Method, device and electronic equipment for detecting network protocol security risks

By segmenting and cleaning network protocol documents, extracting verb-object phrases, and comparing them with risk phrase sets, the problem of low efficiency in network protocol security risk detection in existing technologies is solved, and potential security risks are identified efficiently.

CN116633646BActive Publication Date: 2026-06-23BEIJING UNIV OF POSTS & TELECOMM

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
BEIJING UNIV OF POSTS & TELECOMM
Filing Date
2023-06-02
Publication Date
2026-06-23

AI Technical Summary

Technical Problem

Existing network protocol security risk detection methods are inefficient, making it difficult to quickly discover unknown logical vulnerabilities and security risks in 3GPP protocols. Furthermore, manual analysis is costly, and frequent updates lead to low detection efficiency.

Method used

By acquiring network protocol documents, segmenting and cleaning the data, extracting verb-object phrases with verb-object relationships, and comparing them with the document sentences using a preset set of risk phrases, sentences with security risks are selected.

Benefits of technology

It improves the efficiency of detecting network protocol security risks, can quickly identify potential security risks in protocol documents, and reduces the cost of manual analysis.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116633646B_ABST
    Figure CN116633646B_ABST
Patent Text Reader

Abstract

The application provides a network protocol security risk detection method and device and electronic equipment. The method comprises the following steps: obtaining a network protocol document to be detected; cutting and data cleaning the network protocol document to obtain preprocessed data; extracting a verb-object phrase with a verb-object relationship in the preprocessed data and analyzing document sentences in the preprocessed data; determining a sentence with a security risk in the network protocol document according to the verb-object phrase, the document sentences and a preset risk phrase set. The method screens out a risk phrase with a risk in the network protocol document through the preset risk phrase set, and then screens out a sentence with a security risk in the protocol document by comparing the risk phrase with the document sentences in the network protocol document, thereby improving the detection efficiency of the network protocol security risk.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network communication security technology, and in particular to a method, apparatus, and electronic device for detecting network protocol security risks. Background Technology

[0002] With the opening up of network capabilities and the expansion of the network attack surface, mobile communications face increasing security challenges. Hackers and malicious attackers exploit network vulnerabilities and weaknesses, potentially causing damage to mobile communication systems and threatening user privacy. Particularly in the 3GPP protocol, as it continues to evolve and update, the protocol itself has become more complex and diverse, potentially containing various unknown logical vulnerabilities and security risks.

[0003] To address vulnerabilities in network protocols, a common approach is manual analysis. This involves extensive reading of protocol documents and relying on domain expert knowledge to filter for security-related statements. This method is time-consuming and costly, and struggles to comprehensively identify risks inherent in standard protocols. Furthermore, every time the protocol standard is updated, manual analysis must be performed again, resulting in the current inefficiency of existing methods for detecting network protocol security risks. Summary of the Invention

[0004] The purpose of this invention is to provide a method, apparatus, and electronic device for detecting network protocol security risks, so as to improve the detection efficiency of network protocol security risks.

[0005] In a first aspect, embodiments of the present invention provide a method for detecting network protocol security risks, comprising: acquiring a network protocol document to be detected; segmenting and cleaning the network protocol document to obtain preprocessed data; extracting verb-object phrases with verb-object relationships from the preprocessed data and analyzing document sentences in the preprocessed data; and determining sentences in the network protocol document that contain security risks based on the verb-object phrases, the document sentences, and a preset set of risk phrases.

[0006] In a preferred embodiment, the step of determining the clauses in the network protocol document that contain security risks based on the verb-object phrases, the document clauses, and the preset risk phrase set includes: determining the risk phrases containing security risks in the verb-object phrases based on the verb-object phrases and the risk phrase set; and determining the clauses in the network protocol document that contain security risks based on the risk phrases and the document clauses.

[0007] In a preferred embodiment, after determining the risky phrases with security risks among the verb-object phrases based on the verb-object phrases and the risk phrase set, the step includes: determining associated risky phrases related to the risky phrases based on the frequency of the verb-object phrases and their positions in the preprocessed data; and determining the sentences with security risks in the network protocol document based on the risky phrases and the document sentences, which includes: determining the sentences with security risks in the network protocol document based on the associated risky phrases, the risky phrases, and the document sentences.

