Risk decision method and system for power data full life cycle

By employing a method of spatiotemporal feature fusion and causal probabilistic reasoning, and utilizing variational autoencoders, bidirectional long short-term memory networks, and graph convolutional networks, a dynamic decision-making module of Bayesian networks is constructed. This solves the problem of identifying complex attack patterns throughout the entire lifecycle of power data, and enhances the ability to perceive and dynamically manage security risks.

CN122175360APending Publication Date: 2026-06-09HUZHOU ELECTRIC POWER SUPPLY CO OF STATE GRID ZHEJIANG ELECTRIC POWER CO LTD +2

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
HUZHOU ELECTRIC POWER SUPPLY CO OF STATE GRID ZHEJIANG ELECTRIC POWER CO LTD
Filing Date
2026-03-02
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing technologies are insufficient to effectively identify and respond to complex attack patterns throughout the entire lifecycle of power data, especially advanced persistent threats, insider misconduct, and cross-domain data breaches. Traditional static protection methods are inadequate to address the stealth and dynamism of attack methods and the scarcity of attack samples in massive log data.

Method used

By synergistically fusing spatiotemporal features and causal probabilistic reasoning, a variational autoencoder is used to extract latent feature vectors. Combined with bidirectional long short-term memory networks and graph convolutional networks for temporal and spatial analysis, a dynamic decision module of a Bayesian network is constructed to identify complex attack patterns across stages.

Benefits of technology

It significantly improves the ability to perceive and dynamically manage security risks in the entire process of power data collection, transmission and processing, optimizes the accuracy of identification and response to attacks such as brute-force attacks, intranet penetration and multi-account collusion, and enhances the model's ability to balance false alarms and false negatives in complex scenarios.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122175360A_ABST
    Figure CN122175360A_ABST
Patent Text Reader

Abstract

This application relates to the fields of artificial intelligence and computer technology, specifically providing a risk decision-making method and system for the entire lifecycle of power data. The method includes: acquiring multi-source heterogeneous log data from the entire lifecycle of a power information system; using an unsupervised feature extraction module based on a variational autoencoder to extract latent feature vectors and determine the VAE reconstruction error; performing spatiotemporal feature extraction on the latent feature vectors to obtain the temporal behavior probability from the time-series analysis stream and the spatial graph embedding distance from the spatial analysis stream; and constructing a dynamic decision-making module based on a Bayesian network, using the VAE reconstruction error, temporal behavior probability, and spatial graph embedding distance as multi-source evidence nodes for the dynamic decision-making module to calculate the posterior probability of risk events. This application, through the collaborative fusion of spatiotemporal features and causal probabilistic inference, can significantly improve the safety risk perception and dynamic control capabilities of power data throughout the entire process of acquisition, transmission, and processing.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the fields of artificial intelligence and computer technology, and in particular to a risk decision-making method and system for the entire lifecycle of power data. Background Technology

[0002] With the deepening of the digital transformation of the power system and the continuous development of smart grids, power information systems generate massive amounts of multi-source heterogeneous data throughout the entire lifecycle of data acquisition, transmission, processing, sharing, and destruction. This data not only contains user privacy information but also involves key parameters of power grid operation, and its security is directly related to national energy security and social stability. Statistical analysis of the risk distribution and evolution patterns during data flow has become a topic of significant scientific research value and engineering importance.

[0003] Traditional cybersecurity technologies have provided fundamental security for power systems over the past few decades. In practical applications, these static protection measures have been widely used in production fields such as marketing systems, dispatching systems, and office automation systems. However, with the emergence of new attack methods such as advanced persistent threats, insider misconduct, and cross-domain data breaches, power data security faces more challenges. These challenges include, but are not limited to: the stealth and dynamic nature of attack methods, the scarcity of attack samples in massive log data, and the inability of single protection measures to cope with cross-stage, spatiotemporally related attacks (such as multi-account collaborative attacks). Summary of the Invention

[0004] To address the aforementioned issues, this application provides a risk decision-making method and system for the entire lifecycle of power data. By synergistically fusing spatiotemporal features and using causal probabilistic reasoning, it overcomes the limitations of traditional static boundary protection and can identify complex cross-stage attack patterns such as brute-force attacks, intranet penetration, and multi-account collusion. This significantly enhances the ability to perceive and dynamically manage security risks in the entire process of power data collection, transmission, and processing.

[0005] To achieve the objectives of this application, the following technical solution is provided: Firstly, this application provides a risk decision-making method for the entire lifecycle of power data, including: Multi-source heterogeneous log data of the entire life cycle of the power information system is acquired, and latent feature vectors are extracted using an unsupervised feature extraction module based on a variational autoencoder; at the same time, the VAE reconstruction error is determined based on the unsupervised feature extraction module. Spatiotemporal feature extraction is performed on the latent feature vectors to obtain the temporal behavior probability from the temporal analysis stream and the spatial graph embedding distance from the spatial analysis stream; A dynamic decision-making module based on Bayesian networks is constructed, and the VAE reconstruction error, the temporal behavior probability, and the spatial graph embedding distance are used as multi-source evidence nodes of the dynamic decision-making module to calculate the posterior probability of risk events.

[0006] A further improvement of this application is that the step of using an unsupervised feature extraction module based on a variational autoencoder to extract a latent feature vector includes: using the encoder of the variational autoencoder to map the multi-source heterogeneous log data into a probability distribution in the latent space, and then obtaining the latent feature vector through reparameterized sampling. The unsupervised feature extraction module is trained using an evidence lower bound loss function, specifically: ; In the formula, Let the lower bound of the evidence loss function be... Indicates based on posterior approximate distribution Find the expected value of the quantity in parentheses; The log-likelihood term refers to the term calculated based on the given latent variables. Under these conditions, observation data The logarithm of the conditional probability; Denotes KL divergence, For variational posterior distribution, Latent variables The prior distribution of .

[0007] A further improvement of this application is that the step of determining the VAE reconstruction error based on the unsupervised feature extraction module includes: receiving the latent feature vector through the decoder of the variational autoencoder and reconstructing reconstructed data with the same dimension as the multi-source heterogeneous log data input to the encoder; comparing the reconstructed data with the multi-source heterogeneous log data input to the encoder to obtain the VAE reconstruction error.

