Audit method and device of log, electronic equipment, storage medium and product

By receiving log audit requests, analyzing the logs to be audited to obtain key information about the task, determining the target retrieval parameters, executing the retrieval and calculating the objective function, and performing cyclic retrieval based on preset stop-inspection criteria, the problem of errors introduced by manual auditing is solved, and automated audit decision-making and accuracy improvement are achieved.

CN122152776APending Publication Date: 2026-06-05CHINA UNITED NETWORK COMM GRP CO LTD +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CHINA UNITED NETWORK COMM GRP CO LTD
Filing Date
2026-02-13
Publication Date
2026-06-05

Smart Images

  • Figure CN122152776A_ABST
    Figure CN122152776A_ABST
Patent Text Reader

Abstract

Embodiments of the present application provide a log auditing method and device, electronic equipment, storage medium and product. The method comprises: receiving a log auditing request; analyzing the log to be audited according to the log auditing request, obtaining task critical information of the log to be audited, and determining target search parameters according to the task critical information; performing search on the log to be audited according to the target search parameters to obtain preliminary evidence; calculating a target function according to the preliminary evidence and a preset characteristic index, and determining a stop search judgment result of the preliminary evidence according to the target function and a preset stop search criterion; and performing cyclic search on the log to be audited according to the stop search judgment result until an auditing result is obtained. The above scheme integrates multi-dimensional characteristic indexes into a target function, converts subjective judgment into a quantifiable evaluation value through mathematical modeling, thereby realizing automatic decision of search termination, reducing subjective factor error, and improving the accuracy of auditing.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of operation and maintenance management technology, and in particular to a log auditing method, device, electronic device, storage medium and product. Background Technology

[0002] By conducting compliance audits using log data, it is possible to verify whether business operations meet pre-defined standards, and to take timely and targeted actions to ensure compliant business execution.

[0003] In related technologies, parameters are manually selected and retrieved, and the logs to be audited are audited based on the detection parameters to obtain audit results.

[0004] However, manual auditing introduces subjective errors, resulting in low audit accuracy. Summary of the Invention

[0005] This application provides log auditing methods, apparatus, electronic devices, storage media, and products to improve the accuracy of auditing.

[0006] In a first aspect, embodiments of this application provide a log auditing method, comprising: receiving a log audit request, the log audit request including a log to be audited; analyzing the log to be audited according to the log audit request to obtain key task information of the log to be audited, and determining target retrieval parameters based on the key task information; performing a retrieval on the log to be audited according to the target retrieval parameters to obtain preliminary evidence; calculating an objective function based on the preliminary evidence and preset feature indicators, and determining a stop-inspection judgment result for the preliminary evidence based on the objective function and preset stop-inspection criteria; and performing a cyclical retrieval on the log to be audited according to the stop-inspection judgment result until an audit result is obtained.

[0007] In one possible implementation, the audit log is analyzed to obtain key task information, including: identifying the audit log using a natural language processing model to obtain an identification result; extracting core data from the identification result, the core data including at least one of the following: subject object, operation behavior, occurrence time, and data scope involved; verifying the completeness of the core data using an audit rule base to obtain a verification result, the verification result being either verification passed or verification failed; if the verification result is verification failed, then the missing core data is filled in to obtain the key task information; if the verification result is verification passed, then the core data is identified as the key task information.

[0008] In one possible implementation, determining the target retrieval parameters based on the task key information includes: obtaining historical retrieval parameters for similar historical audit tasks; determining the difference characteristics between the task key information and the task key information of similar historical audit tasks; determining the risk characteristics of the log to be audited; determining an adjustment coefficient based on the difference characteristics and the risk characteristics; and adjusting the historical retrieval parameters based on the adjustment coefficient to obtain the target retrieval parameters.

[0009] In one possible implementation, the target retrieval parameters include a retrieval strategy, a time window range, and related field rules; performing a retrieval on the logs to be audited based on the target retrieval parameters to obtain preliminary evidence includes: determining the retrieval template corresponding to the retrieval strategy; obtaining related data from the log database based on the time window range and the related field rules; calling an external knowledge base interface to obtain cross-source related data associated with the key information of the task; and generating the preliminary evidence based on the related data and the cross-source related data.

[0010] In one possible implementation, calculating the objective function based on the preliminary evidence and preset feature indicators includes: determining the quantification rules corresponding to the preset feature indicators based on the audit standard library and historical similar audit tasks; extracting the original data corresponding to the preset feature indicators from the preliminary evidence according to the quantification rules; determining the weights of the preset feature indicators based on the risk characteristics of the logs to be audited; and performing weighted calculations on the original data according to the weights to obtain the objective function.

[0011] In one possible implementation, determining the suspension judgment result of the preliminary evidence based on the objective function and a preset suspension criterion includes: determining a suspension threshold, a cost threshold, and a threshold for consecutive periods without gain; determining a first judgment result based on the current function value of the objective function and the suspension threshold; determining the current retrieval cost and determining a second judgment result based on the current retrieval cost and the cost threshold; determining a gain value based on the difference between the objective function of the current cycle and the previous cycle, and determining a third judgment result based on the gain value and the threshold for consecutive periods without gain; and determining the suspension judgment result based on the first judgment result, the second judgment result, and the third judgment result.

[0012] In one possible implementation, the audit results include target evidence and the suspension judgment results for each cycle; the method further includes: generating processing suggestions based on the target evidence and the target function; and generating a result output file by combining the target evidence, the suspension judgment results for each cycle, and the processing suggestions according to a preset structured format.

[0013] Secondly, embodiments of this application provide a log auditing apparatus, comprising: a receiving module for receiving a log audit request, the log audit request including a log to be audited; an analysis module for analyzing the log to be audited according to the log audit request, obtaining key task information of the log to be audited, and determining target retrieval parameters based on the key task information; a retrieval module for performing a retrieval on the log to be audited according to the target retrieval parameters to obtain preliminary evidence; a judgment module for calculating a target function based on the preliminary evidence and preset feature indicators, and determining a cessation judgment result for the preliminary evidence based on the target function and preset cessation judgment criteria; and an execution module for performing a cyclical retrieval on the log to be audited according to the cessation judgment result until an audit result is obtained.

