A behavior evolution-based operation compliance intelligent monitoring method and system
By constructing initial and shadow operation compliance baseline models and utilizing the directional consistency amplification mechanism of micro-deviation vectors, the problems of misjudgment and false alarms in existing technologies are solved, enabling accurate identification and blocking of long-term hidden violations and improving the system's compliance and security.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- HUNAN JIACHUANG INFORMATION TECH DEV CO LTD
- Filing Date
- 2026-03-13
- Publication Date
- 2026-06-09
AI Technical Summary
Existing operational compliance monitoring systems rely on historical operation logs, which are prone to misjudging violations, have difficulty identifying long-term, slow-penetrating violations, and have a high false alarm rate, making it impossible to accurately distinguish between normal business practices and latent attacks.
By constructing an initial operational compliance baseline model, utilizing the directional consistency amplification mechanism of micro-deviation vectors, and combining it with the shadow operational compliance baseline model for isolation, induction, and blocking, long-term hidden violations can be identified.
It enables efficient monitoring of operational compliance, accurately identifies potential risks, reduces false alarms, ensures system security, and provides personalized compliance analysis and intervention measures.
Smart Images

Figure CN121836402B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of operational monitoring technology, and in particular to an intelligent monitoring method and system for operational compliance based on behavioral evolution. Background Technology
[0002] Currently, existing operational compliance monitoring systems mainly rely on historical operation logs to determine violations. However, existing technologies have significant drawbacks: First, if there are already latent violations in the historical records, existing technologies may mistakenly identify them as normal behavior, leading to missed violations. Second, existing technologies typically only consider whether a single operation crosses the line, making it difficult to distinguish between normal changes in business habits and long-term, low-frequency covert probing attacks, resulting in insufficient defense against long-term, slow-penetrating violations. Furthermore, directly intercepting anomalies in existing technologies can easily lead to false alarms and business interruptions, and may alert the perpetrator, making it impossible to ascertain the operator's true intentions.
[0003] Therefore, there is a need for an intelligent monitoring method and system for operational compliance based on behavioral evolution that can prevent interference from historical data, accurately identify and amplify potential long-term probing behaviors. Summary of the Invention
[0004] This invention aims to provide an intelligent monitoring method and system for operational compliance based on behavioral evolution. This invention constructs a clean initial baseline through bidirectional verification of underlying configuration and historical logs, accurately identifies long-term hidden violations by utilizing the directional consistency amplification mechanism of micro deviation vectors, and pioneers a shadow operational compliance baseline model to isolate and induce suspicious behaviors and ultimately block their intent.
[0005] A method for intelligent monitoring of operational compliance based on behavioral evolution includes the following steps:
[0006] In the target business system, obtain the underlying operation configuration data; parse the underlying operation configuration data to obtain the initial operation compliance baseline model;
[0007] Obtain the real-time process operation sequence of the target operation object within the current time window; calculate the single micro deviation vector of the real-time process operation sequence relative to the initial operation compliance baseline model; record all single micro deviation vectors of the target operation object within multiple consecutive time windows; perform operation deviation evolution based on all single micro deviation vectors to obtain the target operation deviation evolution result;
[0008] Based on the evolution results of the target operation deviation, a differentiation judgment is made. If the evolution results of the target operation deviation meet the operational compliance and safety range, it is judged as a normal operation behavior drift, and the real-time process operation sequence is extracted to update the weight of the initial operation compliance baseline model. If the evolution results of the target operation deviation do not meet the operational compliance and safety range, a shadow operation compliance baseline model is constructed based on the initial operation compliance baseline model. According to the shadow operation compliance baseline model, non-compliant operation blocking operations are performed on the target operation object to complete the intelligent monitoring of the operation compliance of the target business system.
[0009] As a preferred technical solution of the present invention, the specific steps for parsing the underlying configuration data of the operation to obtain the initial operation compliance baseline model include:
[0010] Extract the operation compliance prerequisite dependencies from the underlying configuration data of the operation using a syntax tree; construct a static rule topology graph of the operation based on the operation compliance prerequisite dependencies;
[0011] Obtain compliance behavior operation logs of the target business system within a preset historical period; extract historical compliance execution trajectories from the compliance behavior operation logs; extract operation compliance execution links from the historical compliance execution trajectories; calculate the operation call probability and operation transfer probability in different operation compliance execution links; construct a dynamic execution path graph based on the operation call probability and operation transfer probability.
[0012] Pruning operations are performed on the dynamic execution path graph based on the static rule topology graph to obtain the causal topology graph of operations. Overlapping nodes and overlapping valid edges are extracted from the static rule topology graph and the dynamic execution path graph. Temporal topological features of the causal topology graph of operations are extracted. An initial operation compliance baseline model is trained based on the overlapping nodes, overlapping valid edges and temporal topological features.
[0013] As a preferred embodiment of the present invention, the specific steps for calculating the single micro-deviation vector of the real-time process operation sequence relative to the initial operation compliance baseline model include:
[0014] The real-time process operation sequence is mapped into the initial operation compliance baseline model to obtain the real-time process operation subgraph; features are extracted from the real-time process operation sequence to obtain the process operation operation features.
[0015] The topological differences between the real-time process operation subgraph and the operation causal topology graph are calculated. The structural deviation component is calculated based on illegal edges or unauthorized jump nodes that exist in the real-time process operation subgraph but not in the operation causal topology graph. The operation probability distribution divergence between the process operation operation characteristics and the initial operation compliance baseline model is calculated as the environmental deviation component.
[0016] The structural deviation component and the environmental deviation component are orthogonally mapped and concatenated in the feature representation space to obtain a single micro deviation vector. The magnitude of the single micro deviation vector is used to represent the overall deviation magnitude of the real-time process operation sequence. The pointing angle of the single micro deviation vector in the feature representation space represents the deviation type of the operation behavior of the real-time process operation sequence.