[0008] A further improvement of this application is that the step of extracting spatiotemporal features from the latent feature vector to obtain the temporal behavior probability from the temporal analysis stream and the spatial graph embedding distance from the spatial analysis stream includes: using a bidirectional long short-term memory network based on an attention mechanism as the temporal analysis stream, taking the user operation sequence vector in the latent feature vector as input, capturing long-distance temporal dependencies, and aggregating the contextual features of key risk events to obtain the temporal behavior probability; and using a graph convolutional network based on a heterogeneous information network as the spatial analysis stream, taking the node interaction graph structure data in the latent feature vector as input, aggregating neighbor node information using a relation-aware propagation mechanism, mining the spatial association features of implicit collusion and lateral movement, and obtaining the spatial graph embedding distance.

[0009] A further improvement in this application is that the step of using the user operation sequence vector in the latent feature vector as input to capture long-distance temporal dependencies and aggregate the contextual features of key risk events to obtain the temporal behavior probability includes: performing temporal alignment and reorganization on the latent feature vector based on the timestamps of the multi-source heterogeneous original log data to construct a user operation sequence vector arranged by time steps to characterize the temporal evolution pattern of user behavior; inputting the user operation sequence vector into the bidirectional long short-term memory network, and obtaining the forward hidden state and backward hidden state at each time step through forward LSTM layer processing and backward LSTM layer processing; for each time step, concatenating the forward hidden state and the backward hidden state to obtain a complete hidden state vector; specifically: ; In the formula, For the first The complete hidden state vector at each time step This represents the computation process of the feedforward LSTM layer, which processes the user operation sequence vector in chronological order from earliest to latest. For the first The input vector at the nth time step, i.e., the user's input vector at the nth time step. Operational characteristics at any given moment For the feedforward LSTM layer at the 1st The forward hidden state vector output at each time step; This represents the computation process of the backward LSTM layer, which processes the user table operation sequence vector in reverse chronological order from latest to earliest. For the backward LSTM layer at the 1st The backward hidden state vector output at each time step; The attention weights at each time step are calculated using the fully connected layers of the bidirectional long short-term memory network, and the hidden states at all time steps are weighted and summed to obtain a context vector aggregating key risk features; specifically: ; ; In the formula, For the first Attention weights at each time step It is an exponential function. For the first Hidden state vector at each time step The feature vector is transformed by a fully connected layer and a tanh activation function to adapt to the computational dimension of the attention weights; yes The transpose of , For the attention mechanism, a learnable weight vector. It sums the exponential dot product results over all time steps; This is the final contextual risk vector; For the first The complete hidden state vector output by the Bi-LSTM at each time step This indicates the time step from the first time step to the second time step. Sum all terms at each time step. The total number of time steps for the user operation sequence vector; the context risk vector is input into the fully connected layer and processed by the Softmax function to obtain the temporal behavior probability.

[0010] A further improvement of this application is that, taking the node interaction graph structure data in the latent feature vector as input, aggregating neighbor node information using a relation-aware propagation mechanism, and mining the spatial association features of implicit collusion and lateral movement to obtain the spatial graph embedding distance, includes: splitting user node features, data asset node features, and IP node features from the latent feature vector; constructing interaction graph structure data based on the interaction relationships between the user node features, data asset node features, and IP node features; and using a relation-aware propagation mechanism, aggregating the feature information of its neighbor nodes according to edge type for a target node, wherein the node embedding update rule of the 1+1 layer is: ; In the formula, For the first Nodes in a layered network Embedded vector, It is the ReLU activation function. This indicates that for all edge types Summation is performed, where, It is the set of all edge types in a heterogeneous graph; Indicates a node Belongs to edge type All neighboring nodes Summation is performed, where, For nodes By edge type The set of connected neighbor nodes; It is the normalization coefficient; For the first corresponding edge types in layered networks The specific transformation matrix is ​​a learnable parameter matrix; For the first Neighbor nodes in a layered network The embedding vector represents the neighboring nodes before the update. The original characteristics; For the first The transformation matrix of the node's own characteristics in the layer network. It is the first Nodes in a layered network The embedding vector before updating; The spatial graph embedding distance is obtained by comparing the distance between the updated node embedding and the normal baseline.

[0011] A further improvement in this application is that the construction of a dynamic decision-making module based on a Bayesian network, using the VAE reconstruction error, the temporal behavior probability, and the spatial graph embedding distance as multi-source evidence nodes of the dynamic decision-making module to calculate the posterior probability of a risk event, includes: constructing a Bayesian network topology, using the true risk state as the root node, and the VAE reconstruction error, the temporal behavior probability, and the spatial graph embedding distance as leaf nodes; quantifying the dependencies between nodes based on a conditional probability table, and calculating the posterior probability of the risk event based on real-time observed multi-source evidence, specifically: ; In the formula, The situation is at risk. This refers to the VAE reconstruction error (VAE output evidence). This represents the probability of the Bi-LSTM sequence (the output evidence of Bi-LSTM). This represents the GCN graph embedding distance (GCN output evidence). For the context of the environment, For a joint probability distribution, This represents the prior probability of the actual risk state. For the prior probability of the environmental context, For evidence nodes The conditional probability, For evidence nodes The conditional probability, For evidence nodes conditional probability A further improvement of this application is that, during the calculation of the posterior probability of a risk event, the optimal response action is selected based on the principle of maximum expected utility.

[0012] A further improvement of this application is that, after acquiring multi-source heterogeneous log data throughout the entire lifecycle of the power information system, the multi-source heterogeneous log data is subjected to standardized cleaning, desensitization, and vectorization preprocessing.

[0013] Secondly, this application provides a risk decision-making system for the entire lifecycle of power data, used to implement the aforementioned risk decision-making method for the entire lifecycle of power data, including: An unsupervised feature extraction unit is used to acquire multi-source heterogeneous log data throughout the entire lifecycle of the power information system, and to extract latent feature vectors using an unsupervised feature extraction module based on a variational autoencoder; simultaneously, the VAE reconstruction error is determined based on the unsupervised feature extraction module. The dual-stream spatiotemporal analysis unit is used to extract spatiotemporal features from the latent feature vectors to obtain the temporal behavior probability from the temporal analysis stream and the spatial graph embedding distance from the spatial analysis stream. The risk dynamic decision unit is used to construct a dynamic decision module based on Bayesian networks. The VAE reconstruction error, the temporal behavior probability, and the spatial graph embedding distance are used as multi-source evidence nodes of the dynamic decision module to calculate the posterior probability of the risk event.

