Method and device for constructing cloud-native AI operation and maintenance audit based on security management and control computing
By building a cloud-native management and control platform and an AI model, we have achieved real-time understanding and risk identification of operation and maintenance, and dynamically adjusted permissions. This has solved the problems of multi-cloud environment management and security response lag in traditional operation and maintenance models, improved the precision and real-time nature of auditing, and met data privacy compliance requirements.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SHENZHEN Y& D ELECTRONICS CO LTD
- Filing Date
- 2026-03-18
- Publication Date
- 2026-07-03
AI Technical Summary
Traditional operation and maintenance models are complex to manage in multi-cloud environments, have slow security incident response, low audit efficiency, and cannot effectively monitor the arbitrary sharing of privileged accounts and trace responsibility, threatening the security of core enterprise data.
We build a cloud-native management and control platform, which transforms character streams into structured semantic units through lightweight agents and AI models. We introduce risk scoring and dynamic verification, implement fine-grained permission management, implement encrypted communication channels, realize dynamic permission policies, perform streaming full auditing and intelligent log processing, perform millisecond-level in-process blocking, and build cross-domain collaborative auditing based on federated learning and privacy computing.
It enables real-time understanding and risk identification of operation and maintenance, dynamically adjusts permissions, reduces the risk of data leakage, improves the precision and real-time nature of auditing, solves the problems of multi-cloud environment management and security response lag in traditional models, and meets data privacy compliance requirements.
Smart Images

Figure CN121887539B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of information security technology, and in particular to a cloud-native AI operation and maintenance auditing method and apparatus based on security management computing. Background Technology
[0002] In today's digital transformation, enterprise IT infrastructure is becoming increasingly complex, but operational security risks have long been overlooked. For example, when privileged accounts are shared freely among multiple departments, when operational operations lack effective monitoring, and when it is impossible to trace the responsible party after a security incident, this not only violates the principle of least privilege but also seriously threatens the security of the enterprise's core data assets.
[0003] With the rapid development of cloud computing and artificial intelligence technologies, enterprise IT operations and maintenance environments are undergoing profound changes. Traditional operations and maintenance models face challenges such as complex multi-cloud environment management, delayed security incident response, and low auditing efficiency, while the deep integration of cloud-native and AI technologies has brought revolutionary breakthroughs to modern bastion hosts. Summary of the Invention
[0004] To address the aforementioned technical problems, this invention provides a cloud-native AI operation and maintenance auditing method based on security management computing, employing the following technical solution, including the following steps:
[0005] Build a cloud-native management and control platform;
[0006] By using lightweight proxies and AI models, the raw character stream is transformed into structured, understandable semantic units, outputting structured semantic data.
[0007] Based on the structured semantic data, by introducing risk scoring and continuous verification, a dynamically changing permission boundary is constructed, and a dynamic permission policy is output.
[0008] Based on the dynamic permission policy, the operation records are transformed into an ordered and analyzable data stream, which is then used for streaming full auditing and intelligent log processing to output a real-time audit data stream.
[0009] Based on the real-time audit data stream, intervention is carried out on ongoing risky operations to achieve millisecond-level in-process blocking, upgrading the response mode of security incidents from passive auditing to proactive defense.
[0010] Construct cross-domain collaborative auditing for federated learning and privacy-preserving computation.
[0011] Preferably, the step of constructing the cloud-native management and control platform specifically includes:
[0012] Containerized deployment and orchestration based on Kubernetes protocol proxy;
[0013] Build encrypted communication channels between microservices and implement fine-grained network access policies;
[0014] By using API-driven methods, asset information on different cloud environments and physical machines is automatically discovered and synchronized to form a unified resource view.
[0015] Preferably, the step of converting the original character stream into structured, understandable semantic units and outputting structured semantic data through a lightweight proxy and AI model specifically includes:
[0016] Perform multi-protocol traffic proxying and kernel-level forwarding optimization;
[0017] Based on NLP, perform semantic parsing and structuring of operation and maintenance instructions;
[0018] Perform data plane performance optimization and hybrid model inference.
[0019] Preferably, the step of constructing dynamically changing permission boundaries and outputting dynamic permission policies based on the structured semantic data by introducing risk scoring and continuous verification specifically includes:
[0020] Analyze user entity behavior and calculate trust scores;
[0021] Based on real-time trust scores and context information, dynamically adjust user permissions;
[0022] Implement strong authentication at login portals and key operational nodes.
[0023] Preferably, the step of converting operation records into an ordered, analyzable data stream based on the dynamic permission policy, performing streaming full auditing and intelligent log processing, and outputting a real-time audit data stream specifically includes:
[0024] Based on the aforementioned dynamic permission policy, the raw logs generated by the protocol proxy layer are collected, parsed, and distributed in real time.
[0025] By combining command text logs with graphical operation recordings, a dual-track audit record of command logs and video recordings is formed.
[0026] Transform non-searchable text content in the graphical interface into indexable and searchable structured data.
[0027] Preferably, the step of intervening in ongoing risky operations based on the real-time audit data stream to achieve millisecond-level in-process blocking, and upgrading the security event response mode from passive auditing to proactive defense, specifically includes:
[0028] Based on the real-time audit data stream, millisecond-level inference is performed on the streaming operation feature vector to identify complex abnormal behavior patterns that deviate from the baseline.
[0029] Upon receiving a high-risk instruction from the AI model, the system intercepts a single high-risk system call without interrupting the entire session, achieving microsecond-level zero-latency blocking.
[0030] This extends a single disruption event into a complete handling process, forming an automated closed loop from detection to recovery.
[0031] Preferably, the step of constructing cross-domain collaborative auditing for federated learning and privacy computing specifically includes:
[0032] Sensitive audit logs are cleaned and their features extracted locally, and noise is added before the shared model gradient.
[0033] Without touching the original data, we aggregate encrypted or noisy model parameters from different participants and update a general model that represents the whole.
[0034] Each node receives a global model containing cross-organizational common knowledge and performs local fine-tuning based on its own operation and maintenance environment to form a hybrid detection capability that combines general and local features, thereby enabling cross-regional threat intelligence collaboration.
[0035] To address the aforementioned technical problems, this invention also provides a cloud-native AI operation and maintenance auditing device based on security management computing, employing the following technical solution, including:
[0036] The base module is used to build a cloud-native management and control base.
[0037] The conversion module is used to convert the raw character stream into structured, understandable semantic units through a lightweight agent and an AI model, outputting structured semantic data.
[0038] The module is used to construct dynamically changing permission boundaries and output dynamic permission policies based on the structured semantic data by introducing risk scoring and continuous verification.
[0039] The conversion module is used to convert operation records into an ordered and analyzable data stream based on the dynamic permission policy, perform streaming full audit and intelligent log processing, and output real-time audit data stream;
[0040] The blocking module is used to intervene in ongoing risky operations based on the real-time audit data stream, achieving millisecond-level in-process blocking and upgrading the response mode of security events from passive auditing to proactive defense.