[0008] In a preferred embodiment, the step of determining the sentence in the network protocol document that has a security risk based on the aforementioned associated risk phrase, the aforementioned risk phrase, and the aforementioned document sentence includes: saving the aforementioned associated risk phrase and the aforementioned risk phrase as a risk phrase set; synthesizing a virtual sentence based on the aforementioned risk phrase set; and filtering the aforementioned document sentences related to the aforementioned virtual sentence to determine them as sentences in the aforementioned network protocol document that have a security risk.

[0009] In a preferred embodiment, the step of segmenting and cleaning the network protocol document to obtain preprocessed data includes: segmenting the network protocol document according to the corresponding clauses using preset symbols to obtain initial clauses; and cleaning the initial clauses to obtain preprocessed data.

[0010] In a preferred embodiment, the step of cleaning the initial clauses to obtain preprocessed data includes: deleting content that conforms to preset rules from the initial clauses to obtain a first intermediate clause; and merging repeated line breaks, tabs, spaces, and delimiters in the first intermediate clauses to obtain preprocessed data.

[0011] In a preferred embodiment, after deleting the content that conforms to the preset rules in the initial clause to obtain the first intermediate clause, the method further includes: renaming the preset standard file name in the first intermediate clause to obtain the second intermediate clause; and merging the repeated newline characters, tabs, spaces, and delimiters in the first intermediate clause to obtain preprocessed data, which includes: merging the repeated newline characters, tabs, spaces, and delimiters in the second intermediate clause to obtain preprocessed data.

[0012] In a preferred embodiment, the aforementioned network protocol document is the Third Generation Partnership Project (3GPP) protocol.

[0013] Secondly, embodiments of the present invention provide a network protocol security risk detection device, comprising: a data acquisition module for acquiring a network protocol document to be detected; a data cleaning module for segmenting and cleaning the network protocol document to obtain preprocessed data; a phrase extraction module for extracting verb-object phrases with verb-object relationships from the preprocessed data and analyzing document sentences in the preprocessed data; and a security risk determination module for determining sentences in the network protocol document that contain security risks based on the verb-object phrases, the document sentences, and a preset set of risk phrases.

[0014] Thirdly, embodiments of the present invention provide an electronic device, wherein the electronic device includes a processor and a memory, the memory storing machine-executable instructions that can be executed by the processor, and the processor executing the machine-executable instructions to implement a network protocol security risk detection method according to any one of the first to fourth possible implementations of the first aspect.

[0015] The embodiments of the present invention bring the following beneficial effects:

[0016] This invention provides a method, apparatus, and electronic device for detecting network protocol security risks. The method includes: acquiring a network protocol document to be detected; segmenting and cleaning the network protocol document to obtain preprocessed data; extracting verb-object phrases with verb-object relationships from the preprocessed data and analyzing document sentences in the preprocessed data; and determining sentences in the network protocol document that contain security risks based on the verb-object phrases, the document sentences, and a preset set of risk phrases. This method determines whether there are risks in the verb-object phrases in the network protocol document using a preset set of risk phrases, thereby filtering out risky phrases. Then, by comparing the risky phrases with the document sentences in the network protocol document, sentences containing security risks can be filtered out, thus improving the efficiency of network protocol security risk detection.

[0017] Other features and advantages disclosed in this embodiment will be set forth in the following description, or some features and advantages may be inferred from the description or determined without doubt, or may be learned by practicing the techniques described above.

[0018] To make the above-mentioned objects, features and advantages of this disclosure more apparent and understandable, preferred embodiments are described below in detail with reference to the accompanying drawings. Attached Figure Description

[0019] To more clearly illustrate the specific embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the specific embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.

[0020] Figure 1 A flowchart illustrating a method for detecting network protocol security risks provided in an embodiment of the present invention;

[0021] Figure 2 A flowchart illustrating another method for detecting network protocol security risks provided in an embodiment of the present invention;

[0022] Figure 3 A schematic diagram of a network protocol security risk detection device provided in an embodiment of the present invention;

[0023] Figure 4 This invention provides a schematic diagram of an electronic device structure.

[0024] Icons: 31-Data acquisition module; 32-Data cleaning module; 33-Phrase extraction module; 34-Security risk determination module; 41-Memory; 42-Processor; 43-Bus; 44-Communication interface. Detailed Implementation

[0025] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. The components of the embodiments of the present invention described and shown in the accompanying drawings can generally be arranged and designed in various different configurations.