[0014] Compared with the prior art, this application has the following beneficial effects: The risk decision-making method and system for the entire lifecycle of power data provided in this application acquires multi-source heterogeneous log data of the entire lifecycle of the power information system, and uses an unsupervised feature extraction module based on variational autoencoder to extract latent feature vectors and determine VAE reconstruction errors. Then, spatiotemporal feature extraction is performed on the latent feature vectors to obtain the temporal behavior probability from the time-series analysis stream and the spatial graph embedding distance from the spatial analysis stream. Finally, a dynamic decision-making module based on Bayesian network is constructed, and the above-mentioned VAE reconstruction error, temporal behavior probability, and spatial graph embedding distance are used as multi-source evidence nodes of the dynamic decision-making module to calculate the posterior probability of risk events. This application maps high-dimensional sparse log data to a latent space to obtain latent feature vectors. Through spatiotemporal dual-stream analysis, it focuses risk perception on key links where temporal anomalies and spatial collusion coexist, optimizing the accuracy of identifying and responding to specific attack behaviors such as brute-force attacks and intranet penetration in complex dynamic scenarios. Furthermore, by leveraging the probabilistic reasoning capabilities of Bayesian networks and combining them with a dynamic weight update mechanism, it uses posterior probability to dynamically assess the current security situation, achieving adaptive risk management and enhancing the model's ability to balance false alarms and false negatives in complex power business scenarios. Therefore, this application, through the synergistic fusion of spatiotemporal features and causal probabilistic reasoning, overcomes the limitations of traditional static boundary protection, effectively identifying complex cross-stage attack patterns such as brute-force attacks, intranet penetration, and multi-account collusion. This significantly improves the security risk perception and dynamic management capabilities of power data throughout the entire process of collection, transmission, and processing. Attached Figure Description

[0015] The accompanying drawings are provided to further understand this application and form part of the specification. They are used together with the embodiments of this application to explain this application and do not constitute a limitation thereof. Figure 1A schematic diagram of an optional process for a risk decision-making method for the entire lifecycle of power data provided in this application embodiment; Figure 2 A flowchart illustrating the overall architecture of the risk decision-making method for the entire lifecycle of power data, as provided in this application embodiment; Figure 3 This is a schematic diagram of the network structure of the Bi-LSTM network provided in the embodiments of this application. Detailed Implementation

[0016] To make the objectives, technical solutions, and advantages of this application clearer, the technical solutions of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.

[0017] The terms "first" and "second" are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature; in the description of this application, unless otherwise stated, "multiple" means two or more.

[0018] With the deepening of the digital transformation of the power system and the continuous development of smart grids, power information systems generate massive amounts of multi-source heterogeneous data throughout the entire lifecycle of data acquisition, transmission, processing, sharing, and destruction. This data not only contains user privacy information but also involves key parameters of power grid operation, and its security is directly related to national energy security and social stability. Statistical analysis of the risk distribution and evolution patterns during data flow has become a topic of significant scientific research value and engineering importance.

[0019] Traditional network security technologies, such as firewalls, static encryption authentication, and rule-based access control (RBAC), have provided fundamental security for power systems over the past few decades. In practical applications, these static protection methods have been widely used in production environments such as marketing systems, dispatching systems, and office automation systems. However, with the emergence of new attack methods such as Advanced Persistent Threats (APTs), insider misconduct, and cross-domain data breaches, power data security faces numerous challenges. These challenges include, but are not limited to: the stealth and dynamic nature of attack methods, the scarcity of attack samples in massive log data, and the difficulty of single protection methods to cope with cross-stage, spatiotemporally related attacks (such as multi-account coordinated attacks). These issues limit the protective performance of traditional security systems and are currently urgent challenges that need to be addressed.

[0020] Deep learning, as a powerful data analysis tool, leverages the non-linear feature extraction capabilities of neural networks to automatically uncover potential anomaly patterns from massive logs. Applying deep learning to cybersecurity tasks can reduce over-reliance on manual rules and enable intelligent perception of unknown threats. For example, variational autoencoders (VAEs) excel in unsupervised anomaly detection, long short-term memory networks (LSTMs) are adept at processing time-series log data, and graph convolutional networks (GCNs) effectively capture spatial topological relationships between entities.

[0021] However, most existing research focuses on risk detection from a single perspective (focusing only on traffic or only on logs), lacking a unified decision-making framework that can cover the entire data lifecycle. Especially in the power sector, there is currently a lack of systematic solutions for how to integrate unsupervised feature learning, temporal behavior analysis, and spatial relationship mining, and combine Bayesian inference to handle the uncertainty of decision-making, in order to achieve dynamic risk management of the entire process of "collection-transmission-storage-use".

[0022] To address the aforementioned technical problems, this application proposes the following technical solutions and corresponding embodiments.

[0023] The following is combined Figures 1 to 3 The embodiments shown illustrate the technical solutions of this application: Example 1 This application provides an embodiment of a risk decision-making method for the entire lifecycle of power data, referring to... Figure 1 As shown, the steps include S101 to S103 as follows: Step S101: Obtain multi-source heterogeneous log data of the entire life cycle of the power information system, and use an unsupervised feature extraction module based on variational autoencoder to extract potential feature vectors; at the same time, determine the VAE reconstruction error based on the unsupervised feature extraction module.

[0024] In this embodiment, multi-source heterogeneous log data refers to a mixed dataset generated by servers, networks, security devices, and various business applications during the operation, maintenance, and management of the power system. This dataset contains structured indicators, semi-structured text, and unstructured error information. It is an unprocessed log stream (RawLogs) originally collected from the power information system, containing unstructured text, timestamps, IP addresses, and other data. The log data includes environmental monitoring logs (computer room temperature, humidity, UPS (Uninterrupted Power System) power status, air conditioning operation), host logs (CPU (Central Processing Unit) utilization, memory usage, disk I / O (Input / Output), power status), network device logs (port traffic of switches and routers, route changes, packet loss rate), operating system logs, database logs, middleware logs, power business system logs, and security device logs. The data formats of the log data from the above different sources are not uniform, including structured data, semi-structured data, and unstructured data.

[0025] In this embodiment, standardized cleaning and vectorized preprocessing are performed on the multi-source heterogeneous log data generated throughout the entire lifecycle of the power information system (including collection, transmission, storage, processing, and destruction). Since clearly labeled malicious attack samples are extremely scarce in real power business scenarios, directly using supervised learning models can easily lead to overfitting. Therefore, this application introduces variational autoencoders (VAEs) to learn the probability distribution of normal business data.