[0017] As a preferred embodiment of the present invention, the specific steps for performing operational deviation evolution based on all single micro-deviation vectors include:
[0018] Extract the pointing angle of the single micro deviation vector in the feature representation space of adjacent time windows and calculate it to obtain the cosine similarity of the angle between adjacent single micro deviation vectors; calculate the dispersion of all cosine similarities of the angle within a continuous time window to obtain the target behavior evolution operation coefficients.
[0019] A nonlinear amplification function is constructed based on the operational coefficients of the target behavior evolution; the magnitude of each single micro deviation vector is extracted as the single deviation penalty base in each time window; all single deviation penalty bases are substituted into the operational nonlinear amplification function for sequential accumulation operation to obtain the target operational deviation evolution result.
[0020] As a preferred technical solution of the present invention, the specific steps for blocking non-compliant operations on the target operation object based on the shadow operation compliance baseline model include:
[0021] Redirect the subsequent real-time process operation sequence of the target operation object to the shadow operation compliance baseline model for operation compliance judgment: return the disguised compliant operation instruction generated based on the shadow operation compliance baseline model to the target operation object; record the graph topology variation trajectory of the subsequent real-time process operation sequence of the target operation object within the shadow operation compliance baseline model;
[0022] Within a preset continuous time period, the relative topological divergence of the graph structure between the shadow operational compliance baseline model and the initial operational compliance baseline model is continuously calculated.
[0023] When the relative topological divergence of the graph structure reaches the preset high-risk operation compliance threshold, the complete operation mutation trajectory corresponding to the target operation object in the shadow operation compliance baseline model is extracted; and non-compliant operation blocking operation is performed on the target operation object according to the complete operation mutation trajectory.
[0024] As a preferred technical solution of the present invention, the specific steps of substituting all single deviation penalty bases into the operational nonlinear amplification function for sequence accumulation operation include: when the evolutionary coordination coefficients meet the preset direction consistency condition, performing exponential amplification gain on the single deviation penalty bases before performing sequence accumulation operation; when the evolutionary coordination coefficients meet the preset random fluctuation condition, performing linear gain on the single deviation penalty bases before performing sequence accumulation operation.
[0025] An intelligent monitoring system for operational compliance based on behavioral evolution, comprising:
[0026] The operation benchmark analysis module includes a benchmark construction unit and a deviation analysis unit. The benchmark construction unit is used to obtain the underlying operation configuration data in the target business system and parse the underlying operation configuration data to obtain the initial operation compliance baseline model.
[0027] The deviation analysis unit is used to obtain the real-time process operation sequence of the target operation object within the current time window; calculate the single micro deviation vector of the real-time process operation sequence relative to the initial operation compliance baseline model; record all single micro deviation vectors of the target operation object within multiple consecutive time windows; and perform operation deviation evolution based on all single micro deviation vectors to obtain the target operation deviation evolution result.
[0028] The operation compliance judgment module includes a compliance judgment unit. This unit differentiates and judges based on the evolution results of the target operation deviation. If the evolution results meet the operational compliance safety range, it is determined to be a normal operational behavior drift, and the real-time process operation sequence is extracted to update the weights of the initial operation compliance baseline model. If the evolution results do not meet the operational compliance safety range, a shadow operation compliance baseline model is constructed based on the initial operation compliance baseline model. Based on the shadow operation compliance baseline model, non-compliant operations are blocked on the target operation object, completing intelligent monitoring of the operational compliance of the target business system.
[0029] The present invention has the following advantages:
[0030] 1. This invention constructs an initial operational compliance baseline model by parsing the underlying configuration data of the target business system and monitoring the behavioral deviations of the operational objects in real time. It can efficiently identify operational compliance deviations and make dynamic adjustments. By calculating the single micro-deviation vector within each time window and performing evolutionary analysis based on multiple deviations, it can accurately determine the trend of operational behavior, identify potential non-compliance risks, and ensure system compliance.
[0031] 2. This invention constructs a shadow operation compliance baseline model. When an operation deviates from the compliance range, the shadow operation compliance baseline model can be automatically triggered to block the operation, preventing non-compliant operations from adversely affecting the system and further improving operation compliance assurance. By calculating the relative topological divergence of the graph structure, potential high-risk operations can be accurately identified and dealt with in a timely manner, ensuring system security and reducing security risks caused by operation deviations. Based on the different characteristics of the target operation object, the behavioral evolution path, environmental changes, and other factors, operation compliance is monitored in a refined manner, providing personalized compliance analysis and intervention measures. Attached Figure Description
[0032] Figure 1 This is a schematic diagram of the structure of an intelligent monitoring system for operational compliance based on behavioral evolution, as used in an embodiment of the present invention. Detailed Implementation
[0033] To enable those skilled in the art to better understand the technical solutions of this invention, the technical solutions of this invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of this invention.
[0034] Example 1: An intelligent monitoring method for operational compliance based on behavioral evolution, comprising the following steps:
[0035] In the target business system, the underlying operational configuration data is obtained; the underlying operational configuration data is parsed to obtain the initial operational compliance baseline model; the underlying operational configuration data refers to the basic configuration materials that are pre-set in the development, construction and deployment phases of the target business system to rigidly constrain the order of business process flow and system access permissions; the underlying operational configuration data specifically includes the call contract files of the business system interfaces, that is, the specification files that define the call order and parameter passing restrictions of various functional interfaces in the business system, the role-based access control policy files, the configuration files that define the system menu browsing or data operation permissions of users of different positions or levels, and the program source code files that carry the core business flow judgment logic. These data do not depend on the actual operation logs of users, but constitute the set of absolute physical and logical rules that the target business system must follow in an ideal state.