[0014] In one possible implementation, the analysis module is specifically configured to identify the log to be audited using a natural language processing model to obtain an identification result; the analysis module is further configured to extract core data from the identification result, the core data including at least one of the following: subject object, operation behavior, time of occurrence, and scope of data involved; the analysis module is further configured to verify the integrity of the core data using an audit rule base to obtain a verification result, the verification result being either verification passed or verification failed; the analysis module is further configured to, if the verification result is verification failed, complete the missing core data to obtain the task key information; the analysis module is further configured to, if the verification result is verification passed, determine the core data as the task key information.

[0015] In one possible implementation, the analysis module is specifically used to obtain historical retrieval parameters for similar audit tasks; the analysis module is further used to determine the difference characteristics between the key information of the task and the key information of similar historical audit tasks; the analysis module is further used to determine the risk characteristics of the log to be audited; the analysis module is further used to determine an adjustment coefficient based on the difference characteristics and the risk characteristics; the analysis module is further used to adjust the historical retrieval parameters based on the adjustment coefficient to obtain the target retrieval parameters.

[0016] In one possible implementation, the target retrieval parameters include a retrieval strategy, a time window range, and associated field rules; the retrieval module is specifically used to determine the retrieval template corresponding to the retrieval strategy; the retrieval module is further used to obtain associated data from the log database according to the time window range and the associated field rules; the retrieval module is further used to call an external knowledge base interface to obtain cross-source associated data related to the key information of the task; the retrieval module is further used to generate the preliminary evidence based on the associated data and the cross-source associated data.

[0017] In one possible implementation, the judgment module is specifically used to determine the quantification rules corresponding to the preset feature indicators based on the audit standard library and historical similar audit tasks; the judgment module is also specifically used to extract the original data corresponding to the preset feature indicators from the preliminary evidence according to the quantification rules; the judgment module is also specifically used to determine the weights of the preset feature indicators based on the risk characteristics of the log to be audited; the judgment module is also specifically used to perform weighted calculations on the original data according to the weights to obtain the objective function.

[0018] In one possible implementation, the judgment module is specifically used to determine a stop-inspection threshold, a cost threshold, and a threshold for the number of consecutive times without gain; the judgment module is further used to determine a first judgment result based on the current function value of the objective function and the stop-inspection threshold; the judgment module is further used to determine the current retrieval cost and determine a second judgment result based on the current retrieval cost and the cost threshold; the judgment module is further used to determine a gain value based on the difference between the objective function of the current cycle and the previous cycle, and determine a third judgment result based on the gain value and the threshold for the number of consecutive times without gain; the judgment module is further used to determine the stop-inspection judgment result based on the first judgment result, the second judgment result, and the third judgment result.

[0019] In one possible implementation, the audit results include target evidence and the suspension judgment results for each cycle; the device further includes: a generation module, configured to generate processing suggestions based on the target evidence and the target function; the generation module is further configured to generate a result output file from the target evidence, the suspension judgment results for each cycle, and the processing suggestions according to a preset structured format.

[0020] Thirdly, embodiments of this application provide a log auditing device, including: a memory and a processor;

[0021] The memory stores computer-executed instructions;

[0022] The processor executes computer execution instructions stored in the memory, causing the processor to perform the first aspect and / or various possible implementations of the first aspect as described above.

[0023] Fourthly, embodiments of this application provide a non-volatile computer-readable storage medium storing computer-executable instructions, which, when executed by a processor, are used to implement the first aspect and / or various possible implementations of the first aspect.

[0024] Fifthly, embodiments of this application provide a computer program product, including a computer program that, when executed by a processor, implements the first aspect and / or various possible implementations of the first aspect.

[0025] The log auditing method, apparatus, electronic device, storage medium, and product provided in this application include: receiving a log audit request, the log audit request including a log to be audited; analyzing the log to be audited according to the log audit request to obtain key task information of the log to be audited, and determining target retrieval parameters based on the key task information; performing a retrieval on the log to be audited according to the target retrieval parameters to obtain preliminary evidence; calculating an objective function based on the preliminary evidence and preset feature indicators, and determining a retrieval stop judgment result for the preliminary evidence based on the objective function and preset retrieval stop criteria; and performing a cyclical retrieval on the log to be audited according to the retrieval stop judgment result until an audit result is obtained. This solution integrates multi-dimensional feature indicators into an objective function, transforms subjective judgment into quantifiable evaluation values ​​through mathematical modeling, thereby achieving automated decision-making for retrieval termination, reducing subjective error, and improving audit accuracy. Attached Figure Description

[0026] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application.

[0027] Figure 1 A schematic diagram illustrating an application scenario of a log auditing method provided in this application embodiment;

[0028] Figure 2 A flowchart illustrating a log auditing method provided in an embodiment of this application;

[0029] Figure 3 A flowchart illustrating another log auditing method provided in this application embodiment;

[0030] Figure 4 A schematic diagram illustrating the generation of target retrieval parameters provided in an embodiment of this application;

[0031] Figure 5 This is a schematic diagram illustrating the stop-inspection determination provided in an embodiment of this application;

[0032] Figure 6 A schematic diagram of the log auditing process provided in the embodiments of this application;

[0033] Figure 7 A schematic diagram of the structure of a log auditing device provided in an embodiment of this application;

[0034] Figure 8 A schematic diagram of another log auditing device provided in an embodiment of this application;

[0035] Figure 9 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application.

[0036] The accompanying drawings illustrate specific embodiments of this application, which will be described in more detail below. These drawings and descriptions are not intended to limit the scope of the concept in any way, but rather to illustrate the concept of this application to those skilled in the art through reference to particular embodiments. Detailed Implementation

[0037] Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. When the following description relates to the drawings, unless otherwise indicated, the same numbers in different drawings denote the same or similar elements. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this application. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this application as detailed in the appended claims.

[0038] In this application embodiment, "at least one" refers to one or more, and "more than one" refers to two or more. "And / or" describes the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A alone, A and B simultaneously, or B alone, where A and B can be singular or plural. The character " / " generally indicates that the preceding and following related objects are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, at least one of a, b, or c can represent: a, b, c, ab, ac, bc, or abc, where a, b, and c can be single or multiple.

[0039] It should be noted that the phrase "at...time" in the embodiments of this application can refer to the instant at which a certain situation occurs, or to a period of time after the occurrence of a certain situation; the embodiments of this application do not specifically limit this. Furthermore, the display interface provided in the embodiments of this application is merely an example, and the display interface may include more or less content.

[0040] It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, stored data, displayed data, etc.) involved in this application are all information and data authorized by the user or fully authorized by all parties. Furthermore, the collection, use, processing, transmission, provision, disclosure, and application of related data all comply with relevant laws, regulations, and standards, necessary confidentiality measures have been taken, they do not violate public order and good morals, and corresponding operation entry points are provided for users to choose to authorize or refuse.

