Data detection method and related device

By constructing event sequences and calculating perturbation indices, the accuracy and sensitivity issues of data leakage detection in multi-channel information transmission environments were resolved, enabling the discovery of hidden information and ensuring information security.

CN121864504BActive Publication Date: 2026-07-07BOE TECHNOLOGY GROUP CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
BOE TECHNOLOGY GROUP CO LTD
Filing Date
2026-03-19
Publication Date
2026-07-07

Smart Images

  • Figure CN121864504B_ABST
    Figure CN121864504B_ABST
Patent Text Reader

Abstract

The present disclosure provides a data detection method and related equipment. The method comprises: in response to detecting outgoing information, collecting transmission data corresponding to the outgoing information; based on the transmission data, constructing an event sequence; based on the event sequence, performing session reconstruction and object extraction to obtain a set of to-be-inspected carriers; calculating a perturbation index of each to-be-inspected carrier in the set of to-be-inspected carriers; and based on the perturbation index, generating a data detection result.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to the field of computer technology, and in particular to a data detection method and related equipment. Background Technology

[0002] With the popularization of enterprise cloudification, mobilization and collaborative office, data flows in parallel and multi-path ways among terminal devices, enterprise networks, public Internet, various cloud services and third-party collaboration platforms, and information transmission exhibits the characteristics of strong concurrency, strong heterogeneity and strong elasticity.

[0003] In related technologies, boundary-centric protection systems are gradually weakening. Data entry and exit points have expanded from single gateways to various forms such as browsers, client applications, object storage, email and instant messaging, and message queues, forming a typical multi-channel transmission pattern. In this environment, data leakage is no longer just a one-time high-volume transmission, but more often exhibits fragmented, cross-media, and cross-platform continuous behavior, placing higher demands on data detection technologies. Summary of the Invention

[0004] This disclosure proposes a data detection method and related equipment to solve or partially solve the above-mentioned problems to a certain extent.

[0005] In a first aspect, this disclosure provides a data detection method, comprising:

[0006] In response to the detection of outgoing information, the transmission data corresponding to the outgoing information is collected;

[0007] Based on the transmitted data, an event sequence is constructed;

[0008] Based on the event sequence, session reconstruction and object extraction are performed to obtain a set of carriers to be inspected;

[0009] Calculate the perturbation index of each carrier in the set of carriers to be inspected;

[0010] Based on the aforementioned perturbation index, data detection results are generated.

[0011] A second aspect of this disclosure provides a computer device including one or more processors, a memory, and one or more programs, wherein the one or more programs are stored in the memory and executed by the one or more processors, and the one or more programs include instructions for performing the method of the first aspect.

[0012] A third aspect of this disclosure provides a non-volatile computer-readable storage medium comprising a computer program that, when executed by one or more processors, causes the one or more processors to perform the method described in the first aspect.

[0013] A fourth aspect of this disclosure provides a computer program product comprising one or more computer programs that, when executed by one or more processors, implement the method described in the first aspect.

[0014] The data detection method and related equipment provided in this disclosure construct an event sequence from the transmitted data, and then perform session reconstruction and object extraction based on the event sequence to obtain the carrier to be inspected. Next, a perturbation index is calculated on the carrier to be inspected, so that the data can be detected based on the perturbation index. This can discover hidden information in the data to a certain extent and ensure information security. Attached Figure Description

[0015] To more clearly illustrate the technical solutions in this disclosure or related technologies, the accompanying drawings used in the description of the embodiments or related technologies will be briefly introduced below. Obviously, the accompanying drawings described below are only embodiments of this disclosure. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0016] Figure 1 A schematic diagram of an exemplary system provided by an embodiment of this disclosure is shown.

[0017] Figure 2 A flowchart illustrating an exemplary data detection method provided in an embodiment of this disclosure is shown.

[0018] Figure 3 A schematic diagram of the hardware structure of an exemplary computer device provided in an embodiment of this disclosure is shown. Detailed Implementation

[0019] To make the objectives, technical solutions, and advantages of this disclosure clearer, the following detailed description is provided in conjunction with specific embodiments and the accompanying drawings.

[0020] It should be noted that, unless otherwise defined, the technical or scientific terms used in the embodiments of this disclosure should have the ordinary meaning understood by one of ordinary skill in the art to which this disclosure pertains. The terms "first," "second," and similar terms used in the embodiments of this disclosure do not indicate any order, quantity, or importance, but are merely used to distinguish different components. Terms such as "comprising" or "including" mean that the element or object preceding the word encompasses the elements or objects listed following the word and their equivalents, without excluding other elements or objects. Terms such as "connected" or "linked" are not limited to physical or mechanical connections, but can include electrical connections, whether direct or indirect. Terms such as "upper," "lower," "left," and "right" are used only to indicate relative positional relationships; when the absolute position of the described object changes, the relative positional relationship may also change accordingly.

[0021] It is understood that before using the technical solutions of the various embodiments in this disclosure, users will be informed of the type, scope of use, and usage scenarios of the personal information involved in an appropriate manner, and user authorization will be obtained.

[0022] For example, upon receiving a user's active request, a prompt message is sent to the user to explicitly inform them that the requested operation will require the acquisition and use of the user's personal information. This allows the user to independently choose, based on the prompt message, whether to provide personal information to the software or hardware such as electronic devices, applications, servers, or storage media performing the operations of this disclosed technical solution.

[0023] As an optional but not limited implementation, in response to a user's active request, sending a prompt message to the user can be done via a pop-up window, where the prompt message can be presented in text format. Furthermore, the pop-up window can also include a selection control allowing the user to choose "agree" or "disagree" to provide personal information to the electronic device.

[0024] It is understood that the above notification and user authorization process are merely illustrative and do not constitute a limitation on the implementation of this disclosure. Other methods that comply with relevant laws and regulations may also be applied to the implementation of this disclosure.

[0025] Figure 1 A schematic diagram of an exemplary system 100 provided in this disclosure embodiment is shown. This exemplary system 100 may include a terminal device 110, a server 130, and a data detection device 160. Optionally, software and / or an application 120 (hereinafter referred to as application 120) may be installed on the terminal device 110. A user 140 may interact with the application 120 via the terminal device 110 and / or an attachment device to the terminal device 110.

[0026] In some embodiments, application 120 may be downloaded and installed on terminal device 110. In some embodiments, application 120 may also be accessed in other ways, such as via a web page. Figure 1 In system 100, in response to application 120 being launched, terminal device 110 can display the interface of application 120.

[0027] In some embodiments, terminal device 110 can communicate with server 130 through network 150 to provide services to application 120. Network 150 can be a wired network or a wireless network. In some cases, intermediate devices or network nodes such as routers and switches can be further configured in network 150, and terminal device 110 communicates with server 130 through these intermediate devices or network nodes, which can also be considered as communicating through network 150.

[0028] Terminal device 110 can be any type of mobile terminal, fixed terminal, or portable terminal, including mobile phones, desktop computers, laptop computers, notebook computers, netbook computers, tablet computers, media computers, multimedia tablets, personal communication system (PCS) devices, personal navigation devices, personal digital assistants (PDAs), audio / video players, digital cameras / camcorders, television receivers, radio receivers, e-book devices, gaming devices, or any combination thereof, including accessories and peripherals of these devices or any combination thereof. In some embodiments, terminal device 110 can also support any type of user-facing interface (such as "wearable" circuitry). Application 120 can be various types of computing systems / servers capable of providing computing power, including but not limited to mainframes, edge computing nodes, computing devices in cloud environments, etc. Server 130 can be a server providing various services, such as a backend server supporting various applications or software displayed on terminal device 110. Server 130 here can be hardware or software. When it is hardware, it can be implemented as a distributed server cluster consisting of multiple servers or as a single server. When these are software applications, they can be implemented as multiple software programs or software modules (e.g., to provide distributed services) or as a single software program or software module. No specific limitations are made here.

[0029] In some cases, the data detection device 160 can be independent of the terminal device 110 and the server 130. In other cases, if the terminal device 110 and / or the server 130 have data detection capabilities, the data detection device 160 can be integrated with the terminal device 110 and / or the server 130.

[0030] It should be understood that the structure and function of the various elements in system 100 are described for illustrative purposes only and do not imply any limitation on the scope of this disclosure.

[0031] In some exemplary scenarios, the data detection device 160 can collect transmitted data in the system 100 to perform data detection, which can be used to detect data leakage. However, the inventors of this disclosure have found that in related technologies, data detection is usually based on the plaintext characteristics of the transmitted data, which leads to inaccurate detection results and situations such as false alarms and missed alarms.

[0032] Furthermore, data breach prevention products typically rely on static rules, keyword matching, file hash fingerprinting, or simple transmission rate thresholds. While these methods can cover some high-determinism scenarios within an organization, they lack sufficient visibility when facing end-to-end encryption, application-native encryption, and proprietary encapsulation. They often rely on limited side information for inference, making it difficult to balance sensitivity and accuracy. On the other hand, daily operations involve numerous screenshots, scans, exports, and subsequent re-transmissions, as well as format conversions or incremental saving using image, audio, and document containers. These changes significantly weaken detection capabilities based on plaintext features and single-structure assumptions, leading to both false positives and false negatives. In addition, attackers or violators may use low-speed, small-fragment, cross-time-window, and cross-channel distribution methods to circumvent peak values ​​and single-channel thresholds, accumulating transmissions over long time scales, further increasing the difficulty of detection.

[0033] In summary, the core challenge of data leakage detection in multi-channel information transmission environments is not a single algorithm problem, but rather a combination of factors such as collection visibility, time and semantic alignment, container and structural layer change adaptation, cross-channel correlation, and strategy coordination. Systematic improvements in these fundamental capabilities are urgently needed.

[0034] In view of this, a first aspect of the present disclosure provides a data detection method that can solve or partially solve the above-mentioned problems to a certain extent.

[0035] Figure 2 A flowchart illustrating an exemplary data detection method 200 provided in an embodiment of this disclosure is shown. This data detection method 200 can be used to detect data leaks. Optionally, this data detection method 200 can be... Figure 1 Data detection equipment 160 can be implemented, or it can be carried out by Figure 1 The entities in System 100 implement the system together through interaction.

[0036] like Figure 2 As shown, the data detection method 200 may further include the following steps.

[0037] In step 202, in response to the detection of outgoing information, the transmission data corresponding to the outgoing information is collected.

[0038] In some cases, the outgoing information can refer to data or information sent from an organization's or individual's internal network, internal system, or internal device to an external network, external system, or third party. In this step, the outgoing information can be outgoing information detected in system 100, for example, by... Figure 1 The terminal device 110 sends information to the outside through the network 150.

[0039] In this step, when outgoing information is detected in system 100, the transmission data corresponding to the outgoing information can be collected.

[0040] Optionally, data collection can be initiated based on outgoing information as the trigger point. The collection operation can correspond to an extended time window, configured around the discovery time of the outgoing information (e.g., the time when the outgoing information is detected), and typically can be a continuous time period. During data collection, end-side and network-side data that are consistent with the outgoing information in terms of subject, device, and time can be collected within this extended time window. Optionally, the extended time window can be configured as needed.

[0041] The "subject" can refer to the entity corresponding to the outgoing information, such as the initiator of the outgoing information. The subject can typically be identified through identity authentication information, such as a login account, a user bound to an IP address, or an application permission holder. For example, if the outgoing information is initiated by user 140, then the subject corresponding to the outgoing information can be user 140's account. The "device" can refer to the device used to send the outgoing information. The device can be identified through hardware identifiers, such as MAC address, IP address, device ID, etc., and acts as the source or destination node of data packets during communication. For example, if user 140 uses terminal device 110 to send the outgoing information, then the device corresponding to the outgoing information can be terminal device 110. The "end-side transmitted data" can refer to transmitted data collected at the end, such as transmitted data collected from the terminal device 110. The "network-side transmitted data" can refer to transmitted data collected at the network side, such as transmitted data collected from the network 150.

[0042] In some cases, the above-mentioned data collection operation can be based on the subject identifier and device identifier corresponding to the outgoing information. Within the extended time window, the end-side transmission data and network-side transmission data are retrieved and aggregated (i.e., transmission data matching the subject identifier and device identifier are retrieved and aggregated into a data set), thereby obtaining end-side transmission data and network-side transmission data that are consistent with the outgoing information in terms of subject, device, and time. Since the retrieval of transmission data is completed within the extended time window, the current outgoing information can be included in the collection scope simultaneously with the necessary context events such as preparation, transmission, and acknowledgment (included in the end-side transmission data and network-side transmission data), thereby forming the transmission data set corresponding to the current outgoing information. Optionally, the subject identifier and device identifier can be obtained based on a pre-built subject list. For example, based on the device and / or subject corresponding to the outgoing information, the corresponding entries are matched from the subject list to determine the subject identifier and device identifier corresponding to the outgoing information.

[0043] In this way, by collecting a set of transmission data that is interpretably associated with the current outgoing information in terms of subject, device, and timing context, rather than just collecting a single piece of current outgoing information, subsequent processing steps can complete the outgoing link restoration and detection judgment under the condition of complete evidence.

[0044] In step 204, an event sequence is constructed based on the transmitted data.

[0045] In this step, events can be extracted from the transmitted data, and then the event sequence can be constructed based on the events.

[0046] In some cases, an event can refer to a discrete notification that does not maintain its own state. Once the publisher sends an event, it doesn't care how the receiver processes it. Events typically include information about "what happened," such as event type, timestamp, and associated IDs (e.g., subject identifier, device identifier).

[0047] In step 206, session reconstruction and object extraction are performed based on the event sequence to obtain a set of carriers to be inspected.

[0048] In this step, the session can be reconstructed based on the event sequence to obtain session fragments, and then object entities can be extracted from the session fragments as carriers to be inspected.

[0049] In this context, a session fragment can refer to a segment that possesses session characteristics. A session can refer to a continuous, stateful interaction process, typically beginning with the establishment of a connection and ending with its termination. It focuses on a collection of related requests and responses between communicating parties to maintain context and state. An object entity can refer to an entity of an object, which can be a complete object or a part of an object.

[0050] In step 208, the perturbation index of each carrier in the set of carriers to be inspected is calculated.