[0041] The collaboration module is used to build cross-domain collaborative auditing for federated learning and privacy computing.
[0042] To address the aforementioned technical problems, the present invention also provides a computer device that employs the technical solution described below, comprising a memory and a processor. The memory stores computer-readable instructions, and the processor, when executing the computer-readable instructions, implements the steps of the aforementioned cloud-native AI operation and maintenance auditing method based on security management computing.
[0043] To address the aforementioned technical problems, the present invention also provides a computer-readable storage medium, which employs the technical solution described below. The computer-readable storage medium stores computer-readable instructions, which, when executed by a processor, implement the steps of the aforementioned cloud-native AI operation and maintenance auditing method based on security control computing.
[0044] Compared with the prior art, the present invention has the following main advantages:
[0045] (1) By introducing an AI model, the original character stream is transformed into structured semantic units. This means that the system can not only record what commands were executed, but also understand the impact of the commands on the business level, providing a high-quality standardized data foundation for subsequent intelligent analysis and policy control, and significantly improving the precision of auditing.
[0046] (2) Based on structured semantic data, a dynamic risk scoring and continuous verification mechanism is introduced to construct a real-time changing permission boundary. More importantly, through the analysis of real-time audit data streams, the system can block ongoing risky operations at the millisecond level. This completely changes the traditional reactive approach, upgrading security response from passive auditing to proactive defense, and greatly reducing the risk of core data leakage.
[0047] (3) Built on a cloud-native management and control platform, it achieves elastic access through a lightweight agent, which can better adapt to distributed and containerized modern IT infrastructure. The streaming full audit processing method also solves the problems of large log volume and high processing latency in the traditional mode, ensuring the real-time audit and system stability in high-concurrency operation and maintenance scenarios.
[0048] (4) A cross-domain collaborative auditing mechanism for federated learning and privacy-preserving computation has been introduced. This enables auditing models to be trained and risk intelligence to be shared between different security domains or VPCs without exchanging raw data. This satisfies data privacy compliance requirements and achieves unified security control from a global perspective, solving the blind spot problem of traditional technologies in multi-regional collaborative auditing. Attached Figure Description
[0049] To more clearly illustrate the solutions in this invention, the accompanying drawings used in the description of the embodiments of this invention will be briefly introduced below. Obviously, the drawings described below are some embodiments of this invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.
[0050] Figure 1 This is a flowchart of an embodiment of the cloud-native AI operation and maintenance auditing method based on security management computing of the present invention;
[0051] Figure 2 This is a diagram of the cloud-native management and control foundation architecture constructed in the cloud-native AI operation and maintenance auditing method based on security management and control computing of the present invention;
[0052] Figure 3 This is a schematic diagram illustrating the application of the cloud-native AI operation and maintenance auditing method based on security control computing, as described in this invention, in the financial industry for federated learning and real-time risk control.
[0053] Figure 4 This is a schematic diagram illustrating the application of the cloud-native AI operation and maintenance auditing method based on security management computing, as described in this invention, in the government sector for unified hybrid cloud management and compliance auditing.
[0054] Figure 5 This is a schematic diagram of a structure of an embodiment of the cloud-native AI operation and maintenance auditing device based on security management computing of the present invention;
[0055] Figure 6 This is a schematic diagram of the structure of an embodiment of the computer device of the present invention. Detailed Implementation
[0056] Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention pertains; the terminology used herein in the specification is for the purpose of describing particular embodiments only and is not intended to limit the invention; the terms "comprising" and "having," and any variations thereof, in the specification, claims, and foregoing drawings are intended to cover non-exclusive inclusion. The terms "first," "second," etc., in the specification, claims, or foregoing drawings are used to distinguish different objects and not to describe a particular order.
[0057] In this document, the term "embodiment" means that a particular feature, structure, or characteristic described in connection with an embodiment may be included in at least one embodiment of the invention. The appearance of this phrase in various places throughout the specification does not necessarily refer to the same embodiment, nor is it a separate or alternative embodiment mutually exclusive with other embodiments. It will be explicitly and implicitly understood by those skilled in the art that the embodiments described herein can be combined with other embodiments.
[0058] To enable those skilled in the art to better understand the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings.
[0059] It should be noted that the cloud-native AI operation and maintenance auditing method based on security control computing provided in the embodiments of the present invention is generally executed by a server / terminal device. Correspondingly, the cloud-native AI operation and maintenance auditing device based on security control computing is generally set in the server / terminal device.
[0060] It should be understood that the number of terminal devices, networks, and servers is merely illustrative. Depending on implementation needs, any number of terminal devices, networks, and servers can be used.
[0061] Example 1
[0062] Please refer to Figure 1 The flowchart illustrates an embodiment of the cloud-native AI operation and maintenance auditing method based on security-management computing according to the present invention. The cloud-native AI operation and maintenance auditing method based on security-management computing includes the following steps:
[0063] Step S1: Build a cloud-native management and control platform.
[0064] In this embodiment, the electronic devices (e.g., servers / terminal devices) running on the cloud-native AI operation and maintenance audit method based on security management computing can receive cloud-native AI operation and maintenance audit requests based on security management computing via wired or wireless connections. It should be noted that the aforementioned wireless connection methods may include, but are not limited to, 3G / 4G / 5G connections, WiFi connections, Bluetooth connections, WiMAX connections, Zigbee connections, UWB (ultra-wideband) connections, and other currently known or future known wireless connection methods.
[0065] In this embodiment, step S1 may specifically include the following steps:
[0066] S11 is a protocol proxy based on Kubernetes, used for containerized deployment and orchestration.
[0067] Use Docker to package the protocol proxy program (based on OpenSSH secondary development) and its dependent environment into an image. Define the basic runtime environment through Dockerfile to ensure consistency between development, testing, and production environments.
[0068] Write the Kubernetes Deployment and Service YAML files. The Deployment defines the number of Pod replicas, update strategy (such as rolling updates), resource requests and limits (such as requests: cpu: "1" memory: "2Gi"). Service resources expose stable internal or external access points through ClusterIP or LoadBalancer types.
[0069] Configure HorizontalPodAutoscaler (HPA) to automatically adjust the number of replicas of protocol proxy Pods based on key performance metrics such as concurrent SSH connections and CPU utilization. For example, when a provincial operator performs network cutover, HPA triggers a rapid expansion of the number of replicas from 20 to 200 based on real-time monitoring data, achieving second-level elasticity and ensuring stability during peak business periods.
[0070] The purpose of step S11 is to break down traditional protocol proxy services such as SSH, RDP, and SFTP into stateless containerized components, enabling rapid deployment, version control, and elastic scaling.
[0071] S12 establishes encrypted communication channels between microservices and implements fine-grained network access policies.