[0036] The specific steps for parsing the underlying operational configuration data to obtain the initial operational compliance baseline model include:
[0037] Extract the operation compliance prerequisite dependencies from the underlying configuration data of the operation using a syntax tree; construct a static rule topology graph of the operation based on the operation compliance prerequisite dependencies;
[0038] Specifically, a syntax tree is a representation of complex program code statements converted into a tree-like hierarchical structure. By traversing each decision node of the syntax tree, conditional judgment statements representing permission verification and interface call order are identified, thereby extracting the operation compliance prerequisite dependencies. Operation compliance prerequisite dependencies refer to the mandatory sequential logical constraints in a business process, where a specific operation can only be allowed by the system after another prerequisite operation has been successfully executed and meets specific permission conditions. By abstracting each functional interface in the target business system into nodes and using the extracted operation compliance prerequisite dependencies as directed edges connecting adjacent nodes, a static rule topology graph representing the unbreakable constraints at the system's underlying level is generated. This graph completely depicts all theoretically legal operation flow paths in the target business system.
[0039] Obtain compliance behavior operation logs of the target business system within a preset historical period; extract historical compliance execution trajectories from the compliance behavior operation logs; extract operation compliance execution links from the historical compliance execution trajectories; calculate the operation call probability and operation transfer probability in different operation compliance execution links; construct a dynamic execution path graph based on the operation call probability and operation transfer probability.
[0040] After obtaining the compliance behavior operation logs of the target business system within a preset historical period, the massive raw log data is cleaned based on the user's unique identity. The discrete operation actions of the same user within the same login period are linked together in chronological order according to the timestamps to extract continuous historical compliance execution trajectories. From the above-mentioned long-term execution trajectory, short sequences for completing specific business objectives, such as completing a complete order approval process, are further segmented and extracted, and these are defined as operation compliance execution links. In order to quantify the regular state of the operation compliance execution links, a frequency statistical algorithm is used to calculate the frequency at which each individual operation node in different operation compliance execution links is accessed by the user, i.e., the operation call probability; at the same time, the transfer frequency of the operation from the previous node to a specific subsequent node is calculated, i.e., the operation transfer probability.
[0041] Using actual operations from historical logs as graph nodes and actual flow directions as edges, and employing the calculated operation call probability and operation transfer probability as the weight attribute values of the corresponding nodes and edges, a dynamic execution path graph reflecting users' actual operating habits and the actual business flow status is constructed.
[0042] Pruning operations are performed on the dynamic execution path graph based on the static rule topology graph to obtain the causal topology graph of operations; overlapping nodes and overlapping valid edges are extracted from the static rule topology graph and the dynamic execution path graph; temporal topological features of the causal topology graph of operations are extracted; and an initial operation compliance baseline model is trained based on the overlapping nodes, overlapping valid edges and temporal topological features.
[0043] Pruning operations are performed on the dynamic execution path graph based on the static rule topology graph to filter historical dirty data and immunize against historical poisoning. Immunization against historical poisoning refers to the monitoring system's ability to effectively prevent its normal behavior judgment criteria (baseline model) from being contaminated and skewed by malicious behaviors or long-standing violations that have been lurking in the historical logs.
[0044] The specific steps are as follows: The graph structure of the dynamic execution path graph is isomorphically mapped and compared with the graph structure of the static operation rule topology graph. If an execution link is found in the dynamic execution path graph, but no corresponding legal constraint is found in the static operation rule topology graph, it indicates that the link is a contaminated path caused by historical violations, system vulnerabilities, or unauthorized user access. In this case, the system will forcibly delete these illegal links that violate the underlying rules from the dynamic execution path graph; this deletion process is called pruning. The remaining network topology graph after pruning not only absolutely conforms to the underlying system's permission rules but also includes the high-frequency calling habits of actual business operations, thus obtaining an operation causal topology graph that reflects the pure and true core business logic.
[0045] After obtaining the causal topology graph of the operation, the overlapping nodes and overlapping valid edges contained in the static rule topology graph and dynamic execution path graph during the comparison process are extracted, which serve as the absolute boundary of compliant operations in the spatial dimension. At the same time, the distribution and sequence pattern of the average flow time interval between each operation node in the causal topology graph of the operation are extracted, which are used as temporal topological features. The above overlapping nodes, overlapping valid edges, and temporal topological features are used as training samples and input into the graph neural network algorithm model for feature representation learning. The graph neural network will convert the input discrete graph structure and temporal features into low-dimensional continuous numerical vectors, and continuously adjust the parameter weights inside the network through an unsupervised learning mechanism, so that the model can fit and memorize the probability distribution of these legal features. When the model has undergone multiple iterations of training and its output feature vector distribution reaches a stable convergence state, the initial operation compliance baseline model is trained. Because the interference of illegal logs has been eliminated in advance, the initial operation compliance baseline model has the business causal identification capability of being immune to known and unknown historical operation poisoning in the zero-time state.
[0046] Obtain the real-time process operation sequence of the target operation object within the current time window; calculate the single micro deviation vector of the real-time process operation sequence relative to the initial operation compliance baseline model; record all single micro deviation vectors of the target operation object within multiple consecutive time windows; perform operation deviation evolution based on all single micro deviation vectors to obtain the target operation deviation evolution result;
[0047] The specific steps for calculating the single-step micro-deviation vector of the real-time process operation sequence relative to the initial operation compliance baseline model include:
[0048] The real-time process operation sequence is mapped into the initial operation compliance baseline model to obtain the real-time process operation subgraph; features are extracted from the real-time process operation sequence to obtain the process operation operation features.
[0049] The target operation object typically refers to a specific logged-in user, automated operation script, or external service entity that calls the interface in the business system; the current time window refers to a continuous and uninterrupted fixed-duration monitoring period set by the system (e.g., the past five minutes or one hour); the system captures all cross-node access actions triggered by the object within the window through the streaming data processing engine, and arranges them in chronological order to form a real-time process operation sequence.
[0050] Each operation node and flow direction in the real-time process operation sequence is projected and compared to the global causal topology space contained in the pre-trained initial operation compliance baseline model. The mapping process is essentially a subgraph isomorphic matching operation. The system extracts the actual nodes and edges in the sequence and combines them to generate a local network graph that only reflects the actual behavior trajectory of the object within the current monitoring period, i.e., the real-time process operation subgraph.