[0026] Specifically, the VAE network in this embodiment consists of an encoder and a decoder. The encoder maps the high-dimensional input power business data vector to a probability distribution (mean vector and variance vector) of low-dimensional latent variables. The decoder reconstructs the original input data based on the latent variables sampled from this probability distribution. The power business data vector is essentially digitized multi-source heterogeneous log data, specifically a numerical matrix formed after standardization, cleaning, de-identification, and vectorization preprocessing of the multi-source heterogeneous logs. In this embodiment, a loss function based on Evidence Lower Bound (ELBO) is designed, which includes reconstruction loss and KL (Kullback-Leibler) divergence loss, as the optimization direction for model training; specifically: ; In the formula, Let be the loss function of the variational autoencoder. Indicates based on posterior approximate distribution Find the expected value of the quantity inside the parentheses. The log-likelihood term refers to the term calculated based on the given latent variables. Under these conditions, observation data The logarithm of the conditional probability; Denotes KL divergence, For variational posterior distribution, Latent variables The prior distribution is determined by the model. The reconstruction loss measures the difference between the output and input data, ensuring the model retains key information from the original data. The KL divergence loss constrains the distribution of the latent space to approximate a standard normal distribution, preventing the model from degenerating into a typical autoencoder.

[0027] In this embodiment, during the inference phase, the normal data distribution is learned by maximizing the lower bound of evidence, and the reconstruction error of the input sample is calculated. If the error exceeds a preset threshold, it is marked as a potential anomaly and passed to subsequent modules, thereby achieving preliminary anomaly detection for unlabeled data. Specifically, the encoder part of the variational autoencoder maps the input multi-source heterogeneous log data to a probability distribution in the latent space, and obtains a latent feature vector through reparameterized sampling. Subsequently, the decoder receives the latent feature vector, reconstructs reconstructed data with the same dimension as the input data, and compares the reconstructed data with the multi-source heterogeneous log data input to the encoder. By calculating the error between the input data and the reconstructed data, anomaly detection is achieved.

[0028] This embodiment designs an unsupervised feature extraction module based on VAE, which learns the probability distribution of normal business data by maximizing the lower bound of evidence and minimizing the reconstruction error. To detect unknown threats, this task maps high-dimensional sparse log data to a latent space and constructs the reconstruction error as an anomaly indicator, thereby establishing an unsupervised anomaly detection mechanism based on probability distribution to solve the cold start problem caused by the scarcity of attack samples in the power system.

[0029] Step S102: Perform spatiotemporal feature extraction on the latent feature vector to obtain the temporal behavior probability from the temporal analysis stream and the spatial graph embedding distance from the spatial analysis stream.

[0030] In the embodiments of this application, reference is made to Figure 2 As shown, the latent feature vectors obtained in step S101 are input into two parallel deep learning analysis streams: a temporal analysis stream and a spatial analysis stream. Specifically, a bidirectional long short-term memory network based on an attention mechanism is used as the temporal analysis stream. The user operation sequence vectors in the latent feature vectors are used as input to this network to capture long-distance temporal dependencies and aggregate contextual features of key risk events to obtain the temporal behavior probabilities. A graph convolutional network based on heterogeneous information networks is used as the spatial analysis stream. The node interaction graph structure data in the latent feature vectors are used as input to this graph convolutional network. A relation-aware propagation mechanism is used to aggregate neighbor node information, mine spatial association features of implicit collusion and lateral movement, and obtain the spatial graph embedding distance.

[0031] In time-series analysis, to capture the contextual dependencies of attack behavior over time (e.g., brute-force attacks typically manifest as a series of high-frequency failed attempts within a short period, while low-frequency, slow attacks exhibit anomalous patterns over a long period), this embodiment employs a bidirectional Long Short-Term Memory (Bi-LSTM) network. Specifically, in the time-series analysis, firstly, based on the timestamps of the multi-source heterogeneous raw log data, the latent feature vectors are time-aligned and reorganized to construct a user operation sequence vector arranged by time steps, thus characterizing the temporal evolution pattern of user behavior. This involves extracting time-series data of user operations (login timestamps / operation command sequences) from the latent feature vectors, and rearranging the content of the latent feature vectors according to the login timestamp sequence / operation command sequence to form the user operation sequence vector. Then, the user operation sequence vector is input into the Bi-LSTM network, referring to... Figure 3As shown, the forward and backward hidden states at each time step are obtained through forward LSTM and backward LSTM layers, respectively. Then, the forward and backward hidden states at each time step are concatenated to obtain the complete hidden state vector. Specifically: ; In the formula, For the first The complete hidden state vector at each time step This represents the computation process of the feedforward LSTM layer, which processes the user operation sequence vector in chronological order from earliest to latest. For the first The input vector at the nth time step, i.e., the user's input vector at the nth time step. Operational characteristics at any given moment For the feedforward LSTM layer at the 1st The forward hidden state vector output at each time step; This represents the computation process of the backward LSTM layer, which processes the user table operation sequence vector in reverse chronological order from latest to earliest. For the backward LSTM layer at the 1st The backward hidden state vector output at each time step.

[0032] In this embodiment, an attention mechanism is introduced to enhance focus on sudden critical risk events. Attention weights are calculated at each time step using a fully connected layer and a tanh activation function, and the hidden states at all time steps are weighted and summed to obtain a context vector aggregating key risk features; specifically: ; ; In the formula, For the first Attention weights at each time step It is an exponential function. For the first Hidden state vector at each time step The feature vector is transformed by a fully connected layer and a tanh activation function to adapt to the computational dimension of the attention weights; yes The transpose of , For the attention mechanism, a learnable weight vector. It sums the exponential dot product results over all time steps; This is the final context risk vector, which realizes a temporal feature mapping from local operations to global intentions; For the first The complete hidden state vector output by the Bi-LSTM at each time step This indicates the time step from the first time step to the second time step. Sum all terms at each time step. This represents the total number of time steps in the user's action sequence. Here, the contextual risk vector is used to characterize the user's overall behavioral risk pattern over a period of time, realizing a temporal feature mapping from local actions to global intentions.

[0033] In this embodiment, user node features, data asset node features, and IP node features are extracted from the latent feature vector output by the VAE to serve as the initial embedding vectors for each node in the Heterogeneous Information Network (HIN). Simultaneously, the interaction relationships between nodes are extracted, and using the above three types of nodes as vertices and interactive behaviors such as login and access as heterogeneous edges, a complete HIN (interaction graph structure data) is constructed.