[0072] Enable auto-injection tags (e.g., istio-injection=enabled) on the Kubernetes namespace to automatically inject the Envoy Sidecar container into each protocol proxy Pod. All inbound and outbound traffic will pass through the Sidecar proxy.
[0073] By configuring global or local mTLS modes (such as STRICT mode) through Istio's PeerAuthentication resource, all inter-service communication within the cluster is forced to be encrypted using the TLS 1.3 protocol. Istio's Citadel component is responsible for automatically issuing and rotating short-term certificates (valid for 24 hours) for each service, significantly reducing the risk of certificate leakage.
[0074] Access permissions between microservices are defined using AuthorizationPolicy and Sidecar resources. For example, a configuration policy can restrict the audit service Pod to communicate only with storage layer Pods (such as Elasticsearch), while prohibiting it from directly accessing the external network, thus implementing a whitelist security model that denies access by default.
[0075] The purpose of step S12 is to prevent lateral movement and ensure secure communication between the access layer, control layer, and audit layer by integrating service mesh with the zero-trust network.
[0076] S13, through API-driven methods, automatically discovers and synchronizes asset information on different cloud environments and physical machines, forming a unified resource view.
[0077] Cloud environments include, but are not limited to, public clouds, private clouds, and edge clouds.
[0078] Develop a multi-cloud connector module that integrates SDKs from major cloud vendors (such as AWS SDK, Azure SDK, and Alibaba Cloud SDK). By configuring cloud account credentials, it periodically calls interfaces such as ListInstances and DescribeInstances of various cloud platforms to synchronize asset information such as cloud servers and RDS instances.
[0079] For edge devices or physical servers deployed behind an enterprise firewall, deploy a lightweight proxy. This proxy establishes a persistent connection with the central management platform via gRPC or WebSocket, traverses NAT, and reports asset status and performance data via heartbeat.
[0080] Heterogeneous asset data from different sources (cloud host IDs, private IPs, tags, etc.) are cleaned and transformed into standardized resource objects within the platform. A synchronization strategy combining incremental discovery and full discovery is adopted, along with a message queue (such as Kafka) to ensure the real-time transmission of resource change events, achieving eventual consistency of assets.
[0081] The purpose of step S13 is to solve the problem of fragmented management in multi-cloud environments.
[0082] Figure 2 This is a diagram of the cloud-native management and control foundation architecture built in the cloud-native AI operation and maintenance auditing method based on security management and control computing of this invention. (See diagram for example.) Figure 2As shown, the cloud-native management and control platform adopts a layered architecture design, organically integrating cloud-native components and AI modules to achieve a flexible, secure, and intelligent operation and maintenance audit system. The cloud-native management and control platform includes an access layer, control layer, audit layer, storage layer, and AI model layer. The access layer performs multi-protocol proxying and secure access, providing a unified operation and maintenance entry point and supporting multiple operation and maintenance protocols. The control layer performs identity authentication, permission management, and session management. It establishes a complete 4A architecture system for user identity authentication, permission management, and session lifecycle management. This architecture originates from best practices in enterprise privileged access management (PAM), building a comprehensive operation and maintenance security defense through interconnected modules. The audit layer records and analyzes operation behavior in real time, generating real-time analysis and alerts. The storage layer persistently stores audit logs. Audit logs use encrypted storage technologies (such as TLS 1.3) and blockchain notarization technology to ensure log integrity and immutability, meeting compliance requirements. The AI model layer performs behavior analysis and command understanding, supporting online model updates without service interruption.
[0083] The purpose of step S1 is to lay the foundation for the entire auditing method, and to solve the problems of low resource utilization, poor elastic scaling and fragmented management of multi-cloud environments of traditional bastion hosts through cloud-native methods, so as to provide a high-performance, highly available and observable operating environment for upper-layer AI applications.
[0084] Step S2: Through a lightweight agent and an AI model, the original character stream is converted into structured, understandable semantic units, and structured semantic data is output.
[0085] In this embodiment, step S2 may specifically include the following steps:
[0086] S21 performs multi-protocol traffic proxying and kernel-level forwarding optimization.
[0087] For SSH, the proxy component acts as a man-in-the-middle, first authenticating with the client, and then establishing a session with the target server using a separate connection. Transparent traffic redirection is achieved by modifying the client's default connection port or using DNS resolution to point to the proxy IP.
[0088] In the data plane portion of the proxy component, eBPF (Extended Berkeley Packet Filter) technology is used to mount socket filters or XDP programs at the Linux kernel level. Packet parsing and forwarding decisions are made directly in kernel space, bypassing lengthy user-space protocol stack processing, reducing network latency from milliseconds to microseconds compared to traditional proxies.
[0089] Create an independent network namespace or container sandbox for each user session at the proxy layer to ensure complete isolation of the network environment and process space between different sessions, preventing information leakage and attack penetration.
[0090] The purpose of step S21 is to serve as a unified operation and maintenance entry point, transparently proxying SSH, RDP, SFTP and other protocol traffic, intercepting, parsing and forwarding traffic without changing user operating habits, and reducing forwarding latency through kernel technology.
[0091] S22, based on NLP, performs semantic parsing and structuring of operation and maintenance instructions.
[0092] For the SSH protocol, the complete command-line string is extracted from the channel data; for RDP, user keyboard input and mouse operations are obtained through a virtualized channel. Regular expressions and a lexical analyzer (such as ANTLR) are used to perform tokenization and preliminary construction of the syntax tree on the input.
[0093] A pre-trained BERT (Bidirectional Encoder Representation from Transformer) model was fine-tuned on a massive corpus of operational commands. When a command-line statement such as "rm -rf / var / log / " was input into the model, it was able to recognize:
[0094] Operation type: File deletion.
[0095] The target of the operation is the / var / log / directory.
[0096] Risk level: High (-rf parameter applies to critical directories).
[0097] Context awareness: The model not only analyzes individual commands but also combines historical command sequences to understand the operational context. For example, consecutive commands like `cd / etc`, `cat shadow`, and `vim sshd_config` will be identified by the model as sensitive file access behavior patterns.
[0098] The purpose of step S22 is to perform real-time parsing of the command line text flowing through the agent, not only to identify the literal meaning of the command, but also to understand its operational intent, target object and potential risks, and to transform unstructured text into structured audit data.
[0099] S23 performs data plane performance optimization and hybrid model inference.
[0100] A two-level inference architecture is adopted. A lightweight classification model (such as distilled MiniLM or FastText) is deployed on the agent node (edge) to quickly screen all operations, mark obviously safe operations for permission, and only identify high-risk or ambiguous requests.
[0101] The high-risk operations and their corresponding session contexts after initial screening are forwarded to the large model (such as a Transformer-based model) in the central control layer via an asynchronous message queue (such as Kafka) for in-depth semantic analysis and risk assessment.