[0041] Furthermore, the technical solution involved in this application, which involves big data analysis of user information (including but not limited to personal biometrics, identity data, consumption data, asset data, electronic terminal operation data, etc.) and the use of artificial intelligence technology for automated decision-making, and makes decisions that have a significant impact on personal rights based on the results of automated decision-making, provides users with corresponding operation entry points for users to choose to agree to or reject the results of automated decision-making; if the user chooses to reject, the process will proceed to the expert decision-making process.

[0042] It should be noted that the auditing methods, devices, electronic devices, storage media, and products of this application can be used in the field of operation and maintenance management technology, or in any field other than operation and maintenance management. The application fields of the auditing methods, devices, electronic devices, storage media, and products of this application are not limited.

[0043] Figure 1 This is a schematic diagram illustrating an application scenario of a log auditing method provided in this application embodiment. The scenario illustrated is as follows: During business execution, logs are recorded in real time, and auditing these logs helps determine whether the business is compliant.

[0044] For example, in the operation and maintenance management of an enterprise or organization, log auditing is a key link in ensuring compliance, data security, and incident response.

[0045] With scenario examples, in many industries, such as banking and healthcare, system logs, user behavior logs, network traffic logs, and other logs need to be analyzed in real time or in batches to identify potential non-compliant operations, data leakage risks, or system anomalies.

[0046] However, in practical applications, auditing tasks often face the challenge of determining the sufficiency of evidence. For example, when it is necessary to confirm whether a user operation involves the leakage of sensitive data, the system needs to retrieve relevant log fragments, permission configuration records, historical audit conclusions, and other evidence. If the retrieval process lacks a clear quantitative standard for "whether the evidence is sufficient," it may lead to premature termination of the retrieval, resulting in the omission of key information and affecting the credibility of the audit conclusions. Conversely, blindly extending the retrieval time may introduce redundant information, increase computational costs, and reduce response efficiency. Especially in complex audit scenarios, the requirements for evidence vary significantly depending on the risk level.

[0047] In related technologies, making decisions in the audit process manually can introduce subjective errors, leading to low accuracy of audit results.

[0048] The log auditing method provided in this application aims to solve the above-mentioned technical problems in related technologies.

[0049] The technical solution of this application and how the technical solution of this application solves the above-mentioned technical problems are described in detail below with specific embodiments. These specific embodiments can be combined with each other, and the same or similar concepts or processes may not be described again in some embodiments. The embodiments of this application will now be described with reference to the accompanying drawings.

[0050] Figure 2 A flowchart illustrating a log auditing method provided in this application embodiment, the method comprising the following steps:

[0051] S201. Receive log audit request, which includes logs to be audited.

[0052] For example, a log audit request is received through a preset interface. The log audit request includes the log to be audited, which serves as the core target object for all subsequent audit analysis and retrieval operations.

[0053] Optionally, the logs to be audited may include various logs that require compliance and security audits, such as software system operation logs, business operation logs, and data interaction logs.

[0054] S202. Based on the log request, analyze the logs to be audited to obtain the key information of the tasks in the logs to be audited, and determine the target retrieval parameters based on the key information of the tasks.

[0055] For example, based on the received log audit request as a whole, and combined with the text content and format characteristics of the log to be audited, the log is structured and parsed to fully decompose and extract the key task information of the log to be audited.

[0056] Optionally, the key information for the task may include core elements such as the operating entity, operating behavior, time of occurrence, scope of data involved, and audit scenario corresponding to the log to be audited.

[0057] For example, key task information is transformed into target retrieval parameters that can be directly executed and quantified, with the target retrieval parameters corresponding one-to-one with the key task information.

[0058] Using scenario examples, the time window for retrieval is determined based on the occurrence time of the log to be audited. Relevant field rules for retrieval are determined based on the operation subject and operation behavior. A retrieval strategy is determined based on the audit scenario to achieve precise matching between target retrieval parameters and audit tasks.

[0059] S203. Perform a search on the audit logs according to the target search parameters to obtain preliminary evidence.

[0060] For example, a search template matching the target search parameters is invoked, and the log to be audited is used as the core search benchmark. The search is conducted according to the constraints such as the time window range and related field rules specified in the target search parameters to obtain preliminary evidence.

[0061] For example, during the retrieval process, irrelevant and invalid data that do not meet the constraints of the target retrieval parameters are automatically filtered out, and only valid data that is relevant to the log to be audited and can support subsequent audit judgments are retained. These filtered valid data together constitute preliminary evidence.

[0062] Based on the above implementation methods, by precisely constraining the target retrieval parameters, we can ensure that the preliminary evidence obtained is highly targeted and relevant, avoid irrelevant data from being mixed into the evidence set, which could lead to audit judgment bias, and thus improve the accuracy of the audit.

[0063] S204. Calculate the objective function based on preliminary evidence and preset characteristic indicators, and determine the suspension judgment result based on the preliminary evidence based on the objective function and preset suspension criteria.

[0064] For example, preset characteristic indicators are set in combination with industry audit standards and historical valid audit data to comprehensively measure the quality of evidence. Specifically, they may include core dimensions such as evidence coverage, rule consistency, information gain, and redundancy.

[0065] For example, based on the preliminary evidence obtained in the first round, relevant data corresponding to each preset characteristic indicator in the preliminary evidence are extracted. These data are integrated through preset calculation logic to finally obtain the objective function. The objective function is a quantitative representation of the quality, sufficiency and accuracy of the preliminary evidence. Its value directly reflects whether the preliminary evidence can support accurate audit conclusions.

[0066] For example, the preset criterion for stopping the search is a pre-set quantitative standard used to determine whether the search needs to continue, and it is directly related to the objective function. By comparing the two, the final result of the preliminary evidence for stopping the search is determined, that is, whether to terminate the search or continue the search.

[0067] S205. Based on the results of the inspection suspension judgment, perform a loop search on the audit logs to be audited until the audit results are obtained.

[0068] For example, if the decision to halt the audit is to continue the search, then based on the calculation results of the preceding objective function, the shortcomings in the quality of the preliminary evidence are analyzed, and the target search parameters are adjusted accordingly, including expanding the search scope, optimizing the rules for related fields, and adjusting the time window range. Then, based on the adjusted target search parameters, a supplementary search is performed on the log to be audited to obtain new valid evidence. This new evidence is then integrated with the original preliminary evidence to form an updated evidence set. The updated evidence set is then re-entered into the preceding steps, the objective function is recalculated, the decision to halt the audit is determined again, and the above cyclical process is repeated.