[0034] In this embodiment, an interaction graph structure (heterogeneous information network) is constructed for the interaction relationships between user nodes, data asset nodes, and IP addresses in the potential feature vectors. Specifically, a heterogeneous graph is defined. ,in, For a set of nodes, node set This includes user nodes, data asset nodes, and IP address nodes; An edge set is used to represent the interaction relationships between nodes in different node sets. It includes interactive relationships such as user-access-data and user-login-IP; each node initialization includes feature vectors of user role, data sensitivity level, and IP address location.

[0035] Since heterogeneous graphs contain various edge types, and the semantics and interaction patterns of different edge types are completely different, this embodiment focuses on heterogeneous graphs. For different types of edges in a heterogeneous information network, specific transformation matrices are designed to endow each edge type with independent feature transformation capabilities, thus distinguishing different interaction relationships. The business logic and risk weights they carry are completely different. This embodiment designs a specific transformation matrix. This enables feature projection of heterogeneous relationships in an independent semantic space.

[0036] This embodiment pre-constructs a set of edge types. Each of these is assigned a specific learnable weight matrix: a login association matrix, an access association matrix, and a logical connection matrix. The login association matrix (… This matrix is ​​specifically designed to handle the "user node—login—IP node" relationship. Its parameter weights focus on extracting risks at the network communication layer, such as IP physical location offsets and unusual access periods. (Access Association Matrix) This matrix is ​​specifically designed to handle the relationship between "user nodes—operations—data asset nodes." It focuses on permission compliance semantics, projecting the sensitivity level of data assets and operation instructions (such as export and download) into the business risk assessment space. (Logical concurrency matrix) It operates on the "user node - collaboration - user node" relationship to uncover hidden account associations.

[0037] In this embodiment, matrix implementation is based on relation-aware propagation. Specifically, for the target node... The specific implementation steps for state update at layer l+1 with a specific transformation matrix are as follows: Classification feature projection: Traversal and target node All connected edges. For each edge type. Using its corresponding specific transformation matrix Features of neighboring nodes under this type Perform a linear transformation; the calculation formula is as follows: Heterogeneous semantic aggregation: Normalize and sum the features projected from each edge type to obtain the target node. The embedded vector can simultaneously absorb physical environment risks from IP nodes and business violation risks from data asset nodes.

[0038] In this embodiment, a relation-aware propagation mechanism is used to aggregate the feature information of the neighboring nodes of the target node according to the edge type. The node embedding update rule of the (l+1)th layer is as follows: ; In the formula, For the first Nodes in a layered network Embedded vector, It is the ReLU activation function. This indicates that for all edge types Summation is performed, where, It is the set of all edge types in a heterogeneous graph; Indicates a node Belongs to edge type All neighboring nodes Summation is performed, where, For nodes By edge type The set of connected neighbor nodes; It is the normalization coefficient; For the first corresponding edge types in layered networks The specific transformation matrix (weight matrix) is a learnable parameter matrix; For the first Neighbor nodes in a layered network The embedding vector represents the neighboring nodes before the update. The original characteristics; For the first The transformation matrix of the node's own characteristics in the layer network. It is the first Nodes in a layered network The embedding vector before the update. In this embodiment, the relationship-aware propagation mechanism allows risk features to propagate to associated user nodes through specific paths, thereby identifying covert collusion attacks or lateral movement behaviors. For example, a risk feature is a feature that marks a data table as "damaged".

[0039] After updating the node embeddings through GCN relation propagation, the spatial graph embedding distance is obtained by comparing the distance between the updated node embeddings and the normal baseline.

[0040] Finally, the node embeddings are classified through the Readout Layer, and a spatial association risk score is output.

[0041] After extracting node features through a relation-aware propagation mechanism, this embodiment utilizes a readout layer to transform the high-dimensional node embedding vector into a quantifiable spatial association risk score. This readout layer consists of a fully connected layer (MLP) and a normalized exponential function (Softmax / Sigmoid). In this embodiment, the specific criteria and calculation process for determining the spatial association risk score are as follows: Feature dimensionality reduction and nonlinear mapping: The node embedding vector output by the convolution of the Lth layer graph... Input readout layer, through a learnable weight matrix and bias terms Perform a linear transformation and apply an activation function. Increase non-linear expressive power: ; Rating mapping: using fully connected layers to... Mapped to one-dimensional space, and through The function compresses the output value to The interval is used to obtain the final spatial correlation risk score. : ; Among them, spatial correlation risk scoring The physical meaning is a standardized mapping of the graph embedding distance between the current node and the topology baseline. The closer a value is to 1, the more significant the lateral movement or multi-account collusion characteristics exhibited by the node in the spatial graph structure; conversely, the closer a value is to 1, the more normal the spatial association logic tends to be.

[0042] In this embodiment of the application, the output spatial association risk score It is not directly used as an alarm criterion, but rather as input to the Bayesian network dynamic decision-making module for multi-source evidence nodes. Specific applications are as follows: as input to Bayesian evidence nodes: Mapped to a Bayesian network The real-time status. It is related to the VAE reconstruction error. Temporal behavior probability Together they constitute the evidence set; eliminating one-dimensional decision errors: if Bi-LSTM detects a time series anomaly ( High), but the spatial risk score output by GCN is extremely low ( If the probability is low, the Bayesian network will reduce false alarms caused by normal operational procedures (although the timing is abnormal, the spatial relationship is compliant) during inference through probability hedging; driving posterior probability updates: the system based on... The value, combined with the current environmental context and risk state prior Calculate the final posterior probability This determines whether to trigger dynamic control actions for the power business (such as blocking, alarms, or multi-factor authentication).

[0043] Thus, this embodiment constructs sequence vectors containing temporal behavioral information and interactive graph structure data containing spatial topology information. After preprocessing both, they are fed into the dual-stream analysis module (dual-stream architecture / dual-stream spatiotemporal analysis unit). The Bi-LSTM network integrates forward and backward hidden states and uses an attention mechanism to weighted summation of risk features at different time steps, outputting the temporal risk probability. The GCN network, through a message passing mechanism on the heterogeneous graph, enables risk features to propagate among users, data assets, and IP addresses, outputting a spatial correlation risk score. The dual-stream architecture achieves feature complementarity in the temporal and spatial dimensions, filling the gap in single-view models for detecting complex cross-stage attacks (such as low-frequency, slow brute-force attacks and multi-account collaborative data theft).

