage area may store the operating system and applications required for at least one function; the data storage area may store data created by the processor 901, etc. Furthermore, the memory 902 may include high-speed random access memory and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid-state storage device. In some embodiments, the memory 902 may optionally include memory remotely located relative to the processor 901, and these remote memories may be connected to the processor 901 via a network. Examples of such networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.
[0140] One or more modules are stored in memory 902, and when executed by processor 901, they perform the methods described in the above method embodiments.
[0141] The specific details of the aforementioned electronic device can be understood by referring to the relevant descriptions and effects in the above method embodiments, and will not be repeated here.
[0142] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The program can be stored in a computer-readable storage medium, and when executed, it can include the processes of the embodiments of the methods described above. The storage medium can be a magnetic disk, optical disk, read-only memory (ROM), random access memory (RAM), flash memory, hard disk drive (HDD), or solid-state drive (SSD), etc.; the storage medium can also include combinations of the above types of memory.
[0143] Although embodiments of the invention have been described in conjunction with the accompanying drawings, those skilled in the art can make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations all fall within the scope defined by the appended claims.
Claims
1. A method for continuous trust assessment based on graph models and semantic time windows, characterized in that, include: S1: Obtain the behavior record data corresponding to multiple entity connections and the entity trust value corresponding to each behavior record data, and establish a chain structure based on the behavior record data and the entity trust value corresponding to each behavior record data, and store the behavior record data and the entity trust value corresponding to each behavior record data into the historical behavior record database according to the chain structure. S2: Based on each chain of data in the historical behavior record database, and combined with the global data information in the historical behavior record database, a single behavior score is performed, and each chain of data and the corresponding behavior score value are stored in the historical behavior record score database. S3: Based on each data record in the historical behavior record scoring database, a copy is sent to the record grouping storage module of the entity corresponding to each data record, the real-time semantic time window of the entity corresponding to each data record is calculated, and redundant record data is deleted. S4: Based on the real-time semantic time window of the entity corresponding to each data record, the record data in the entity record group storage module and the calculated real-time semantic time window size are transmitted to the entity record group trust update module of the entity corresponding to each data record, and the global entity behavior graph and entity trust value are updated. S3 calculates the real-time semantic time window for each data record corresponding to the entity and deletes redundant record data, including: starting to generate a data pair set according to preset steps. The preset steps include: S30: Assumption , , , Initial window , Low-density window counter ; S31: Calculation , Assignment ; S32: Assignment ,calculate ; S33: Calculation ,like If yes, proceed to S34; otherwise, proceed to S35. S34: Will The representative time series data is placed in the window. ,Right now and assign values , ; S35: Move window Add to window collection ,Right now Assignment ; ; S36: Check the window density forward and perform a window merging operation; S37: Assignment Turn to S32, until stop; For The combination value is substituted into S30-S37 to start optimization with the second formula as the target, and the second formula is: ; wherein, denotes the time point of the i-th network behavior, denotes the collected indicator data within the corresponding time period, denotes the limit value, denotes the trust value score set of the behavior records to be processed in the entity record group storage module, and are specified parameters, respectively used to adjust the final compression error and compression size, and after obtaining the optimal parameter combination, record the window set under the optimal parameter and the number of windows , output the average window length of the entity , the real-time semantic time window of the entity; For window collections Retrieve its sub-windows The endpoint data is merged, duplicate endpoint data is merged, and the chain data records corresponding to the time points of the endpoint data and the current real-time semantic time window of the entity are sent to the entity record grouping trust update module, and other redundant record data is deleted.
2. The method according to claim 1, characterized in that, The S1 step involves establishing a chain structure based on the behavior record data and the entity trust value corresponding to each behavior record data, including: For the behavioral record data corresponding to a single entity connection, use a graph model. Characterization, in which, This refers to the source and destination involved in a single action, and the user. ,terminal ,application The set of their respective trust rating pairs ; It is a set of directed edges used to represent behavioral sources and recipients. ; This represents data generated by the interaction between the behavioral source and the receptor. ,in, Characterizing users With terminal Interactions between them use authentication records. It is an application On the terminal Multi-attribute evidence data generated by the interaction between the deployed client and server.
3. The method according to claim 1, characterized in that, In step S2, a single behavior score is calculated based on each chain of data in the historical behavior record database, combined with global data information in the historical behavior record database, including: Behavioral record data corresponding to a single entity connection Perform security scoring and store each behavior record data and its corresponding security score value in the historical behavior record scoring database; right The user corresponding to the time history behavior record ,terminal ,application Entity, targeting Stored evidence data The score for a single behavior is calculated using the first formula, which is: ; in, This is the maximum trust limit set. , , User ,terminal ,application Trust score of an entity at the moment its historical behavior records are entered into the database; , , They are respectively for The entropy weight method scoring of multi-attribute data exists in the data, where the weight of the entropy weight method is based on the weight of all behavioral records stored in the current subject-object historical behavior record. The calculation yielded the result.
4. The method according to claim 1, characterized in that, S3 involves calculating the real-time semantic time window for each data record corresponding to the entity and deleting redundant record data, including: Trust value scoring set for behavior records to be processed in the entity record grouping storage module ,set up Limits, and begin generating data pairs according to preset steps. ,in, The time point for each network activity can be set according to the meaning of the corresponding indicator. These are the indicator values collected within the corresponding time period.
