A database access security auditing method based on artificial intelligence

By combining SimSiam feature mapping, bidirectional long short-term memory network and IQN algorithm, a multi-distance weighted deviation analysis is constructed, which solves the shortcomings of traditional database access security auditing methods in real-time identification of abnormal behavior, and realizes high-precision, interpretable intelligent database access security auditing.

CN122153931APending Publication Date: 2026-06-05BEIJING ZHONGKUANG ZHIWANG TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING ZHONGKUANG ZHIWANG TECHNOLOGY CO LTD
Filing Date
2026-02-05
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing database access security auditing methods struggle to identify anomalous behavior in real time, especially when faced with slow, low-frequency, or disguised attacks. Furthermore, traditional rule configuration and maintenance are costly and have poor adaptability. Moreover, existing methods are inadequate in expressing multidimensional differences, resulting in high false alarm rates, low discrimination accuracy, and a lack of interpretability.

Method used

The SimSiam method is used for feature mapping and alignment, combined with bidirectional long short-term memory network to extract behavioral features, and IQN algorithm is used for quantile prediction. Multi-distance weighted deviation analysis is constructed to generate risk assessment sequences, thereby realizing dynamic modeling and intelligent auditing.

Benefits of technology

It improves the accuracy of anomaly identification, enhances the ability to model complex temporal behaviors, provides interpretability for high-risk judgments, eliminates the need for manual rule configuration, and improves the intelligence and real-time performance of database access security auditing.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122153931A_ABST
    Figure CN122153931A_ABST
Patent Text Reader

Abstract

The application discloses a database access security audit method based on artificial intelligence, comprising the following steps: S1, acquiring database access records and preprocessing, and constructing an access sequence; S2, generating an access statistical sequence based on the access sequence through a SimSiam method; S3, constructing a behavior baseline sequence according to the access statistical sequence through a bidirectional long short-term memory network; S4, generating an access prediction sequence based on the behavior baseline sequence by using an IQN algorithm; S5, calculating the Euclidean distance, Manhattan distance and Mahalanobis distance of the access prediction sequence and the access statistical sequence, and generating a deviation degree sequence; S6, generating a risk assessment sequence and a risk level sequence based on the deviation degree sequence; and S7, generating an audit result according to the access sequence, the risk assessment sequence and the risk level sequence. The application combines deep feature alignment, time series modeling and quantile prediction, realizes intelligent audit of database access behavior, and has strong adaptability and high interpretability.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of database security technology, and in particular to a database access security auditing method based on artificial intelligence. Background Technology

[0002] With database systems widely used in critical sectors such as finance, healthcare, government affairs, and industrial control, ensuring the security of database access has become a core issue in information system operation and maintenance. Especially when facing security risks such as internal attacks, unauthorized access, and sensitive information leaks, traditional access control and operation log mechanisms often only provide post-incident accountability, failing to proactively identify and audit abnormal behavior in real time.

[0003] Existing database access security auditing methods largely rely on rule matching or threshold judgment, such as setting static rules for access frequency, query content, or the number of times sensitive fields are accessed. Once attacks are carried out slowly, infrequently, or in a disguised manner, traditional rules struggle to respond promptly. Furthermore, rule configuration typically requires manual definition, resulting in high maintenance costs, poor adaptability, and difficulty in dealing with constantly evolving attack strategies.

[0004] In recent years, some studies have introduced anomaly detection methods based on statistical analysis and machine learning, attempting to extract features from access behavior and build access models. However, these methods suffer from insufficient modeling capabilities when dealing with complex temporal behavioral features, especially in scenarios with periodic changes, abrupt behavioral changes, and intertwined access by multiple users, often resulting in high false positive rates and low discrimination accuracy. Furthermore, most models struggle to explain the basis of their judgments, lacking auditability and interpretability.

[0005] Furthermore, existing methods often employ a single metric in distance calculation and behavioral deviation analysis, which fails to effectively express the multidimensional differences between visiting behaviors. For example, using only Euclidean distance ignores the covariance structure between different dimensions, resulting in an inability to accurately characterize the overall degree of anomalousness in visiting behaviors.

[0006] Therefore, how to provide an AI-based database access security auditing method is a problem that urgently needs to be solved by those skilled in the art. Summary of the Invention

[0007] One objective of this invention is to propose an artificial intelligence-based database access security auditing method. This invention fully utilizes the SimSiam method, bidirectional long short-term memory network, IQN algorithm, and multi-distance weighted deviation analysis technology. By constructing the temporal statistical features of access behavior, baseline behavior model, and quantile prediction structure, it achieves dynamic modeling and intelligent auditing of database access behavior. It has advantages such as high anomaly identification accuracy, strong ability to model complex temporal behavior, good interpretability of risk judgment, and no need for manual rule configuration, which can significantly improve the intelligence level and real-time performance of database access security auditing.

[0008] A database access security auditing method based on artificial intelligence according to an embodiment of the present invention includes the following steps:

[0009] S1. Obtain the access identity, access permissions, and access content fields for consecutive time periods from the database access records, preprocess them, and construct the access sequence in chronological order.

[0010] S2. Perform sliding sampling on the access sequence using a fixed window, and use the SimSiam method to perform feature mapping and alignment operations on the sampling results to generate an access statistics sequence.