[0051] In some cases, data leaks are not transmitted in plaintext. For example, one way data leaks can be through steganography, where information is hidden in seemingly normal images, documents, audio, or other media, making it difficult to detect using content-level detection methods (such as keyword-based detection or optical character recognition (OCR)).

[0052] Therefore, in this step, by calculating the perturbation index of the carrier under test, the hidden information can be filtered out using the perturbation index. Thus, the perturbation index can be understood as the index corresponding to the hidden information of small parameters concealed within the carrier under test.

[0053] In step 210, data detection results are generated based on the perturbation index.

[0054] In this step, after obtaining the perturbation index of the carrier to be inspected, data leakage can be detected based on the perturbation index, and then data detection results can be generated.

[0055] As can be seen from the above embodiments, the data detection method provided in this disclosure constructs an event sequence from the transmitted data, then performs session reconstruction and object extraction based on the event sequence to obtain the carrier to be inspected, and then calculates a perturbation index on the carrier to be inspected. Thus, the data can be detected based on the perturbation index, which can discover hidden information in the data to a certain extent and ensure information security.

[0056] In some cases, method 200 may further include a preprocessing step to prepare for subsequent steps. These preprocessing steps may or may not be real-time. It is understood that when the preprocessing step is a non-real-time step, the real-time processing efficiency of method 200 can be improved.

[0057] In some embodiments, the method 200 may further include the following steps:

[0058] In step 220, a main entity list and a transmission channel list are established.

[0059] In this step, the Subject List can be a list of subjects constructed with unique subject identifiers. It can be used for retrieval (e.g., retrieval in the aforementioned data collection and transmission step) and adjudication from a subject perspective. Because the Subject List is constructed based on unique subject identifiers, it ensures consistent mapping for the same operator across multiple namespaces, thereby allowing the merging of data or information belonging to the same subject while reducing the risk of mistakenly merging data or information belonging to different subjects. In some cases, the Subject List can serve as the basis for "associating events by subject" or "determining compliance by subject."

[0060] A transport channel list can be a set of valid transport channels that are consistent with the actual network state, ensuring that subsequent policy matching and parsing execution are based on a trusted boundary. Here, a transport channel can refer to a transmission path or a transmission medium, also known as a channel. For example, wired transmission media can be twisted-pair cables, optical fibers, etc., while wireless transmission media can be radio waves, microwaves, etc.

[0061] In some embodiments, step 220 of establishing the subject list and the transmission channel list may further include the following steps:

[0062] In step 2202, multi-source data is acquired.

[0063] In this step, the multi-source data can be historical transmission data in system 100, which can be obtained by acquiring historical records. It is understood that the multi-source data can refer to data from multiple sources, such as data obtained from identity, terminal, and security agents.

[0064] In step 2204, the subjects are merged based on the device identifiers in the multi-source data, and subject identifiers are assigned to the merged subjects.

[0065] In this step, the main body can be deduplicated based on multi-source data, thereby unifying the main bodies with different forms of expression (e.g., different names) in different data.

[0066] Optionally, this step can use a device identifier with cross-system stability as the merging anchor to aggregate multi-source data based on temporal continuity and session boundaries (e.g., the start and end points of a session). This allows for the merging of entities with different representations from the multi-source data through aggregation, and then a unique entity identifier is assigned. In this way, physical or system fingerprints (device identifiers) ensure consistent mapping of the same operator across multiple namespaces, and "device × session" segmentation reduces the risk of erroneous merging under common terminal or multi-session conditions. The unique entity identifier can serve as an index for the entity list, used for entity-level retrieval.

[0067] In step 2206, based on the multi-source data, the metadata corresponding to the subject identifier is extracted, and the subject list is generated based on the metadata and the subject identifier.

[0068] In this step, the relevant basic attributes of the entity corresponding to the entity identifier can be extracted from the multi-source data corresponding to the entity identifier as the metadata of the entity. Then, the metadata and the corresponding entity identifier are combined as entries in the entity list for retrieval. The metadata may include basic attributes such as organizational affiliation, job position, and commonly used equipment corresponding to the entity (or its entity identifier). Optionally, different expressions of the entity corresponding to the entity identifier (e.g., different names) can also be added as metadata to the entries corresponding to the entity identifier to facilitate retrieval.

[0069] In some embodiments, step 220 of establishing the subject list and the transmission channel list may further include the following steps:

[0070] In step 2208, based on the multi-source data, multiple transmission channels in system 100 are determined.

[0071] In this step, multiple transmission channels that have been used or existed in system 100 can be determined based on the transmission channels (data transmission channels) corresponding to the multi-source data.

[0072] In step 2210, the plurality of transmission channels are verified, and the transmission channels that pass the verification are formed into the transmission channel list.

[0073] In this step, invalid or failed channels can be removed by verifying the transmission channels, so that the channel list only records all valid information transmission channels, ensuring that the system monitors only compliant channels.

[0074] Optionally, transmission channels can be verified through a three-way cross-validation of the transmission channel configuration list, actual traffic, and audit events. This process can eliminate invalid or failed channels and construct a set of valid channels that reflects the actual network state. For example, transmission channels that exist only in the transmission channel configuration list but lack observational evidence (i.e., no actual traffic) are deemed invalid; transmission channels that exist only in the observational evidence but are not registered (i.e., no audit events) can be marked as shadow channels and added to the transmission channel list for subsequent governance processes.

[0075] Optionally, after obtaining each transmission channel in the transmission channel list, metadata can be supplemented for these transmission channels based on the multi-source data. For example, information such as the source domain (sender), destination domain (receiver), protocol family (each available transmission protocol of the transmission channel), encryption and authentication methods, and visibility level (the level of observability and transparency of the transmission channel) can be supplemented for each transmission channel, so that subsequent policy matching and parsing execution are based on trusted boundaries.

[0076] In this context, the source domain or sender can refer to the place where the information is sent, i.e., the "source" of the information transmission. For example, the original producer or sender of the information can also be called the information source. Examples include a computer sending data, a mobile phone making a call, or a sensor. The information source generates the data to be transmitted and converts it into a signal suitable for transmission through the transmission channel via a transmitter.

[0077] The destination or receiver can refer to the endpoint of information transmission, that is, the "purpose" of information transmission, such as the recipient of the information or the final destination, and can also be called the sink. Examples include a server receiving emails, another mobile phone answering a call, or a browser displaying a webpage. The sink uses the receiver to restore the received signal into understandable information.

[0078] In computer networks, this can be further refined:

[0079] Sender: Includes the information source and transmitter, responsible for generating data and performing encoding, modulation, and other processing;

[0080] The receiver: includes the receiver and the sink, and is responsible for decoding, demodulating and ultimately using the information.

[0081] Further, in step 222, based on the main entity list and the transmission channel list, an allowed flow matrix from the sender to the receiver is constructed, and priority information is configured in the allowed flow matrix to generate allowed flow rules.

[0082] This step can be used to govern the permitted flow of information. In this step, compliance requirements are formalized as a multi-dimensional mapping space consisting of "subject, sender, receiver, transmission channel type, and data / carrier category," and a permitted flow matrix is ​​constructed and instantiated into executable permitted flow rules. This permitted flow matrix uses permitted, restricted, and prohibited as the basic values ​​for priority information. Optionally, the priority information can be set according to the restriction strength of the permitted flow rule, the scope of application of the permitted flow rule, and the risk level of the permitted flow rule, and can be adjusted according to different actual situations. The priority order from high to low is: permitted > restricted > prohibited.

[0083] In subsequent embodiments, the allowed flow matrix can be used to match allowed flow rules. During matching, when multiple allowed flow rules are matched simultaneously, the allowed flow rule with the highest priority can be selected as the allowed flow rule with the highest matching degree based on the priority information corresponding to the multiple allowed flow rules. Optionally, after determining the allowed flow rule with the highest matching degree, an exception number can be used to identify the temporary authorization of the allowed flow rule with the highest matching degree, and the version and effective time of the applicable allowed flow rule can be fixed. In this way, by introducing priority and exception number to resolve conflicts and temporary authorization, and by freezing the version and effective range, it is ensured that the judgment criteria are consistent and the results are traceable. The judgment criteria are consistent, which means that for input conditions with the same subject scope, source domain, destination domain, transmission channel type and carrier type, the same set of rule matching and conflict resolution standards are always used to make the same kind of decision; the results are traceable, which means that each decision result of allowing, restricting or prohibiting can be traced back to its corresponding rule number, version number, exception number, effective range and the source of the input field.

[0084] The allowed flow matrix can be implemented as a directed domain-to-domain decision table: rows represent the source domain (sender), columns represent the destination domain (receiver), and each cell stores priority information for that transmission direction. Based on this, the allowed flow matrix can be a multi-dimensional rule structure with "source domain → destination domain" as the main axis, superimposed with conditions such as subject scope (which can correspond to one or more subjects) and transmission channel type. It can be considered that a rule submatrix corresponding to a certain subject scope and a certain channel type includes multiple allowed flow rules for each sender-to-receiver transmission direction. Thus, for each transmission direction (each pair of senders and receivers), combined with the corresponding subject and transmission channel type, an allowed flow rule can be obtained, that is, a compliant transmission constraint with the dimension of "subject - source domain (sender) - destination domain (receiver) - transmission channel type".

[0085] In some embodiments, the preprocessing step may further include: setting a parsing strategy and a parsing template for the carrier to be inspected. The parsing strategy guides the parsing operation of the carrier to be inspected, and the parsing template is used to perform the parsing operation. The parsing template can be a template generated based on the parsing strategy, and can be further formed into a template library for obtaining a suitable parsing template to perform the corresponding parsing operation when needed.

[0086] Optionally, the parsing strategy can be set based on the list of transmission channels and carrier types, combined with compliance constraints. This parsing strategy can include the parsing location, parsing depth, and parsing steps for different transmission channels and different types of carriers to be inspected. In some cases, the parsing strategy can also include a fallback path after parsing failure for different transmission channels and different types of carriers to be inspected. The parsing template can correspond to the specific execution method of the parsing operation for different types of carriers to be inspected. Here, compliance constraints are a set of external rules and boundary conditions. The system "projects" these constraints into executable strategy parameters, thereby determining the parsing location, parsing depth, parsing steps (as well as the parsing output range, retention method, audit granularity, fallback path, etc.). In other words, the parsing location, parsing depth, and parsing steps are execution-level options, and compliance constraints are the basis and limitations for selecting these options.

[0087] Optionally, the parsing strategy follows the principle of "prioritizing proximity to plaintext and minimizing data," binding parsing locations, depths, and steps to different transmission channels and carriers, and defining fallback paths for failures. For example, when the endpoint is reachable, parsing is completed at the endpoint, and only metrics and fingerprints are output. Metrics can refer to structured metrics used for subsequent detection and judgment, such as container echo, incremental vine length, phase echo metric and its normalized score, structural markers, and quality labels obtained in subsequent embodiments. Fingerprints can refer to stable identifier summaries used for object identification, deduplication, cross-channel association, and audit traceability, such as unique identifiers generated based on one or more combinations of object entity hash values, session fragment hash values, structural information summaries, summaries of page view or frame view features, and object clues. Alternatively, when the endpoint is unreachable or restricted by encryption (resulting in plaintext invisibility), a fallback to the network side (e.g., gateway or cloud side) is used to approximate the measurement with structural and statistical features. Specifically, in this scenario, when the endpoint is unreachable or the plaintext is not visible, the content itself is not parsed directly. Instead, observable encapsulation structure features (such as object size, fragment number, cross-references / frame boundaries, changes in the number of objects, etc.) and statistical features (such as length distribution, upload rhythm, bitrate stability, phase jump density, etc.) are used to approximate whether the carrier has abnormal embedded or hidden payloads.

[0088] Optionally, the parsing depth can be adaptively selected between fast, standard, and deep parsing based on resource availability and real-time requirements. Specifically, different parsing levels can be dynamically selected based on available computing power, memory availability, allowed processing time, and whether immediate blocking is required. Optionally, parsing levels can be divided into fast, standard, and deep levels. The fast level may perform only necessary basic structural checks to prioritize response speed; the standard level may complete routine structural parsing while balancing speed and accuracy; and the deep level may perform more comprehensive, fine-grained parsing when resources are sufficient and time requirements are lower, thus balancing real-time performance and detection effectiveness under different operating conditions.

[0089] Optionally, the parsing steps follow an ordered pipeline of decapsulation, structure extraction, and indicator generation, with visibility and quality labels recorded at each degradation stage. Specifically, the carrier under test is executed sequentially in a fixed order: first, the encapsulated structure is opened and restored (decapsulation); then, structural information such as page view or frame view, object graph, and cross-references is extracted (structure extraction); finally, based on this structural information, detection features such as container echo, incremental vine length, and phase hysteresis measure are calculated (indicator generation) to ensure stable processing and reproducible results. Optionally, when the system cannot execute the original parsing scheme due to unreachable endpoints, plaintext invisibility, missing data fragments, or insufficient resources, and can only use a lower level or approximate method, it can be considered that degradation processing has been adopted. At this time, the current observable range (visibility) and the resulting quality labels such as evidence completeness and parsing reliability can be recorded simultaneously for subsequent judgment to reduce confidence and support post-event review.

[0090] In some embodiments, step 204 of constructing an event sequence based on the transmitted data may further include the following steps:

[0091] In step 2042, the transmitted data is parsed to obtain multiple events.

[0092] The transmitted data can be the raw data of the information transmission channel. In this step, the raw data can be parsed to generate standard events with uniform fields. The standard event can be an event containing the same multiple fields, that is, the fields or necessary fields contained in each event are consistent. For example, if a standard event needs to contain fields A, B, and C, then each standard event needs to contain the field values ​​corresponding to fields A, B, and C.

[0093] It is understandable that the parsed events in this step can be the aforementioned standard events. The purpose of parsing the transmitted data to obtain standard events in this step is to eliminate the heterogeneity in field naming, value semantics, and granularity between different log sources of transmitted data.