[0102] For common, risk-free command combinations, the inference results are stored in a local LRU cache. When the same command sequence appears again, the risk score is retrieved directly from the cache, avoiding duplicate calculations and significantly reducing the average response latency (keeping it within 200ms).
[0103] The purpose of step S23 is to balance the accuracy of semantic parsing with the processing speed in high-concurrency scenarios, ensuring that AI analysis does not become a bottleneck in operation and maintenance.
[0104] The purpose of step S2 is to focus on the unification and in-depth analysis of the operation and maintenance entry point, laying a data foundation for subsequent intelligent management and control.
[0105] Step S3: Based on the structured semantic data, a dynamically changing permission boundary is constructed by introducing risk scoring and continuous verification, and a dynamic permission policy is output.
[0106] In this embodiment, step S3 may specifically include the following steps:
[0107] S31 analyzes user entity behavior and calculates trust scores.
[0108] Extract time-series features (operation frequency, time interval), content features (command type entropy, sensitivity of accessed file paths), and environmental features (login IP geolocation, device fingerprint) from audit logs. These features constitute a vector representation of the current behavior. .
[0109] A Transformer-based time-series anomaly detection model is employed to learn users' historical behavioral patterns. By learning the distribution of normal data, the model can reconstruct the input sequence and calculate the reconstruction error. The larger the error, the more the current behavior deviates from the baseline.
[0110] By integrating multi-dimensional features and model detection results, a real-time trust score is calculated. . in: Indicates the user's time Real-time trust score, with a value range of [value range missing]. A higher score indicates greater credibility. This represents a user's basic trust value, which is usually set based on the user's role (such as DBA, operations engineer) and historical reputation. Indicates the first The weighting coefficients of each risk factor (such as abnormal login IP, unconventional operation time, and high-risk command execution) can be dynamically adjusted through the analytic hierarchy process or machine learning models. It is a binary variable or a continuous variable, representing time... Did the first one detect? Each risk factor and its severity. For example, if login from a non-work location is detected, .
[0111] The purpose of step S31 is to establish a dynamic behavioral baseline for users based on historical data and real-time operations, quantify the risk level of their current behavior, and generate a real-time trust score.
[0112] S32 dynamically adjusts user permissions based on real-time trust scores and contextual information.
[0113] Building upon the traditional four-tuple of user, device, time, and protocol, a fifth dimension—trust score range—is added. Permissions are no longer statically assigned to roles, but rather assigned to roles that fall within a specific trust score range.
[0114] When trust rating Below the preset threshold But above the blocking threshold At this time, the Policy Decision Point (PDP) automatically triggers a privilege downgrade. For example, a DBA user who originally had write permissions to the production database may have their privileges temporarily downgraded to read-only when their risk score increases, as the Policy Execution Point (PEP) will intercept UPDATE, DELETE, and other statements in the session.
[0115] When operations and maintenance personnel need to perform urgent, high-risk operations (such as modifying core configuration files), they can apply for temporary authorization through the ticketing system. Upon system approval, a temporary permission token with a very short validity period (minimum 5 minutes) is generated. After the token expires, the permissions are automatically revoked, effectively reducing the risk of permission leaks.
[0116] The purpose of step S32 is to dynamically adjust user permissions based on real-time trust scores and context information, thereby enabling on-demand and real-time allocation of permissions and overcoming the drawbacks of permanent permissions.
[0117] S33 implements strong authentication at login portals and key nodes in operation and maintenance.
[0118] It supports combined authentication using passwords, dynamic tokens (time-based one-time passwords, TOTPs, such as Google Authenticator), biometrics (fingerprints, facial recognition), and USB keys (compliant with standards such as SQY20). It integrates enterprise identity sources (such as Active Directory domains, Okta) to achieve single sign-on (SSO), but access to critical assets still triggers MFA.
[0119] During long-lived connection sessions (such as SSH), a periodic challenge mechanism is introduced. For example, after 30 minutes of inactivity, or before the user executes a high-risk command such as `sudo su -`, the session management component forces the user to perform secondary biometric verification.
[0120] It works in conjunction with the behavior analysis engine. If the system detects the trust score of the current session... A sharp drop in activity will immediately trigger an MFA verification request to the user, even if the operation has not been blocked, nipping the potential risk of account loss in the bud.
[0121] The purpose of step S33 is to implement strong authentication at the login portal and key nodes of operation and maintenance to ensure that the operator is a real person and the person in question, and to prevent session hijacking and identity theft.
[0122] The purpose of step S3 is to overturn the traditional static authorization model by introducing risk scoring and continuous verification to build a dynamically changing permission boundary, thereby achieving zero-trust access control that never trusts and always verifies.
[0123] Step S4: Based on the dynamic permission policy, the operation records are transformed into an ordered and analyzable data stream, and streaming full audit and intelligent log processing are performed to output a real-time audit data stream.
[0124] In this embodiment, step S4 may specifically include the following steps:
[0125] S41, Based on the dynamic permission policy, the raw logs generated by the protocol proxy layer are collected, parsed and distributed in real time.
[0126] Configure Filebeat or Fluentd as the log collection agent in all protocol agent Pods to send the generated operation logs and command records to a specific Topic in the Kafka cluster in real time. Kafka, as a high-throughput message queue, plays a role in peak shaving, valley filling, and data buffering.
[0127] Deploy an Apache Flink task to consume data from Kafka. The Flink task parses the raw log format and extracts key fields (user, IP, command, return code, timestamp, etc.).
[0128] The parsed structured data stream is split into two parts. One part of the data (such as operation metadata and command text) is written to Elasticsearch in real time for fast retrieval; the other part of the data (such as feature vectors) is sent to the KafkaTopic in the AI model layer for real-time inference by the model.
[0129] The purpose of step S41 is to collect, parse, and distribute the raw logs generated by the protocol proxy layer in real time, thereby realizing the transformation from batch processing to stream processing and reducing the audit latency from minutes to seconds.
[0130] S42 combines command text logs with graphical operation recordings to form a dual-track audit record of command logs and video recordings.
[0131] Text logs—precisely record every character the user enters in the SSH or RDP command-line window and the execution results.
[0132] Video recording – Through a protocol proxy component, screen changes from graphical interfaces such as RDP or VNC are captured frame by frame and encoded and compressed into video streams in H.264 or VP9 format.
[0133] Generate a globally unique Session ID for each operations and maintenance session. Each frame of text logs and video recordings is tagged with this Session ID and a precise timestamp.
[0134] Video recordings are stored as unstructured data in object storage (such as MinIO or S3). Text log entries stored in Elasticsearch are associated with video recordings using a Session ID and an absolute timestamp. Auditors can view the logs by clicking on any command record to jump to the corresponding video feed.
[0135] The purpose of step S42 is to both meet the need for rapid retrieval and provide a complete visual chain of evidence.
[0136] S43 transforms unsearchable text content in the graphical interface into indexable and searchable structured data.
[0137] Graphical interfaces such as Windows server configuration and database management tools.