[0011] S3. Extract the bidirectional state of each time step of the access statistics sequence through a bidirectional long short-term memory network, calculate the central tendency, fluctuation range and periodic structure based on the extraction results, and construct the behavioral baseline sequence.

[0012] S4. Use the IQN algorithm to perform sequence fitting on the behavioral baseline sequence, generate quantile sampling values ​​and perform embedding processing, and perform element-wise addition, linear transformation and activation operation on the embedding result and the behavioral baseline sequence to generate the access prediction sequence.

[0013] S5. Calculate the Euclidean distance, Manhattan distance, and Mahalanobis distance between the visit prediction sequence and the visit statistics sequence. Based on the behavioral baseline sequence, set a weight set, and weightedly fuse the three types of distances to generate a deviation sequence.

[0014] S6. Perform Z-Score standardization on the deviation series and calculate the volatility by time step to generate a risk assessment series and a risk level series;

[0015] S7. Time-align the access sequence, risk assessment sequence, and risk level sequence to generate database access security audit results.

[0016] Optionally, the access identity field represents a field that identifies the access subject, the access permission field represents an information field that records the access level, the access content field represents a field that records the specific access operation content, the preprocessing includes format normalization, missing value handling and timestamp alignment, and the quantile sample value represents a sample scalar generated in the IQN algorithm based on a preset number of quantiles.

[0017] Optionally, S2 specifically includes:

[0018] S21. Perform sliding sampling on the access sequence according to a fixed window, and generate access behavior segments by ordering the access data of consecutive time periods according to the window order.

[0019] S22. Perform numerical perturbation operation on the access behavior segment using a pseudo-random number generator to obtain the target perturbation segment and the reference perturbation segment, and perform feature mapping processing using the SimSiam method to generate the target mapping vector and the reference mapping vector.

[0020] S23. Calculate the difference vector between the target mapping vector and the reference mapping vector according to the element position, construct the Jacobian matrix based on the difference vector, and perform a joint alignment operation on the difference vector and the Jacobian matrix to generate alignment features.

[0021] S24. Combine the alignment features in chronological order to construct an access statistics sequence.

[0022] Optionally, S22 specifically includes:

[0023] S221. The random offset generated by the pseudo-random number generator is used to perform perturbation calculation on each numerical field of the access behavior segment. The random offset is added to each field of the access behavior segment to form the target perturbation segment and the reference perturbation segment.

[0024] S222. The SimSiam method is used to perform a one-dimensional feature mapping on the target perturbation segment and the reference perturbation segment. Linear transformation, GELU function activation and batch normalization operations are performed on the data of each dimension within the two segments in sequence to generate two intermediate feature representations.

[0025] S223. Perform a linear transformation on the two intermediate feature representations again, and compress and map the transformation results according to the dimensions. Perform linear combination processing on the data of each dimension according to the preset compression coefficient to form the target mapping vector and the reference mapping vector.

[0026] Optionally, S23 specifically includes:

[0027] S231. Perform a first-order difference calculation on the target mapping vector and the reference mapping vector, and arrange the difference results in dimensional order to generate a difference vector.

[0028] S232. Based on the numerical changes of the difference vector in each dimension, calculate the changes between adjacent dimensions, and arrange the changes in order of dimension to construct the Jacobian matrix;

[0029] S233. Perform a multiplication operation on the value of each dimension of the difference vector and the change in the corresponding dimension of the Jacobian matrix, and perform an addition operation on the result of the multiplication operation and the value of the corresponding dimension of the difference vector to generate a fused vector.

[0030] S234. Perform numerical correction on the fusion vector. Calculate the correction amount based on the numerical difference between each dimension of the fusion vector and the difference vector, and perform a dimension-by-dimensional addition operation on the correction amount and the difference vector to form an alignment feature.

[0031] Optionally, S3 specifically includes:

[0032] S31. At each time step of accessing the statistical sequence, forward state extraction and backward state extraction operations are performed through a bidirectional long short-term memory network, and the forward and backward states are concatenated in dimensional order to generate a bidirectional state vector.

[0033] S32. Perform weighted summation and mean calculation on the values ​​of each dimension of the bidirectional state vector to generate the central tendency quantity;

[0034] S33. Calculate the difference between the maximum and minimum values ​​of each dimension of the bidirectional state vector to generate the fluctuation range quantity.

[0035] S34. Perform first-order difference processing on the numerical values ​​of the bidirectional state vectors of adjacent time steps, and perform repetition rate analysis on the difference results to generate periodic structure quantities.

[0036] S35. Combine all central trend quantities, fluctuation range quantities, and cyclical structure quantities according to time steps to construct a behavioral baseline sequence.

[0037] Optionally, the specific processes of forward state extraction and backward state extraction include:

[0038] The alignment features of the current time step in the access statistics sequence are input into the forward memory unit of the bidirectional long short-term memory network. The alignment features are weighted with the forward state of the previous time step based on the preset weight parameters, and the Tanh function activation operation is performed on the weighted result to generate the forward state of the current time step. In the first time step, the preset initial forward state is used as the forward state of the previous time step.

[0039] The alignment features of the current time step of the access statistics sequence are input into the backward memory unit of the bidirectional long short-term memory network. The alignment features are weighted with the backward state of the next time step based on the preset weight parameters, and the Tanh function activation operation is performed on the weighted result to generate the backward state of the current time step. In the last time step, the preset initial backward state is used as the backward state of the next time step.