[0094] Optionally, the field set of a standard event may include fields such as source identifier, subject identifier, device identifier, channel type, action type, object clue, and source time. For each standard event, the aforementioned field set needs to be padded. Generally, fields such as channel type, action type, object clue, and source time can be parsed from the transmission data corresponding to the event. The padding of the subject identifier and device identifier can be achieved using the aforementioned subject list. For example, based on the subject corresponding to the transmission data of the event, a search is performed in the subject list to obtain the corresponding unique subject identifier and device identifier, thereby reducing the missing and ambiguity caused by multiple namespaces. This standardization process provides a unified data semantics and a minimum complete field set for subsequent cross-source alignment.

[0095] In step 2044, time calibration parameters are determined based on the transmitted data.

[0096] In this step, within a preset time window, the time offset, time drift rate, and jitter amplitude can be estimated based on the source of the transmitted data to form the time calibration parameters corresponding to the transmitted data.

[0097] Among them, the time offset describes a fixed shift of time, addressing the issue of "how much earlier / later the overall time is"; the time drift rate describes a linearly changing speed difference over time, addressing the issue of "the difference increasing over time due to moving faster / slower"; and the jitter amplitude reflects short-term random disturbances, addressing the issue of "random fluctuations of being earlier / later in a short period of time." Since these correspond to three different time inconsistency phenomena, this embodiment uses these three parameters to obtain the time calibration parameters to ensure the accuracy of time calibration.

[0098] In this step, the time offset, time drift rate, and jitter amplitude of each source are estimated within a preset time window. This aims to characterize the systematic and random differences between the source times of different sources and the unified time reference. Parameter estimation can be viewed as a process of robust regression and variance evaluation on time pairs or anchored signals. The output is the effective calibration parameter for each source within the preset time window, labeled with confidence level and valid interval to limit the extrapolation of outdated or anomalous parameters.

[0099] In step 2046, based on the time calibration parameters and the source time corresponding to each event, a time field based on a unified time reference is generated for each event.

[0100] In this step, the source time of the transmitted data can be mapped to a unified time base and a unified time field can be generated based on the time calibration parameters of the source data. Accordingly, this time field based on the unified time base can be added to the event corresponding to the transmitted data, thereby enabling the event to be sorted on the unified time base.

[0101] Optionally, the mapping from the source time to the unified time base can be viewed in the model as an affine transformation superimposed with random disturbances. The affine transformation part is determined by the time offset and the time drift rate, while the random disturbances can be designed based on the jitter amplitude. The mapping process retains the source time and parameter version, realizing reversible traceability from the source time to the unified time, and binding the source of the transmitted data with the version number to ensure consistency for subsequent auditing and reproduction.

[0102] In step 2048, the multiple events are sorted based on the time field corresponding to each event to obtain the event sequence.

[0103] In this step, standard events with a uniform time field (based on a uniform time base) can be time-sorted within a configurable delay window, outputting a consistent and non-repeating sequence of events. The sorting is performed on a uniform time base to ensure global monotonicity, and the delay window is used to absorb out-of-order events caused by cross-network and buffering issues.

[0104] The configurable delay window refers to a waiting window that sorts and buffers standard events that have been collected and mapped to a unified time. It temporarily holds events arriving within a short period before outputting the event sequence, waiting for potentially late-arriving events to fill in before sorting and outputting them. The reason this delay window can absorb out-of-order events caused by network and buffering is that although events occur sequentially in their actual occurrence time, due to network transmission, batch log reporting, proxy caching, thread scheduling, etc., later-arriving events may arrive first, and earlier-arriving events may arrive later. Therefore, the system does not output events immediately upon arrival, but instead caches these events with a unified time field within a configurable short waiting interval (delay window). Events within the delay window are then reordered according to the unified time field, and only those events that are "old enough" and unlikely to be interrupted by earlier events are output. In this way, events that arrive late but have an earlier actual time can still be inserted back into the correct position in the event sequence as long as they arrive within the delay window, thus "absorbing" small-scale out-of-order events. If an event arrives later than the delay window, it can be marked as an out-of-window late event and processed according to the degradation strategy, without disrupting the global monotonicity of the already output sequence.

[0105] Optionally, idempotent deduplication can be performed on the sorted events. The deduplication operation first uses the hash value of the combination of the source identifier, the event key (a unique identifier for the event), and the object clue (explained later) as the idempotency key to find multiple events that are essentially the same event. Then, a field coverage priority retention strategy is applied (i.e., the more fields in the original information corresponding to an event that cover the standard event, the more likely that event is to be retained), thus completing the event deduplication. This eliminates duplicate entries caused by retransmissions and mirrored records.

[0106] After sorting and deduplication, this step outputs a sequence of events that is continuous and unique in time, meaning that the events are ordered in time and there are no repetitions.

[0107] In some embodiments, step 206, which involves reconstructing the session and extracting objects based on the event sequence to obtain a set of carriers to be inspected, may further include the following steps:

[0108] In step 2062, the events in the event sequence are classified according to the transmission channel and transmission protocol corresponding to each event in the event sequence to obtain at least one event set.

[0109] In this step, standard events in the event sequence can be categorized according to the information transmission channel and transmission protocol. The purpose is to obtain event sub-streams (event sets) with field semantics consistent with the state machine. Optionally, events with the same transmission channel and transmission protocol can be grouped into the same event set. For each categorized event set, the events within it have the same protocol semantics, directional attributes, and state transition rules (correspondingly, the event set can also be considered a normalized event sequence), thereby providing definite boundary conditions and segmentation criteria for subsequent session reconstruction.

[0110] In step 2064, for each event set, consecutive and causally related events in the event set are divided into session segments, and corresponding subject identifiers and device identifiers are bound to the session segments.

[0111] In this step, session reconstruction can be performed based on event sets. That is, events are segmented into session fragments according to transmission channels and transmission protocols, and then bound to specific subjects and devices.

[0112] Session reconstruction can refer to reorganizing discrete, potentially missing, and potentially out-of-order events into several session fragments within a standard event sequence on a unified timeline, based on constraints such as "channel / protocol semantics + connection / identity anchors + state machine closure + idle timeout," and further merging these session fragments into traceable session entities, ensuring that each session entity satisfies:

[0113] Ownership determination: Can be bound to a unique entity identifier and device identifier (or at least marked as "Pending confirmation");

[0114] Boundary determination: There is a session start point and / or session end point (or a definite time window boundary);

[0115] Semantic closure: Under the semantics of the corresponding transport protocol, the sequence of events satisfies minimum state closure (e.g., request-response, handshake-data-end, etc.).

[0116] Object carrying capacity: The session can reliably extract object clues (e.g., files, attachments, object entries, etc.) and supports the concatenation of object entities.

[0117] In other words, session reconstruction transforms event streams into session objects, providing a structured framework for subsequent object extraction, cross-channel concatenation, judgment, and reproduction.

[0118] In this step, the standard events in the event set can be divided into session fragments to obtain the initial session set.

[0119] Optionally, the event set can be segmented into sessions based on constraints such as the connection 5-tuple, application layer session identifier, and idle timeout, dividing continuous and causally related events into session segments. This process is equivalent to finding a locally maximally consistent subsequence in time and state space, ensuring that each session segment satisfies temporal monotonicity and protocol state closure (i.e., continuous and causally related). The connection 5-tuple can be a set consisting of source IP address, source port, destination IP address, destination port, and transport layer protocol, used to uniquely identify the network session.

[0120] Next, this step can also bind the session fragment to the corresponding subject and device based on the unique subject identifier and device identifier, forming a session fragment labeled with the subject identifier and device identifier.

[0121] Optionally, the binding operation uses a unique subject identifier and device identifier as anchors, combining the spatiotemporal consistency of login, tokens, certificates, and process context to assign session fragments to a single subject-device pair. Session fragments that do not meet consistency requirements can be marked as pending confirmation to avoid cross-subject crosstalk. This results in session fragments with both subject and device identifiers.

[0122] In step 2066, object clues are extracted from the session fragment.

[0123] In this step, for each session fragment with a subject identifier and a device identifier, information such as name indicators, type indicators, boundaries, and fragment numbers related to files, attachments, and object entries can be extracted from the session fragment as corresponding object clues, and an object clue table corresponding to the session fragment can be generated. Object clues are hints about the boundaries and syntax of files, attachments, or object entries, including name indicators, type indicators, length, and fragment numbers. Name indicators can be information indicating a name; this information is not necessarily the name itself, but the corresponding name can be identified based on this information. Similarly, type indicators can be information indicating a type; this information is not necessarily the type itself, but the corresponding type can be identified based on this information.

[0124] The essence of extracting object cues in this step is to identify object-level events from the transmission semantics and represent the composition and order relationship of objects with splicable fragment meta-information (object cues).

[0125] In step 2068, the object entity is obtained based on the object clues.

[0126] In this step, after obtaining object clues, object reorganization and extraction can be performed to obtain object entities.

[0127] Optionally, for each session segment with a subject identifier and a device identifier, the object entity can be obtained from its corresponding object clue table or object clue to obtain a draft of the object entity. This step generates the draft of the object entity through consistency verification and missing item annotation, and records the completeness and source context.

[0128] For object entities transmitted using fragmentation, chunking, and segmentation, they can be concatenated with other object entities transmitted using the same methods. Optionally, fragmentation, chunking, and segmentation can be concatenated in an ordered manner according to fragment sequence numbers and verification information. The fragment sequence number can be obtained by sorting based on the time field value of the event corresponding to the session fragment. Fragmentation is based on object-level splitting, chunking on transport-level splitting, and segmentation on protocol syntax-level splitting. In this step, it is necessary to distinguish between fragmentation, chunking, and segmentation for concatenation to ensure that usable object entities can still be recovered in a real-world environment with multiple layers of splitting.

[0129] Optionally, decapsulation processing can be performed on multi-part and nested encapsulated object entities. Multi-part and nested encapsulation are a type of data encapsulation. Multi-part encapsulation refers to a logical object in the same transmission being represented in multiple parallel parts under the same outer encapsulation layer. Each part has its own boundary markers, header information, or content segments. Examples include the multipart structure of emails or MIME extensions, and multiple content segments in form uploads. Nested encapsulation refers to an object being encapsulated within another object or another format shell, forming a hierarchical containment relationship. Examples include a compressed package containing a document, an email attachment containing a compressed file, or a document object embedding an image or additional file stream, etc. Specifically, for multi-part and nested encapsulated object entities, decapsulation can be performed using container syntax to restore the top-level object. Here, the container can refer to the encapsulation container of a multimedia / document carrier, typically a format shell layer that carries content and defines encoding, structure, index, and metadata.

[0130] In some embodiments, the extracted object entities can also be labeled with their corresponding carrier category and parsing depth.

[0131] Optionally, the corresponding carrier category and parsing depth can be determined based on the object entity's identifier and structure. The carrier category is determined by the magic number (the starting byte characteristic value of the file type identifier), header structure, object graph, or encoding parameters; the parsing depth is determined collaboratively by visibility, resource constraints, and compliance requirements. Specifically, the visibility level can be determined first by where the current object entity is visible and how much content can be viewed. Then, the resource tier can be determined based on the available computing power, memory availability, and allowed processing time. Next, compliance boundaries can be determined based on rules such as whether plaintext reading is allowed, whether out-of-domain parsing is allowed (parsing outside the destination domain), and whether only digests can be output. Finally, these three inputs are mapped to pre-configured parsing tier selection rules, outputting one of the following parsing depths: fast, standard, or deep.

[0132] In this way, when an object entity is obtained, each object entity can be labeled with a carrier category and parsing depth, which can serve as the basis for subsequent measurement and filtering execution plans.

[0133] In step 2070, a relationship graph is constructed based on the subject identifier, the device identifier, the session fragment, and the object entity.

[0134] In this step, a relationship graph containing these four types of entities and their relationships can be constructed based on the entities themselves: subject, device, session, and object. The nodes of the relationship graph consist of subjects, devices, sessions, and objects, corresponding to the subject identifier, device identifier, session fragment, and object entity, respectively. The edges of the relationship graph are constrained by time, causality, and attribution, reflecting bidirectional traceability between subject and device, subject and session, device and session, and session and object. As a unified query and reasoning carrier, the relationship graph supports cross-level associations and evidence playback at different granularities.

[0135] In step 2072, based on the relationship graph, object entities that meet preset conditions are selected as the carriers to be inspected, and the set of carriers to be inspected is obtained.

[0136] In this step, after obtaining the relationship graph, object entities can be filtered based on the relationship graph, and the filtered object entities that meet the preset conditions are used as the carriers to be inspected, so that subsequent steps can perform data detection based on the carriers to be inspected.

[0137] The set of carriers to be detected can refer to a subset of objects selected from the set of object nodes (nodes corresponding to object entities) in the relationship graph. Each carrier in this set corresponds to an object node in the relationship graph and carries a reference identifier or association key pointing to the object node and its associated subject node, device node, and session node. Optionally, the set of carriers to be detected can be structured data, which can be stored in a database or in memory, and the implementation method is selectable.

[0138] Optionally, the preset condition can be a minimum availability condition. The minimum availability condition is jointly defined by a completeness threshold, resolution depth reachability, and necessary side information availability; objects that do not meet the condition are marked as unavailable or need to be supplemented, and their context is preserved. Specifically, the completeness threshold can be a completeness threshold for the object entity; when the completeness of the object entity reaches or exceeds this threshold, the completeness condition is met. Resolution depth reachability can be whether the resolution depth corresponding to the object entity can be reached; if it can be reached, the resolution depth reachability condition is met. Necessary side information availability can be whether the necessary side information (e.g., endpoint information and / or network information) required for data detection of the object entity is available; when this information is available, the necessary side information availability condition is met. When all three conditions are met, the object entity meets the minimum availability condition.

[0139] Optionally, whether the parsing depth can be achieved can be determined by judging whether the current object entity, under the joint constraints of visibility, structural integrity, processing resources, and compliance boundaries, possesses the minimum input conditions required to execute the target parsing level (fast level, standard level, or deep level). Optionally, whether the side information is available can be determined by judging whether the external auxiliary information required to support the current object entity in completing detection, filtering, or association exists and is available to a sufficient degree to support this determination. It can be understood that this external auxiliary information can refer to information that can be collected from the edge side and / or the network side.

[0140] In this way, some object entities are selected as carriers to be inspected, which can be used for subsequent data detection.