[0051] Feature extraction is performed on the contextual attributes of the real-time process operation sequence to extract statistical data such as the user's login geographical location, the hardware fingerprint of the access device, the frequency and time interval of the operation, and the network jump status. The above non-logical data reflecting the operation habits and the physical network environment are collectively referred to as process operation operation features.
[0052] The topological differences between the real-time process operation subgraph and the operation causal topology graph are calculated. The structural deviation component is calculated based on illegal edges or unauthorized jump nodes that exist in the real-time process operation subgraph but not in the operation causal topology graph. The operation probability distribution divergence between the process operation operation characteristics and the initial operation compliance baseline model is calculated as the environmental deviation component.
[0053] Specifically, the system traverses all nodes and edges in the real-time process operation subgraph and compares them one by one with the absolute rule boundaries in the operation causal topology graph. If the system finds an edge in the real-time process operation subgraph that does not exist in the operation causal topology graph (i.e., an illegal edge), or if it finds that a user has exceeded their authority, skipped or omitted a necessary pre-approval node in the operation process and directly accessed a subsequent node (i.e., an unauthorized skipping node), the system will trigger the rule penalty mechanism. Based on the sensitivity level or the size of the unauthorized span of the breached business node, different structural penalty weight values are assigned to it, and these penalty weights are accumulated or nonlinearly fused to obtain a value specifically used to characterize the intensity of the destruction, tampering or unauthorized attempt of the underlying business logic. This core value is the structural deviation component.
[0054] The divergence of the operational probability distribution between the operational characteristics of the calculation process and the historical normal operational probability distribution recorded in the initial operational compliance baseline model is used to identify situations where users, although following the sequential logic of the business process, have experienced abnormal deviations in their operational habits or environment. For example, a user might suddenly query routine business data frequently from a different location in the early morning. The process operation characteristics, including unstructured attributes such as operation frequency and device fingerprints, are extracted from previous data. Mathematical statistical analysis methods, such as the relative entropy algorithm (also known as the Kolb-Leibler divergence), are used to measure the degree of overlap and area of difference between the real-time probability distribution curves of these operational characteristics within the current time window and the normal historical characteristic probability distribution curves recorded in the baseline model. This calculated statistical distance value, representing behavioral habit drift, network physical environment fluctuations, or changes in time frequency, is defined as the environmental deviation component.
[0055] The structural deviation component and the environmental deviation component are orthogonally mapped and concatenated in the feature representation space to obtain a single micro deviation vector; where the magnitude of the single micro deviation vector is used to represent the overall deviation magnitude of the real-time process operation sequence; the pointing angle of the single micro deviation vector in the feature representation space represents the deviation type of the operation behavior of the real-time process operation sequence.
[0056] The specific data processing operation involves the system constructing a multi-dimensional orthogonal Cartesian coordinate system in memory, i.e., a feature representation space. The structural deviation component, representing the degree of disruption to business logic, is used as the independent coordinate value of one of the coordinate axes (e.g., the horizontal X-axis), and the environmental deviation component, representing changes in operational habits and the external environment, is used as the coordinate value of an orthogonal coordinate axis perpendicular to it (e.g., the vertical Y-axis). Through the combination and spatial projection of coordinate values, a directed line segment with clear geometric properties, i.e., a single-order micro-deviation vector, is generated in this space. The technical effect of the above feature decoupling and vectorization design is to endow the system's deviation degree with two key mathematical and physical meanings: the absolute length (i.e., the modulus) of this single-order micro-deviation vector in space, which is composed of various... The square root of the sum of squares of the dimensional deviation components is obtained, which is used to intuitively quantify the overall deviation magnitude and intensity of the real-time process operation sequence from the normal baseline. The angle (i.e., the pointing angle) formed by this single micro-deviation vector with each orthogonal coordinate axis in the multi-dimensional feature representation space accurately reflects the proportional weight of each deviation component in the overall deviation, thus clearly and intuitively representing the specific operational behavior deviation type of the current real-time process operation sequence. For example, if the pointing angle of the vector is mainly biased towards the structural deviation axis, it indicates that this is a strong logical overreach attempt mainly targeting business rule vulnerabilities; if the pointing angle of the vector is mainly biased towards the environmental deviation axis, it indicates that this is likely an account theft or abnormal login from a different location caused by a change in environmental habits.
[0057] The specific steps for evolving operational bias based on all single micro-bias vectors include:
[0058] Extract the pointing angle of the single micro deviation vector in the feature representation space of adjacent time windows and calculate it to obtain the cosine similarity of the angle between adjacent single micro deviation vectors; calculate the dispersion of all cosine similarities of the angle within a continuous time window to obtain the target behavior evolution operation coefficients.
[0059] Specifically, the system constructs a feature sequence queue for a specific target operation object in memory or a time-series database. As time progresses, the single micro-deviation vectors calculated for this object within each independent time window (such as every ten minutes or hour) are sequentially pushed into the queue for storage. The pointing angles of the single micro-deviation vectors generated in adjacent time windows in the queue are extracted in the multi-dimensional feature representation space and calculated using spatial geometric algebra algorithms to obtain the cosine similarity of the angle between adjacent single micro-deviation vectors. The pointing angle represents the specific business type or vulnerability probing direction of the operation behavior deviating from the baseline, such as attempting lateral privilege escalation or parameter tampering. The cosine similarity is calculated by taking the cosine of the angle between two adjacent vectors to accurately measure the degree of overlap between the deviation directions of these two operations. If the cosine similarity value is closer to one, it indicates that the illegal probing actions of the target operation object in two adjacent time windows are extremely similar in direction, indicating that it may be repeatedly and continuously probing attacks against the same business system vulnerability.