[0026] With the opening up of network capabilities and the expansion of the network attack surface, mobile communications face increasing security challenges. Hackers and malicious attackers exploit network vulnerabilities and weaknesses, potentially causing damage to mobile communication systems and threatening user privacy. Particularly in the 3GPP protocol, as it continues to evolve and update, the protocol itself has become more complex and diverse, potentially containing various unknown logical vulnerabilities and security risks. A common approach to addressing vulnerabilities in network protocols is through manual analysis, involving extensive reading of protocol documents and relying on domain expert knowledge to filter out security-related statements. This method is time-consuming and costly, and it's difficult to comprehensively identify risks inherent in standard protocols. Furthermore, once the protocol standard is updated, manual analysis needs to be repeated, resulting in the current inefficiency of existing methods for detecting network protocol security risks.

[0027] Based on this, embodiments of the present invention provide a method, apparatus, and electronic device for detecting network protocol security risks. This method determines whether there are risks in verb-object phrases within a network protocol document by using a preset set of risky phrases, thereby filtering out risky phrases. Then, by comparing these risky phrases with the document sentences in the network protocol document, sentences containing security risks can be filtered out, thus improving the efficiency of network protocol security risk detection. To facilitate understanding of the embodiments of the present invention, a detailed description of the network protocol security risk detection method disclosed in the embodiments of the present invention will be provided first.

[0028] Example 1

[0029] In this embodiment, Figure 1 This is a flowchart illustrating a method for detecting network protocol security risks provided in an embodiment of the present invention.

[0030] Depend on Figure 1 As seen, the method includes:

[0031] Step S101: Obtain the network protocol document to be detected.

[0032] In this embodiment, the aforementioned network protocol document is the 3rd Generation Partnership Project (3GPP) protocol.

[0033] Step S102: The above network protocol document is segmented and cleaned to obtain preprocessed data.

[0034] Step S103: Extract verb-object phrases with verb-object relationships from the preprocessed data and analyze the document sentences in the preprocessed data.

[0035] In this embodiment, step S103 above uses component analysis technology to extract verb-object phrases from the preprocessed data.

[0036] Step S104: Based on the above verb-object phrases, the above document clauses, and the preset risk phrase set, determine the clauses in the above network protocol document that contain security risks.

[0037] In this embodiment, the subject of the document sentence is combined with the risk phrase in the verb-object phrase. The segmented document sentence is used as a hypothesis, and the semantic relevance between the two is determined by textual entailment technology. If the relevance is high, the document sentence is determined to contain a security risk.

[0038] This invention provides a method for detecting network protocol security risks. The method includes: acquiring a network protocol document to be detected; segmenting and cleaning the network protocol document to obtain preprocessed data; extracting verb-object phrases with verb-object relationships from the preprocessed data and analyzing document sentences in the preprocessed data; and determining sentences in the network protocol document that contain security risks based on the verb-object phrases, the document sentences, and a preset set of risk phrases. This method filters out risky phrases in the network protocol document using a preset set of risk phrases, and then compares these risky phrases with the document sentences in the network protocol document to identify sentences with security risks, thereby improving the efficiency of network protocol security risk detection.

[0039] Example 2

[0040] Based on the above embodiments, this invention provides another method for detecting network protocol security risks. Figure 2 This is a flowchart illustrating another method for detecting network protocol security risks provided in an embodiment of the present invention.

[0041] Depend on Figure 2 As seen, the method includes:

[0042] Step S201: Obtain the network protocol document to be detected.

[0043] Step S202: The above network protocol document is segmented and cleaned to obtain preprocessed data.

[0044] In this embodiment, step S202 includes the following steps A1-A2:

[0045] Step A1: Cut the above network protocol document into initial sentences according to the corresponding clauses and preset symbols.

[0046] Here, the preset symbols mentioned above include: period or space.

[0047] Step A2: Perform data cleaning on the initial clauses to obtain preprocessed data.

[0048] In one embodiment, step A2 includes the following steps B1-B2:

[0049] Step B1: Delete the content in the initial clause that conforms to the preset rules to obtain the first intermediate clause.

[0050] Here, the aforementioned preset rules include: deleting content in the current clause of the initial clause that mentions numbers and tables in subsequent initial clauses; deleting the titles in charts or tables in the initial clauses; and deleting subheadings in the initial clauses, which are generally regular combinations of numbers and dots.