[0040] The forward and backward states are concatenated in dimensional order to generate a bidirectional state vector.

[0041] Optionally, S4 specifically includes:

[0042] S41. Divide the behavioral baseline sequence into time steps and perform amplitude normalization processing on the division results according to a preset numerical range to form multiple behavioral baseline vectors.

[0043] S42. In the quantile sampling unit of the IQN algorithm, call the pseudo-random number generator to generate a set of quantile sampling values ​​corresponding to the behavior baseline vector within the interval from zero to one based on the preset number of quantiles.

[0044] S43. Input the set of quantile sampled values ​​into the embedding unit of the IQN algorithm, and perform linear mapping, sine transformation and dimension expansion operations in sequence to generate quantile embedding vectors;

[0045] S44. Add the quantile embedding vector to the corresponding behavioral baseline vector according to the element position to generate the fusion vector, and feed the fusion vector into the fitting unit of the IQN algorithm to perform linear transformation and ReLU function activation operation to generate the quantile fitting vector.

[0046] S45. Perform weighted summation and mean calculation operations on all quantile fitting vectors at the same time step to generate access prediction vectors for the corresponding time step. The weights of the weighted summation are set according to the values ​​in the quantile embedding vectors corresponding to each quantile fitting vector.

[0047] S46. Arrange all access prediction vectors in chronological order to construct an access prediction sequence.

[0048] Optionally, S5 specifically includes:

[0049] S51. Pair the access prediction sequence and the access statistics sequence by time step, calculate the numerical difference between the access prediction vector and the access statistics vector at each time step in each dimension, and arrange all the calculation results in dimensional order to generate distance calculation data.

[0050] S52. Perform squaring, summing, and square root operations on the distance calculation data in each dimension to generate a Euclidean distance sequence;

[0051] S53. Perform absolute value and summation operations on the distance calculation data in each dimension to generate a Manhattan distance sequence;

[0052] S54. Construct a covariance matrix based on the visit prediction sequence and the visit statistics sequence, and perform matrix operations on the visit prediction vector and visit statistics vector at each time step according to the covariance matrix to generate a Mahalanobis distance sequence.

[0053] S55. Extract the central tendency, fluctuation range and periodic structure quantities corresponding to each time step from the behavioral baseline sequence, and perform Min-Max normalization on the three types of quantities to form a set of weights for Euclidean distance, Manhattan distance and Mahalanobis distance.

[0054] S56. Perform multiplication operations on the Euclidean distance, Manhattan distance and Mahalanobis distance of each time step with the corresponding weights in the weight set, and perform summation operations. Arrange the summation results in time order to generate a deviation sequence.

[0055] Optionally, S54 specifically includes:

[0056] S541. Concatenate the access prediction vector and access statistics vector of all time steps in dimensional order to construct a joint dataset, and perform mean calculation on the values ​​of each dimension in the joint dataset to generate mean data.

[0057] S542. Based on the mean data, perform centering processing on the values ​​of each dimension in the joint dataset, calculate the average value of the product of the centered values ​​by dimension, and construct the covariance matrix.

[0058] S543. Perform matrix decomposition and inversion on the covariance matrix to generate the inverse covariance matrix;

[0059] S544. Calculate the numerical difference between the access prediction vector and the access statistics vector at each time step according to the dimension. Perform matrix multiplication on the numerical difference and the inverse covariance matrix to generate an intermediate matrix. Then, perform product summation on the intermediate matrix and the numerical difference according to the row and column correspondence to generate the corresponding Mahalanobis distance value.

[0060] S545. Arrange all Mahalanobis distance values ​​according to time steps to construct a Mahalanobis distance sequence.

[0061] The beneficial effects of this invention are:

[0062] First, this invention uses the SimSiam method to perform feature mapping and alignment on access behavior segments, enabling the acquisition of stable and consistent behavioral representations under unlabeled conditions. This approach effectively reduces the impact of field perturbations, numerical fluctuations, and noise changes in access data, making access features more uniform and reliable. It overcomes the shortcomings of traditional rule-based auditing methods, which rely on manually set thresholds and are sensitive to perturbations, thereby providing higher-quality input data for subsequent time-series modeling.

[0063] Secondly, this invention employs a bidirectional long short-term memory network to extract forward and backward features of access behavior, and constructs a baseline sequence of behavior through central tendency, fluctuation range, and periodic structure. Based on this, the IQN algorithm is introduced to achieve quantile prediction of baseline behavior, enabling the prediction results to express various future behavioral states and improving the model's adaptability to periodic changes, sudden anomalies, and multi-user mixed access scenarios. Through embedding processing, element-wise fusion, and activation transformation, this invention achieves a more refined characterization of access behavior trends, enhancing the accuracy and stability of anomaly identification.