[0060] Using statistical algorithms such as variance, standard deviation, or information entropy to assess dispersion, volatility analysis is performed on cosine similarity sequences recorded over dozens or even hundreds of time windows. In business security logic, if a user's operations deviate from the normal baseline due to changes in job position or business travel environment, the direction of each deviation is usually a chaotic random business drift, resulting in a very large calculated dispersion. Conversely, if a hacker is carrying out covert, short-fluctuation, long-cycle infiltration, to avoid triggering security alerts, they often only perform extremely small and highly consistent probing actions each day, resulting in a very stable continuous cosine similarity sequence with minimal dispersion. The dispersion is then converted into target behavior evolution operation coefficients through inverse proportional mapping or normalization functions. The magnitude of these coefficients directly characterizes the premeditation, regularity, and consistency of the target's long-term behavioral probing.
[0061] A nonlinear amplification function is constructed based on the operational coefficients of the target behavior evolution; the magnitude of each single micro deviation vector is extracted as the single deviation penalty base in each time window; all single deviation penalty bases are substituted into the operational nonlinear amplification function for sequential accumulation operation to obtain the target operational deviation evolution result;
[0062] The specific steps for substituting all single deviation penalty bases into the operational nonlinear amplification function for sequence accumulation include: when the evolutionary coordination coefficients meet the preset directional consistency condition, applying an exponential amplification gain to the single deviation penalty bases before performing sequence accumulation; when the evolutionary coordination coefficients meet the preset random fluctuation condition, applying a linear gain to the single deviation penalty bases before performing sequence accumulation.
[0063] When the system determines that the target behavior evolution operation coefficient is extremely high, i.e., it meets the preset high directional consistency condition, indicating that the system is undergoing very patient micro-probing in the same direction, the system will configure the nonlinear amplification function of the operation as a mathematical function with exponential or high-power gain characteristics. When the coefficient is extremely low, indicating that the behavior is just a chaotic and random fluctuation of normal business, the system will configure it as a normal linear gain or even a decaying filtering function. After configuration, the system extracts the absolute length of each single micro-deviation vector generated by the object in each time window from the time sequence queue, i.e., the magnitude. Since the magnitude physically represents the magnitude of the operation's deviation from the baseline, the system defines it as the single deviation penalty base in each time window. The single deviation penalty base is usually extremely small and is often directly ignored or learned as normal noise in traditional security systems.
[0064] All single deviation penalty bases extracted from the continuous time series are substituted into the previously configured nonlinear amplification function in chronological order for sequence accumulation, thereby obtaining the final target operational deviation evolution result. The specific data processing steps are as follows: using time series integration or cumulative summation algorithms, each seemingly insignificant single deviation penalty base in the historical sequence is used as the input variable (base) of the function, and the single amplification gain value is calculated under exponential and other nonlinear amplification effects. Then, the gain values at all time points are accumulated. If the user's behavior is merely normal random fluctuation, the tiny base increases extremely slowly under ordinary linear accumulation, resulting in a slow evolution. If the target consistently remains below the safe water level, but if the target performs dozens of highly consistent, extremely small, latent poisoning operations, even if the penalty base for each operation is only 0.01, under the nonlinear exponential amplification mechanism triggered by the consistency of direction, the evolved value will experience a geometric surge after being accumulated over dozens of time windows. The system's final output of this explosively growing target operation deviation evolution result successfully amplifies and completely exposes the long-term covert penetration attack that was originally hidden in massive normal traffic at the numerical level, providing an absolutely reliable quantitative decision-making basis for the system to decisively trigger shadow operation compliance baseline model isolation or violation blocking strategies.
[0065] Based on the evolution results of the target operation deviation, a differentiation judgment is made. If the evolution results of the target operation deviation meet the operational compliance and safety range, it is judged as a normal operation behavior drift, and the real-time process operation sequence is extracted to update the weight of the initial operation compliance baseline model. If the evolution results of the target operation deviation do not meet the operational compliance and safety range, a shadow operation compliance baseline model is constructed based on the initial operation compliance baseline model. According to the shadow operation compliance baseline model, non-compliant operation blocking operations are performed on the target operation object to complete the intelligent monitoring of the operation compliance of the target business system.
[0066] Specifically, the evolution result of the target operation deviation, calculated through nonlinear amplification and accumulation, is compared with the system's preset operation compliance safety range threshold. If the evolution result is within the safety range, the system determines that the change in the target operation object's behavior is a normal operational behavior drift caused by reasonable reasons such as normal business iteration or user change of business travel environment. At this time, in order to enable the system to have dynamic adaptive capabilities, the system will extract the feature data of the real-time process operation sequence and use the backpropagation mechanism or incremental learning algorithm to perform normal iterative updates on the network node feature weights within the initial operation compliance baseline model in the master control running state, so that the baseline model can learn. And accept this legitimate new business practice; conversely, if the evolution of the target operation deviation exceeds the scope of operation compliance and security, it indicates that the target object is likely to be carrying out long-term infiltration and poisoning or continuous unauthorized probing; in order to protect the main model from being contaminated by dirty data without directly cutting off the suspicious connection, a non-existent technology sandbox isolation mechanism is triggered at this time, that is, the master control's initial operation compliance baseline model's learning and update permissions for the target object are immediately frozen, and at the same time, a virtual twin model completely consistent with the current master control baseline model is directly cloned and copied in memory, and it is independently divided into a sandbox running environment specifically for the suspicious object, that is, a shadow operation compliance baseline model is constructed.
[0067] The specific steps for blocking non-compliant operations of the target object based on the shadow operation compliance baseline model include:
[0068] Redirect the subsequent real-time process operation sequence of the target operation object to the shadow operation compliance baseline model for operation compliance judgment: return the disguised compliant operation instruction generated based on the shadow operation compliance baseline model to the target operation object; record the graph topology variation trajectory of the subsequent real-time process operation sequence of the target operation object within the shadow operation compliance baseline model;
[0069] Within a preset continuous time period, the relative topological divergence of the graph structure between the shadow operational compliance baseline model and the initial operational compliance baseline model is continuously calculated.