[0141] As mentioned earlier, in some cases, data leaks are not transmitted in plaintext. For example, one method of data leakage is through steganography, where information is hidden within seemingly normal images, documents, audio, or other media, making it difficult to detect using content-level detection methods (such as keyword-based detection or Optical Character Recognition (OCR)). This type of hiding typically requires "minimal impact on human-perceptible semantics," thus appearing as minor alterations to the container structure or signal details. These alterations are not significant at the semantic level but leave computable traces of anomalies at the levels of "encoding structure, object graph, and phase continuity."

[0142] Therefore, in step 208, by calculating the perturbation index of the carrier under test, the hidden information can be filtered out using the perturbation index. In other words, perturbation is not directly equivalent to leakage, but a necessary byproduct of "concealed load bearing"; when perturbation, cross-channel correlation results, and allowable flow rules simultaneously meet the triggering conditions, perturbation becomes an interpretable and reproducible evidence channel in "leakage prevention".

[0143] Furthermore, in some embodiments, step 208, which calculates the perturbation index of each carrier in the set of carriers to be inspected, may further include the following steps:

[0144] In step 2082, the type of the carrier to be tested is determined.

[0145] As mentioned earlier, when extracting object entities, their corresponding carrier categories have already been determined based on the object entity's identifier and structure. The set of carriers to be inspected is a subset of the set of object entities; in other words, the carriers to be inspected also belong to the object entities and have already been tagged with their carrier types.

[0146] Therefore, the type of the carrier to be tested can be determined based on the carrier type label of the carrier to be tested.

[0147] Optionally, the carrier type may include image type, portable file format (PDF) type, and audio type.

[0148] In step 2084, in response to the fact that the type of the carrier to be inspected is an image type, the carrier to be inspected is recoded to obtain a recoded carrier; the difference information between the recoded carrier and the carrier to be inspected is constructed, and feature information is extracted from the difference information; based on the feature information, the perturbation index of the carrier to be inspected is determined.

[0149] In this step, a corresponding parsing template can be selected from the template library (pre-built in the aforementioned preprocessing step) based on the carrier type (image type) and parsing depth of the carrier to be inspected. This determines the parsing location and parsing step sequence of the carrier to be inspected, and completes the warm-up of the codec and parser. This process reduces the uncertainty caused by cold start by mapping "carrier type-visibility-resource constraints" to a determined parsing execution plan (parsing template), ensuring that the same carrier obtains a consistent processing path and reproducible metric output in different batches.

[0150] Then, the carrier to be inspected is parsed based on the parsing template. Specifically, for image-type carriers to be inspected, decapsulation and integrity verification can be performed, and sampling rate alignment can be performed to establish a frame index and generate a normalized frame view. Specifically, for image-type carriers to be inspected, decapsulation and integrity verification are performed, sampling rate alignment is performed in the video dimension, a frame index is established structurally, and parsable ranges are marked for missing fragment objects to generate a normalized frame view or fragment view. This normalization step unifies heterogeneous encapsulations to comparable coordinate and temporal domain representations, providing stable input for subsequent feature extraction and reducing metric drift caused by encapsulation differences.

[0151] Next, for the image-type carrier under inspection, the image content of the frame view or segment view is recoded to generate recoded content. Then, based on the image content of the frame view and the recoded content, difference information (difference field) about the content is constructed as the difference information between the recoded carrier and the carrier under inspection. Next, structural features are extracted from the difference information as feature information, and this feature information is used to characterize the perturbation index of the image-type carrier under inspection. This perturbation index can be a container echo. A container echo can refer to: for the image-type carrier under inspection, aligning and comparing the original image with an image processed by at least two robust recoding paths, and forming a container-level perturbation metric based on the block features and / or frequency domain features reflecting non-random structural residues in its difference field, used to characterize the degree to which the image encapsulation or coding structure has been subtly rewritten.

[0152] Since the errors of conventional image compression algorithms are approximately random, and steganography or micro-embedding in pixels or transform coefficient layers can form remnants of tissue that can be re-encoded and revealed, the blocky / frequency domain structural features in the difference field can serve as statistical evidence of subtle rewriting of the container, without dependence on image semantics. Therefore, in some embodiments, the difference information can be a difference field, and the structural features extracted from the difference information can be blocky / frequency domain structural features in the difference field. Here, the difference field can refer to a mathematical expression used in image analysis to describe local texture or structural orientation changes in an image. The blocky / frequency domain structural features in the difference field can be obtained using image residual statistical analysis methods. Specifically, the blocky features in the difference field can refer to the statistical analysis of the residual intensity of each block, the abrupt changes between adjacent blocks, and the degree of anomalous block aggregation after dividing the difference field into fixed regions; the frequency domain features in the difference field can refer to the statistical analysis of energy distribution, spectral peak significance, and directional energy bias in different frequency bands after frequency transformation of the difference field.

[0153] In some embodiments, two robust recoding paths can be used to generate two recoding results during recoding. Then, difference information is constructed based on these two recoding results (e.g., by selecting the average of the two recoding results), thereby improving the accuracy of the difference information and reducing errors caused by inappropriate recoding method selection. A robust recoding path can refer to a recoding path that provides a stable and reproducible residual response to normal images, does not suffer significant distortion due to encoder randomness or minor parameter fluctuations, and can reliably recover structural remnants caused by steganography or minor embeddings. Optionally, this can be achieved by fixing the encoder version, color space and size processing rules, and quality parameter range, while avoiding excessively strong or weak recompression.

[0154] In step 2086, in response to the fact that the type of the carrier under test is a portable file format type, the cross-references and object graph of the carrier under test are parsed to obtain incremental update information; based on the incremental update information, the perturbation index of the carrier under test is determined.

[0155] In this step, a corresponding parsing template can be selected from the template library based on the carrier type (portable file format type) and parsing depth of the carrier to be tested. This determines the parsing location and step sequence of the carrier to be tested, and completes the warm-up of the codec and parser. This process reduces the uncertainty caused by cold start by mapping "carrier type-visibility-resource constraints" to a defined parsing execution plan (parsing template), ensuring that the same carrier obtains a consistent processing path and reproducible metric output in different batches.

[0156] Then, the carrier to be inspected is parsed based on the parsing template. Specifically, for PDF-type carriers to be inspected, decapsulation and integrity verification are performed, character set alignment is performed in the text dimension, page indexes are established, and a normalized page view is generated. Specifically, for PDF-type carriers to be inspected, decapsulation and integrity verification are performed, character set alignment is performed in the text dimension, page indexes are established structurally, and parsable ranges are marked for missing fragment objects, generating a normalized page view or fragment view. This normalization step unifies heterogeneous encapsulations to comparable coordinate and temporal domain representations, providing stable input for subsequent feature extraction and reducing metric drift caused by encapsulation differences.

[0157] Next, for the PDF-type carrier under inspection, cross-references and object graphs can be parsed in its page view or fragment view to identify incremental update information. Specifically, for each incremental update, the incremental scale sequence and chain depth of that incremental update are extracted to obtain the incremental vine length as the perturbation index of the carrier under inspection. The incremental vine length can refer to: for the PDF-type carrier under inspection, the structural evolution metric formed by identifying incremental update chains through parsing cross-reference structures and object graphs, and based on the scale information of each incremental update and the number of layers of the overall incremental update chain, used to characterize the degree of abnormal growth of the document object structure with multiple appended saves.

[0158] The object graph can refer to an object graph constructed from multiple interrelated objects constituting the PDF-type test carrier, and the cross-reference can refer to the byte offset of each object in the PDF-type test carrier. Each incremental update refers to the update between two adjacent file save states (or two adjacent layers of incremental append records) corresponding to the test carrier. The incremental scale sequence refers to the scale information of each incremental update recorded in chronological order. Specifically, it can be represented by the number of bytes appended each time, the number of objects added / modified each time, or the type distribution of the added objects; essentially, it is an ordered sequence of how much information was written at each incremental layer. The chain depth refers to the number of incremental append layers the PDF-type test carrier has undergone from the initial version to the current version, that is, the number of layers in the incremental update chain.

[0159] Because incremental saving follows the syntax constraints of appending objects to update the index, if there is continuous appending that is disproportionate to visible page changes, it will manifest as an abnormal growth trajectory in the object graph and chain depth; this trajectory reflects the decoupling of container structure evolution from the presented content, and can reveal potential hidden payloads without parsing plaintext.

[0160] In step 2088, in response to the fact that the type of the carrier under test is audio, the carrier under test is phase-expanded to obtain a phase change rate sequence; the sign change density and amplitude upper bound of the change rate of the phase change rate sequence are statistically analyzed to obtain phase feature information; based on the phase feature information, the perturbation index of the carrier under test is determined.

[0161] In this step, a corresponding parsing template can be selected from the template library based on the carrier type (audio type) and parsing depth of the carrier to be tested. This determines the parsing position and step sequence of the carrier to be tested, and completes the warm-up of the codec and parser. This process reduces the uncertainty caused by cold start by mapping "carrier type-visibility-resource constraints" to a defined parsing execution plan (parsing template), ensuring that the same carrier obtains a consistent processing path and reproducible metric output in different batches.

[0162] Then, the carrier to be inspected is parsed based on the parsing template. Specifically, for audio carriers to be inspected, decapsulation and integrity verification are performed, and sampling rate alignment is performed to establish a frame index and generate a normalized frame view. Specifically, for audio carriers to be inspected, decapsulation and integrity verification are performed, sampling rate alignment is performed in the audio dimension, a frame index is established structurally, and parsable ranges are marked for missing segments to generate a normalized frame view or segment view. Specifically, for audio carriers to be inspected, if continuous short-time analysis units can be established, it corresponds to a frame view; if the audio is streamed in segments, uploaded in chunks, or has missing segments, it corresponds to a segment view. This normalization step unifies heterogeneous encapsulations to a comparable coordinate and time domain representation, providing stable input for subsequent feature extraction and reducing metric drift caused by encapsulation differences.

[0163] Next, for the audio-type carrier under test, phase unwrapping can be performed on its frame view or segment view to obtain a phase change rate sequence. The sign change density and amplitude upper bound of the change rate are statistically analyzed as phase feature information. Then, based on the phase feature information, the perturbation index of the carrier under test is determined. This perturbation index can be the phase return-to-the-Sea metric. The phase return-to-the-Sea metric can refer to: for the audio-type carrier under test, obtaining a phase change rate sequence by subtracting a continuous phase sequence, and using the phase continuity measure formed by the sign change density and absolute value upper bound of the phase change rate sequence to characterize the degree of perturbation in the short-time phase evolution of the audio.

[0164] Optionally, after phase unrolling the frame view or segment view, a continuous phase sequence can be obtained. Then, by subtracting the unrolled continuous phase sequences of adjacent frame views or segment views, a phase change rate sequence can be obtained. The sign change density refers to the frequency or density of sign switching in the phase change rate sequence within a unit time or unit number of frames. Essentially, it reflects the frequency of phase change rate direction reversal and is used to characterize whether the phase evolution is stable within a short window. The upper bound of the amplitude can refer to the upper bound statistic of the absolute value of the phase change rate, such as the maximum value, upper quantile, or upper envelope value. Essentially, it reflects the magnitude of the maximum perturbation intensity in the phase change rate, thus describing the amplitude boundary of the change rate itself. In this embodiment, the sign change density characterizes whether the jump occurs frequently, while the upper bound of the amplitude characterizes whether the jump amplitude is sufficiently large. These two correspond to frequency and intensity, respectively, and together they characterize the degree to which phase continuity is disrupted.

[0165] Since the phase evolution of normal audio is smooth within a short time window, steganalytic perturbations disrupt phase continuity but have limited impact on the energy spectrum. Therefore, by characterizing this deviation with the stability and jump features of the phase derivative (phase change rate), anomalous phase behavior can be identified without relying on semantic transcription.

[0166] In this embodiment, sensitivity measures to minute embeddings and anomalous structures are obtained at the container or signal structure level of three types of carriers: images, portable file format documents, and audio. The values ​​of three indicators—container echo, incremental vine length, and phase echo measure—are used as perturbation indicators.

[0167] In this embodiment, by setting three metrics—container echoprint, incremental vine length, and phase echometric—three types of carriers can be covered: image carriers, portable file format carriers, and audio carriers. The visible anomalies of hidden payloads differ across these three types of carriers. Specifically, image steganography is more easily revealed in the recoded residual structure, document steganography / smuggling is more easily reflected in the evolution of incremental update chains and object graphs, and audio steganography is more likely to disrupt the short-window smoothness of phase evolution while minimizing changes to the energy spectrum. Therefore, these three metrics establish measures for these three most stable, least plaintext-dependent, and compliant anomalies, enabling the system to form a computable criterion for hidden payload-type data leakage without reading or with minimal plaintext reading. In some embodiments, this can be combined with subsequent structural consistency checks and temporal correlation chains to reduce false alarms.

[0168] In some embodiments, step 210, which generates data detection results based on the perturbation index, may further include the following steps:

[0169] In step 212, anomaly detection is performed on the carrier under test based on the perturbation index.

[0170] As mentioned earlier, perturbation indices characterize hidden information in the carrier under test. Therefore, this step can utilize perturbation indices to detect anomalies in the carrier under test.

[0171] In step 214, in response to determining that the carrier under test has an anomaly, a set of candidate carriers is generated based on the carriers under test that have an anomaly.

[0172] In this step, if the carrier under test is abnormal, the abnormal carrier under test can be used as a candidate carrier to generate a candidate carrier set for further data detection.

[0173] In step 216, the temporal correlation result of each candidate vector in the candidate vector set is determined.

[0174] In this step, the time correlation result can reflect the cross-channel (transmission channel) connection of events (including end-side events and network-side events) corresponding to the candidate carrier on a unified time axis, and can restore the linkage link corresponding to the candidate carrier.

[0175] In step 218, based on the candidate carrier set, combined with the perturbation index and the time correlation result, the data detection result is generated.

[0176] In this embodiment, after screening out the abnormal carriers (candidate carriers) based on the perturbation index, the candidate carriers are further analyzed by combining the perturbation index and the time correlation result, which can improve the accuracy of the data detection results.