[0138] For RDP session recording, a background task periodically reads video files from object storage and extracts keyframes (e.g., every 5 seconds or at the moment of a mouse click). The extracted images are then sent to an OCR engine (such as Tesseract OCR or a self-developed deep learning OCR model).
[0139] The OCR engine identifies text information such as menus, button names, and configuration file contents in the image. This identified text, along with its timestamps in the video, is then reorganized into an audit log entry and written to Elasticsearch.
[0140] When a user searches for changes to their IP address on the auditing platform, the search engine not only matches ifconfig or nmcli in the command logs, but also searches for all the user's operations on the Windows network settings interface through OCR content, greatly improving the comprehensiveness of the audit and the efficiency of the search.
[0141] The purpose of step S43 is to compensate for the blind spots of pure command auditing by retrieving unstructured data driven by OCR and NLP.
[0142] Step S4 transforms massive, scattered operation records into an ordered, analyzable data stream. Through real-time processing technology, it cleans, enriches, and aggregates the audit data, providing high-quality data fuel for upper-level AI analysis.
[0143] Step S5: Based on the real-time audit data stream, intervene in ongoing risky operations to achieve millisecond-level in-process blocking, upgrading the response mode of security events from passive auditing to proactive defense.
[0144] In this embodiment, step S5 may specifically include the following steps:
[0145] S51, based on the real-time audit data stream, perform millisecond-level inference on the streaming operation feature vector to identify complex abnormal behavior patterns that deviate from the baseline.
[0146] The trained Transformer or LSTM anomaly detection model is encapsulated into a high-performance REST / gRPC inference service using Kubeflow or TensorFlowServing. This service is deployed on a Kubernetes cluster and supports horizontal autoscaling.
[0147] Flink real-time tasks concurrently send the processed feature vectors (such as an embedding vector containing the most recent 50 command sequences) to the inference server endpoint.
[0148] Transformer or LSTM anomaly detection models score the behavioral sequence of the current session and output an anomaly score. . The higher the value, the greater the likelihood that the sequence exhibits abnormal behavior. If Exceeding the preset dynamic threshold The inference service immediately pushes alerts and risk details (such as detecting suspected permission probing behavior with a 99% confidence level) to the downstream response module.
[0149] The purpose of step S51 is to identify complex abnormal behavior patterns that deviate from the baseline through real-time detection of deep abnormal behavior based on Transformer, such as slow permission probing and attacks disguised as normal commands.
[0150] Upon receiving a high-risk instruction from the AI model, S52 intercepts a single high-risk system call without interrupting the entire session, achieving microsecond-level zero-latency blocking.
[0151] The policy decision point (PDP) of the control layer receives anomaly scores. Then, a blocking instruction is generated, which includes the PID of the target session and the system call number to be blocked (such as SYS_unlink corresponding to the rm command).
[0152] In the target host kernel, an eBPF program is preloaded and mounted at sys_entertracepoint (the entry point for all system calls). This eBPF program maintains a map of blocking rules dynamically issued by the control layer.
[0153] When a user process initiates a system call, the eBPF program is triggered. It extracts the current process's PID and system call number from the ctx parameter and matches them against the "blocking rule map". If a match is found, the eBPF program immediately modifies the system call's return value, for example, returning -EPERM (operation not allowed), and skips the execution of the original system call. The entire checking and interception process is completed in kernel space, with a latency typically within 1-5 microseconds.
[0154] The function of step S52 is to block kernel-mode sessions at the microsecond level based on eBPF.
[0155] S53 extends a single blocking event into a complete handling process, forming an automated closed loop from detection to recovery.
[0156] Security administrators pre-define event response scripts in the SOAR platform. For example, for an aberration privilege escalation event, the script includes the following steps:
[0157] ① Record evidence of obstruction (orders, video recordings);
[0158] ② Freeze all active sessions of this user;
[0159] ③ Send high-priority alerts to the security team via WeChat Work / email;
[0160] ④ Automatically create fault work orders in the IT service management system.
[0161] When an AI model or eBPF blocking module generates a risk event, the event triggers the SOAR engine. The SOAR engine parses the event context, matches the corresponding playbook, and begins sequentially or in parallel invoking various APIs (bastion host API, message gateway API, ITSM API).
[0162] All alerts and response actions triggered by the same source of an event (such as a compromised account) are aggregated into a single security case. The case records the entire process from detection to handling, including the execution results and evidence chain of all operations, ultimately forming a complete report for post-event auditing and tracing.
[0163] The purpose of step S53 is to extend a single blocking event into a complete handling process through an automated response and handling closed loop based on SOAR, including notification, account freezing, evidence preservation, work order creation, etc., forming an automated closed loop from detection to recovery.
[0164] The purpose of step S5 is to elevate AI capabilities from analysis to action by building an AI-based proactive defense and real-time response mechanism.
[0165] Step S6: Construct cross-domain collaborative auditing for federated learning and privacy computing.
[0166] In this embodiment, step S6 may specifically include the following steps:
[0167] S61 cleans and extracts features from sensitive audit logs locally, and adds noise before the shared model gradient.
[0168] Each local node (such as a Shanghai branch of a major state-owned bank) uses local audit log data (containing the branch's unique operational behavior patterns) to train a local replica model and calculate the gradient used to update the global model. .
[0169] Before uploading the gradient to the federated coordinator, the local node adds random noise that satisfies differential privacy to the gradient. Its mathematical representation is: in This is the gradient uploaded after adding noise. It is the original local model gradient. It has a mean of 0 and a variance of Gaussian noise. Size based on privacy budget Dynamic adjustments ensure that the impact of any single record on the final model is controlled within an acceptable range, making it impossible for attackers to deduce the specific training data even if they obtain the gradient.
[0170] The purpose of step S61 is to fundamentally prevent the leakage of raw data by performing local data preprocessing and differential privacy perturbation.
[0171] S62 aggregates encrypted or noisy model parameters from different participants without touching the original data, and updates a general model that represents the whole.
[0172] The Secure Aggregation protocol is employed. Local nodes communicate with each other via secret sharing or homomorphic encryption to transfer the noisy gradient. The ciphertext is sent to the coordinator. If the coordinator cannot decrypt either gradient independently, it directly performs a summation operation on the ciphertext.
[0173] The coordinator executes the FedAvg algorithm to update the global model parameters. . in: Indicates the first The global model parameters after rounds of iteration. This indicates the total number of clients (such as branches) participating in this round of federated learning. Indicates the first The number of samples in the local training data of each client. This represents the total number of samples from all participating parties, i.e. . Indicates the first The client in the first The local model parameters obtained after one round of training.
[0174] The coordinator will aggregate and update the global model. Distribute back to all participating nodes.
[0175] The purpose of step S62 is to perform federated coordinator aggregation and global model update.