[0070] When the relative topological divergence of the graph structure reaches a preset high-risk operation compliance threshold, the complete operation mutation trajectory corresponding to the target operation object in the shadow operation compliance baseline model is extracted; and non-compliant operation blocking operation is performed on the target operation object according to the complete operation mutation trajectory.
[0071] First, at the network application routing or proxy level, subsequent access traffic initiated by the target object is intercepted and its policies modified. The subsequent real-time process operation sequence is logically redirected to the shadow operation compliance baseline model for independent feature matching and operation compliance judgment. To avoid alerting the target and misleading them into believing that their covert unauthorized or malicious probing operations have gone undetected and have been successfully accepted by the system's underlying logic, the system returns a disguised compliance operation instruction generated based on the shadow operation compliance baseline model. This disguised compliance operation instruction means that the system intercepts illegal cross-node requests but does not return a genuine error code indicating insufficient permissions; instead, it simulates a successful operation or a response message containing partially anonymized fake data to the client. While the target object is induced to continue probing deeper, the system, by default, allows the target object's subsequent violation sequences to continuously pollute and update the shadow operation compliance baseline model in the background. Using graph node tracing and source tracking technology, the system meticulously records the abnormal surge in node frequency and the generation of unauthorized permission edges caused by these malicious traffic events within the shadow operation compliance baseline model. The data links generated in this process constitute the graph topology variation trajectory.
[0072] Within a preset continuous time period during which the target operation object is induced to continuously operate in the shadow sandbox environment, the advanced analysis engine in the system's backend continuously calculates the relative topological divergence of the graph structure between the dynamically updated shadow operation compliance baseline model and the initial operation compliance baseline model, which is in a safe frozen state. The specific data processing and analysis steps are as follows: In each time slice, the system extracts the graph node probability distribution matrix and topological connectivity attributes from the master control initial operation compliance baseline model and the current shadow operation compliance baseline model. Then, using a relative entropy algorithm (such as the Kohlbek-Leibler divergence measurement technique) or a graph edit distance algorithm, it calculates the difference in structural distribution probability in the multidimensional feature space between the two originally identical digital twin models. Since the initial operation compliance baseline model is absolutely frozen and maintains rule purity, while the shadow operation compliance baseline model continuously accepts the target object's illegal evolutionary operations, the difference in probability distribution and topological form between the two will become larger and larger as the depth of the target operation object's penetration and probing increases. This difference, which continuously expands with time integration, is the calculated relative topological divergence of the graph structure.
[0073] As the parallel isolation evolution progresses, the system backend monitors the changes in the relative topological divergence of the graph structure in real time. When the relative topological divergence of the graph structure continues to rise and eventually reaches the system's preset high-risk operation compliance threshold, the system determines that the target operation's ultimate attack intent, such as attempting to access core database nodes or trying to obtain the highest level of approval privileges, has been fully exposed and is beyond doubt. The system immediately terminates the interactive operation of the parallel masquerade trap environment and uses its internal data snapshot comparison engine to completely extract all node probing, permission jumps, and illegal connections generated by the target operation since it was isolated and redirected from the shadow operation compliance baseline model. The system records data, splices it chronologically, and packages it into a complete and irrefutable chain of evidence of operational mutations. This complete operational mutation trajectory is used as the direct basis for determining serious violations. Based on the specific threat depth and vulnerable nodes exposed by the trajectory, the system coordinates with the underlying zero-trust network access control components to perform substantive non-compliant blocking operations on the target, including but not limited to forcibly disconnecting physical network connections, forcibly logging out current business login sessions, comprehensively downgrading user access permissions, or adding the user to a global blacklist. This ensures that the system achieves a complete closed-loop intelligent monitoring of the target business system's operational compliance without interfering with the normal operation of the main business and while obtaining complete attack evidence.
[0074] In practical technical applications, before the system performs any topology comparison or vectorized deviation calculation, the underlying configuration data and real-time log data generated by the target business system contain heterogeneous data characteristics with completely different physical units and dimensions, such as timestamps, IP address ranges, access frequency, and device fingerprints. Therefore, the system must first rely on the data preprocessing engine to execute standardized dimension unification and feature normalization algorithms.
[0075] Specifically, for continuous numerical features such as operation execution time and interface call frequency, the system adopts the Z-Score standardization algorithm based on Gaussian distribution. That is, it first calculates the statistical mean and standard deviation of the feature in the historical compliance behavior operation logs, and then subtracts the mean from the feature value collected in real time and divides it by the standard deviation, thereby transforming the original absolute values with different physical units into dimensionless standardized values with a mean of zero and a variance of one. For discrete classification features such as equipment model and operation role type, the system uses one-hot encoding or entity embedding neural network layers to map these discrete text labels into a fixed-length continuous real number vector space.
[0076] After unifying the dimensions, the training of the initial operational compliance baseline model and the deep representation of business characteristics in this embodiment are simulated and implemented based on the graph neural network model architecture and its derived graph sampling and aggregation algorithms. The specific data processing steps are as follows: the system uses the clean operational causal topology graph obtained after previous bidirectional verification and pruning operations as the initial input data structure of the graph neural network. Each legitimate business operation interface is defined as a node in the graph network, and the inviolable preorder dependencies and transition probabilities between operations constitute weighted directed edges. The graph neural network model, through its internally deployed multilayer perceptron and neighbor node aggregation function, weights and fuses the attribute features of the current operation node with the temporal features of its legitimate predecessor and successor nodes within its multi-hop range in each forward propagation iteration. During the self-supervised learning training phase of the model, the system continuously fine-tunes the weight parameter matrix inside the graph neural network through the backpropagation algorithm, making the feature vectors of the normal compliance link highly clustered in the multidimensional space, thereby firmly solidifying the absolute compliance causal logic within the mathematical parameter space distribution of the initial operational compliance baseline model.