[0064] Finally, this invention combines Euclidean distance, Manhattan distance, and Mahalanobis distance, using a weighted fusion of weights to construct a deviation sequence. This assesses the level of difference in access behavior from multiple perspectives and further utilizes Z-Score standardization and risk level classification to generate risk assessment results. This mechanism not only enhances the interpretability of audit results but also overcomes the misjudgment problem caused by the single measurement method in traditional approaches. It enables automated and real-time detection of database access anomalies without the need for manual rules, significantly improving the intelligence level of database access security auditing. Attached Figure Description

[0065] The accompanying drawings are provided to further illustrate the invention and form part of the specification. They are used in conjunction with embodiments of the invention to explain the invention and do not constitute a limitation thereof. In the drawings:

[0066] Figure 1 This is a flowchart of a database access security auditing method based on artificial intelligence proposed in this invention;

[0067] Figure 2 This is a flowchart of the IQN quantile prediction and multi-distance deviation analysis of an artificial intelligence-based database access security auditing method proposed in this invention;

[0068] Figure 3 This is a core flowchart of the access prediction and risk assessment method for a database access security audit based on artificial intelligence proposed in this invention. Detailed Implementation

[0069] The present invention will now be described in further detail with reference to the accompanying drawings. These drawings are simplified schematic diagrams, illustrating only the basic structure of the invention, and therefore only show the components relevant to the invention.

[0070] refer to Figure 1-3 A database access security auditing method based on artificial intelligence includes the following steps:

[0071] S1. Obtain the access identity, access permissions, and access content fields for consecutive time periods from the database access records, preprocess them, and construct the access sequence in chronological order.

[0072] S2. Perform sliding sampling on the access sequence using a fixed window, and use the SimSiam method to perform feature mapping and alignment operations on the sampling results to generate an access statistics sequence.

[0073] S3. Extract the bidirectional state of each time step of the access statistics sequence through a bidirectional long short-term memory network, calculate the central tendency, fluctuation range and periodic structure based on the extraction results, and construct the behavioral baseline sequence.

[0074] S4. Use the IQN algorithm to perform sequence fitting on the behavioral baseline sequence, generate quantile sampling values ​​and perform embedding processing, and perform element-wise addition, linear transformation and activation operation on the embedding result and the behavioral baseline sequence to generate the access prediction sequence.

[0075] S5. Calculate the Euclidean distance, Manhattan distance, and Mahalanobis distance between the visit prediction sequence and the visit statistics sequence. Based on the behavioral baseline sequence, set a weight set, and weightedly fuse the three types of distances to generate a deviation sequence.

[0076] S6. Perform Z-Score standardization on the deviation series and calculate the volatility by time step to generate a risk assessment series and a risk level series;

[0077] S7. Time-align the access sequence, risk assessment sequence, and risk level sequence to generate database access security audit results.

[0078] In this embodiment, the access identity field represents a field that identifies the access subject, the access permission field represents an information field that records the access level, the access content field represents a field that records the specific access operation content, the preprocessing includes format normalization, missing value handling and timestamp alignment, and the quantile sample value represents a sample scalar generated based on a preset number of quantiles in the IQN algorithm.

[0079] In this embodiment, S2 specifically includes:

[0080] S21. Perform sliding sampling on the access sequence according to a fixed window, and generate access behavior segments by ordering the access data of consecutive time periods according to the window order.

[0081] S22. Perform numerical perturbation operation on the access behavior segment using a pseudo-random number generator to obtain the target perturbation segment and the reference perturbation segment, and perform feature mapping processing using the SimSiam method to generate the target mapping vector and the reference mapping vector.

[0082] S23. Calculate the difference vector between the target mapping vector and the reference mapping vector according to the element position, construct the Jacobian matrix based on the difference vector, and perform a joint alignment operation on the difference vector and the Jacobian matrix to generate alignment features.

[0083] S24. Combine the alignment features in chronological order to construct an access statistics sequence.

[0084] In this embodiment, S22 specifically includes:

[0085] S221. The random offset generated by the pseudo-random number generator is used to perform perturbation calculation on each numerical field of the access behavior segment. The random offset is added to each field of the access behavior segment to form the target perturbation segment and the reference perturbation segment.

[0086] S222. The SimSiam method is used to perform a one-dimensional feature mapping on the target perturbation segment and the reference perturbation segment. Linear transformation, GELU function activation and batch normalization operations are performed on the data of each dimension within the two segments in sequence to generate two intermediate feature representations.

[0087] S223. Perform a linear transformation on the two intermediate feature representations again, and compress and map the transformation results according to the dimensions. Perform linear combination processing on the data of each dimension according to the preset compression coefficient to form the target mapping vector and the reference mapping vector.

[0088] In this embodiment, S23 specifically includes:

[0089] S231. Perform a first-order difference calculation on the target mapping vector and the reference mapping vector, and arrange the difference results in dimensional order to generate a difference vector.

[0090] S232. Based on the numerical changes of the difference vector in each dimension, calculate the changes between adjacent dimensions, and arrange the changes in order of dimension to construct the Jacobian matrix;

[0091] S233. Perform a multiplication operation on the value of each dimension of the difference vector and the change in the corresponding dimension of the Jacobian matrix, and perform an addition operation on the result of the multiplication operation and the value of the corresponding dimension of the difference vector to generate a fused vector.

[0092] S234. Perform numerical correction on the fused vector. Calculate the correction amount based on the numerical differences in each dimension between the fused vector and the difference vector, and perform a dimension-by-dimensional addition operation on the correction amount and the difference vector to form alignment features. Specifically, this includes:

[0093] Perform difference calculations on the numerical values ​​of each dimension of the fusion vector and the difference vector to generate a dimension error vector;

[0094] The dimension error vector is weighted and adjusted according to the numerical range of each dimension in the difference vector to generate the corrected error vector.

[0095] The corrected error vector and the difference vector are added one dimension at a time to generate the alignment feature.