5. The method according to claim 4, characterized in that, S36: Check the window density forward and perform a window merging operation, including: S361: Get low-density window count value ; S362: If , like If so, proceed to S363; otherwise, proceed to S37. , Turn to S37, among which, For continuous low-density windows; S363: , 。 6. The method according to claim 1, characterized in that, In step S4, the global entity behavior graph and entity trust values are updated, including: Query the set of directed edges that exist in the currently processed subject and object records. Does it already exist in the historical behavior graph corresponding to multiple global entity connections? If it does not exist, connect the corresponding node and assign the corresponding edge weight, then calculate according to the third formula, which is: ; in, Indicates the entity within this time window Frequency of interaction with all other entities at the same level as j. Indicates the entity within this time window Frequency of interaction with superior entity j For evidence data The calculated score ( , , ); The edge between the terminal and the user layer is set as follows: ; If a corresponding edge exists, the corresponding edge weight is updated according to the third formula. The weights of nodes at different levels are calculated to generate a new global graph, thereby completing the update of the global entity behavior graph.
7. The method according to claim 6, characterized in that, The method further includes: For each entity record group, no trust update operation is performed during the first time window phase, and the trust value of the corresponding entity is the initial value; When a second time window is generated, the trust level will be updated using the following steps: S41: Obtain the current global average score of behavior records, calculate the score of the current behavior record to be processed and compare it with the previous time window in the trust update module. The difference between the mean scores of internal historical behavioral records is denoted as ,; S42: Get the current time window At a certain moment The historical behavior graph corresponding to the global connection of multiple entities The node corresponding to the entity is retrieved, and the specificity factor calculated using the fourth formula is used to measure the impact of a single behavior record on the entity. The fourth formula relates to the impact of trust levels in a global network: ; in, This indicates the indirect trust centrality of the node. Indicates passing through nodes And this is the number of paths along the longest path. Indicates connection and The number of longest paths, For the current moment The total number of nodes in the graph; in , It is a node To the node The distance represents the direct trust centrality of the node; S43: Analyze the historical behavior graphs before and after adding the behavior record. The impact of this node's trust level in the global network , The formula for calculating the change in trust level of this behavior record for that entity is as shown in Formula 5: ; S44: After calculating the change in trust level for all records within this time window, the trust level update formula is as shown in Formula 6: ; in, It is a physical entity The set of other entity sequences that exist in this record group within the current time window. , For the nodes in the graph at time t, Distance at The number of nodes within, , These are the time data at the beginning and end of the time window, respectively.
8. A continuous trust assessment device based on graph models and semantic time windows, characterized in that, include: The acquisition and establishment module is used to acquire behavior record data corresponding to multiple entity connections and entity trust value corresponding to each behavior record data, and establish a chain structure based on the behavior record data and entity trust value corresponding to each behavior record data, and store the behavior record data and entity trust value corresponding to each behavior record data into the historical behavior record database according to the chain structure. The scoring module is used to score a single behavior based on each chain of data in the historical behavior record database and in combination with global data information in the historical behavior record database, and to store each chain of data and its corresponding behavior score value into the historical behavior record scoring database. The calculation module is used to transmit a copy to the record grouping storage module of the entity corresponding to each data record based on each data record in the historical behavior record scoring database, calculate the real-time semantic time window of the entity corresponding to each data record, and delete redundant record data. The update module is used to transmit the record data in the entity record group storage module and the calculated real-time semantic time window size to the entity record group trust update module corresponding to each data record, based on the real-time semantic time window of the entity corresponding to each data record, and to update the global entity behavior graph and entity trust value. The calculation module calculates the real-time semantic time window for each data record corresponding to the entity and deletes redundant record data, including: starting to generate data pair sets according to preset steps. The preset steps include: S30: Assumption , , , Initial window , Low-density window counter ; S31: Calculation , Assignment ; S32: Assignment ,calculate ; S33: Calculation ,like If yes, proceed to S34; otherwise, proceed to S35. S34: Will The representative time series data is placed in the window. ,Right now and assign values , ; S35: Move window Add to window collection ,Right now Assignment ; ; S36: Check the window density forward and perform a window merging operation; S37: Assignment Turn to S32 until... stop; against Substitute the combined values into S30~S37, and begin the optimization process with the goal of minimizing the second formula, which is: ; in, This represents the time point of the i-th network action. This represents the indicator data collected within the corresponding time period. Indicates the limit value. This represents the trust value score set of the behavior records to be processed in the entity record grouping storage module. and These are specified parameters used to adjust the final compression error and compression scale, respectively. After obtaining the optimal parameter combination, the window set under the optimal parameters is recorded. and number of windows Output the average window length of the entity. , This is the real-time semantic time window for the entity; For window collections Retrieve its sub-windows The endpoint data is merged, duplicate endpoint data is merged, and the chain data records corresponding to the time points of the endpoint data and the current real-time semantic time window of the entity are sent to the entity record grouping trust update module, and other redundant record data is deleted.
9. An electronic device, characterized in that, include: A processor and a memory, the processor being configured to execute a continuous trust assessment program based on a graph model and semantic time window stored in the memory, to implement the continuous trust assessment method based on a graph model and semantic time window as described in any one of claims 1 to 7.
10. A storage medium, characterized in that, The storage medium stores one or more programs, which can be executed by one or more processors to implement the continuous trust assessment method based on graph model and semantic time window as described in any one of claims 1 to 7.