[0177] Optionally, step 212, which involves anomaly detection of the carrier under test based on the aforementioned perturbation index, can be modified by normalizing the perturbation index and combining it with the structural information of the carrier under test to generate a candidate carrier set. In this way, by combining the structural information of the carrier under test for anomaly determination, an evidence channel independent of the perturbation index can be provided, improving the accuracy of data detection.

[0178] In some embodiments, step 212, which involves anomaly detection of the carrier under test based on the perturbation index, may further include the following steps:

[0179] In step 2122, the structural consistency of the carrier under test is determined based on the structural information of the carrier under test.

[0180] In this step, by determining the structural consistency of the carrier under test, anomalies in the structural information of the carrier under test can be identified, thereby assisting in data detection.

[0181] In some embodiments, step 2122, which determines the structural consistency of the carrier under test based on the structural information of the carrier under test, may further include the following steps:

[0182] In step 21222, in response to the fact that the type of the carrier under inspection is an image type, the structural consistency of the carrier under inspection is determined based on the consistency between the main image and the thumbnail corresponding to the carrier under inspection and the correlation of color channels.

[0183] In this step, for the image-type carrier under inspection, the consistency of structural information can be determined based on the consistency between its main image and thumbnail, as well as the correlation of color channels, thereby determining the structural consistency of the carrier under inspection. The main image can refer to the main display image or primary image corresponding to the thumbnail; it means the full-size image used for primary presentation within the same carrier. Optionally, the thumbnail can preferably be a preview image or embedded thumbnail from within the carrier under inspection (such as thumbnails carried in metadata or container structures). If the carrier under inspection does not carry a preview image or embedded thumbnail, a reference thumbnail can be generated from the main image according to a preset scaling rule to serve as the thumbnail.

[0184] In this embodiment, anomalies are identified by comparing the consistency between the main image and the thumbnail with the correlation of color channels. Specifically, this is mainly done by comparing "two sources / two representations"—such as "embedded thumbnails carried within the carrier" and "reference thumbnails reconstructed from the main image according to fixed rules," or "structural constraints that the main image and thumbnails should maintain under normal transcoding links." For example, anomalies may occur in the following situations: First, an attacker only rewrites the main image (embedded payload / perturbation) but does not update the embedded thumbnail simultaneously, resulting in inconsistency between the thumbnail and the main image; second, an attacker deliberately retains a "clean thumbnail" while the main image carries a hidden payload, forming a clear decoupling; third, steganography / micro-embedding perturbs the statistical coupling relationship between color channels, causing the channel correlation between the main image and the thumbnail to deviate from the stable relationship that should be presented by normal scaling / resampling. Therefore, this embodiment logically selects a "structural evidence channel independent of perturbation indicators" to reduce false positives and improve interpretability.

[0185] Optionally, the consistency between the main image and the thumbnail, as well as the correlation of their color channels, can be determined using methods such as hash value comparison (pHash algorithm) and structural similarity index (SSIM). Optionally, the correlation of color channels between the main image and the thumbnail can be analyzed using methods such as two-dimensional histogram, Pearson correlation coefficient, and principal component analysis (PCA).

[0186] If the main image and thumbnail are inconsistent and / or the color channel correlation is abnormal, it can be determined that the structural information of the carrier under test is abnormal, i.e., the structure is inconsistent; conversely, if the main image and thumbnail are consistent, the structural information of the carrier under test is abnormal. Figure 1 If the color channel correlation is normal, it can be determined that the structural information of the carrier under test is normal, that is, the structure is consistent.

[0187] In step 21224, in response to the fact that the type of the carrier under inspection is a portable file format (PDF), the structural consistency of the carrier under inspection is determined based on the matching relationship between the changes in the number and type of objects on the carrier under inspection and the changes in the visible pages.

[0188] In this step, for the PDF type of carrier to be inspected, the structural information can be determined to be consistent based on the matching relationship between the changes in the number and type of objects and the visible page changes, thereby determining the structural consistency of the carrier to be inspected.

[0189] Optionally, multiple pages of the PDF-type carrier to be inspected can be divided into multiple page groups based on adjacent pages, and sorted according to the page numbers corresponding to the page groups. Then, the changes in the number of objects and the changes in the types of objects in each page group, as well as the visible page changes in each page group, can be calculated. Next, it is determined whether the changes in the number of objects and the changes in the types of objects match the visible page changes. If they do not match, it can be determined that the structural information of the carrier to be inspected is abnormal, i.e., the structure is inconsistent; otherwise, if they match, it can be determined that the structural information of the carrier to be inspected is normal, i.e., the structure is consistent.

[0190] Optionally, the visible page changes for each page group can refer to the quantified changes in the content that is directly visible to the user after converting two pages in the page group into comparable page views or fragment views under a unified rendering rule. Optionally, this change can be characterized by one or more combinations of changes in the number of text blocks, changes in image areas, changes in layout areas, and pixel-level rendering differences.

[0191] Optionally, to determine whether the changes in the number of objects and the changes in the types of objects match the visible page changes, the changes in the number of objects and the changes in the types of objects corresponding to the page group can be compared with the visible page changes to determine whether they fall within a preset correspondence range. If the visible page changes are small or basically unchanged, while the changes in the number of objects or the types of objects increase significantly, or the magnitude of the changes in the number of objects or the types of objects significantly exceeds the upper limit that the visible changes usually correspond to, then it is determined to be a mismatch. Conversely, if the magnitude of the changes in the number of objects or the types of objects matches the visible page changes within a preset tolerance range, then it is determined to be a match.

[0192] In some cases, incremental update information from the PDF-type carrier under inspection can be incorporated to identify situations where the incremental chain is lengthened while the page remains static, thus confirming structural consistency together with the aforementioned matching relationships. Optionally, when the number of incremental update layers in the PDF-type carrier under inspection continuously increases, but the visible page changes are small or essentially unchanged, it can be used to determine that there is a decoupling between the growth of the underlying object structure and the surface displayed content, thus serving as supplementary evidence of structural anomalies. Specifically, the cross-reference table (or cross-reference stream), tail information, and object graph of the PDF-type carrier under inspection can be parsed first to identify whether the current document has formed an incremental update chain through multiple incremental saves, and the number of layers in the incremental update chain, the number of new objects in each layer, or the amount of new bytes added can be counted; at the same time, the page views corresponding to adjacent versions are uniformly rendered and compared to obtain the visible page changes. If, in several consecutive incremental updates, the number of incremental chain layers continuously increases, and the number of new objects or the amount of new bytes added reaches a preset threshold, while the visible page changes are always lower than another preset threshold, then it is determined that there is a situation where the incremental chain is lengthened while the page remains static.

[0193] In step 21226, in response to the fact that the type of the carrier under test is audio, the structural consistency of the carrier under test is determined based on the consistency of the bitrate stability and semantic stability of the carrier under test.

[0194] In this step, for the audio type of the carrier to be tested, the consistency of its structural information can be determined based on the consistency of its bitrate stability and semantic stability, thereby determining the structural consistency of the carrier to be tested.

[0195] Optionally, bitrate stability can be determined by analyzing the bitrate distribution over different time periods. Semantic stability can be determined by analyzing whether energy changes are abrupt.

[0196] When the bitrate is stable but the semantics are unstable, or vice versa, it can be determined that the structural information of the carrier under test is abnormal, i.e., the structure is inconsistent; otherwise, it can be determined that the structural information of the carrier under test is normal, i.e., the structure is consistent.

[0197] The above methods can be used to identify anomalous situations where phase perturbation and energy distribution do not match.

[0198] In some embodiments, after determining structural consistency, a structural consistency result can be output. If structural inconsistency is identified, a structural marker can also be output. Optionally, the structural marker includes a normal marker indicating normal structural information and an abnormal marker indicating abnormal structural information. The normal marker can provide endorsement of structural consistency, while the abnormal marker can provide a penalty factor for structural inconsistency.

[0199] Further, in step 2124, anomaly detection is performed on the carrier under test based on the perturbation index and the structural consistency. Optionally, in this step, the perturbation index can be normalized according to the carrier type, and then matched based on the normalized perturbation index, structural consistency result, and structural marker to perform anomaly detection on the carrier under test.

[0200] In some embodiments, step 2124, which involves anomaly detection of the carrier under test based on the perturbation index and structural consistency, may further include the following steps:

[0201] In step 21242, in response to the fact that the type of the carrier to be inspected is an image type, when the feature information is within a preset range and the main image and the thumbnail are inconsistent or the color channel correlation is abnormal, it is determined that the carrier to be inspected is abnormal.

[0202] Optionally, normalization processing configuration information can be loaded according to the type of the carrier to be inspected (image type). Based on this configuration information, the feature information used as a perturbation indicator is normalized to perform monotonic mapping and interval standardization for the perturbation indicator, thereby converting it into a dimensionless score that can be compared horizontally. This normalization processing configuration information can be pre-configured and can be adjusted according to specific circumstances. The normalization configuration takes historical distribution and content conditions as a reference, aiming to eliminate the dimensional and scale biases caused by non-abnormal factors such as compression ratio, incremental storage frequency, and sampling and encoding differences, so that the same indicators have comparability and stability under different carriers and processing links.

[0203] Next, based on the normalized feature information, it is determined whether it falls within a preset range, that is, whether it enters the observation interval for abnormal situations. This preset range (observation interval) can be pre-configured and adjusted according to specific circumstances.

[0204] Then, when the normalized feature information is within a preset range, if the main image and the thumbnail are inconsistent or the color channel correlation is abnormal, it is determined that the carrier under test is abnormal and can be used as a candidate carrier.

[0205] In step 21244, in response to the fact that the type of the carrier to be inspected is a portable file format type, when the incremental update information is within a preset range and there is a mismatch between the number of objects or the type change and the visible page change, it is determined that the carrier to be inspected is abnormal.

[0206] Optionally, normalization processing configuration information can be loaded according to the type of the carrier to be inspected (the type of file format that can be carried). Based on this configuration information, the incremental update information, which serves as a perturbation indicator, is normalized to perform monotonic mapping and interval standardization for the perturbation indicator, thereby converting it into a dimensionless score that can be compared horizontally. This normalization processing configuration information can be pre-configured and can be adjusted according to specific circumstances. The normalization configuration takes historical distribution and content conditions as a reference, aiming to eliminate dimensional and scale biases caused by non-abnormal factors such as compression ratio, incremental storage frequency, and differences in sampling and encoding, so that similar indicators have comparability and stability under different carriers and processing links.

[0207] Next, based on the normalized incremental update information, it is determined whether it falls within a preset range, that is, whether it enters the observation interval for abnormal situations. This preset range (observation interval) can be pre-configured and adjusted according to specific circumstances.

[0208] Then, when the normalized incremental update information is within a preset range, if the change in the number of objects or the type or the growth of the incremental chain does not match the change in the visible page, it is determined that the carrier under inspection is abnormal and can be used as a candidate carrier.

[0209] In step 21246, in response to the fact that the type of the carrier to be inspected is audio, when the phase feature information is within a preset range and the bit rate distribution is stable but the semantics are unstable, it is determined that the carrier to be inspected is abnormal.

[0210] Optionally, normalization processing configuration information can be loaded according to the type of the carrier to be tested (audio type). Based on this configuration information, the phase feature information, which serves as a perturbation indicator, is normalized to perform monotonic mapping and interval standardization for the perturbation indicator, thereby converting it into a dimensionless score that can be compared laterally. This normalization processing configuration information can be pre-configured and can be adjusted according to specific circumstances. The normalization configuration takes historical distribution and content conditions as a reference, aiming to eliminate dimensional and scale biases caused by non-abnormal factors such as compression ratio, incremental retention frequency, and sampling and coding differences, so that similar indicators have comparability and stability under different carriers and processing links.

[0211] Next, based on the normalized phase feature information, it is determined whether it is within a preset range, that is, whether it has entered the observation interval for abnormal situations. This preset range (observation interval) can be pre-configured and adjusted according to specific circumstances.

[0212] Then, when the normalized phase feature information is within a preset range, if the code rate distribution is stable but the semantics are unstable, it is determined that the carrier under test is abnormal and can be used as a candidate carrier.

[0213] In this embodiment, a structural consistency determination of the carrier is introduced to provide an evidence channel independent of perturbation indicators. In the image direction, the consistency between the thumbnail and the main image, along with the correlation of color channels, characterizes the macroscopic consistency that normal transcoding should maintain. In the document direction, the matching relationship between changes in the number and type of objects and changes in visible page views describes the grammatical expectations of incremental saving. In the audio direction, the stationarity of bitrate and energy distribution constrains the continuity of phase over time. These structural clues do not depend on plaintext semantics, reflect the inherent constraints of the container or signal layer, and can effectively distinguish between reasonable alterations and anomalous embeddings.

[0214] In this embodiment, at the evidence fusion layer, logical matching is performed using normalized perturbation indices and structural consistency results. When the container echo of an image carrier enters the observation range and is accompanied by thumbnail inconsistencies or abnormal channel correlations, it is considered that there is a structured residual consistent with steganography. When the incremental vine length of a portable document enters the observation range and the growth of the object or incremental chain does not match the changes in the visible page, it is considered that there is an incremental trajectory consistent with the hidden payload. When the phase echo metric of an audio carrier enters the observation range and the bitrate or energy distribution is stable but the phase continuity characteristics are abnormal, it is considered that there is an abnormal pattern consistent with phase perturbation. The above matching uses "indicator entering the observation range + at least one structural anomaly" as the triggering criterion, thereby probabilistically reducing false alarms caused by a single evidence channel.

[0215] In some embodiments, to improve interpretability, the candidate carrier can be generated along with the name, structural marker, and minimum evidence set of the triggered perturbation indicator, along with a normalized configuration version and a quality label. The normalized configuration version is used to trace the source of the threshold, and the quality label is used to indicate the impact of visibility degradation, missing data fragments, and reduced parsing depth on the decision confidence, thereby supporting subsequent review and re-evaluation. The minimum evidence set can refer to the minimum combination of evidence necessary to support the establishment of the candidate carrier. Optionally, the minimum evidence set can include at least: information on perturbation indicators entering a preset range (observation interval), at least one corresponding structural marker, and basic location information of the candidate carrier (object identifier or carrier category). The quality label can be generated based on the actual execution status during the parsing process, specifically based on whether conditions such as end-side invisibility, missing data fragments, reduced parsing depth, delayed windowing, or missing structural information occur.