[0176] S63: Each node receives a global model containing cross-organizational common knowledge and performs local fine-tuning based on its own operation and maintenance environment to form a hybrid detection capability of general and local, realizing cross-regional threat intelligence collaboration.
[0177] After receiving the general global model, each branch uses a small amount of local, unique data to fine-tune the model for the final few layers. For example, a branch may have its own special set of business system commands. Through fine-tuning, the model can both identify general attack patterns nationwide and accurately detect abnormal behavior locally.
[0178] When a branch detects a new type of zero-day attack, the attack's behavioral characteristics indirectly affect the global model through the model gradient (although noise has been added, it still carries the statistical characteristics of the attack pattern). When other branches obtain the updated global model in the next round, they will naturally be immune to defending against this new type of attack.
[0179] For critical audit log summaries and model update versions, blockchain technology is used for evidence storage to ensure that the model iteration history is traceable and the audit records are tamper-proof, meeting the stringent compliance requirements for data auditing in industries such as finance and government.
[0180] The purpose of step S63 is to perform local model fine-tuning and collaborative detection.
[0181] Step S6 aims to break down data silos within large enterprises or industries. While adhering to data sovereignty and privacy regulations (such as GDPR and the Data Security Act), it achieves cross-organizational and cross-branch threat intelligence sharing and collaborative defense through a model-driven approach that keeps the data static but moves the model, thereby enhancing the overall security level of the ecosystem.
[0182] Figure 3 This is a schematic diagram illustrating the application of the cloud-native AI-based operations and maintenance auditing method based on security control computing, as described in this invention, in the financial industry for federated learning and real-time risk control. Figure 3 As shown, the bank needs to centrally manage over 100,000 privileged accounts across the entire bank, while also meeting the requirement for cross-branch audit data sharing. However, due to data localization regulations, original audit logs cannot be shared across branches. In this case, the specific implementation is as follows:
[0183] The cloud-native infrastructure uses a bastion host cluster built on Kubernetes, supporting tens of thousands of concurrent sessions.
[0184] AI behavior analysis deployment uses deep learning models such as Transformer and LSTM to analyze the operation sequences of maintenance personnel and identify abnormal behavior patterns.
[0185] Federated learning auditing uses the Substra framework to perform federated learning analysis of audit logs across branches, protecting data privacy.
[0186] eBPF enables microsecond-level blocking of high-risk operations, such as privilege escalation operations outside of working hours, and provides real-time blocking.
[0187] The implementation of this method has the following effects: the operational audit coverage has been increased to 100%, achieving unified management of privileged accounts across the bank; audit efficiency has been improved by more than 80%, with AI automatically identifying more than 90% of high-risk operations; compliance of cross-branch audit data sharing has been improved, meeting relevant regulatory requirements; and the response time to security incidents has been shortened from hours to minutes, significantly reducing security risks.
[0188] Figure 4 This is a schematic diagram illustrating the application of the cloud-native AI-based operation and maintenance auditing method based on security control computing, as described in this invention, in the government sector for unified hybrid cloud management and compliance auditing. Figure 4 As shown, the government cloud needs to manage more than 200 business systems, with resources distributed across public cloud, private cloud, and edge nodes, and must meet strict compliance requirements such as Level 4 of the Information Security Protection Standard 2.0 and security assessment.
[0189] The cloud-native hybrid cloud architecture adopts a Kubernetes multi-cluster management solution to achieve integrated management and control of "cloud, network, edge, and device".
[0190] By deploying CloudLei Technology's AI audit module, semantic analysis and risk scoring are performed on operation and maintenance operations, thereby enhancing AI auditing.
[0191] The compliance audit automation uses AI models to automatically generate audit reports that comply with the Cybersecurity Classified Protection 2.0 standard, increasing the compliance audit automation rate from 35% to 90%.
[0192] Implement workload-level network isolation based on Cilium to prevent lateral movement and perform micro-segmentation.
[0193] The implementation of this method has yielded the following results: a 72% reduction in the rate of operational incidents and a significant improvement in system stability; a 45% reduction in compliance audit costs and a reduction in the audit cycle from weekly to daily; improved efficiency in cross-cloud resource management, eliminating the need for operations and maintenance personnel to remember multiple accounts and passwords; and the establishment of a centralized and proactive operations and maintenance security control model oriented towards users, thereby reducing human-caused security risks.
[0194] Furthermore, the cloud-native AI operation and maintenance auditing method based on security management computing of the present invention can be applied to HIPAA compliance and privacy protection scenarios in the medical industry. For example, hospitals need to protect patient privacy data (PHI) while meeting the compliance requirements of medical industries such as HIPAA, and realize the full-process audit of privileged operations of electronic medical record systems.
[0195] Lightweight cloud-native deployment uses Kubernetes to build a lightweight bastion host, supporting both private deployment and SaaS service modes.
[0196] The medical BERT model is a fine-tuned version of the BioBERT model, which identifies patient IDs and sensitive information contained in commands.
[0197] Supports DICOM protocol auditing. For DICOM protocol used in medical image transmission, whitelist verification and digital signature verification of image files are added. This enables full auditing of DICOM protocol transmission, discovering and blocking multiple unauthorized image data access incidents, effectively protecting patient privacy.
[0198] The auditing system supports the desensitization of sensitive medical data to ensure patient privacy and supports anonymization during the audit process to meet HIPAA / GDPR compliance requirements.
[0199] Embedding session watermarks in the medical device user interface can prevent malicious screenshots and data leaks. The watermark should include user information, a timestamp, and the device's identifier to facilitate post-incident accountability.
[0200] Implement least privilege control, dynamically adjust permissions based on user roles and operation scenarios, and ensure the "know-only" principle.
[0201] The implementation of this method has the following effects: significantly reduced risk of patient privacy data leakage, meeting HIPAA compliance requirements; improved operation and maintenance efficiency, with operation and maintenance personnel only needing to remember one account and password to access multiple devices with a single login; traceability and accountability for security incidents, achieving visualization of the operation process through unique identifiers, two-factor authentication, and full-process screen recording security auditing; and reduced operation and maintenance complexity, enabling unified management of multiple devices and operation and maintenance personnel, with clear and concise personnel permissions and device asset information.
[0202] The beneficial effects of implementing this embodiment are:
[0203] (1) By introducing an AI model, the original character stream is transformed into structured semantic units. This means that the system can not only record what commands were executed, but also understand the impact of the commands on the business level, providing a high-quality standardized data foundation for subsequent intelligent analysis and policy control, and significantly improving the precision of auditing.
[0204] (2) Based on structured semantic data, a dynamic risk scoring and continuous verification mechanism is introduced to construct a real-time changing permission boundary. More importantly, through the analysis of real-time audit data streams, the system can block ongoing risky operations at the millisecond level. This completely changes the traditional reactive approach, upgrading security response from passive auditing to proactive defense, and greatly reducing the risk of core data leakage.