[0044] In this embodiment of the application, through the above-described dual-stream parallel processing, the core evidence indicators input to the subsequent decision-making module are finally established: (1) Derivation of temporal behavior probability (Bi-LSTM sequence probability): In the time-series analysis stream, the bidirectional long short-term memory network (Bi-LSTM) captures the long-distance dependencies of user operation sequences, and the attention mechanism is used to weight and aggregate contextual features to obtain the final contextual risk vector. Subsequently, this context risk vector The input is processed by the fully connected layer and the Softmax function to calculate the probability value of the current operation sequence belonging to the risk category, which is defined as the temporal behavior probability (also known as the Bi-LSTM sequence probability). ).

[0045] (2) Derivation of spatial graph embedding distance (GCN graph embedding distance): In the spatial analysis flow, the topological association features of heterogeneous nodes are aggregated through a graph convolutional network (GCN) to obtain the updated node embedding vectors. Furthermore, by calculating the Euclidean distance between the embedded vector and the preset normal baseline vector, and mapping it via the Sigmoid function, it becomes... The standardized score of the interval is defined as the spatial graph embedding distance (also known as the GCN graph embedding distance). ).

[0046] Step S103: Construct a dynamic decision-making module based on Bayesian networks, using the VAE reconstruction error, temporal behavior probability, and spatial graph embedding distance as multi-source evidence nodes to calculate the posterior probability of risk events.

[0047] In this embodiment, a dynamic decision-making module based on a Bayesian network is constructed to process the VAE reconstruction error calculated in step S102. Temporal behavior probability (i.e., Bi-LSTM sequence probability) and spatial graph embedding distance (i.e., GCN graph embedding distance) serves as a multi-source evidence node to calculate the posterior probability of risk events.

[0048] To address the potential false positives that may arise from single deep learning models in complex environments, this embodiment constructs a dynamic decision-making module based on Bayesian networks. A Bayesian network topology is built, with the true risk state as the root node, and VAE reconstruction error, Bi-LSTM sequence probability, and GCN graph embedding distance as leaf nodes (evidence nodes), while also introducing environmental context nodes (e.g., whether it is non-working time). Then, the dependencies between nodes are quantified based on a Conditional Probability Table (CPT), and the posterior probability of a risk event is calculated based on real-time observed multi-source evidence. Specifically: ; In the formula, The situation is at risk. This refers to the VAE reconstruction error (VAE output evidence). This represents the probability of the Bi-LSTM sequence (the output evidence of Bi-LSTM). This represents the GCN graph embedding distance (GCN output evidence). For the context of the environment, For a joint probability distribution, This represents the prior probability of the actual risk state. For the prior probability of the environmental context, For evidence nodes The conditional probability, For evidence nodes The conditional probability, For evidence nodes The conditional probability.

[0049] As a feasible implementation method, under the condition of environmental hedging / suppression of false alarms, it is assumed that the observed This is a high-frequency query sequence across databases, and the probability of Bi-LSTM identifying it deviates significantly from the mean. If environment C is during the system's routine maintenance window (e.g., Tuesday morning 2:00-4:00), then the actual risk is normal ( Under the condition of ), the probability of observing this anomalous sequence. A higher baseline value will be assigned. At this point, the Bayesian network reduces the contribution of this evidence to the malicious risk assessment through probability cancellation, thereby avoiding false alarms caused by normal maintenance.

[0050] Under the conditions of environmental gain / precise capture, assuming the same observations If environment C is currently experiencing a critical power supply period and the login IP is a remote, unused IP, then the actual risk is malicious ( Under the condition of ), the possibility of observing this concealment feature. The conditional probability weights were significantly increased. Context C reinforced the evidence. The risk-oriented nature of the system allows the posterior probability to quickly cross the alarm threshold, thereby identifying covert infiltration behavior.

[0051] In this embodiment, the system selects the optimal response action (blocking, alarm, or multi-factor authentication) based on the principle of maximum expected utility. For example, when the posterior probability P(R=malicious) > 0.9, a blocking action is automatically triggered; when 0.6 < P ≤ 0.9, multi-factor authentication (MFA) or an alarm is triggered. If the module's prediction result continuously conflicts with the security expert's final feedback, the Bayesian network will dynamically reduce the module's weight in inference, achieving continuous learning and optimization of the model.

[0052] Thus, a dynamic decision-making module based on Bayesian networks was constructed to achieve the fusion and reasoning of multi-source risk evidence. The actual risk state is used as the root node, and the outputs of each deep learning sub-module serve as evidence nodes, establishing decision-making logic under uncertainty through causal reasoning. This dynamic decision-making module fully leverages the probabilistic reasoning capabilities of Bayesian networks, combined with a dynamic weight update mechanism, and uses posterior probability to dynamically assess the current security situation. This achieves adaptive risk management, enhances the model's ability to balance false alarms and false negatives in complex power business scenarios, and provides robust decision support for the security governance of data throughout its entire lifecycle.

[0053] The risk decision-making method for the entire lifecycle of power data provided in this embodiment is implemented based on the PyTorch framework and can be applied to all stages of the entire lifecycle of power data, including but not limited to: (1) acquisition stage: identifying abnormal terminal access behavior; (2) transmission stage: detecting lateral penetration and abnormal traffic in the intranet; (3) processing stage: detecting batch theft or illegal operations targeting sensitive data. In specific applications, this application needs to connect to the unified log center of the power system (such as an ELK cluster) to obtain real-time data streams and issue decision instructions to the security gateway or IAM system to perform blocking operations.

[0054] The risk decision-making method for the entire lifecycle of power data provided in this embodiment acquires multi-source heterogeneous log data of the entire lifecycle of the power information system, and uses an unsupervised feature extraction module based on variational autoencoder to extract latent feature vectors and determine VAE reconstruction errors. Then, spatiotemporal feature extraction is performed on the latent feature vectors to obtain the temporal behavior probability from the time-series analysis stream and the spatial graph embedding distance from the spatial analysis stream. Finally, a dynamic decision-making module based on Bayesian network is constructed, using the above-mentioned VAE reconstruction error, temporal behavior probability, and spatial graph embedding distance as multi-source evidence nodes of the dynamic decision-making module to calculate the posterior probability of risk events. This application maps high-dimensional sparse log data to a latent space to obtain latent feature vectors. Through spatiotemporal dual-stream analysis, it focuses risk perception on key links where temporal anomalies and spatial collusion coexist, optimizing the accuracy of identifying and responding to specific attack behaviors such as brute-force attacks and intranet penetration in complex dynamic scenarios. Furthermore, by leveraging the probabilistic reasoning capabilities of Bayesian networks and combining them with a dynamic weight update mechanism, it uses posterior probability to dynamically assess the current security situation, achieving adaptive risk management and enhancing the model's ability to balance false alarms and false negatives in complex power business scenarios. Therefore, this application, through the synergistic fusion of spatiotemporal features and causal probabilistic reasoning, overcomes the limitations of traditional static boundary protection, effectively identifying complex cross-stage attack patterns such as brute-force attacks, intranet penetration, and multi-account collusion, significantly improving the security risk perception and dynamic management capabilities of power data throughout the entire process of collection, transmission, and processing.