[0069] For example, if the decision to stop inspection is to terminate the search, then all search operations are stopped, and the final audit result is formed based on the finally obtained sufficient evidence that meets the decision to stop inspection.

[0070] The log auditing method provided in this application includes receiving a log audit request, which includes logs to be audited; analyzing the logs to be audited according to the log audit request to obtain key task information of the logs to be audited, and determining target retrieval parameters based on the key task information; performing a retrieval on the logs to be audited according to the target retrieval parameters to obtain preliminary evidence; calculating an objective function based on the preliminary evidence and preset feature indicators, and determining the retrieval stop judgment result based on the objective function and preset stop judgment criteria; and performing a cyclical retrieval on the logs to be audited according to the retrieval stop judgment result until the audit result is obtained. This solution integrates multi-dimensional feature indicators into an objective function, transforming subjective judgment into quantifiable evaluation values ​​through mathematical modeling, thereby achieving automated decision-making for retrieval termination, reducing subjective errors, and improving the accuracy of auditing.

[0071] Based on any of the above embodiments, the following, in conjunction with Figure 3 The detailed process of auditing the logs is explained.

[0072] Figure 3 This is a flowchart illustrating another log auditing method provided in an embodiment of this application. Figure 3 As shown, the method includes:

[0073] S301. Receive log audit request, which includes logs to be audited.

[0074] It should be noted that the execution process of S301 is the same as that of S201, and will not be repeated here.

[0075] S302. Based on the log request, analyze the logs to be audited to obtain the key information of the tasks in the logs to be audited, and determine the target retrieval parameters based on the key information of the tasks.

[0076] One feasible implementation method involves analyzing the audit logs as follows: using a natural language processing model to identify the audit logs and obtain identification results; extracting core data from the identification results, whereby the core data includes at least one of the following: the subject object, the operation behavior, the time of occurrence, and the scope of data involved; verifying the completeness of the core data using an audit rule base and obtaining a verification result, which is either verification passed or verification failed; if the verification result is verification failed, then the missing core data is supplemented to obtain key task information; if the verification result is verification passed, then the core data is identified as key task information.

[0077] For example, taking the log to be audited as input, a natural language processing model is invoked to identify and process its text content, field features, and semantic information, transforming the unstructured or semi-structured log to be audited into a structured recognition result, thereby achieving effective parsing of the core content of the log.

[0078] Optionally, the natural language model is trained using historical audit logs as samples.

[0079] Based on the above identification results, core data directly related to audit judgment is extracted. The core data must cover at least one of the following: subject, operation behavior, time of occurrence, and scope of data involved. This extraction process focuses on the key dimensions required for auditing, eliminates redundant and irrelevant information in the logs, and locks in the core elements that support the setting of search parameters.

[0080] For example, the integrity standards of the audit rule base are based on industry audit requirements and the core elements of log auditing. The preset audit rule base is invoked, and the extracted core data is compared with the preset audit element integrity standards in the audit rule base to verify the integrity of the core data. Finally, a verification result of "verification passed" or "verification failed" is output.

[0081] Optionally, if the verification result is that the verification fails, it indicates that the core data extracted is missing. In this case, the missing core data is completed based on the completion logic of the audit rule base and the correlation information of the log to be audited. After completion, complete task key information is formed.

[0082] Optionally, if the verification result is successful, it indicates that the extracted core data has met the integrity requirements, and the core data can be directly identified as the key information of the task.

[0083] In this feasible implementation, the natural language processing model is used to identify unstructured or semi-structured logs to be audited, which can accurately parse the core semantics and field information in the logs, avoiding information recognition bias caused by manual parsing or simple character matching, thereby improving the accuracy of auditing.

[0084] One feasible implementation method is to determine the target retrieval parameters by: obtaining historical retrieval parameters for similar audit tasks; determining the differences between the key information of the task and the key information of similar historical audit tasks; determining the risk characteristics of the log to be audited; determining adjustment coefficients based on the differences and risk characteristics; and adjusting the historical retrieval parameters based on the adjustment coefficients to obtain the target retrieval parameters.

[0085] For example, retrieve historical audit tasks of the same type as the current audit log from the historical audit task data, and extract the corresponding historical search parameters from the execution records of the historical audit tasks of the same type. The historical search parameters are search configuration data that have been verified to be effective in practice from the historical audit tasks of the same type, and serve as the basis for determining the current target search parameters.

[0086] Optionally, historical similar audit tasks are reviewed audit tasks to ensure the reliability of historical retrieval parameters.

[0087] For example, the key information of the task is compared with the key information of similar historical audit tasks. By matching fields and comparing dimensions, the differences between the two in terms of subject, operation, time of occurrence, and scope of data involved are filtered out to form the difference features between the two. The difference features represent the personalized needs of the current audit task that are different from similar historical audit tasks.

[0088] Optionally, based on the key information of the task in the log to be audited and combined with the preset risk characteristic judgment rules, the risk attributes of the log to be audited in terms of operation type, data level involved, subject permissions, etc. are identified, and the risk characteristics of the log to be audited are determined. The risk characteristics are used to reflect the level of risk of the current audit task and the audit rigor requirements.

[0089] For example, using the identified difference features and risk features as input, the corresponding adjustment coefficients are calculated according to the preset parameter adjustment logic. The value of the adjustment coefficient is positively correlated with the significance of the difference features and the level of the risk features, and is used to quantitatively characterize the adjustment range and direction of the historical retrieval parameters.

[0090] For example, the calculated adjustment coefficients are applied to the extracted historical retrieval parameters to adaptively adjust the configuration items such as retrieval strategy, time window range, and related field rules in the historical retrieval parameters. After the adjustment is completed, the target retrieval parameters adapted to the current audit log are obtained.

[0091] Below, in conjunction with Figure 4 The parameters for generating the target retrieval are explained.

[0092] Figure 4 This is a schematic diagram illustrating the generation of target retrieval parameters provided in an embodiment of this application. For example... Figure 4 As shown, the process involves identifying the historical similar audit tasks corresponding to the log to be audited. Key task information in the log to be audited is compared with the key task information of historical similar audit tasks to obtain discrepancies. Risk characteristics of the log to be audited are then identified. Adjustment coefficients are determined by combining the discrepancy characteristics and risk characteristics. Based on these adjustment coefficients, historical detection parameters are adjusted to obtain the target retrieval parameters.