[0051] Step B2: Merge the repeated newline characters, tabs, spaces, and delimiters in the first intermediate clause above to obtain the preprocessed data.

[0052] In one embodiment, after step B1, the method further includes: renaming the preset standard file name in the first intermediate clause to obtain the second intermediate clause; step B2 includes: merging the repeated newline characters, tabs, spaces and delimiters in the second intermediate clause to obtain preprocessed data.

[0053] Here, the aforementioned specification document has been renamed "standard file".

[0054] Step S203: Extract verb-object phrases with verb-object relationships from the preprocessed data and analyze the document sentences in the preprocessed data.

[0055] Here, component analysis is used to extract verb-object phrases with verb-object relationships from the preprocessed data, and the smallest granularity VP (Verb Parse) labeled phrases are extracted. Component analysis extracts component units from all preprocessed data; each unit consists of several words, and each unit is equivalent to a phrase. In particular, each word is a unit, and units can be combined to form larger units. The results are presented in tree form. The results are traversed, and the smallest granularity VP labeled phrases are extracted.

[0056] In practice, verb-object phrases include verbs combined with verbs and objects, such as: abort procedure.

[0057] A verb combined with a preposition and a prepositional object, for example: reuse from combination.

[0058] Furthermore, the main function of analyzing the document sentences in the preprocessed data is to extract the document sentences using natural language processing techniques, and simultaneously store the subjects corresponding to the document sentences for subsequent risk mining. Here, the main method for analyzing the document sentences in the preprocessed data is: using semantic role labeling technology to classify the roles in the sentences, locate the subject-verb-object structure in the sentences, and extract all sentences from the original sentence to obtain smaller-granular sentences, facilitating better analysis of the semantics of the document sentences.

[0059] Step S204: Based on the above verb-object phrases and the above set of risk phrases, identify the risk phrases among the above verb-object phrases that pose a security risk.

[0060] Step S205: Based on the above risk phrases and the above document clauses, determine the clauses in the above network protocol document that contain security risks.

[0061] In some embodiments, after step S204 above, the method further includes the following step C1:

[0062] Step C1: Based on the frequency of the above verb-object phrases and their positions in the above preprocessed data, determine the associated risk phrases related to the above risk phrases.

[0063] The main method of step C1 above is as follows: Arrange the verb-object phrases according to their position of occurrence and count their frequency; if two verb-object phrases appear in close positions, they are considered to have appeared simultaneously; calculate the frequency of each verb-object phrase appearing simultaneously with the aforementioned risk phrases that pose a security risk, and calculate their point mutual information. If the point mutual information exceeds a certain threshold, they are considered highly correlated, thus identifying the associated risk phrases related to the aforementioned risk phrases. The point mutual information is calculated as follows: Where p(word1&word2) represents the probability of two verb-object phrases appearing simultaneously; p(word1) is the probability of word1 appearing in the verb-object phrase (number of times word1 appears / total number of times); p(word2) is the probability of word2 appearing in the verb-object phrase (number of times word2 appears / total number of times). Regarding the results: if PMI > 0; the two verb-object phrases are related; the larger the value, the stronger the correlation. If PMI = 0; the two verb-object phrases are statistically independent, unrelated, and not mutually exclusive. If PMI < 0; the two verb-object phrases are unrelated and mutually exclusive.

[0064] Furthermore, step S205 above includes the following step C2:

[0065] Step C2: Based on the aforementioned associated risk phrases, risk phrases, and document clauses, identify the clauses in the aforementioned network protocol document that contain security risks.

[0066] Here, C2 above includes the following steps D1-D3:

[0067] Step D1: Save the above-mentioned associated risk phrases and the above-mentioned risk phrases as a risk phrase set.

[0068] Step D2: Based on the above set of risk phrases, synthesize virtual clauses.

[0069] Step D3: Filter the document sentences related to the above virtual sentences and identify those sentences in the above network protocol documents that have security risks.