[0216] Optionally, for step 216 of determining the time association result of each candidate carrier in the candidate carrier set, the end-side events and network-side events can be connected across channels on a unified time axis according to the subject to form the time association result corresponding to the candidate carrier, thereby restoring the linkage link corresponding to the candidate carrier.

[0217] In some embodiments, step 216, which determines the time correlation result of each candidate vector in the candidate vector set, may further include the following steps:

[0218] In step 2162, for each candidate vector in the candidate vector set, the source object and discovery time corresponding to the candidate vector are determined.

[0219] The source object can refer to the object entity corresponding to the candidate carrier (obtained in step 206 above), and the discovery time can refer to the discovery time of the outgoing information corresponding to the candidate carrier.

[0220] In step 2164, based on the source object, the subject identifier and device identifier corresponding to the candidate carrier are determined.

[0221] In the preceding steps, the association between the subject identifier, the device identifier, the session fragment, and the object entity was established for the object entity. In this step, after determining the source object (object entity), the corresponding subject identifier and device identifier can be determined based on this association. This identifier serves as the anchor point for subsequent retrieval and matching, ensuring consistent reference at the identity and carrier levels for cross-origin events.

[0222] In step 2166, a time window is determined with the discovery time as the center, and within the time window, associated events corresponding to the candidate carrier are retrieved based on the subject identifier and the device identifier to obtain a set of associated events.

[0223] In this step, a time window can be set centered on the discovery time. Within the set time window, events are retrieved by subject identifier and device identifier to obtain a set of associated events. Optionally, searches can be performed separately for end-side events and network-side events to obtain sets of end-side events and sets of network-side events associated with candidate carriers, respectively. The time window is used to limit the search scope to suppress noise while retaining sufficient context to cover the stages of preparation, transmission, and feedback. It is understood that this time window is configurable and can be adjusted according to actual conditions.

[0224] In step 2168, each associated event in the associated event set is labeled with a start point, transition, or end point to obtain the labeled associated event set.

[0225] In this step, events can be labeled as start points, transitions, or end points based on the event type order and field consistency, forming a set of candidate events with role tags. The event type order refers to a predefined sequence of event types according to the normal processing flow in a specific business scenario, used to describe the typical order of the same outgoing action from preparation, initiation, transmission to completion. For example, in a webmail attachment outgoing scenario, the event type order could be "object generation / attachment addition → send trigger → connection establishment → authentication / handshake → upload segmentation → server response / completion receipt"; in a cloud drive upload scenario, it could be "file selection → upload initialization → segmented upload → segmented confirmation → merge completion". Therefore, the event type order is essentially a template of an expected business sequence, used to subsequently determine the position of each event in the chain. Field consistency refers to whether events retrieved in order of event type maintain an interpretable correspondence across key related fields. Commonly used fields for this determination include: subject identifier, device identifier, session identifier, object identifier or object clues (such as filename, object size, fragment sequence number, hash digest), channel type, destination domain name / IP, request path, transmission direction, and time window affiliation. Field consistency does not require all fields to be completely identical, but rather that these fields correspond and are compatible within the current business semantics. For example, "send trigger event" and "upload request event" initiated by the same subject and device can be considered consistent in terms of field association if they have the same object size range, similar filename clues, and the same destination domain name.

[0226] In this embodiment, the determination of field consistency can be achieved using a "field matching + tolerance constraint" approach. Specifically, fields can be divided into three categories: The first category is strongly constrained fields, such as subject identifier, device identifier, and transmission direction. These fields typically require complete consistency. The second category is weakly constrained fields, such as filename, object size, fragment sequence number, and destination path. These fields allow matching within a preset tolerance range. For example, filenames are allowed to have case differences, object sizes are allowed to have small deviations due to compression or encapsulation, and timestamps are allowed to fall within the same extended window. The third category is supplementary fields, such as browser process name, protocol sub-type, and token identifier. These fields are used to enhance confidence but are not absolutely necessary. If the strongly constrained fields are satisfied, and the weakly constrained fields meet the preset number or preset weight matching conditions, the event pair can be determined to have field consistency. Otherwise, the consistency is considered insufficient, and they should not be linked into the same link.

[0227] In this embodiment, the roles of start point, transition, or end point are determined under the joint constraints of "event type order + field consistency". Generally speaking, events located at the beginning of the event type order and capable of providing initiating actions such as object creation, object addition, and sending trigger can be marked as start points; events located in the middle stage of the event type order and responsible for connecting functions such as connection establishment, authentication, upload segmentation, and proxy forwarding can be marked as transitions; and events located at the end of the event type order and reflecting result actions such as server response, upload completion, successful / failed sending receipts, and object landing confirmation can be marked as end points. When determining which role label to assign, one should not only look at the event name itself, but also consider the event's position in the expected event type sequence, and then check its consistency with preceding and following events in key fields: If an event's type belongs to the front-end type in the event type sequence and is consistent with subsequent transition events in terms of subject, device, and object clues, it can be labeled as the starting point; if an event's type belongs to the middle type in the event type sequence and is reachable from both preceding and following events, it can be labeled as a transition; if an event's type belongs to the result type in the event type sequence and is aligned with preceding transmission events in terms of object and destination fields, it can be labeled as the end point. In other words, role labels are not assigned in isolation, but are determined by the event's position in the expected flow and its alignment with upstream and downstream events.

[0228] In this way, retrieved events can be labeled with roles based on event type order and field consistency, classifying them into start points, transitions, or end points. Role labeling relies on the consistency constraints of protocol semantics and object clues, making the functional positioning of events on the timeline clear, thus providing a determinable boundary for subsequent causal relationship construction. Protocol semantics defines the event type order, while object clues are the core fields in field consistency. Specifically, protocol semantics refers to the processing meaning and sequence of various events under a certain transmission channel or protocol that should be followed in business operations. For example, in an upload scenario, there is usually a semantic sequence of "trigger upload → establish connection → transmit segment → complete receipt," thus determining which event types should be listed first, which in the middle, and which at the end—the source of the aforementioned event type order. Object clues refer to identifying information that characterizes whether the same object spans multiple events, such as filename, object size, segment number, hash digest, and object type. It is one of the specific contents of the aforementioned fields and is a crucial set of fields for judging field consistency. In other words, the protocol semantics answer the question of what order the events should appear in, and the object clues answer whether these events revolve around the same object. Only when the two work together can the events be marked as the start, transition or end point.

[0229] In step 2170, for the labeled set of associated events, the reachability relationships between the associated events are established under the constraints of time monotonicity, subject consistency, and device consistency, and an event relationship graph corresponding to the candidate carrier is generated.

[0230] In this step, based on the determined (labeled) roles of each associated event, reachability relationships are established between events under the constraints of time monotonicity, subject consistency, and device consistency, generating an event causal relationship graph. The reachability relationship requires that preceding and following events satisfy temporal sequence and compatibility of key fields (subject and device) (i.e., time monotonicity, subject consistency, and device consistency constraints), avoiding erroneous associations across subjects or devices and ensuring that candidate paths are interpretable both semantically and temporally. In other words, if two associated events have a temporal sequence and both subject and device identifiers are identical, then these two associated events are reachable. Thus, based on the reachability relationship between two associated events, edges corresponding to the reachability relationship can be constructed using the two associated events as nodes, thereby constructing the event relationship graph. Furthermore, since the edges corresponding to the reachability relationship are constructed based on the temporal sequence of the two associated events, these edges can be directed edges, and the event relationship graph can be a directed graph.

[0231] In step 2172, feasible paths from the start point to the end point are searched in the event relationship graph, and a score is calculated for each feasible path.

[0232] Since the nodes in the event relationship graph are all related events in the set of related events, and each related event has been labeled with a role tag (starting point, transition, or ending point) in the previous steps, in this step, a feasible path from the starting point to the ending point can be searched in the event relationship graph based on these role tags. Optionally, a node labeled as the starting point can be found in the event relationship graph, and then, using that node as the starting point, the next node in the event relationship graph that has an edge with that node (in some cases, this can be a directed edge) can be found (in some cases, this next node can be the node pointed to by the directed edge), and so on, until a node labeled as the ending point is found, thus obtaining a feasible path.

[0233] After obtaining all feasible paths in the event relationship graph, a score can be calculated for each feasible path. Optionally, sub-scores such as matching degree, time interval compliance, and field consistency can be calculated for each feasible path, and then a comprehensive score is obtained based on the sub-scores as the score for the feasible path.

[0234] The matching degree measures the degree of fit between the role sequence and the expected business sequence. The time interval conformity measures the reasonableness of the time interval between adjacent events, and the field consistency measures the compatibility strength between object clues and transmission parameters. The expected business sequence can be obtained from a predefined standard role sequence template based on the protocol semantics, channel type, and historical normal processing flow corresponding to the current outbound scenario. Specifically, the system can establish corresponding business templates for different channel types. For example, for a webpage upload scenario, "object preparation / send trigger - connection establishment / handshake - data transmission - completion receipt" can be abstracted into an expected business sequence of "start point - transition - transition - end point"; for an email sending scenario, "attachment addition - send trigger - protocol interaction - server confirmation" can also be mapped to the corresponding expected business sequence. The expected business sequence can be obtained by rule configuration, protocol state machine definition, or induction based on historical normal samples, and serves as a reference sequence for subsequent matching degree calculations.

[0235] Specifically, when calculating the matching degree for each feasible path, the role sequence of the current feasible path can be obtained first, and then compared position by position with the expected service sequence under the corresponding transmission channel type. If the role types at the same position are consistent, it is recorded as a match; otherwise, it is recorded as a mismatch. Subsequently, the matching degree can be obtained based on the ratio of the number of matched positions to the total number of compared positions. For example, if the role sequence corresponding to each node of the feasible path is start-transition-transition-end point, and the expected service sequence is start-transition-transition-end point, then all four positions match, and the matching degree can be 4 / 4, i.e., 100%. As another example, if the role sequence corresponding to each node of the feasible path is start-transition-end point, and the expected service sequence is start-transition-transition-end point, then the matching ratio can be calculated based on the aligned effective positions, or the missing role positions can be recorded as mismatches, thus obtaining a matching degree lower than 100% (e.g., 75%). Furthermore, in some embodiments, higher weights can be set for the start and end points, so that the impact of start and end point mismatches on the matching degree is greater, highlighting the importance of link boundary events.

[0236] For example, when calculating the time interval compliance, a time interval threshold can be set for the time intervals of adjacent events. Then, the time interval can be calculated for each pair of adjacent nodes in a feasible path. Next, it is determined whether the time interval between adjacent nodes is less than or equal to the threshold. Finally, based on the number of time intervals that meet the threshold and the total number of time intervals, the time interval compliance is calculated. Assuming the role sequence corresponding to each node in a feasible path is start-transition-transition-end point, three time intervals can be calculated: "start-transition", "transition-transition", and "transition-end point". If two of these time intervals are less than or equal to the threshold, and the other time interval is greater than the threshold, then the time interval compliance is 2 / 3.

[0237] For example, field consistency can be calculated based on the compatibility strength between object clues and transmission parameters. Object clues, extracted from session events during the object extraction phase, identify the continuity of the same object across different events. Their content may include filename, object size, object type, fragment number, hash digest, page range, frame range, etc. Transmission parameters, extracted during the standardization process of end-side and network-side events, reflect the channel characteristics and transmission status of the object during transmission. Their content may include destination domain name, destination address, request path, session identifier, transmission direction, fragment size, fragment order, protocol type, and acknowledgment status, etc. Field consistency measures the compatibility strength between object clues and transmission parameters, determining whether events at each node along a feasible path truly revolve around the same object and the same transmission behavior.

[0238] Specifically, when calculating field consistency, several key fields in the object clues and transmission parameters can be selected for item-by-item comparison, and a field consistency score can be calculated based on the comparison results. For example, filename, object size, fragment sequence number, destination domain name, and session identifier can be used as comparison fields; fields that are completely consistent are scored as full marks, fields that allow for small deviations (such as object size, time-related transmission batches) are scored as matches within the tolerance range, and inconsistent fields are scored as mismatches. Subsequently, the field consistency value can be obtained based on the ratio of the number of matching fields to the total number of fields. For example, if a total of 5 fields are compared, and 4 of them meet the consistency or tolerance matching criteria, and only 1 field does not match, then the field consistency score can be 4 / 5. Furthermore, in some embodiments, fields that directly reflect the object's identity, such as filename, object size, and fragment sequence number, can be given higher weights, while protocol detail fields can be given lower weights, thereby making the object ontology-related fields have a greater impact on the final consistency result.

[0239] After obtaining the scores for each sub-item, a comprehensive score can be derived based on these scores to serve as the score for feasible paths. Optionally, the scores for each sub-item can be normalized, and then the normalized sub-item scores can be weighted and summed to obtain the comprehensive score. The weights corresponding to each sub-item score can be preset and adjusted according to actual needs.

[0240] In step 2174, based on the score of each feasible path, the time correlation result corresponding to the candidate carrier is determined.

[0241] Since each pair of adjacent nodes in a feasible path is established based on reachability, and reachability is determined based on temporal order, each feasible path is a link based on temporal order, also known as a time-related link. Correspondingly, the preferred feasible path determined from multiple feasible paths based on scoring can also be called a time-related result. In this embodiment, the preferred feasible path is called a time-related result because this step does not ultimately determine a single event, but rather the most reliable linkage link obtained by concatenating end-side events and network-side events on a unified timeline according to their temporal relationship, time interval rationality, and field consistency. This result essentially reflects how these events are related in time and which temporal order is most reasonable; therefore, it is described as a time-related result.

[0242] Optionally, before determining the preferred feasible path from multiple feasible paths, a list of key timestamps and a field-aligned summary can be generated for each time-related link (feasible path), and missing annotations can be added for unobservable parts such as missing handshakes, missing receipts, or missing segments. Then, the preferred feasible path is determined from the multiple feasible paths that have completed the aforementioned processing as the time-related result corresponding to the candidate carrier.