[0096] In this embodiment, S3 specifically includes:

[0097] S31. At each time step of accessing the statistical sequence, forward state extraction and backward state extraction operations are performed through a bidirectional long short-term memory network, and the forward and backward states are concatenated in dimensional order to generate a bidirectional state vector.

[0098] S32. Perform weighted summation and mean calculation on the values ​​of each dimension of the bidirectional state vector to generate the central tendency quantity;

[0099] S33. Calculate the difference between the maximum and minimum values ​​of each dimension of the bidirectional state vector to generate the fluctuation range quantity.

[0100] S34. Perform first-order difference processing on the numerical values ​​of the bidirectional state vectors of adjacent time steps, and perform repetition rate analysis on the difference results to generate periodic structure quantities.

[0101] S35. Combine all central trend quantities, fluctuation range quantities, and cyclical structure quantities according to time steps to construct a behavioral baseline sequence.

[0102] In this embodiment, the specific processes of forward state extraction and backward state extraction include:

[0103] The alignment features of the current time step in the access statistics sequence are input into the forward memory unit of the bidirectional long short-term memory network. The alignment features are weighted with the forward state of the previous time step based on the preset weight parameters, and the Tanh function activation operation is performed on the weighted result to generate the forward state of the current time step. In the first time step, the preset initial forward state is used as the forward state of the previous time step.

[0104] The alignment features of the current time step of the access statistics sequence are input into the backward memory unit of the bidirectional long short-term memory network. The alignment features are weighted with the backward state of the next time step based on the preset weight parameters, and the Tanh function activation operation is performed on the weighted result to generate the backward state of the current time step. In the last time step, the preset initial backward state is used as the backward state of the next time step.

[0105] The forward and backward states are concatenated in dimensional order to generate a bidirectional state vector.

[0106] In this embodiment, S4 specifically includes:

[0107] S41. Divide the behavioral baseline sequence into time steps and perform amplitude normalization processing on the division results according to a preset numerical range to form multiple behavioral baseline vectors.

[0108] S42. In the quantile sampling unit of the IQN algorithm, call the pseudo-random number generator to generate a set of quantile sampling values ​​corresponding to the behavior baseline vector within the interval from zero to one based on the preset number of quantiles.

[0109] S43. Input the set of quantile sampled values ​​into the embedding unit of the IQN algorithm, and perform linear mapping, sine transformation and dimension expansion operations in sequence to generate quantile embedding vectors;

[0110] S44. Add the quantile embedding vector to the corresponding behavioral baseline vector according to the element position to generate the fusion vector, and feed the fusion vector into the fitting unit of the IQN algorithm to perform linear transformation and ReLU function activation operation to generate the quantile fitting vector.

[0111] S45. Perform weighted summation and mean calculation operations on all quantile fitting vectors at the same time step to generate access prediction vectors for the corresponding time step. The weights of the weighted summation are set according to the values ​​in the quantile embedding vectors corresponding to each quantile fitting vector.

[0112] S46. Arrange all access prediction vectors in chronological order to construct an access prediction sequence.

[0113] In this embodiment, S5 specifically includes:

[0114] S51. Pair the access prediction sequence and the access statistics sequence by time step, calculate the numerical difference between the access prediction vector and the access statistics vector at each time step in each dimension, and arrange all the calculation results in dimensional order to generate distance calculation data.

[0115] S52. Perform squaring, summing, and square root operations on the distance calculation data in each dimension to generate a Euclidean distance sequence;

[0116] S53. Perform absolute value and summation operations on the distance calculation data in each dimension to generate a Manhattan distance sequence;

[0117] S54. Construct a covariance matrix based on the visit prediction sequence and the visit statistics sequence, and perform matrix operations on the visit prediction vector and visit statistics vector at each time step according to the covariance matrix to generate a Mahalanobis distance sequence.

[0118] S55. Extract the central tendency, fluctuation range and periodic structure quantities corresponding to each time step from the behavioral baseline sequence, and perform Min-Max normalization on the three types of quantities to form a set of weights for Euclidean distance, Manhattan distance and Mahalanobis distance.

[0119] S56. Perform multiplication operations on the Euclidean distance, Manhattan distance and Mahalanobis distance of each time step with the corresponding weights in the weight set, and perform summation operations. Arrange the summation results in time order to generate a deviation sequence.

[0120] In this embodiment, S54 specifically includes:

[0121] S541. Concatenate the access prediction vector and access statistics vector of all time steps in dimensional order to construct a joint dataset, and perform mean calculation on the values ​​of each dimension in the joint dataset to generate mean data.

[0122] S542. Based on the mean data, perform centering processing on the values ​​of each dimension in the joint dataset, calculate the average value of the product of the centered values ​​by dimension, and construct the covariance matrix.

[0123] S543. Perform matrix decomposition and inversion on the covariance matrix to generate the inverse covariance matrix, specifically including:

[0124] Perform singular value decomposition on the covariance matrix to decompose it into an eigenma matrix, an eigenvalue matrix, and a transpose eigenma matrix;

[0125] Perform the reciprocal operation on all non-zero eigenvalues ​​in the eigenvalue matrix to construct the reciprocal eigenvalue matrix;

[0126] The inverse covariance matrix is ​​generated by combining the eigenvalue matrix, the reciprocal eigenvalue matrix, and the transpose eigenvalue matrix through matrix multiplication.