[0055] Example 2 Based on the above embodiments, this embodiment also provides a risk decision-making system for the entire lifecycle of power data, used to implement the above-described risk decision-making method for the entire lifecycle of power data. The system includes: An unsupervised feature extraction unit is used to acquire multi-source heterogeneous log data throughout the entire lifecycle of the power information system, and to extract latent feature vectors using an unsupervised feature extraction module based on a variational autoencoder; simultaneously, the VAE reconstruction error is determined based on the unsupervised feature extraction module. The dual-stream spatiotemporal analysis unit is used to extract spatiotemporal features from the latent feature vectors to obtain the temporal behavior probability from the temporal analysis stream and the spatial graph embedding distance from the spatial analysis stream. The risk dynamic decision unit is used to construct a dynamic decision module based on Bayesian networks. The VAE reconstruction error, the temporal behavior probability, and the spatial graph embedding distance are used as multi-source evidence nodes of the dynamic decision module to calculate the posterior probability of the risk event.

[0056] This application also provides a computer-readable storage medium storing a computer program. When executed by a processor, the computer program implements the method in any of the embodiments of this application. Specifically, a system or apparatus equipped with a storage medium may be provided, on which software program code implementing the functions of any of the above embodiments is stored, and the computer (or CPU (Central Processing Unit) or MPU (Microprocessor Unit) of the system or apparatus may read and execute the program code stored in the storage medium.

[0057] Specifically, according to embodiments of this application, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments of this application include a computer program product comprising a computer program carried on a computer-readable storage medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via a communication component, and / or installed from a removable medium. When the computer program is executed by a central processing unit (CPU), it performs the functions defined above in the system of this application.

[0058] It should be noted that the computer-readable storage medium shown in this application can be a computer-readable signal medium or a computer-readable storage medium, or any combination thereof. A computer-readable storage medium can be, for example, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of a computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM) or flash memory, optical fiber, portable compact disc read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination thereof. In this application, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. In this application, a computer-readable signal medium can include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. The transmitted data signal can take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. The computer-readable signal medium can also be any computer-readable storage medium other than a computer-readable storage medium, which can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device. The program code contained on the computer-readable storage medium can be transmitted using any suitable medium, including but not limited to: wireless, wire, optical fiber, RF (Radio Frequency), etc., or any suitable combination thereof.

[0059] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram or flowchart, and combinations of blocks in a block diagram or flowchart, may be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.

[0060] The units described in the embodiments of this application can be implemented in software or hardware, and the described units can also be located in a processor. The names of these units do not necessarily limit the specific unit itself.

[0061] It should be noted that although several modules or units for the device used to perform actions have been mentioned in the detailed description above, this division is not mandatory. In fact, according to the embodiments of this application, the features and functions of two or more modules or units described above can be embodied in one module or unit. Conversely, the features and functions of one module or unit described above can be further divided and embodied by multiple modules or units.

[0062] In the several embodiments provided in this application, it should be understood that the disclosed systems, modules, and methods can be implemented in other ways. For example, the module embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces, or indirect coupling or communication connection between modules or units, and may be electrical, mechanical, or other forms.

[0063] The above embodiments are only used to illustrate the technical solutions of this application, and are not intended to limit it. This application is not limited to the exact structures described above and illustrated in the accompanying drawings, and it should not be considered that the specific implementation of this application is limited to these descriptions. For those skilled in the art, various changes and modifications made without departing from the concept of this application should be considered to fall within the protection scope of this application.

Claims

1. A risk decision-making method oriented towards the entire lifecycle of power data, characterized in that, include: Multi-source heterogeneous log data of the entire life cycle of the power information system is acquired, and latent feature vectors are extracted using an unsupervised feature extraction module based on a variational autoencoder; at the same time, the VAE reconstruction error is determined based on the unsupervised feature extraction module. Spatiotemporal feature extraction is performed on the latent feature vectors to obtain the temporal behavior probability from the temporal analysis stream and the spatial graph embedding distance from the spatial analysis stream; A dynamic decision-making module based on Bayesian networks is constructed, and the VAE reconstruction error, the temporal behavior probability, and the spatial graph embedding distance are used as multi-source evidence nodes of the dynamic decision-making module to calculate the posterior probability of risk events.

2. The risk decision-making method for the entire lifecycle of power data as described in claim 1, characterized in that, The unsupervised feature extraction module based on variational autoencoder extracts latent feature vectors, including: The encoder of the variational autoencoder is used to map the multi-source heterogeneous log data into a probability distribution in the latent space, and then the latent feature vector is obtained through reparameterized sampling. The unsupervised feature extraction module is trained using an evidence lower bound loss function, specifically: ; In the formula, Let the lower bound of the evidence loss function be used. Indicates based on posterior approximate distribution Find the expected value of the quantity in parentheses; The log-likelihood term refers to the term calculated based on the given latent variables. Under these conditions, observation data The logarithm of the conditional probability; Denotes KL divergence, For variational posterior distribution, Latent variables The prior distribution of .

3. The risk decision-making method for the entire lifecycle of power data as described in claim 2, characterized in that, The determination of VAE reconstruction error based on the unsupervised feature extraction module includes: The latent feature vector is received by the decoder of the variational autoencoder, and reconstructed to obtain reconstructed data with the same dimension as the multi-source heterogeneous log data input to the encoder. The VAE reconstruction error is obtained by comparing the reconstructed data with the multi-source heterogeneous log data input to the encoder.