[0077] For the calculation of the single micro-deviation vector of the real-time process operation sequence relative to the initial operation compliance baseline model, the system adopts a hybrid calculation model that orthogonally combines the graph edit distance algorithm and the relative entropy algorithm. When calculating the structural deviation component representing the logical violation, the system uses the graph edit distance algorithm to accurately measure the minimum structural modification cost required for the real-time process operation subgraph to be transformed into the standard operation causal topology graph. The system configures an asymmetric cost penalty matrix inside the algorithm. For illegal edge operations that are forcibly inserted beyond the permission boundary in the real-time sequence, the algorithm will assign an extremely high exponential cost value, thereby calculating a numerical scalar that accurately reflects the intensity of the violation of the underlying business rules.
[0078] Meanwhile, when calculating the environmental deviation component representing habit drift, the system uses the relative entropy algorithm to calculate the information divergence difference between the real-time feature probability distribution and the normal baseline probability distribution within the model. The larger this value, the more serious the deviation of the current operator's network environment or work-rest time from daily habits. After obtaining these two key numerical scalars, the system uses a spatial vector synthesis algebraic model in the Cartesian coordinate system to construct a virtual two-dimensional orthogonal feature representation space in the system memory. The system forcibly projects the structural deviation component representing core business logic as the horizontal axis coordinate and the environmental deviation component representing surface behavior fluctuations as the vertical axis coordinate, and calculates and synthesizes a single micro-deviation vector that includes both the absolute length of the deviation (module length) and the physical direction of the deviation type (direction angle), thereby completely realizing the orthogonal decoupling of core business overreach and ordinary environmental fluctuations at the mathematical model level.
[0079] To address long-term, low-frequency, latent poisoning hidden within massive amounts of legitimate requests, the system utilizes a vector space geometric algebra model and a nonlinear dynamic time series amplification algorithm to achieve behavioral evolution and tracking exposure. The specific data analysis steps are as follows: First, the system uses the vector inner product formula to calculate the cosine similarity of the pointing angles of single micro-deviation vectors within two adjacent time windows in the historical queue. Then, it uses a statistical variance model to calculate the dispersion of this cosine similarity sequence over a continuous period. If the variance is extremely small and the cosine value continuously approaches one, the model determines that the target object is making highly regular, repeated, and minute probes in the same vulnerability direction. When the high consistency condition in this direction is met, the system activates the core operational nonlinear amplification function. This function is a nonlinear exponential surge model with a natural constant or a preset hyperparameter greater than one as the base and the continuous time period of the probe or the same-direction synergy coefficient as the exponent.
[0080] Regarding the parallel induction and the calculation of the relative topological divergence of the final graph structure in the shadow operation compliance baseline model, the system relies on digital twin isolation technology and symmetric distribution divergence measurement model in the field of artificial intelligence. Specifically, when the evolution result triggers a high-risk alarm, the system directly calls a deep copy instruction in the sandbox security domain of memory to completely copy all network topology, node characteristics, and weight matrix parameters of the master control initial operation compliance baseline model at the precise millisecond moment of alarm triggering, instantiating it into an independently running shadow operation compliance baseline model object. During subsequent disguised traffic redirection, the frozen and protected initial operation compliance baseline model maintains an absolutely static probability distribution, while the shadow operation compliance baseline model continuously absorbs illegal probing traffic and undergoes internal parameter weight variation shifts. The system analysis engine uses the symmetric distribution divergence measurement model to continuously collect the feature probability output distribution of the two parallel twin models for the same business node and calculates the Jensen-Shannon divergence value between the two distribution forms. Compared with the traditional relative entropy, this algorithm has symmetry and numerical smoothness, and is particularly suitable for evaluating the overall structural differences between two complex models that were originally from the same source but subsequently diverged in evolution path.
[0081] Example 2: An intelligent monitoring system for operational compliance based on behavioral evolution (see [link]). Figure 1 As shown, it includes:
[0082] The operation benchmark analysis module includes a benchmark construction unit and a deviation analysis unit. The benchmark construction unit is used to obtain the underlying operation configuration data in the target business system and parse the underlying operation configuration data to obtain the initial operation compliance baseline model.
[0083] The deviation analysis unit is used to obtain the real-time process operation sequence of the target operation object within the current time window; calculate the single micro deviation vector of the real-time process operation sequence relative to the initial operation compliance baseline model; record all single micro deviation vectors of the target operation object within multiple consecutive time windows; and perform operation deviation evolution based on all single micro deviation vectors to obtain the target operation deviation evolution result.
[0084] The operation compliance judgment module includes a compliance judgment unit. This unit differentiates and judges based on the evolution results of the target operation deviation. If the evolution results meet the operational compliance safety range, it is determined to be a normal operational behavior drift, and the real-time process operation sequence is extracted to update the weights of the initial operation compliance baseline model. If the evolution results do not meet the operational compliance safety range, a shadow operation compliance baseline model is constructed based on the initial operation compliance baseline model. Based on the shadow operation compliance baseline model, non-compliant operations are blocked on the target operation object, completing intelligent monitoring of the operational compliance of the target business system.
[0085] It should be understood that those skilled in the art can make improvements or modifications based on the above description, and all such improvements and modifications should fall within the protection scope of the appended claims. Parts not described in detail in this specification are prior art known to those skilled in the art.