[0205] (3) Built on a cloud-native management and control platform, it achieves elastic access through a lightweight agent, which can better adapt to distributed and containerized modern IT infrastructure. The streaming full audit processing method also solves the problems of large log volume and high processing latency in the traditional mode, ensuring the real-time audit and system stability in high-concurrency operation and maintenance scenarios.
[0206] (4) A cross-domain collaborative auditing mechanism for federated learning and privacy-preserving computation has been introduced. This enables auditing models to be trained and risk intelligence to be shared between different security domains or VPCs without exchanging raw data. This satisfies data privacy compliance requirements and achieves unified security control from a global perspective, solving the blind spot problem of traditional technologies in multi-regional collaborative auditing.
[0207] This invention can be used in a wide variety of general-purpose or special-purpose computer system environments or configurations. Examples include: personal computers, server computers, handheld or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, and distributed computing environments including any of the above systems or devices. This invention can be described in the general context of computer-executable instructions, such as program modules, that are executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform specific tasks or implement specific abstract data types. This invention can also be practiced in distributed computing environments where tasks are performed by remote processing devices connected via a communication network. In distributed computing environments, program modules can reside in local and remote computer storage media, including storage devices.
[0208] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by instructing related hardware through computer-readable instructions. These computer-readable instructions can be stored in a computer-readable storage medium. When the program is executed, it can include the processes of the embodiments of the above methods. The aforementioned storage medium can be a non-volatile storage medium such as a magnetic disk, optical disk, or read-only memory (ROM), or random access memory (RAM).
[0209] It should be understood that although the steps in the flowcharts of the accompanying figures are shown sequentially as indicated by the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the accompanying figures may include multiple sub-steps or multiple stages. These sub-steps or stages are not necessarily completed at the same time, but can be executed at different times, and their execution order is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the sub-steps or stages of other steps.
[0210] Example 2
[0211] Further reference Figure 5 As a response to the above Figure 1 The present invention provides an embodiment of a cloud-native AI operation and maintenance auditing device based on security management computing, which is implemented according to the method shown. Figure 1 Corresponding to the method embodiments shown, this device can be specifically applied to various electronic devices.
[0212] like Figure 5 As shown, the cloud-native AI operation and maintenance audit device 70 based on security management computing described in this embodiment includes: a base module 71, a conversion module 72, a construction module 73, a conversion module 74, a blocking module 75, and a collaboration module 76. Wherein:
[0213] Base module 71 is used to build a cloud-native management and control base;
[0214] The conversion module 72 is used to convert the original character stream into structured, understandable semantic units through a lightweight agent and an AI model, and output structured semantic data.
[0215] The construction module 73 is used to construct dynamically changing permission boundaries and output dynamic permission policies based on the structured semantic data by introducing risk scoring and continuous verification.
[0216] The conversion module 74 is used to convert operation records into an ordered and analyzable data stream based on the dynamic permission policy, perform streaming full audit and intelligent log processing, and output a real-time audit data stream.
[0217] The blocking module 75 is used to intervene in ongoing risky operations based on the real-time audit data stream, achieving millisecond-level in-process blocking and upgrading the response mode of security events from passive auditing to proactive defense.
[0218] Collaboration Module 76 is used to build cross-domain collaborative auditing for federated learning and privacy computing.
[0219] The beneficial effects of implementing this embodiment are as follows: from character parsing to semantic understanding, audit accuracy is greatly improved; from static compliance to dynamic defense, the response mode actively evolves; from centralized bottlenecks to cloud-native elasticity, the architectural adaptability is enhanced; from data silos to cross-domain collaboration, compliance auditing is fully covered, solving the blind spot problem of traditional technologies in multi-regional collaborative auditing.
[0220] Example 3
[0221] To address the aforementioned technical problems, embodiments of the present invention also provide a computer device. Please refer to [link / reference needed]. Figure 6 , Figure 6 This is a basic structural block diagram of the computer device in this embodiment.
[0222] The aforementioned computer device 8 includes a memory 81, a processor 82, and a network interface 83 that are interconnected via a system bus. It should be noted that only the computer device 8 with components 81, 82, and 83 is shown in the figure; however, it should be understood that it is not required to implement all the shown components, and more or fewer components can be implemented alternatively. Those skilled in the art will understand that the computer device described herein is a device capable of automatically performing numerical calculations and / or information processing according to pre-set or stored instructions, and its hardware includes, but is not limited to, microprocessors, application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), digital signal processors (DSPs), embedded devices, etc.
[0223] The aforementioned computer devices can be desktop computers, laptops, handheld computers, and cloud servers, among other computing devices. These devices can facilitate human-computer interaction with users through keyboards, mice, remote controls, touchpads, or voice-activated devices.
[0224] The aforementioned memory 81 includes at least one type of readable storage medium, including flash memory, hard disk, multimedia card, card-type memory (e.g., SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, optical disk, etc. In some embodiments, the aforementioned memory 81 may be an internal storage unit of the aforementioned computer device 8, such as the hard disk or memory of the computer device 8. In other embodiments, the aforementioned memory 81 may also be an external storage device of the aforementioned computer device 8, such as a plug-in hard disk, smart media card (SMC), secure digital (SD) card, flash card, etc., equipped on the computer device 8. Of course, the aforementioned memory 81 may also include both the internal storage unit and its external storage device of the aforementioned computer device 8. In this embodiment, the aforementioned memory 81 is typically used to store the operating system and various application software installed on the aforementioned computer device 8, such as computer-readable instructions for building a cloud-native AI operation and maintenance audit method based on security management computing. In addition, the aforementioned memory 81 can also be used to temporarily store various types of data that have been output or will be output.
[0225] In some embodiments, the processor 82 may be a central processing unit (CPU), controller, microcontroller, microprocessor, or other data processing chip. The processor 82 is typically used to control the overall operation of the computer device 8. In this embodiment, the processor 82 is used to execute computer-readable instructions stored in the memory 81 or to process data, for example, to execute the computer-readable instructions for building a cloud-native AI operation and maintenance audit method based on security management computing.
[0226] The network interface 83 may include a wireless network interface or a wired network interface, which is typically used to establish a communication connection between the computer device 8 and other electronic devices.
[0227] The beneficial effects of implementing this embodiment are as follows: from character parsing to semantic understanding, audit accuracy is greatly improved; from static compliance to dynamic defense, the response mode actively evolves; from centralized bottlenecks to cloud-native elasticity, the architectural adaptability is enhanced; from data silos to cross-domain collaboration, compliance auditing is fully covered, solving the blind spot problem of traditional technologies in multi-regional collaborative auditing.
[0228] Example 4
[0229] The present invention also provides another embodiment, namely, providing a computer-readable storage medium storing computer-readable instructions that can be executed by at least one processor to cause the at least one processor to perform the steps of the cloud-native AI operation and maintenance auditing method based on security control computing as described above.