[0093] In this feasible implementation method, the target retrieval parameters are determined based on the historical retrieval parameters of similar audit tasks in the past. By utilizing the practical experience of historical valid audit data, errors introduced by blindly setting retrieval parameters are avoided, thereby improving the accuracy of auditing.

[0094] S303. Determine the search template corresponding to the search strategy.

[0095] The target retrieval parameters include the retrieval strategy, time window range, and related field rules.

[0096] For example, based on the retrieval strategy, a corresponding retrieval template is matched and determined. The retrieval template is a preset retrieval execution framework that is compatible with various retrieval strategies.

[0097] With scenario examples, the abstract search strategy is transformed into a directly executable search process through search templates, ensuring the standardization and consistency of search operations.

[0098] S304. Based on the time window range and the rules of the associated fields, retrieve the associated data from the log database.

[0099] For example, using a time window range as the time constraint and the rules of related fields as the matching basis, a targeted search is carried out in the log database to filter out data that meets the requirements of time correlation and field correlation with the logs to be audited, and this part of the data is used as the related data.

[0100] The log database is a centralized data source for storing logs to be audited, as well as related business logs and system logs. The logs to be audited are the target objects for inspection in the log database, while the associated data are log data in the log database that are directly related to the logs to be audited and can provide basic support for auditing.

[0101] S305. Call the external knowledge base interface to obtain cross-source related data associated with the key information of the task.

[0102] For example, an external knowledge base interface is called, using the key task information as the retrieval benchmark, to obtain cross-source related data associated with the key task information from the external knowledge base.

[0103] External knowledge bases serve as supplementary data sources in addition to log databases. The information they store is related to the business scenario, compliance requirements, or security rules of the logs to be audited. The acquisition of cross-source related data can make up for the limitations of data dimensions within the log database and achieve mutual verification of multi-source data.

[0104] S306. Generate preliminary evidence based on related data and cross-source related data.

[0105] For example, related data obtained from a log database is integrated with cross-source related data obtained from an external knowledge base, and through data aggregation and format normalization, complete preliminary evidence is formed.

[0106] For example, preliminary evidence includes both directly related data from the log database and cross-source supplementary data from external knowledge bases, providing a comprehensive and multi-dimensional data foundation for the subsequent calculation of the objective function and the evaluation of the stop-inspection criteria.

[0107] S307. Calculate the objective function based on preliminary evidence and preset characteristic indicators, and determine the suspension judgment result based on the preliminary evidence according to the objective function and preset suspension criteria.

[0108] One feasible implementation method is to calculate the objective function by: determining the quantification rules corresponding to the preset characteristic indicators based on the audit standard library and historical similar audit tasks; extracting the original data corresponding to the preset characteristic indicators from preliminary evidence according to the quantification rules; determining the weights of the preset characteristic indicators based on the risk characteristics of the logs to be audited; and performing weighted calculation on the original data according to the weights to obtain the objective function.

[0109] Optionally, the objective function can be calculated using the following formula:

[0110]

[0111] in, Describe the objective function. Indicates the coverage of evidence. This indicates consistency of rules. Indicates information gain. Indicates the search cost. α represents redundancy, and β, γ, η, and ζ represent coefficients.

[0112] Optionally, evidence coverage represents the completeness of fields in preliminary evidence, and can be expressed by the following formula:

[0113]

[0114] Where r represents an audit rule, and R represents the set of audit rules. Indicates the weight of the audit rules. This indicates the indicator function (it takes the value 1 when preliminary evidence supports and satisfies audit rule r, and 0 otherwise).

[0115] Optionally, rule consistency represents the degree of consistency between the search results and the preset rules, and can be expressed by the following formula:

[0116]

[0117] in, This indicates the pass rate of rule r (1 indicates complete pass, 0 indicates failure).

[0118] Optionally, information gain represents the contribution of preliminary evidence to the evidence base, and can be expressed by the following formula:

[0119]

[0120] in, This indicates the number of newly added evidence fragments that are not present in the evidence database after the initial evidence deduplication. This indicates the number of existing evidence fragments in the evidence database before this search.

[0121] Optionally, retrieval cost represents the consumption during the retrieval process, such as computation time and number of API calls.

[0122] Optionally, redundancy represents the proportion of duplicate information in preliminary evidence, and can be expressed by the following formula:

[0123]

[0124] in, Indicates the number of repeated segments. ε represents the total number of segments, and ε represents a constant.

[0125] For example, the audit standards library stores general requirements such as industry audit norms and evidence evaluation standards, while historical data on similar audit tasks provide quantitative experience that has been verified in practice. The combination of the two forms quantitative rules.

[0126] For example, the weights of each preset characteristic indicator are determined by combining the core attributes of risk characteristics, such as their level and scope of influence. Specifically, the higher the risk characteristic level, the higher the correlation with audit accuracy for the preset characteristic indicator (e.g., evidence coverage, rule consistency), the higher its weight allocation; conversely, the lower the risk characteristic level, the lower the corresponding correlation for the characteristic indicator (e.g., redundancy), thus achieving a precise match between the weights and the risk requirements of the audit task.

[0127] For example, the extracted raw data is weighted and summed using the weights corresponding to each preset feature index as coefficients. Through the preset weighted calculation logic, the raw data and corresponding weights of each feature index are integrated to finally obtain the objective function.

[0128] In this feasible implementation, the quantification rules are determined based on the audit standard library and similar historical audit tasks. This approach not only follows industry-standard audit practices but also draws on effective historical practices, avoiding calculation biases caused by subjective setting of quantification rules and thus improving audit accuracy.

[0129] One feasible implementation method involves determining the stop-inspection judgment result through the following steps: determining a stop-inspection threshold, a cost threshold, and a threshold for the number of consecutive periods without gain; determining a first judgment result based on the current function value of the objective function and the stop-inspection threshold; determining the current retrieval cost and, based on the current retrieval cost and the cost threshold, determining a second judgment result; determining a gain value based on the difference between the objective function of the current iteration and the previous iteration, and, based on the gain value and the threshold for the number of consecutive periods without gain, determining a third judgment result; and finally, determining the stop-inspection judgment result based on the first, second, and third judgment results.