[0127] S544. Calculate the numerical difference between the access prediction vector and the access statistics vector at each time step according to the dimension. Perform matrix multiplication on the numerical difference and the inverse covariance matrix to generate an intermediate matrix. Then, perform product summation on the intermediate matrix and the numerical difference according to the row and column correspondence to generate the corresponding Mahalanobis distance value.

[0128] S545. Arrange all Mahalanobis distance values ​​according to time steps to construct a Mahalanobis distance sequence.

[0129] In this embodiment, S6 specifically includes:

[0130] S61. Calculate the mean and standard deviation for all values ​​in the deviation series;

[0131] S62. Perform Z-Score standardization on the deviation value of each time step. Subtract the mean from the deviation value of the current time step and divide by the standard deviation to obtain the standardized deviation value of that time step.

[0132] S63. Calculate the fluctuation range of the standardized results within a sliding window of fixed length, extract the maximum and minimum values ​​within the window, and calculate the difference between the maximum and minimum values ​​as the fluctuation range of the window.

[0133] S64. Arrange all fluctuation ranges in chronological order to construct a risk assessment sequence;

[0134] S65. Compare the fluctuation range of each time step of the risk assessment sequence with the preset risk threshold rules to determine the risk range in which the fluctuation range is located. If it is higher than the high risk threshold, it is marked as high risk; if it is lower than the low risk threshold, it is marked as low risk; otherwise, it is marked as medium risk. Arrange all risk level labels in chronological order to generate a risk level sequence.

[0135] Example 1:

[0136] To verify the feasibility of this invention in practice, it was applied to a database access auditing scenario. The environment contained multiple user roles, multi-level access permissions, and a large number of distributed business access requests. In this environment, the database access volume was high, and the changes in access behavior exhibited periodicity, diversity, and suddenness. This made traditional rule-based auditing methods inadequate to handle frequently changing access patterns, easily leading to high false positive rates, audit lag, and inability to explain the source of anomalies. Therefore, an intelligent auditing method is needed that can automatically extract behavioral features, dynamically model access patterns, and accurately identify abnormal behavior to address the technical pain points of insufficient capabilities in traditional rule-based auditing.

[0137] In this scenario, the access identity, access permissions, and access content fields of database users over several consecutive hours are collected, preprocessed, and time-stepped to construct an access sequence. Subsequently, the access sequence is input into the sliding sampling and SimSiam feature alignment structure of this invention. Unsupervised feature mapping yields an access statistics sequence, ensuring consistent feature representation of access behavior even when affected by perturbations, noise fluctuations, and differences in request formats. The feature-aligned access statistics sequence is more suitable for time-series modeling, helping to reduce spurious differences in behavioral representation.

[0138] In the behavioral modeling process, forward and backward dependency features of visiting behavior are extracted through a bidirectional long short-term memory network, and the central tendency, fluctuation range, and periodic structure are calculated to construct a behavioral baseline sequence, which clearly presents the overall performance, local fluctuations, and periodic changes of visiting behavior. Subsequently, an IQN quantile prediction mechanism is introduced to perform quantile sampling, embedding, fitting, and prediction on the behavioral baseline sequence, enabling the model to simultaneously predict multiple future behavioral states and providing a multi-perspective prediction benchmark for subsequent anomaly identification.

[0139] To identify the degree of anomalousness in access behavior, this invention uses Euclidean distance, Manhattan distance, and Mahalanobis distance to calculate the difference between the predicted access sequence and the statistical access sequence. A weight set is constructed based on the behavioral baseline sequence, and a deviation sequence is generated through multi-distance weighted fusion, giving the deviation features a higher expressive power. Furthermore, risk assessment sequences and risk level sequences are generated through Z-score normalization and volatility calculation, allowing anomalous behavior to be quantified. Finally, time alignment generates structured results that can be directly used for security auditing.

[0140] In actual testing, the access behavior of 500 users was selected from the database access environment for statistical analysis, generating over 200,000 access records. Compared with traditional rule-based auditing methods, this invention demonstrates significant advantages in anomaly identification, particularly in scenarios involving low-frequency abnormal behavior, unauthorized access, and periodic behavioral mutations.

[0141] The table below presents some data from scenario testing to evaluate the effectiveness of this invention:

[0142] Table 1. Performance comparison data between the method of this invention and traditional auditing methods in access anomaly detection.

[0143] Indicator Categories Traditional rule-based auditing methods Method of the present invention Total number of access records (records) 200,000 200,000 Number of actual anomaly records (items) 1,200 1,200 Number of anomalies detected (items) 3,850 1,310 Accurately identify the number of anomalies (items). 960 1,155 Number of false alarms (items) 2,890 155 Number of underreported items 240 45 Accuracy (%) 24.9 88.2 Recall rate (%) 80.0 96.2 F1 Overall Score (%) 37.7 92.1 Average response time (ms) 128 34 Success rate of identifying periodic access mutations (%) 42.3 91.4 Unauthorized access detection success rate (%) 57.0 94.8 Success rate of identifying abnormal access content (%) 39.5 89.7 Risk level consistency index (0~1) 0.31 0.87

[0144] As shown in Table 1, this invention significantly outperforms traditional rule-based auditing methods in terms of anomaly identification accuracy, recall, and overall performance. Out of 200,000 access records, this invention accurately identified 1,155 genuine abnormal behaviors with only 155 false positives, while the traditional method generated nearly 3,000 false positives, demonstrating a significant advantage in ensuring audit reliability. Furthermore, this invention, through IQN quantile prediction, multi-distance weighted deviation analysis, and Z-Score risk standardization, makes the model more sensitive to subtle deviations and periodic abrupt changes in access behavior, increasing the periodic abrupt change identification rate from the traditional 42.3% to 91.4%. Simultaneously, this invention also achieves significant optimization in unauthorized access and content-abnormal access, making the anomaly identification scope more comprehensive.