[0070] In this embodiment, the method mainly combines the subject of the virtual clause with the risk phrase as a premise, and the document clause as a hypothesis. Using textual entailment techniques, the semantic relevance between the two is determined. If the relevance is high, the sentence is considered more likely to contain a security risk. Textual entailment describes the inference relationship between two texts, where one text is the premise and the other is the hypothesis. If hypothesis H can be inferred from premise P, then P is said to entail H, denoted as P→H. If the document clause can be inferred from the virtual clause, it proves that an entailment relationship exists, i.e., a high semantic similarity.

[0071] This invention provides a method for detecting network protocol security risks. The method includes: acquiring a network protocol document to be detected; segmenting and cleaning the network protocol document to obtain preprocessed data; extracting verb-object phrases with verb-object relationships from the preprocessed data and analyzing document sentences in the preprocessed data; identifying risky phrases with security risks based on the verb-object phrases and a set of risky phrases; and identifying sentences with security risks in the network protocol document based on the risky phrases and document sentences. This method determines whether there are risks in verb-object phrases in the network protocol document using a preset set of risky phrases, thereby filtering out risky phrases. Then, by comparing the risky phrases with document sentences in the network protocol document, sentences with security risks in the protocol document can be filtered out, thus improving the efficiency of network protocol security risk detection.

[0072] Example 3

[0073] Figure 3 This is a schematic diagram of a network protocol security risk detection device provided in an embodiment of the present invention.

[0074] Depend on Figure 3 As seen, the device includes:

[0075] The data acquisition module 31 is used to acquire the network protocol document to be detected.

[0076] The data cleaning module 32 is used to cut and clean the aforementioned network protocol documents to obtain preprocessed data.

[0077] The phrase extraction module 33 is used to extract verb-object phrases with verb-object relationships from the preprocessed data and analyze the document sentences in the preprocessed data.

[0078] The security risk determination module 34 is used to determine the sentences in the above network protocol document that contain security risks based on the above verb-object phrases, the above document sentences, and the preset risk phrase set.

[0079] The data acquisition module 31, the data cleaning module 32, the phrase extraction module 33, and the security risk determination module 34 are connected in sequence.

[0080] The network protocol security risk detection device provided in this embodiment of the invention has the same technical features as the network protocol security risk detection method provided in the above embodiments, and therefore can solve the same technical problems and achieve the same technical effects. Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working process of the device described above can be referred to the corresponding process in the foregoing method embodiments, and will not be repeated here.

[0081] Example 4

[0082] This embodiment provides an electronic device, including a processor and a memory. The memory stores computer-executable instructions that can be executed by the processor, and the processor executes the computer-executable instructions to implement the steps of a method for detecting network protocol security risks.

[0083] This embodiment provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the steps of a method for detecting network protocol security risks.

[0084] See Figure 4 The diagram shows the structure of an electronic device, which includes a memory 41 and a processor 42. The memory 41 stores a computer program that can run on the processor 42. When the processor executes the computer program, it implements the steps provided by the above-mentioned method for detecting network protocol security risks.

[0085] like Figure 4 As shown, the device also includes a bus 43 and a communication interface 44, with the processor 42, the communication interface 44 and the memory 41 connected via the bus 43; the processor 42 is used to execute executable modules, such as computer programs, stored in the memory 41.

[0086] The memory 41 may include high-speed random access memory (RAM) or non-volatile memory, such as at least one disk storage device. Communication between this system network element and at least one other network element is achieved through at least one communication interface 44 (which can be wired or wireless), such as the Internet, wide area network, local area network, metropolitan area network, etc.

[0087] Bus 43 can be an ISA bus, PCI bus, or EISA bus, etc. Buses can be divided into address buses, data buses, control buses, etc. For ease of representation, Figure 4 The symbol is represented by a single double-headed arrow, but this does not mean that there is only one bus or one type of bus.

[0088] The memory 41 stores the program, and the processor 42 executes the program after receiving the execution instruction. The method executed by the network protocol security risk detection device disclosed in any of the embodiments of the present invention can be applied to the processor 42, or implemented by the processor 42. The processor 42 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the above method can be completed by the integrated logic circuit in the hardware of the processor 42 or by instructions in the form of software. The processor 42 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components. It can implement or execute the methods, steps, and logic block diagrams disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of this invention can be directly manifested as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software modules can reside in random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or other mature storage media in the art. This storage medium is located in memory 41, and processor 42 reads information from memory 41 and, in conjunction with its hardware, completes the steps of the above method.