[0130] Optionally, the criterion for stopping inspection can be expressed by the following formula:

[0131]

[0132] Where τ represents the stop-inspection threshold. ε represents the marginal utility threshold, i.e., the gain change threshold, indicating insufficient gain change in the objective function. K represents the number of consecutive rounds. Budget represents the maximum allowable computational cost or time consumption.

[0133] For example, if any one of the first, second, and third judgment results meets the condition, the search stops. Otherwise, proceed to the next adjustment step.

[0134] Optionally, in cases of insufficient information, an adaptive retrieval strategy can be used to supplement evidence. After calculating the current round components and the objective function, a component gap vector is formed:

[0135]

[0136] Address the main weakness To address the primary weakness, select 1-2 actions to execute to prevent amplification of overhead / redundancy:

[0137] High dcov (field missing): Add new retrieval channels (such as connecting to external large language models or other search engines), targeted field queries, etc.

[0138] dcons high (rule not passed): conflict verification (independent source / original log), entity disambiguation (UID / role / token source), etc.

[0139] High dIG (few new information): semantic rewriting, exploration of long-tail small quotas, etc.

[0140] High DRT (high redundancy): Deduplication, merging of homogeneous bundles (retaining only representative ones by source + time bucket), etc.

[0141] High cost of DKT: Precision priority (high confidence source / high precision searcher), rate limiting / source limiting / window shrinking, etc.

[0142] Perform the next round of search: Based on the main weakness and corresponding targeted actions, perform the next round of search and recalculate the objective function according to step three until the stop-search criterion is met.

[0143] This process ensures that each round of searching can be dynamically adjusted to obtain sufficient information to support the audit results.

[0144] This feasible implementation method avoids the one-sidedness of single-dimensional evaluation by using quantitative thresholds across three dimensions: quality, cost, and marginal utility. It ensures that the search is terminated promptly when the evidence quality meets the standards, preventing excessively redundant data from interfering with audit judgment. It also allows for timely suspension of audits when resources are exceeded or gains stagnate, avoiding evidence bias or resource waste caused by invalid searches, thereby improving audit accuracy.

[0145] S308. Based on the results of the inspection suspension judgment, perform a loop search on the audit logs to be audited until the audit results are obtained.

[0146] Below, in conjunction with Figure 5 Explanation of the decision to suspend inspection.

[0147] Figure 5 This is a schematic diagram illustrating the stop-detection judgment provided in an embodiment of this application. Figure 5As shown, in each cycle, the judgment result is determined based on the stop inspection threshold, cost threshold, and consecutive no-gain number threshold, and the next cycle is executed based on the judgment result until the audit result is obtained.

[0148] One feasible implementation method, after obtaining the audit results, may include: generating processing suggestions based on the target evidence and the target function; and generating a result output file based on the target evidence, the stop-inspection judgment results of each cycle, and the processing suggestions according to a preset structured format.

[0149] The audit results include target evidence and the results of the suspension of inspections for each cycle.

[0150] For example, the audit results specifically include two key types of content: target evidence, which is the final set of valid evidence that meets the preset stop-inspection criteria after iterative retrieval. This is the core data basis supporting the audit conclusions and reflecting the actual situation of the audit log, and its quality is quantitatively characterized by the objective function. The stop-inspection judgment result for each round of retrieval, that is, the record of the decision to terminate or continue the retrieval based on the stop-inspection criteria after each round of retrieval during the iterative retrieval process, completely retains the decision logic and evidence evaluation trajectory of each round of retrieval.

[0151] For example, based on the final obtained target evidence and combined with the objective function, a pre-defined audit rule base, scenario adaptation logic, and problem handling template are invoked to generate targeted processing suggestions. The generation of processing suggestions strictly relies on quantitative data and matches it with the quality of the target evidence and the representation results of the objective function to ensure the accuracy of the processing suggestions.

[0152] For example, according to a preset structured format (which can be pre-set based on industry audit standards, regulatory verification requirements, and internal archiving standards, and includes fixed data fields, formatting specifications, and content modules), the target evidence, the results of each round of inspection suspension judgments, and the processing suggestions generated above are uniformly integrated, formatted, and standardized and packaged to finally generate a complete result output file.

[0153] Below, in conjunction with Figure 6 The log auditing process is explained.

[0154] Figure 6 This is a schematic diagram of the log auditing process provided in an embodiment of this application. Figure 6As shown, the audit logs, serving as the initial input to the audit process, refer to the raw log data requiring compliance and security checks. The input audit logs are structured and parsed to extract key information directly relevant to the audit judgment. Based on the initialized search parameters, a preset search template is invoked to selectively filter valid data associated with the audit logs from the centralized log database and external supplementary data sources. A preset evidence quality assessment dimension is invoked to quantitatively evaluate the preliminary evidence set, obtaining the objective function value through weighted calculation. The objective function value is compared with a preset multi-dimensional stop-inspection benchmark to determine if the current evidence meets the conditions for terminating the search. If the conditions are met, the final evidence evaluation and processing suggestion generation stage begins; if not, adaptive search reconstruction is triggered, initiating a cyclical optimization. Based on the evaluation results, shortcomings in evidence quality are accurately identified, and the search strategy is dynamically adjusted to achieve cyclical optimization. When the stop-inspection judgment meets the termination conditions, targeted processing suggestions are generated based on the final target evidence and the quantitative results of the objective function.

[0155] In this feasible implementation, a result output file containing processing suggestions is automatically generated. Based on the result output file, log problems can be accurately investigated, improving the accuracy of auditing.

[0156] Figure 7 This is a schematic diagram of the structure of a log auditing device provided in an embodiment of this application. Figure 7 As shown, the log auditing device 70 may include: a receiving module 71, an analysis module 72, a retrieval module 73, a judgment module 74, and an execution module 75.

[0157] The receiving module 71 is used to receive log audit requests, which include logs to be audited.

[0158] Analysis module 72 is used to analyze the logs to be audited according to the log request, obtain the key information of the task in the logs to be audited, and determine the target retrieval parameters based on the key information of the task.

[0159] The retrieval module 73 is used to perform a retrieval of the audit logs based on the target retrieval parameters to obtain preliminary evidence.

[0160] The judgment module 74 is used to calculate the objective function based on preliminary evidence and preset characteristic indicators, and to determine the judgment result of stopping inspection based on the preliminary evidence based on the objective function and preset stopping inspection criteria.

[0161] Execution module 75 is used to perform a loop search on the audit logs to be audited based on the stop inspection judgment result until the audit result is obtained.

[0162] Optionally, the receiving module 71 can perform... Figure 2 S201 in the embodiment.