[0243] Key timestamps, field alignment summaries, and missing data annotations provide interpretable supplementary information for each feasible path. They serve both in scoring feasible paths and in further determining the preferred link when feasible paths have similar scores. Key timestamps clarify the specific times of each key stage (such as start-up triggering, connection establishment, data transmission, and destination receipt) on the feasible path, thus determining whether the feasible path has a reasonable temporal sequence and providing a direct basis for calculating time interval compliance. Field alignment summaries summarize the correspondence between object clues and transmission parameters at each node on the feasible path, such as whether filenames, object sizes, fragment numbers, destination domains, and session identifiers are consistently aligned, thus intuitively reflecting whether the feasible path indeed revolves around the same object and the same transmission behavior. Missing markers can be used to identify key links in the feasible path that should have appeared according to the expected business sequence but were not collected due to missing logs, blind spots in observation, or missing segments. For example, missing handshakes, missing receipts, or missing segments. Their purpose is to distinguish between "not observed" and "not originally present" to prevent the system from mistakenly treating missing evidence as the abnormal link itself.

[0244] Furthermore, in some embodiments, the determination of the preferred feasible path may not rely solely on a single overall score. Instead, it may involve first ranking the paths by score, and then combining key timestamps, field alignment summaries, and missing data annotations for selection. Specifically, the system can first calculate a comprehensive score for all feasible paths and rank them from highest to lowest to obtain a candidate sequence of feasible paths. If the feasible path with the highest score is significantly higher than the others, it can be directly identified as the preferred feasible path. If the scores of the top-scoring feasible paths are close, the system further compares whether the key timestamps of these high-scoring paths better match the expected business sequence, whether the field alignment summaries are more complete and consistent, and whether there are fewer missing data annotations or only minor missing steps. This allows the system to select the feasible path with stronger explanatory power and more complete evidence from the high-scoring feasible paths as the preferred feasible path. In other words, the score provides an overall credibility ranking, while the key timestamps, field alignment summaries, and missing data annotations provide detailed decision-making criteria after ranking.

[0245] As can be understood, in this embodiment, ranking based on scores is a preliminary step in determining the preferred feasible path. The preferred feasible path is the path with the best ranking or the strongest comprehensive interpretability selected based on the ranking results. In other words, ranking based on scores first arranges all feasible paths into a candidate list according to their score priority, and the preferred feasible path is the final selected path in this candidate list. When there are no ties or near ties, the preferred feasible path is usually the feasible path ranked first. When there are multiple paths with similar scores, a second comparison is performed by combining key timestamps, field alignment summaries, and missing data annotations to determine the final preferred feasible path.

[0246] Optionally, step 218, which generates the data detection result based on the candidate carrier set, the perturbation index, and the time correlation result, can also be combined with the aforementioned allowed flow rules for comprehensive judgment to generate the data detection result. In this way, by introducing allowed flow rules to constrain the source domain, destination domain, and transmission channel of the candidate carriers, detection judgment and policy governance are integrated, avoiding mismatches between technical approval and policy prohibition, and reducing compliance risks.

[0247] In some embodiments, step 218, which generates the data detection result based on the candidate carrier set and the time correlation result, may further include the following steps:

[0248] In step 2182, the subject, sender, receiver, and transmission channel type corresponding to the outgoing information are determined.

[0249] The "subject" can refer to the entity corresponding to the outgoing information, such as the initiator of the outgoing information. The subject can typically be identified through identity authentication information, such as a login account, a user bound to an IP address, or an application permission holder. For example, if the outgoing information is initiated by user 140, then the subject corresponding to the outgoing information could be user 140's account.

[0250] The sender (or source domain) can refer to the place that sends the outgoing information, that is, the "source" of transmitting the outgoing information. For example, it can be the original producer or sender of the outgoing information, or a source of information. For instance, a computer sending the outgoing information. In a computer network, the sender includes a source and a transmitter, responsible for generating data and performing encoding, modulation, and other processing. Specifically, the source generates the data to be transmitted and the transmitter converts it into a signal suitable for transmission in the transmission channel.

[0251] The receiver (or destination domain) can refer to the endpoint of the outgoing information, i.e., the "destination" of the outgoing information transmission. For example, it can be the recipient or final destination of the outgoing information, or the sink. For instance, it could be the server receiving the outgoing information. In computer networks, the receiver includes both a receiver and a sink, responsible for decoding, demodulating, and ultimately using the information. Specifically, the sink uses the receiver to restore the received signal into understandable information.

[0252] The transmission channel type can refer to the type of transmission channel used for the outgoing information.

[0253] All of the above information can be obtained from the outgoing information or its corresponding transmission data, or from the subject list, and will not be elaborated further here.

[0254] In step 2184, based on the subject, sender, receiver, and transmission channel type corresponding to the outgoing information, and in conjunction with the allowed flow rules, the matching result of the outgoing information in the allowed flow rules is determined.

[0255] Once the subject, sender, receiver, and transmission channel type corresponding to the outgoing information are determined, the information can be matched against the allowed flow rules to obtain the matching result.

[0256] As mentioned earlier, the allowed flow rules originate from the allowed flow matrix. The allowed flow matrix can be implemented as a directed domain-to-domain decision table: rows represent the source domain (sender), columns represent the destination domain (receiver), and each cell stores priority information for that transmission direction. Each allowed flow matrix corresponds to a subject and a transmission channel type. Therefore, for each transmission direction (each pair of sender and receiver), an allowed flow rule can be obtained, i.e., a compliant transmission constraint with the dimension of "subject-source domain (sender)-destination domain (receiver)-transmission channel type". Thus, by matching the subject, sender, receiver, and transmission channel type corresponding to the outgoing information in the corresponding allowed flow matrix, allowed flow rules that match all of these elements can be obtained. The matched allowed flow rules can be output as policy matching results.

[0257] As mentioned earlier, when matching allowed flow rules, in some cases, if multiple allowed flow rules are matched, one of them can be selected as the matched allowed flow rule. Optionally, all matched allowed flow rules can be collected first, and then conflicts can be gradually resolved according to a unified sorting and verification rule, ultimately retaining only one actually effective allowed flow rule as the basis for adjudicating the current outgoing information. Specifically, the system first retrieves all allowed flow rules that match the current outgoing information based on conditions such as the subject scope, source domain, destination domain, channel type, and carrier category; then, these allowed flow rules are sorted according to their priority information (allowed, restricted, or prohibited), for example, prohibited is higher than restricted, restricted is higher than allowed, and allowed flow rules with more specific application scope are higher than allowed flow rules with broader scope. If a temporary authorization rule with an exception number exists, the system first verifies whether all exception conditions corresponding to that exception number, such as approval status, applicable subject, applicable destination domain, applicable channel, and effective time period, are met. Only when all exception conditions are met will the exception's permission rule participate in priority sorting and may override the basic permission rules. If all or some exception conditions are not met, the exception's permission rule is directly removed. After sorting, the system selects the permission rule that is ranked first and whose conditions are verified as met as the final effective permission rule (i.e., the matched permission rule), and uses its decision value (priority information) as the sole decision result for the current outgoing information. In some cases, if multiple matched permission rules have the same priority, a second comparison can be performed according to rule granularity, rule version, generation time, or preset conflict resolution order until a unique result is obtained, thus obtaining a deterministic decision. It can be understood that this deterministic ruling means that for the same outgoing input, under the same rule version and the same effective period, the system always obtains the same final effective allowed flow rule according to the same set of retrieval, verification, sorting and coverage logic, and will not produce uncertain results due to differences in human interpretation or the coexistence of allowed flow rules.

[0258] As mentioned earlier, each allowed flow rule corresponds to priority information (allowed, restricted, or prohibited). Therefore, after obtaining the matched allowed flow rules, the priority information of the matched allowed flow rules can be obtained. Then, the policy deviation level can be calculated and output based on the priority information corresponding to the outgoing information.

[0259] Optionally, the strategy offset level can be calculated by adding a base deviation score to the condition violation score. Specifically, the matching allowed flow rules can be used as the basis, and their priority information (allowed, restricted, or prohibited) can be mapped to a base deviation score (e.g., allowed = 0, restricted = 1, prohibited = 2). Then, the current outgoing information is checked item by item to see if it meets the restrictions and exceptions attached to the matching allowed flow rules (e.g., subject scope, destination domain whitelist, designated channel, carrier category, approval / exception number, effective period, etc.). If any item is not met, the corresponding bonus score is added. Finally, the total score is mapped to no deviation, low deviation, medium deviation, or high deviation according to a preset range. For example, a total score of 0 can be judged as no deviation, a total score of 1 as low deviation, a total score of 2 as medium deviation, and a total score greater than or equal to 3 or a prohibited rule that is hit without a valid exception is directly judged as high deviation.

[0260] In this embodiment, the "permitted / restricted / prohibited" governance boundaries on the organizational side are formalized into computable constraints, and a deterministic ruling is given in the event of exceptions or priority conflicts. The policy deviation level is used as independent information in subsequent comprehensive analysis to reflect the distance between the current outgoing information and the compliance boundary.

[0261] It is understood that the matching result obtained in step 2184 may include the policy matching result and the policy deviation level.

[0262] In step 2186, based on the candidate carrier set, and combining the perturbation index, the time correlation result, and the matching result, the data detection result is generated.

[0263] In this way, by introducing flow permission rules to constrain the source domain, destination domain, and transmission channel of candidate carriers, detection and judgment are integrated with policy governance, avoiding mismatches between technical approval and policy prohibition, and reducing compliance risks.

[0264] In some embodiments, the aforementioned structural markers, along with the perturbation index, the time correlation result, and the matching result, can be combined to generate the data detection result. In this way, the structural markers can provide endorsement of structural consistency or penalty factors for structural inconsistency, thereby further improving the accuracy of the data detection result.

[0265] Further, optionally, step 2186 may also include a step of performing integrity verification on the perturbation index (in some cases, it may be a normalized perturbation index), the structural marker, and the time correlation result.

[0266] Specifically, the integrity of each piece of evidence is verified to ensure the completeness and validity of the minimum set of elements upon which the comprehensive judgment depends. Perturbation indices characterize the strength of container-level perturbations, structural markers provide evidence of container / structure consistency independent of perturbations, and temporal correlation results characterize the reachability and matching quality of the temporal causal chain from the endpoint to the network. The verification process simultaneously binds version and valid range, downgrading missing or out-of-bounds items to avoid amplifying the impact of poor data on the synthesis results.

[0267] In some embodiments, after integrity verification, a comprehensive score can be calculated based on the perturbation index, structural marker, time correlation result, and policy deviation level corresponding to each candidate carrier in the candidate carrier set. When the comprehensive score is greater than or equal to a threshold, the data detection result is positive, indicating a risk of data leakage. Optionally, when the data detection result is positive, the session corresponding to the outgoing information can be blocked, an alarm message can be generated, and then the alarm message can be sent to a designated terminal, such as a terminal monitoring data leakage, or the alarm message can be displayed on the screen of the data detection device 160.

[0268] In some embodiments, a synthesis function can be designed to calculate the comprehensive score. Thus, by inputting the perturbation index, structural marker, temporal correlation result, and policy deviation level corresponding to each candidate carrier in the candidate carrier set into the synthesis function, the comprehensive score can be output. The synthesis function employs monotonic, interpretable nonlinear mapping and weight aggregation for different evidence channels (i.e., different parameters), wherein: the perturbation index provides intensity information, the structural marker provides structural consistency endorsement or penalty factor, the temporal correlation result provides supporting weights based on temporal causality, and the policy deviation level serves as a governance-side gain term.

[0269] In some embodiments, a scoring model can be obtained by training an artificial intelligence (AI) model, and then the aforementioned synthesis function can be implemented using this scoring model. In this way, by inputting the perturbation index, structural label, temporal correlation result, and policy deviation level corresponding to each candidate carrier in the candidate carrier set into the pre-trained scoring model to output a comprehensive score, the efficiency of score generation can be improved.

[0270] Optionally, evidence quality and visibility degradation affect the final score in the form of penalty coefficients. This design ensures the monotonicity and robustness of "the more sufficient the evidence, the higher the overall score." Evidence quality can be comprehensively obtained from the actual execution status of each detection stage described in the aforementioned embodiments. It can be evaluated based on object completeness, parsing success rate, structural information completeness, temporal association chain completeness, side information availability, and the presence of missing fragments, missing fields, or delayed windowing. The more complete and stable these conditions are, the higher the evidence quality; conversely, the lower the quality. Visibility degradation occurs during parsing or association when the endpoint is unreachable, plaintext is not visible, only a web-side summary can be obtained, only partial structural information can be acquired, or only approximate measurements can be used. The system can label it as no degradation, mild degradation, moderate degradation, or severe degradation based on the degree of reduction in the current observable range relative to the ideal visible range. Therefore, evidence quality and visibility downgrades are not additional manual inputs, but are naturally generated by the data integrity, structural visibility, and downgrade execution status actually obtained in the aforementioned steps such as object parsing, candidate screening, and cross-channel concatenation. They can be converted into penalty coefficients during comprehensive analysis.

[0271] In some embodiments, a single threshold can be used to determine the overall score in one go. When the overall score is greater than or equal to the threshold, the output detection result is positive, and the session can be blocked and an alarm message can be generated according to policy constraints. At the same time, the evidence snapshot, rule version, and synthesis path are solidified to support audit reproduction. This single threshold mechanism avoids boundary jitter caused by multi-level classification and hysteresis, and preserves the interpretability of evidence and policy sources while ensuring the determinism of the response.

[0272] In this embodiment, time correlation results are obtained by serializing end-side and network-side events on a unified time axis. Then, the flow permission rules, perturbation indicators, and structural markers are linked to calculate the comprehensive score, and positive or negative results and disposal instructions are output according to the threshold, thereby identifying encryption, steganography, and low-speed fragment leakage.

[0273] As can be seen from the above embodiments, the data detection method provided by this disclosure constructs an event sequence from the transmitted data, then performs session reconstruction and object extraction based on the event sequence to obtain the carrier to be inspected, and then calculates a perturbation index on the carrier to be inspected. Thus, the data can be detected based on the perturbation index, which can discover hidden information in the data to a certain extent and ensure information security.

[0274] In some embodiments, perturbation metrics of the carrier can be used to cover steganography and encryption scenarios. Specifically, by calculating container echoes, incremental vine lengths, and phase echo metrics for three types of carriers—images, portable documents, and audio—anomalies in the container layer can be revealed without relying on plaintext content, enhancing detection capabilities under end-to-end encryption, screenshot / scanning bypass, and steganography embedding.