[0230] The beneficial effects of implementing this embodiment are as follows: from character parsing to semantic understanding, audit accuracy is greatly improved; from static compliance to dynamic defense, the response mode actively evolves; from centralized bottlenecks to cloud-native elasticity, the architectural adaptability is enhanced; from data silos to cross-domain collaboration, compliance auditing is fully covered, solving the blind spot problem of traditional technologies in multi-regional collaborative auditing.
[0231] Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus necessary general-purpose hardware platforms. Of course, they can also be implemented by hardware, but in many cases the former is a better implementation method. Based on this understanding, the technical solution of the present invention, or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product is stored in a storage medium (such as ROM / RAM, magnetic disk, optical disk) and includes several instructions to cause a terminal device (which may be a mobile phone, computer, server, air conditioner, or network device, etc.) to execute the methods of the various embodiments of the present invention.
[0232] Obviously, the embodiments described above are merely some embodiments of the present invention, not all embodiments. The accompanying drawings show preferred embodiments of the present invention, but do not limit the patent scope of the present invention. The present invention can be implemented in many different forms; rather, these embodiments are provided to provide a more thorough and complete understanding of the disclosure of the present invention. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art can still modify the technical solutions described in the foregoing specific embodiments, or make equivalent substitutions for some of the technical features. Any equivalent structures made using the content of this specification and drawings, directly or indirectly applied to other related technical fields, are similarly within the patent protection scope of this invention.
Claims
1. A cloud-native AI operation and maintenance auditing method based on a secure management and control computing architecture, characterized in that, Includes the following steps: Build a cloud-native management and control platform; By using lightweight proxies and AI models, the raw character stream is transformed into structured, understandable semantic units, outputting structured semantic data. Based on the structured semantic data, by introducing risk scoring and continuous verification, a dynamically changing permission boundary is constructed, and a dynamic permission policy is output. Based on the dynamic permission policy, the operation records are transformed into an ordered and analyzable data stream, which is then used for streaming full auditing and intelligent log processing to output a real-time audit data stream. Based on the real-time audit data stream, intervention is carried out on ongoing risky operations to achieve millisecond-level in-process blocking, upgrading the response mode of security incidents from passive auditing to proactive defense. Constructing cross-domain collaborative auditing for federated learning and privacy-preserving computation; The specific steps for building a cloud-native management and control platform include: Containerized deployment and orchestration based on Kubernetes protocol proxy; Build encrypted communication channels between microservices and implement fine-grained network access policies; By using API-driven methods, asset information on different cloud environments and physical machines is automatically discovered and synchronized to form a unified resource view; The steps of converting the original character stream into structured, understandable semantic units and outputting structured semantic data through lightweight proxies and AI models specifically include: Perform multi-protocol traffic proxying and kernel-level forwarding optimization; Based on NLP, perform semantic parsing and structuring of operation and maintenance instructions; Perform data plane performance optimization and hybrid model inference.
2. The cloud-native AI operation and maintenance auditing method based on security control computing as described in claim 1, characterized in that, The steps of constructing dynamically changing permission boundaries and outputting dynamic permission policies based on the structured semantic data by introducing risk scoring and continuous verification specifically include: Analyze user entity behavior and calculate trust scores; Based on real-time trust scores and context information, dynamically adjust user permissions; Implement strong authentication at login portals and key operational nodes.
3. The cloud-native AI operation and maintenance auditing method based on security control computing as described in claim 1, characterized in that, The steps of transforming operation records into an ordered, analyzable data stream based on the dynamic permission policy, performing streaming full auditing and intelligent log processing, and outputting a real-time audit data stream specifically include: Based on the aforementioned dynamic permission policy, the raw logs generated by the protocol proxy layer are collected, parsed, and distributed in real time. By combining command text logs with graphical operation recordings, a dual-track audit record of command logs and video recordings is formed. Transform non-searchable text content in the graphical interface into indexable and searchable structured data.
4. The cloud-native AI operation and maintenance auditing method based on security control computing as described in claim 1, characterized in that, The steps of intervening in ongoing risky operations based on the real-time audit data stream to achieve millisecond-level in-process blocking, and upgrading the security event response mode from passive auditing to proactive defense, specifically include: Based on the real-time audit data stream, millisecond-level inference is performed on the streaming operation feature vector to identify complex abnormal behavior patterns that deviate from the baseline. Upon receiving a high-risk instruction from the AI model, the system intercepts a single high-risk system call without interrupting the entire session, achieving microsecond-level zero-latency blocking. This extends a single disruption event into a complete handling process, forming an automated closed loop from detection to recovery.
5. The cloud-native AI operation and maintenance auditing method based on security control computing as described in any one of claims 1 to 4, characterized in that, The specific steps for constructing cross-domain collaborative auditing of federated learning and privacy computing include: Sensitive audit logs are cleaned and their features extracted locally, and noise is added before the shared model gradient. Without touching the original data, we aggregate encrypted or noisy model parameters from different participants and update a general model that represents the whole. Each node receives a global model containing cross-organizational common knowledge and performs local fine-tuning based on its own operation and maintenance environment to form a hybrid detection capability that combines general and local features, thereby enabling cross-regional threat intelligence collaboration.
6. A cloud-native AI-based operation and maintenance auditing device built on security management computing, characterized in that, include: The base module is used to build a cloud-native management and control base. The conversion module is used to convert the raw character stream into structured, understandable semantic units through a lightweight agent and an AI model, outputting structured semantic data. The module is used to construct dynamically changing permission boundaries and output dynamic permission policies based on the structured semantic data by introducing risk scoring and continuous verification. The conversion module is used to convert operation records into an ordered and analyzable data stream based on the dynamic permission policy, perform streaming full audit and intelligent log processing, and output real-time audit data stream; The blocking module is used to intervene in ongoing risky operations based on the real-time audit data stream, achieving millisecond-level in-process blocking and upgrading the response mode of security events from passive auditing to proactive defense. The collaboration module is used to build cross-domain collaborative auditing for federated learning and privacy computing; The base module is further used for: Containerized deployment and orchestration based on Kubernetes protocol proxy; Build encrypted communication channels between microservices and implement fine-grained network access policies; By using API-driven methods, asset information on different cloud environments and physical machines is automatically discovered and synchronized to form a unified resource view; The conversion module is further used for: Perform multi-protocol traffic proxying and kernel-level forwarding optimization; Based on NLP, perform semantic parsing and structuring of operation and maintenance instructions; Perform data plane performance optimization and hybrid model inference.
7. A computer device, characterized in that, The method includes a memory and a processor, wherein the memory stores computer-readable instructions, and the processor executes the computer-readable instructions to implement the steps of the cloud-native AI operation and maintenance audit method based on security management computing as described in any one of claims 1 to 5.
8. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer-readable instructions, which, when executed by a processor, implement the steps of the cloud-native AI operation and maintenance auditing method based on security management computing as described in any one of claims 1 to 5.