[0163] Optionally, analysis module 72 can execute... Figure 2 S202 in the embodiment.

[0164] Optionally, the retrieval module 73 can perform... Figure 2 S203 in the embodiment.

[0165] Optionally, the judgment module 74 can execute... Figure 2 S204 in the embodiment.

[0166] Optionally, execution module 75 can execute Figure 2 S205 in the embodiment.

[0167] It should be noted that the log auditing device shown in the embodiments of this application can execute the technical solution shown in the above method embodiments, and its implementation principle and beneficial effects are similar, so they will not be described again here.

[0168] In one possible implementation, the analysis module 72 is specifically used for:

[0169] The audit logs are identified using a natural language processing model to obtain the identification results;

[0170] Extract core data from the identification results. Core data includes at least one of the following: subject object, operation behavior, time of occurrence, and scope of data involved.

[0171] The integrity of core data is verified through the audit rule base, and the verification result is either verification passed or verification failed.

[0172] If the verification result is that the verification failed, the missing core data is filled in to obtain the key information of the task;

[0173] If the verification result is successful, the core data will be identified as key information for the task.

[0174] In one possible implementation, the analysis module 72 is specifically used for:

[0175] Retrieve historical search parameters for similar audit tasks in the past;

[0176] Identify the key differences between the key information of this audit and the key information of similar historical audits;

[0177] Determine the risk characteristics of the logs to be audited;

[0178] The adjustment coefficient is determined based on the differences and risk characteristics;

[0179] Based on the adjustment coefficient, the historical search parameters are adjusted to obtain the target search parameters.

[0180] In one possible implementation, the target retrieval parameters include a retrieval strategy, a time window range, and related field rules; the retrieval module 73 is specifically used for:

[0181] Determine the search template corresponding to the search strategy;

[0182] Retrieve related data from the log database based on the time window range and the rules for related fields;

[0183] Call the external knowledge base interface to obtain cross-source related data associated with key task information;

[0184] Preliminary evidence is generated based on related data and cross-source related data.

[0185] In one possible implementation, the determination module 74 is specifically used for:

[0186] Based on the audit standards library and similar historical audit tasks, determine the quantitative rules corresponding to the preset characteristic indicators;

[0187] Based on the quantification rules, extract the raw data corresponding to the preset feature indicators from the preliminary evidence;

[0188] Based on the risk characteristics of the logs to be audited, determine the weights of the preset characteristic indicators;

[0189] The objective function is obtained by weighting the original data according to the weights.

[0190] In one possible implementation, the determination module 74 is specifically used for:

[0191] Determine the threshold for stopping inspection, the cost threshold, and the threshold for the number of consecutive periods with no gain;

[0192] Based on the current function value of the objective function and the stop detection threshold, determine the first judgment result;

[0193] Determine the current retrieval cost, and based on the current retrieval cost and the cost threshold, determine the second judgment result;

[0194] The gain value is determined based on the difference between the objective function of the current cycle and the previous cycle, and the third judgment result is determined based on the gain value and the threshold of consecutive no gain.

[0195] Based on the first, second, and third judgment results, the decision to suspend inspection is determined.

[0196] Figure 8 This is a schematic diagram of another log auditing device provided in an embodiment of this application. Figure 7 Based on the illustrated embodiments, as Figure 8 As shown, the log auditing device 70 also includes a generation module 76.

[0197] Module 76 is generated for:

[0198] Based on the target evidence and the target function, generate processing suggestions;

[0199] Based on a preset structured format, the target evidence, the results of each round of inspection suspension judgment, and the processing suggestions are used to generate a result output file.

[0200] Figure 9 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application, such as... Figure 9 As shown, the electronic device includes:

[0201] The electronic device includes a processor 291 and a memory 292; it may also include a communication interface 293 and a bus 294. The processor 291, memory 292, and communication interface 293 can communicate with each other via the bus 294. The communication interface 293 can be used for information transmission. The processor 291 can invoke logical instructions stored in the memory 292 to execute the methods of the above embodiments.

[0202] Furthermore, the logic instructions in the aforementioned memory 292 can be implemented as software functional units and, when sold or used as independent products, can be stored in a computer-readable storage medium.

[0203] The memory 292, as a non-volatile computer-readable storage medium, can be used to store software programs and computer-executable programs, such as program instructions / modules corresponding to the methods in the embodiments of this application. The processor 291 executes functional applications and data processing by running the software programs, instructions, and modules stored in the memory 292, that is, it implements the methods in the above-described method embodiments.

[0204] The memory 292 may include a program storage area and a data storage area. The program storage area may store the operating system and application programs required for at least one function; the data storage area may store data created based on the use of the terminal device. Furthermore, the memory 292 may include high-speed random access memory and may also include non-volatile memory.

[0205] This application provides a non-volatile computer-readable storage medium storing computer-executable instructions, which, when executed by a processor, are used to implement the method as described in the foregoing embodiments.

[0206] This application provides a computer program product, including a computer program that, when executed by a processor, implements the method as described in the foregoing embodiments.

[0207] It should be noted that, for the sake of simplicity, the foregoing method embodiments are all described as a series of actions. However, those skilled in the art should understand that this application is not limited to the described order of actions, as some steps may be performed in other orders or simultaneously according to this application. Furthermore, those skilled in the art should also understand that the embodiments described in the specification are all optional embodiments, and the actions and modules involved are not necessarily essential to this application.

[0208] It should be further noted that although the steps in the flowchart are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps; they can be executed in other orders. Moreover, at least some steps in the flowchart may include multiple sub-steps or multiple stages, which do not necessarily complete at the same time but can be executed at different times. The execution order of these sub-steps or stages is also not necessarily sequential but can be alternated or carried out in turn with other steps or at least some of the sub-steps or stages of other steps.

[0209] It should be understood that the above-described device embodiments are merely illustrative, and the device of this application can also be implemented in other ways. For example, the division of units / modules in the above embodiments is only a logical functional division, and there may be other division methods in actual implementation. For example, multiple units, modules, or components may be combined, or integrated into another system, or some features may be ignored or not executed.

[0210] Furthermore, unless otherwise specified, the functional units / modules in the various embodiments of this application can be integrated into one unit / module, or each unit / module can exist physically separately, or two or more units / modules can be integrated together. The integrated units / modules described above can be implemented in hardware or as software program modules.