Claims
1. A method for intelligent monitoring of operational compliance based on behavioral evolution, characterized in that, Includes the following steps: In the target business system, obtain the underlying operation configuration data; parse the underlying operation configuration data to obtain the initial operation compliance baseline model; Obtain the real-time process operation sequence of the target operation object within the current time window; calculate the single micro deviation vector of the real-time process operation sequence relative to the initial operation compliance baseline model; record all single micro deviation vectors of the target operation object within multiple consecutive time windows; perform operation deviation evolution based on all single micro deviation vectors to obtain the target operation deviation evolution result; Differentiation judgment is made based on the evolution results of the target operation deviation. If the evolution results of the target operation deviation meet the operational compliance and safety range, it is judged as normal operation behavior drift. The real-time process operation sequence is extracted and the weight of the initial operation compliance baseline model is updated. If the evolution result of the target operation deviation does not meet the operational compliance and safety range, a shadow operation compliance baseline model is constructed based on the initial operation compliance baseline model; non-compliant operation blocking operations are performed on the target operation object according to the shadow operation compliance baseline model to complete the intelligent monitoring of the operation compliance of the target business system; The specific steps for parsing the underlying operational configuration data to obtain the initial operational compliance baseline model include: Extract the operation compliance prerequisite dependencies from the underlying configuration data of the operation using a syntax tree; construct a static rule topology graph of the operation based on the operation compliance prerequisite dependencies; Obtain compliance behavior operation logs of the target business system within a preset historical period; extract historical compliance execution trajectories from the compliance behavior operation logs; extract operation compliance execution links from the historical compliance execution trajectories; calculate the operation call probability and operation transfer probability in different operation compliance execution links; construct a dynamic execution path graph based on the operation call probability and operation transfer probability. Pruning operations are performed on the dynamic execution path graph based on the static rule topology graph to obtain the causal topology graph of operations; overlapping nodes and overlapping valid edges are extracted from the static rule topology graph and the dynamic execution path graph; temporal topological features of the causal topology graph of operations are extracted; and an initial operation compliance baseline model is trained based on the overlapping nodes, overlapping valid edges and temporal topological features. The specific steps for calculating the single-step micro-deviation vector of the real-time process operation sequence relative to the initial operation compliance baseline model include: The real-time process operation sequence is mapped into the initial operation compliance baseline model to obtain the real-time process operation subgraph; features are extracted from the real-time process operation sequence to obtain the process operation operation features. The topological differences between the real-time process operation subgraph and the operation causal topology graph are calculated. The structural deviation component is calculated based on illegal edges or unauthorized jump nodes that exist in the real-time process operation subgraph but not in the operation causal topology graph. The operation probability distribution divergence between the process operation operation characteristics and the initial operation compliance baseline model is calculated as the environmental deviation component. The structural deviation component and the environmental deviation component are orthogonally mapped and concatenated in the feature representation space to obtain a single micro deviation vector; where the magnitude of the single micro deviation vector is used to represent the overall deviation magnitude of the real-time process operation sequence; the pointing angle of the single micro deviation vector in the feature representation space represents the deviation type of the operation behavior of the real-time process operation sequence. The specific steps for evolving operational bias based on all single micro-bias vectors include: Extract the pointing angle of the single micro deviation vector in the feature representation space of adjacent time windows and calculate it to obtain the cosine similarity of the angle between adjacent single micro deviation vectors; calculate the dispersion of all cosine similarities of the angle within a continuous time window to obtain the target behavior evolution operation coefficients. A nonlinear amplification function is constructed based on the operational coefficients of the target behavior evolution; the magnitude of each single micro deviation vector is extracted as the single deviation penalty base in each time window; all single deviation penalty bases are substituted into the operational nonlinear amplification function for sequential accumulation operation to obtain the target operational deviation evolution result; The specific steps for blocking non-compliant operations of the target object based on the shadow operation compliance baseline model include: Redirect the subsequent real-time process operation sequence of the target operation object to the shadow operation compliance baseline model for operation compliance judgment: return the disguised compliant operation instruction generated based on the shadow operation compliance baseline model to the target operation object; record the graph topology variation trajectory of the subsequent real-time process operation sequence of the target operation object within the shadow operation compliance baseline model; Within a preset continuous time period, the relative topological divergence of the graph structure between the shadow operational compliance baseline model and the initial operational compliance baseline model is continuously calculated. When the relative topological divergence of the graph structure reaches a preset high-risk operation compliance threshold, the complete mutation trajectory of the operation corresponding to the target operation object in the shadow operation compliance baseline model is extracted; the operation non-compliance blocking operation is performed on the target operation object according to the complete mutation trajectory of the operation, and the specific steps of substituting all single deviation penalty bases into the operation nonlinear amplification function for sequence accumulation operation include: when the evolutionary coordination coefficient meets the preset directional consistency condition, the single deviation penalty base is exponentially amplified and then the sequence accumulation operation is performed; when the evolutionary coordination coefficient meets the preset random fluctuation condition, the single deviation penalty base is linearly amplified and then the sequence accumulation operation is performed.
2. An intelligent monitoring system for operational compliance based on behavioral evolution, characterized in that, It is used to implement the intelligent monitoring method for operational compliance based on behavioral evolution as described in claim 1, comprising: The benchmark analysis module includes a benchmark construction unit and a deviation analysis unit; The baseline construction unit is used to obtain the underlying operation configuration data in the target business system, parse the underlying operation configuration data, and obtain the initial operation compliance baseline model. The deviation analysis unit is used to obtain the real-time process operation sequence of the target operation object within the current time window, calculate the single micro deviation vector of the real-time process operation sequence relative to the initial operation compliance baseline model, record all single micro deviation vectors of the target operation object within multiple consecutive time windows, and perform operation deviation evolution based on all single micro deviation vectors to obtain the target operation deviation evolution result. The operation compliance judgment module includes a compliance judgment unit. The compliance judgment unit is used to differentiate and judge based on the evolution result of the target operation deviation. If the evolution result of the target operation deviation meets the operation compliance safety range, it is judged as normal operation behavior drift. The real-time process operation sequence is extracted and the weight of the initial operation compliance baseline model is updated. If the evolution result of the target operation deviation does not meet the operation compliance safety range, a shadow operation compliance baseline model is constructed based on the initial operation compliance baseline model. According to the shadow operation compliance baseline model, the non-compliant operation blocking operation is performed on the target operation object, thus completing the intelligent monitoring of the operation compliance of the target business system.