[0089] Furthermore, this embodiment of the invention also provides a machine-readable storage medium storing machine-executable instructions. When these machine-executable instructions are invoked and executed by the processor 42, they cause the processor 42 to implement the aforementioned method for detecting network protocol security risks.

[0090] The electronic devices and computer-readable storage media provided in the embodiments of the present invention have the same technical features, so they can also solve the same technical problems and achieve the same technical effects.

[0091] Furthermore, in the description of the embodiments of the present invention, unless otherwise explicitly specified and limited, the terms "installation," "connection," and "linking" should be interpreted broadly. For example, they can refer to a fixed connection, a detachable connection, or an integral connection; they can refer to a mechanical connection or an electrical connection; they can refer to a direct connection or an indirect connection through an intermediate medium; and they can refer to the internal connection of two components. Those skilled in the art can understand the specific meaning of the above terms in the present invention based on the specific circumstances.

[0092] In the description of this invention, it should be noted that the terms "center," "upper," "lower," "left," "right," "vertical," "horizontal," "inner," and "outer," etc., indicate the orientation or positional relationship based on the orientation or positional relationship shown in the accompanying drawings. They are used only for the convenience of describing the invention and for simplifying the description, and do not indicate or imply that the device or element referred to must have a specific orientation, or be constructed and operated in a specific orientation. Therefore, they should not be construed as limitations on the invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and should not be construed as indicating or implying relative importance.

Claims

1. A method for detecting network protocol security risks, characterized in that, include: Obtain the network protocol document to be tested; The network protocol document is segmented and cleaned to obtain preprocessed data; Extract verb-object phrases with verb-object relationships from the preprocessed data, and analyze the document sentences in the preprocessed data; Based on the verb-object phrase and a preset set of risk phrases, identify the risk phrases among the verb-object phrases that pose a security risk; Based on the frequency of the verb-object phrase and its position in the preprocessed data, the associated risk phrases are determined. Save the associated risk phrases and the risk phrases as a risk phrase set; Based on the set of risk phrases, synthesize virtual clauses; The document sentences related to the virtual sentence are filtered out and identified as sentences in the network protocol document that pose a security risk.

2. The method of claim 1, wherein, The steps of segmenting and cleaning the network protocol document to obtain preprocessed data include: The network protocol document is segmented according to its corresponding clauses using preset symbols to obtain initial clauses; The initial clauses are cleaned to obtain preprocessed data.

3. The method of detecting network protocol security risks of claim 2, wherein, The steps of cleaning the initial clauses to obtain preprocessed data include: Delete the content in the initial clause that conforms to the preset rules to obtain the first intermediate clause; Repeated newline characters, tabs, spaces, and delimiters in the first intermediate clause are merged to obtain preprocessed data.

4. The method of claim 3, wherein the network protocol security risk is detected by: After deleting content that conforms to preset rules from the initial clause to obtain the first intermediate clause, the method further includes: ​ The preset standard file name in the first intermediate clause is renamed to obtain the second intermediate clause; The steps of merging repeated newline characters, tabs, spaces, and delimiters in the first intermediate clause to obtain preprocessed data include: Repeated newline characters, tabs, spaces, and delimiters in the second middle clause are merged to obtain preprocessed data.

5. The method for detecting network protocol security risks according to claim 1, characterized in that, The network protocol document is the Third Generation Partnership Program (3GPP) protocol.

6. A network protocol security risk detection device, characterized in that, include: The data acquisition module is used to acquire the network protocol document to be detected; The data cleaning module is used to segment and clean the network protocol document to obtain preprocessed data. The phrase extraction module is used to extract verb-object phrases with verb-object relationships from the preprocessed data and analyze the document sentences in the preprocessed data. The security risk determination module is used to determine the risk phrases in the verb-object phrases that pose a security risk, based on the verb-object phrases and a preset set of risk phrases. Based on the frequency of the verb-object phrase and its position in the preprocessed data, the associated risk phrases are determined. The associated risk phrases and the risk phrases are saved as a risk phrase set; virtual sentences are synthesized based on the risk phrase set; document sentences related to the virtual sentences are filtered and identified as sentences in the network protocol document that contain security risks.

7. An electronic device, characterized in that, The electronic device includes a processor and a memory, the memory storing computer-executable instructions that can be executed by the processor, the processor executing the computer-executable instructions to implement the network protocol security risk detection method according to any one of claims 1 to 5.