[0211] When integrated units / modules are implemented in hardware, the hardware can be digital circuits, analog circuits, etc. The physical implementation of the hardware structure includes, but is not limited to, transistors, memristors, etc. The processor can be any suitable hardware processor, such as CPU, GPU, FPGA, DSP, and ASIC. The storage unit can be any suitable magnetic or magneto-optical storage medium, such as Resistive Random Access Memory (RRAM), Dynamic Random Access Memory (DRAM), Static Random Access Memory (SRAM), Enhanced Dynamic Random Access Memory (EDRAM), High-Bandwidth Memory (HBM), Hybrid Memory Cube (HMC), etc.

[0212] If the integrated unit / module is implemented as a software program module and sold or used as an independent product, it can be stored in a computer-readable storage device (CMD). Based on this understanding, the technical solution of this application, in essence, or the part that contributes to related technologies, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a memory and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods of the various embodiments of this application. The aforementioned memory includes various media capable of storing program code, such as a USB flash drive, read-only memory (ROM), random access memory (RAM), portable hard drive, magnetic disk, or optical disk.

[0213] In the above embodiments, the descriptions of each embodiment have their own emphasis. For parts not described in detail in a certain embodiment, please refer to the relevant descriptions of other embodiments. The technical features of the above embodiments can be combined arbitrarily. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as the combination of these technical features does not contradict each other, it should be considered within the scope of this specification.

[0214] Other embodiments of this application will readily occur to those skilled in the art upon consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of this application that follow the general principles of this application and include common knowledge or customary techniques in the art not disclosed herein. The specification and examples are to be considered exemplary only, and the true scope and spirit of this application are indicated by the claims.

[0215] It should be understood that this application is not limited to the precise structure described above and shown in the accompanying drawings, and various modifications and changes can be made without departing from its scope. The scope of this application is limited only by the appended claims.

Claims

1. A log auditing method, characterized in that, include: Receive a log audit request, the log audit request including logs to be audited; Based on the log request, the log to be audited is analyzed to obtain the key task information of the log to be audited, and the target retrieval parameters are determined based on the key task information. A search is performed on the logs to be audited based on the target search parameters to obtain preliminary evidence; The objective function is calculated based on the preliminary evidence and the preset characteristic indicators, and the suspension judgment result of the preliminary evidence is determined based on the objective function and the preset suspension criteria. Based on the suspension judgment result, a loop search is performed on the log to be audited until the audit result is obtained.

2. The method according to claim 1, characterized in that, The audit logs are analyzed to obtain key task information, including: The logs to be audited are identified using a natural language processing model to obtain the identification results; Core data is extracted from the identification results, and the core data includes at least one of the following: subject object, operation behavior, time of occurrence, and scope of data involved; The integrity of the core data is verified using an audit rule base to obtain a verification result, which is either verification passed or verification failed. If the verification result is that the verification fails, the missing core data is filled in to obtain the key information of the task; If the verification result is successful, then the core data is identified as the key information of the task.

3. The method according to claim 2, characterized in that, The target retrieval parameters are determined based on the aforementioned key task information, including: Retrieve historical search parameters for similar audit tasks in the past; Determine the differences between the key information of the task and the key information of similar historical audit tasks; Determine the risk characteristics of the logs to be audited; Based on the aforementioned difference characteristics and risk characteristics, an adjustment coefficient is determined; The historical retrieval parameters are adjusted according to the adjustment coefficient to obtain the target retrieval parameters.

4. The method according to claim 1, characterized in that, The target retrieval parameters include retrieval strategy, time window range, and associated field rules; a retrieval is performed on the logs to be audited based on the target retrieval parameters to obtain preliminary evidence, including: Determine the search template corresponding to the search strategy; Based on the time window range and the associated field rules, retrieve associated data from the log database; Call the external knowledge base interface to obtain cross-source related data associated with the key information of the task; The preliminary evidence is generated based on the associated data and the cross-source associated data.

5. The method according to claim 1, characterized in that, The objective function is calculated based on the preliminary evidence and preset characteristic indicators, including: Based on the audit standard library and historical similar audit tasks, determine the quantitative rules corresponding to the preset feature indicators; According to the quantification rules, extract the original data corresponding to the preset feature indicators from the preliminary evidence; Based on the risk characteristics of the logs to be audited, determine the weights of the preset feature indicators; The original data is weighted according to the weights to obtain the objective function.

6. The method according to claim 5, characterized in that, The determination of the suspension judgment result of the preliminary evidence based on the objective function and the preset suspension criterion includes: Determine the threshold for stopping inspection, the cost threshold, and the threshold for the number of consecutive periods with no gain; Based on the current function value of the objective function and the stop detection threshold, a first judgment result is determined; Determine the current retrieval cost, and based on the current retrieval cost and the cost threshold, determine the second judgment result; The gain value is determined based on the difference between the objective function of the current cycle and the previous cycle, and the third judgment result is determined based on the gain value and the threshold of consecutive no gain times. The suspension of inspection judgment result is determined based on the first judgment result, the second judgment result, and the third judgment result.

7. The method according to any one of claims 1-6, characterized in that, The audit results include target evidence and the results of the suspension judgment for each cycle; the method also includes: Based on the target evidence and the target function, processing suggestions are generated; Based on a preset structured format, the target evidence, the stop-inspection judgment results of each cycle, and the processing suggestions are used to generate a result output file.

8. A log auditing device, characterized in that, include: The receiving module is used to receive log audit requests, wherein the log audit requests include logs to be audited; The analysis module is used to analyze the log to be audited according to the log application request, obtain the task key information of the log to be audited, and determine the target retrieval parameters based on the task key information; The retrieval module is used to perform a retrieval on the logs to be audited based on the target retrieval parameters to obtain preliminary evidence; The judgment module is used to calculate an objective function based on the preliminary evidence and preset feature indicators, and to determine the suspension judgment result of the preliminary evidence based on the objective function and preset suspension criteria. The execution module is used to perform a loop search on the log to be audited based on the stop inspection judgment result until the audit result is obtained.

9. An electronic device, characterized in that, include: A processor, and a memory communicatively connected to the processor; The memory stores computer-executed instructions; The processor executes computer execution instructions stored in the memory to implement the method as described in any one of claims 1-7.

10. A non-volatile computer-readable storage medium, characterized in that, The non-volatile computer-readable storage medium stores computer-executable instructions, which, when executed by a processor, are used to implement the method as described in any one of claims 1-7.

11. A computer program product, characterized in that, Includes a computer program that, when executed by a processor, implements the method of any one of claims 1-7.