[0145] In terms of response speed, the average processing time of this invention is only 34ms, far lower than the 128ms of the traditional method, proving its suitability for real-time auditing needs in high-concurrency environments. Looking at the comprehensive F1 score, this invention achieves 92.1%, a significant improvement over the 37.7% of traditional auditing, fully demonstrating the technical advantages of high accuracy, high stability, and high interpretability in practical applications.

[0146] The above description is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any equivalent substitutions or modifications made by those skilled in the art within the scope of the technology disclosed in the present invention, based on the technical solution and inventive concept of the present invention, should be covered within the scope of protection of the present invention.

Claims

1. A database access security auditing method based on artificial intelligence, characterized in that, Includes the following steps: S1. Obtain the access identity, access permissions, and access content fields for consecutive time periods from the database access records, preprocess them, and construct the access sequence in chronological order. S2. Perform sliding sampling on the access sequence using a fixed window, and use the SimSiam method to perform feature mapping and alignment operations on the sampling results to generate an access statistics sequence. S3. Extract the bidirectional state of each time step of the access statistics sequence through a bidirectional long short-term memory network, calculate the central tendency, fluctuation range and periodic structure based on the extraction results, and construct the behavioral baseline sequence. S4. Use the IQN algorithm to perform sequence fitting on the behavioral baseline sequence, generate quantile sampling values ​​and perform embedding processing, and perform element-wise addition, linear transformation and activation operation on the embedding result and the behavioral baseline sequence to generate the access prediction sequence. S5. Calculate the Euclidean distance, Manhattan distance, and Mahalanobis distance between the visit prediction sequence and the visit statistics sequence. Based on the behavioral baseline sequence, set a weight set, and weightedly fuse the three types of distances to generate a deviation sequence. S6. Perform Z-Score standardization on the deviation series and calculate the volatility by time step to generate a risk assessment series and a risk level series; S7. Time-align the access sequence, risk assessment sequence, and risk level sequence to generate database access security audit results.

2. The database access security auditing method based on artificial intelligence according to claim 1, characterized in that, The access identity field represents a field that identifies the accessing subject, the access permission field represents an information field that records the access level, the access content field represents a field that records the specific access operation content, the preprocessing includes format normalization, missing value handling and timestamp alignment, and the quantile sample value represents a sample scalar generated in the IQN algorithm based on a preset number of quantiles.

3. The database access security auditing method based on artificial intelligence according to claim 1, characterized in that, S2 specifically includes: S21. Perform sliding sampling on the access sequence according to a fixed window, and generate access behavior segments by ordering the access data of consecutive time periods according to the window order. S22. Perform numerical perturbation operation on the access behavior segment using a pseudo-random number generator to obtain the target perturbation segment and the reference perturbation segment, and perform feature mapping processing using the SimSiam method to generate the target mapping vector and the reference mapping vector. S23. Calculate the difference vector between the target mapping vector and the reference mapping vector according to the element position, construct the Jacobian matrix based on the difference vector, and perform a joint alignment operation on the difference vector and the Jacobian matrix to generate alignment features. S24. Combine the alignment features in chronological order to construct an access statistics sequence.

4. The database access security auditing method based on artificial intelligence according to claim 3, characterized in that, S22 specifically includes: S221. The random offset generated by the pseudo-random number generator is used to perform perturbation calculation on each numerical field of the access behavior segment. The random offset is added to each field of the access behavior segment to form the target perturbation segment and the reference perturbation segment. S222. The SimSiam method is used to perform a one-dimensional feature mapping on the target perturbation segment and the reference perturbation segment. Linear transformation, GELU function activation and batch normalization operations are performed on the data of each dimension within the two segments in sequence to generate two intermediate feature representations. S223. Perform a linear transformation on the two intermediate feature representations again, and compress and map the transformation results according to the dimensions. Perform linear combination processing on the data of each dimension according to the preset compression coefficient to form the target mapping vector and the reference mapping vector.

5. The database access security auditing method based on artificial intelligence according to claim 3, characterized in that, S23 specifically includes: S231. Perform a first-order difference calculation on the target mapping vector and the reference mapping vector, and arrange the difference results in dimensional order to generate a difference vector. S232. Based on the numerical changes of the difference vector in each dimension, calculate the changes between adjacent dimensions, and arrange the changes in order of dimension to construct the Jacobian matrix; S233. Perform a multiplication operation on the value of each dimension of the difference vector and the change in the corresponding dimension of the Jacobian matrix, and perform an addition operation on the result of the multiplication operation and the value of the corresponding dimension of the difference vector to generate a fused vector. S234. Perform numerical correction on the fusion vector. Calculate the correction amount based on the numerical difference between each dimension of the fusion vector and the difference vector, and perform a dimension-by-dimensional addition operation on the correction amount and the difference vector to form an alignment feature.