[0275] In some embodiments, cross-channel concatenation can be used to reconstruct outgoing links. Specifically, by concatenating end-side and network-side events on a unified timeline according to the subject, and outputting time correlation results and key timestamps, it is possible to reconstruct linked links and enhance the identification of leakage techniques such as low-speed fragmentation and cross-channel dilution.

[0276] In some embodiments, compliance priority can be achieved through policy coordination. Specifically, allow flow rules are introduced to constrain the source domain, destination domain, and transmission channel, and detection and judgment are integrated with policy governance to avoid mismatches between technical approval and policy prohibition, thereby reducing compliance risks.

[0277] It should be noted that the method of this disclosure embodiment can be executed by a single device, such as a computer or server. The method of this embodiment can also be applied to a distributed scenario, where multiple devices cooperate to complete the task. In such a distributed scenario, one of these devices may execute only one or more steps of the method of this disclosure embodiment, and the multiple devices will interact with each other to complete the method described.

[0278] It should be noted that the above description describes some embodiments of this disclosure. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recorded in the claims can be performed in a different order than that shown in the above embodiments and still achieve the desired result. Furthermore, the processes depicted in the drawings do not necessarily require a specific or sequential order to achieve the desired result. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.

[0279] This disclosure also provides a computer device for implementing the above-described data detection method. Figure 3 A schematic diagram of the hardware structure of an exemplary computer device 500 provided in an embodiment of this disclosure is shown. The computer device 500 can be used to implement... Figure 1 Terminal equipment 110, server 130, data detection equipment 160.

[0280] like Figure 3 As shown, the computer device 500 may include: a processor 502, a memory 504, a network interface 506, a peripheral interface 508, and a bus 510. The processor 502, memory 504, network interface 506, and peripheral interface 508 are interconnected within the computer device 500 via the bus 510.

[0281] Processor 502 may be a central processing unit (CPU), image processor, neural network processor (NPU), microcontroller (MCU), programmable logic device, digital signal processor (DSP), application-specific integrated circuit (ASIC), or one or more integrated circuits. Processor 502 can be used to perform functions related to the techniques described in this disclosure. In some embodiments, processor 502 may also include multiple processors integrated as a single logic component. For example, such as... Figure 3 As shown, processor 502 may include multiple processors 502a, 502b and 502c.

[0282] Memory 504 can be configured to store data (e.g., instructions, computer code, etc.). Figure 3 As shown, the data stored in memory 504 may include program instructions (e.g., one or more programs for implementing the data detection method of this disclosure embodiment) and data to be processed (e.g., the memory may store configuration files of other modules, etc.). Processor 502 may also access the program instructions and data stored in memory 504 and execute the program instructions to operate on the data to be processed. Memory 504 may include volatile or non-volatile storage devices. In some embodiments, memory 504 may include random access memory (RAM), read-only memory (ROM), optical disk, magnetic disk, hard disk, solid-state drive (SSD), flash memory, memory stick, etc.

[0283] Network interface 506 can be configured to provide communication with other external devices to computer device 500 via a network. This network can be any wired or wireless network capable of transmitting and receiving data. For example, the network can be a wired network, a local wireless network (e.g., Bluetooth, WiFi, Near Field Communication (NFC), etc.), a cellular network, the Internet, or a combination thereof. It is understood that the type of network is not limited to the specific examples described above.

[0284] Peripheral interface 508 can be configured to connect computer device 500 to one or more peripheral devices to enable information input and output. For example, peripheral devices may include input devices such as keyboard, mouse, touchpad, touch screen, microphone, and various sensors, as well as output devices such as monitor, speaker, vibrator, and indicator lights.

[0285] Bus 510 can be configured to transfer information between various components of computer device 500 (such as processor 502, memory 504, network interface 506, and peripheral interface 508), such as internal buses (e.g., processor-memory bus), external buses (USB port, PCI-E bus), etc.

[0286] It should be noted that although the architecture of the computer device 500 described above only shows the processor 502, memory 504, network interface 506, peripheral interface 508, and bus 510, in specific implementations, the architecture of the computer device 500 may also include other components necessary for normal operation. Furthermore, those skilled in the art will understand that the architecture of the computer device 500 described above may only include the components necessary for implementing the embodiments of this disclosure, and does not necessarily include all the components shown in the figures.

[0287] Based on the same inventive concept, corresponding to any of the above embodiments, this disclosure also provides a non-volatile computer-readable storage medium containing a computer program, which, when executed by one or more processors, causes the one or more processors to perform the data detection method.

[0288] The computer-readable medium of this embodiment includes permanent and non-permanent, removable and non-removable media, and information storage can be implemented by any method or technology. Information can be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, magnetic magnetic disk storage or other magnetic storage devices, or any other non-transfer medium that can be used to store information accessible by a computing device.

[0289] The computer program stored in the storage medium of the above embodiments is used to cause the one or more processors to execute the data detection method as described in any of the above embodiments, and has the beneficial effects of the corresponding method embodiments, which will not be repeated here.

[0290] Based on the same inventive concept, corresponding to the data detection method of any of the above embodiments, this disclosure also provides a computer program product, which includes one or more computer programs. In some embodiments, the one or more computer programs are executable by one or more processors to cause the one or more processors to perform the data detection method. Corresponding to the execution entity for each step in each embodiment of the data detection method, the processor executing the corresponding step may belong to the corresponding execution entity.

[0291] The computer program product of the above embodiments is used to cause the processor to execute the data detection method as described in any of the above embodiments, and has the beneficial effects of the corresponding method embodiments, which will not be repeated here.

[0292] Those skilled in the art should understand that the discussion of any of the above embodiments is merely exemplary and is not intended to imply that the scope of this disclosure (including the claims) is limited to these examples; within the framework of this disclosure, the technical features of the above embodiments or different embodiments can also be combined, the steps can be implemented in any order, and there are many other variations of different aspects of the embodiments of this disclosure as described above, which are not provided in detail for the sake of brevity.

[0293] Additionally, to simplify the description and discussion, and to avoid obscuring the embodiments of this disclosure, the provided drawings may or may not show well-known power / ground connections to integrated circuit (IC) chips and other components. Furthermore, the apparatus may be shown in block diagram form to avoid obscuring the embodiments of this disclosure, and this also takes into account the fact that the details of implementation of these block diagram apparatuses are highly dependent on the platform on which the embodiments of this disclosure will be implemented (i.e., these details should be fully understood by those skilled in the art). While specific details (e.g., circuits) have been set forth to describe exemplary embodiments of this disclosure, it will be apparent to those skilled in the art that the embodiments of this disclosure can be implemented without these specific details or with variations thereof. Therefore, these descriptions should be considered illustrative rather than restrictive.

[0294] Although this disclosure has been described in conjunction with specific embodiments thereof, many substitutions, modifications, and variations of these embodiments will be apparent to those skilled in the art from the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may be used with the embodiments discussed.

[0295] This disclosure is intended to cover all such substitutions, modifications, and variations that fall within the broad scope of the appended claims. Therefore, any omissions, modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this disclosure should be included within the scope of protection of this disclosure.

Claims

1. A data detection method, comprising: In response to the detection of outgoing information, the transmission data corresponding to the outgoing information is collected; Based on the transmitted data, an event sequence is constructed; Based on the event sequence, session reconstruction and object extraction are performed to obtain a set of carriers to be inspected; Calculate the perturbation index of each carrier in the set of carriers to be inspected; Based on the aforementioned perturbation index, data detection results are generated; The calculation of the perturbation index of each carrier in the set of carriers to be inspected includes: Determine the type of the carrier to be inspected, including image type, portable file format type, and audio type; In response to the fact that the type of the carrier to be inspected is an image type, the carrier to be inspected is recoded to obtain a recoded carrier; difference information between the recoded carrier and the carrier to be inspected is constructed, and feature information is extracted from the difference information; based on the feature information, the perturbation index of the carrier to be inspected is determined. In response to the fact that the type of the carrier under test is a portable file format type, the cross-references and object graph of the carrier under test are parsed to obtain incremental update information; based on the incremental update information, the perturbation index of the carrier under test is determined. In response to the fact that the type of the carrier under test is audio, the carrier under test is phase-expanded to obtain a phase change rate sequence; the sign change density and amplitude upper bound of the change rate of the phase change rate sequence are statistically analyzed to obtain phase feature information; based on the phase feature information, the perturbation index of the carrier under test is determined.

2. The method as described in claim 1, wherein, Based on the transmitted data, an event sequence is constructed, including: The transmitted data is parsed to obtain multiple events; Based on the transmitted data, determine the time calibration parameters; Based on the time calibration parameters and the source time corresponding to each event, a time field based on a unified time reference is generated for each event. Based on the time field corresponding to each event, the multiple events are sorted to obtain the event sequence.

3. The method as described in claim 1, wherein, Based on the event sequence, session reconstruction and object extraction are performed to obtain a set of carriers to be inspected, including: Based on the transmission channel and transmission protocol corresponding to each event in the event sequence, the events in the event sequence are classified to obtain at least one event set; For each event set, consecutive and causally related events in the event set are divided into session segments, and corresponding subject identifiers and device identifiers are bound to the session segments; Extract object clues from the conversation fragments; Obtain the object entity based on the object clues; Based on the subject identifier, the device identifier, the session fragment, and the object entity, construct a relationship graph; Based on the relationship graph, object entities that meet the preset conditions are selected as the carriers to be inspected, thus obtaining the set of carriers to be inspected.

4. The method of claim 1, wherein, Based on the aforementioned perturbation index, data detection results are generated, including: Based on the aforementioned perturbation index, anomaly detection is performed on the carrier under test; In response to determining that the carrier under test is abnormal, a set of candidate carriers is generated based on the carrier under test that is abnormal; Determine the temporal correlation result for each candidate vector in the candidate vector set; Based on the candidate carrier set, combined with the perturbation index and the time correlation result, the data detection result is generated.

5. The method of claim 4, wherein, Based on the aforementioned perturbation index, anomaly detection is performed on the carrier under test, including: Based on the structural information of the carrier under test, the structural consistency of the carrier under test is determined; Anomaly detection is performed on the carrier under test based on the perturbation index and the structural consistency of the carrier under test.

6. The method of claim 5, wherein, Determining the structural consistency of the carrier under inspection based on its structural information includes: In response to the fact that the type of the carrier under inspection is an image type, the structural consistency of the carrier under inspection is determined based on the consistency between the main image and the thumbnail corresponding to the carrier under inspection and the correlation of color channels. In response to the fact that the type of the carrier under inspection is a portable file format type, the structural consistency of the carrier under inspection is determined based on the matching relationship between the changes in the number and type of objects on the carrier under inspection and the changes in the visible pages; In response to the fact that the type of the carrier under test is audio, the structural consistency of the carrier under test is determined based on the consistency of the bitrate stability and semantic stability of the carrier under test.

7. The method of claim 6, wherein, Based on the perturbation index and structural consistency of the carrier under test, anomaly detection is performed on the carrier under test, including: In response to the fact that the type of the carrier to be inspected is an image type, when the feature information is within a preset range and the main image and the thumbnail are inconsistent or the color channel correlation is abnormal, it is determined that the carrier to be inspected is abnormal; In response to the fact that the type of the carrier to be inspected is a portable file format type, when the incremental update information is within a preset range and there is a mismatch between the change in the number of objects or the change in the type and the change in the visible page, it is determined that the carrier to be inspected is abnormal; In response to the fact that the type of the carrier to be inspected is audio, when the phase feature information is within a preset range and the bit rate distribution is stable but the semantics are unstable, it is determined that the carrier to be inspected is abnormal.

8. The method of claim 4, wherein, Determining the temporal correlation result of each candidate vector in the candidate vector set includes: For each candidate vector in the candidate vector set, determine the source object and discovery time corresponding to the candidate vector; Based on the source object, determine the subject identifier and device identifier corresponding to the candidate carrier; A time window is determined centered on the discovery time, and within the time window, associated events corresponding to the candidate carrier are retrieved based on the subject identifier and the device identifier to obtain a set of associated events; Each associated event in the set of associated events is labeled with a start point, transition, or end point to obtain the labeled set of associated events. For the set of labeled associated events, the reachability relationships between the associated events are established under the constraints of time monotonicity, subject consistency, and device consistency, and an event relationship graph corresponding to the candidate carrier is generated. Search for feasible paths from the start point to the end point in the event relationship graph, and calculate a score for each feasible path; Based on the score of each feasible path, the time correlation result corresponding to the candidate carrier is determined.

9. The method of claim 4, wherein, Based on the candidate carrier set, combined with the perturbation index and the time correlation result, the data detection result is generated, including: Determine the subject, sender, receiver, and transmission channel type corresponding to the outgoing information; Based on the subject, sender, receiver, and transmission channel type corresponding to the outgoing information, and in conjunction with the allowed flow rules, the matching result of the outgoing information in the allowed flow rules is determined; Based on the candidate carrier set, and combined with the perturbation index, the time correlation result, and the matching result, the data detection result is generated.

10. The method of claim 9, further comprising: Establish a list of main entities and a list of transmission channels; Based on the main entity list and the transmission channel list, an allowed flow matrix from the sender to the receiver is constructed, and priority information is configured in the allowed flow matrix to generate the allowed flow rules.

11. The method of claim 10, wherein, Establish a main entity list and a transmission channel list, including: Acquire multi-source data; Based on the device identifiers in the multi-source data, the entities are merged, and entity identifiers are assigned to the merged entities; Based on the multi-source data, the metadata corresponding to the subject identifier is extracted, and the subject list is generated based on the metadata and the subject identifier.

12. A computer device comprising one or more processors, a memory, and one or more programs, wherein the one or more programs are stored in the memory and executed by the one or more processors, the one or more programs comprising instructions for performing the method of any one of claims 1 to 11.

13. A non-volatile computer-readable storage medium comprising a computer program, which, when executed by one or more processors, causes the one or more processors to perform the method of any one of claims 1 to 11.

14. A computer program product comprising one or more computer programs that, when executed by one or more processors, implement the method as described in any one of claims 1 to 11.