6. The database access security auditing method based on artificial intelligence according to claim 1, characterized in that, S3 specifically includes: S31. At each time step of accessing the statistical sequence, forward state extraction and backward state extraction operations are performed through a bidirectional long short-term memory network, and the forward and backward states are concatenated in dimensional order to generate a bidirectional state vector. S32. Perform weighted summation and mean calculation on the values ​​of each dimension of the bidirectional state vector to generate the central tendency quantity; S33. Calculate the difference between the maximum and minimum values ​​of each dimension of the bidirectional state vector to generate the fluctuation range quantity. S34. Perform first-order difference processing on the numerical values ​​of the bidirectional state vectors of adjacent time steps, and perform repetition rate analysis on the difference results to generate periodic structure quantities. S35. Combine all central trend quantities, fluctuation range quantities, and cyclical structure quantities according to time steps to construct a behavioral baseline sequence.

7. The database access security auditing method based on artificial intelligence according to claim 6, characterized in that, The specific processes for forward state extraction and backward state extraction include: The alignment features of the current time step in the access statistics sequence are input into the forward memory unit of the bidirectional long short-term memory network. The alignment features are weighted with the forward state of the previous time step based on the preset weight parameters, and the Tanh function activation operation is performed on the weighted result to generate the forward state of the current time step. In the first time step, the preset initial forward state is used as the forward state of the previous time step. The alignment features of the current time step of the access statistics sequence are input into the backward memory unit of the bidirectional long short-term memory network. The alignment features are weighted with the backward state of the next time step based on the preset weight parameters, and the Tanh function activation operation is performed on the weighted result to generate the backward state of the current time step. In the last time step, the preset initial backward state is used as the backward state of the next time step. The forward and backward states are concatenated in dimensional order to generate a bidirectional state vector.

8. The database access security auditing method based on artificial intelligence according to claim 1, characterized in that, S4 specifically includes: S41. Divide the behavioral baseline sequence into time steps and perform amplitude normalization processing on the division results according to a preset numerical range to form multiple behavioral baseline vectors. S42. In the quantile sampling unit of the IQN algorithm, call the pseudo-random number generator to generate a set of quantile sampling values ​​corresponding to the behavior baseline vector within the interval from zero to one based on the preset number of quantiles. S43. Input the set of quantile sampled values ​​into the embedding unit of the IQN algorithm, and perform linear mapping, sine transformation and dimension expansion operations in sequence to generate quantile embedding vectors; S44. Add the quantile embedding vector to the corresponding behavioral baseline vector according to the element position to generate the fusion vector, and feed the fusion vector into the fitting unit of the IQN algorithm to perform linear transformation and ReLU function activation operation to generate the quantile fitting vector. S45. Perform weighted summation and mean calculation operations on all quantile fitting vectors at the same time step to generate access prediction vectors for the corresponding time step. The weights of the weighted summation are set according to the values ​​in the quantile embedding vectors corresponding to each quantile fitting vector. S46. Arrange all access prediction vectors in chronological order to construct an access prediction sequence.

9. The database access security auditing method based on artificial intelligence according to claim 1, characterized in that, S5 specifically includes: S51. Pair the access prediction sequence and the access statistics sequence by time step, calculate the numerical difference between the access prediction vector and the access statistics vector at each time step in each dimension, and arrange all the calculation results in dimensional order to generate distance calculation data. S52. Perform squaring, summing, and square root operations on the distance calculation data in each dimension to generate a Euclidean distance sequence; S53. Perform absolute value and summation operations on the distance calculation data in each dimension to generate a Manhattan distance sequence; S54. Construct a covariance matrix based on the visit prediction sequence and the visit statistics sequence, and perform matrix operations on the visit prediction vector and visit statistics vector at each time step according to the covariance matrix to generate a Mahalanobis distance sequence. S55. Extract the central tendency, fluctuation range and periodic structure quantities corresponding to each time step from the behavioral baseline sequence, and perform Min-Max normalization on the three types of quantities to form a set of weights for Euclidean distance, Manhattan distance and Mahalanobis distance. S56. Perform multiplication operations on the Euclidean distance, Manhattan distance and Mahalanobis distance of each time step with the corresponding weights in the weight set, and perform summation operations. Arrange the summation results in time order to generate a deviation sequence.

10. The database access security auditing method based on artificial intelligence according to claim 9, characterized in that, Specifically, S54 includes: S541. Concatenate the access prediction vector and access statistics vector of all time steps in dimensional order to construct a joint dataset, and perform mean calculation on the values ​​of each dimension in the joint dataset to generate mean data. S542. Based on the mean data, perform centering processing on the values ​​of each dimension in the joint dataset, calculate the average value of the product of the centered values ​​by dimension, and construct the covariance matrix. S543. Perform matrix decomposition and inversion on the covariance matrix to generate the inverse covariance matrix; S544. Calculate the numerical difference between the access prediction vector and the access statistics vector at each time step according to the dimension. Perform matrix multiplication on the numerical difference and the inverse covariance matrix to generate an intermediate matrix. Then, perform product summation on the intermediate matrix and the numerical difference according to the row and column correspondence to generate the corresponding Mahalanobis distance value. S545. Arrange all Mahalanobis distance values ​​according to time steps to construct a Mahalanobis distance sequence.