4. The risk decision-making method for the entire lifecycle of power data as described in claim 1, characterized in that, The process of extracting spatiotemporal features from the latent feature vectors to obtain the temporal behavior probability from the temporal analysis stream and the spatial graph embedding distance from the spatial analysis stream includes: Using a bidirectional long short-term memory network based on an attention mechanism as the temporal analysis stream, the user operation sequence vector in the latent feature vector is taken as input to capture long-distance temporal dependencies and aggregate the contextual features of key risk events to obtain the temporal behavior probability. Using a graph convolutional network based on heterogeneous information networks as the spatial analysis stream, the node interaction graph structure data in the latent feature vector is taken as input, and the neighbor node information is aggregated by the relation-aware propagation mechanism to mine the spatial association features of implicit collusion and lateral movement, so as to obtain the spatial graph embedding distance.

5. The risk decision-making method for the entire lifecycle of power data as described in claim 4, characterized in that, The step of taking the user operation sequence vector in the latent feature vector as input, capturing long-distance temporal dependencies, and aggregating the contextual features of key risk events to obtain the temporal behavior probability includes: Based on the timestamps of the multi-source heterogeneous log data, the potential feature vectors are time-series aligned and reorganized to construct user operation sequence vectors arranged by time steps, so as to characterize the time-series evolution pattern of user behavior. The user operation sequence vector is input into the bidirectional long short-term memory network, and the forward hidden state and backward hidden state at each time step are obtained through forward LSTM layer processing and backward LSTM layer processing. For each time step, the forward hidden state and the backward hidden state are concatenated to obtain the complete hidden state vector; specifically: ; In the formula, For the first The complete hidden state vector at each time step This represents the computation process of the feedforward LSTM layer, which processes the user operation sequence vector in chronological order from earliest to latest. For the first The input vector at the nth time step, i.e., the user's input vector at the nth time step. Operational characteristics at any given moment For the feedforward LSTM layer at the 1st The forward hidden state vector output at each time step; This represents the computation process of the backward LSTM layer, which processes the user table operation sequence vector in reverse chronological order from latest to earliest. For the backward LSTM layer at the 1st The backward hidden state vector output at each time step; The attention weights at each time step are calculated using the fully connected layers of the bidirectional long short-term memory network, and the hidden states at all time steps are weighted and summed to obtain a context vector aggregating key risk features; specifically: ; ; In the formula, For the first Attention weights at each time step It is an exponential function. For the first Hidden state vector at each time step The feature vector is transformed by a fully connected layer and a tanh activation function to adapt to the computational dimension of the attention weights; yes The transpose of , For the attention mechanism, a learnable weight vector. It sums the exponential dot product results over all time steps; This is the final contextual risk vector; For the first The complete hidden state vector output by the Bi-LSTM at each time step This indicates the time step from the first time step to the second time step. Sum all terms at each time step. The total number of time steps for the user operation sequence vector; The context risk vector is input into the fully connected layer and processed by the Softmax function to obtain the temporal behavior probability.

6. The risk decision-making method for the entire lifecycle of power data as described in claim 5, characterized in that, The step of taking the node interaction graph structure data in the latent feature vector as input, aggregating neighbor node information using a relation-aware propagation mechanism, mining spatial association features of implicit collusion and lateral movement, and obtaining the spatial graph embedding distance includes: User node features, data asset node features, and IP node features are obtained by splitting the potential feature vector; Based on the interaction relationships between the user node characteristics, the data asset node characteristics, and the IP node characteristics, an interaction graph structure data is constructed. Using a relation-aware propagation mechanism, for a target node, the feature information of its neighboring nodes is aggregated according to the edge type. The node embedding update rule for layer 1+1 is as follows: ; In the formula, For the first Nodes in a layered network Embedded vector, It is the ReLU activation function. This indicates that for all edge types Summation is performed, where, It is the set of all edge types in a heterogeneous graph; Indicates a node Belongs to edge type All neighboring nodes Summation is performed, where, For nodes By edge type The set of connected neighbor nodes; It is the normalization coefficient; For the first corresponding edge types in layered networks The specific transformation matrix is ​​a learnable parameter matrix; For the first Neighbor nodes in a layered network The embedding vector represents the neighboring nodes before the update. The original characteristics; For the first The transformation matrix of the node's own characteristics in the layer network. It is the first Nodes in a layered network The embedding vector before updating; The spatial graph embedding distance is obtained by comparing the distance between the updated node embedding and the normal baseline.

7. The risk decision-making method for the entire lifecycle of power data as described in claim 6, characterized in that, The construction of a Bayesian network-based dynamic decision-making module uses the VAE reconstruction error, the temporal behavior probability, and the spatial graph embedding distance as multi-source evidence nodes to calculate the posterior probability of risk events, including: Construct a Bayesian network topology, with the actual risk state as the root node and the VAE reconstruction error, the temporal behavior probability, and the spatial graph embedding distance as leaf nodes; Based on the conditional probability table, the dependencies between nodes are quantified, and the posterior probability of a risk event is calculated according to multi-source evidence observed in real time. Specifically: ; In the formula, The situation is at risk. For VAE reconstruction error, For Bi-LSTM sequence probabilities, For GCN graph embedding distance, For the context of the environment, For a joint probability distribution, This represents the prior probability of the actual risk state. For the prior probability of the environmental context, For evidence nodes The conditional probability, For evidence nodes The conditional probability, For evidence nodes The conditional probability.

8. The risk decision-making method for the entire lifecycle of power data according to claim 7, characterized in that, During the calculation of the posterior probability of a risky event, the optimal response action is selected based on the principle of maximizing expected utility.

9. The risk decision-making method for the entire lifecycle of power data according to any one of claims 1-8, characterized in that, After acquiring multi-source heterogeneous log data throughout the entire lifecycle of the power information system, the multi-source heterogeneous log data is subjected to standardized cleaning, de-identification, and vectorization preprocessing.

10. A risk decision-making system for the entire lifecycle of power data, used to implement the risk decision-making method for the entire lifecycle of power data as described in any one of claims 1-9, characterized in that, include: An unsupervised feature extraction unit is used to acquire multi-source heterogeneous log data throughout the entire lifecycle of the power information system, and to extract latent feature vectors using an unsupervised feature extraction module based on a variational autoencoder; simultaneously, the VAE reconstruction error is determined based on the unsupervised feature extraction module. The dual-stream spatiotemporal analysis unit is used to extract spatiotemporal features from the latent feature vectors to obtain the temporal behavior probability from the temporal analysis stream and the spatial graph embedding distance from the spatial analysis stream. The risk dynamic decision unit is used to construct a dynamic decision module based on Bayesian networks. The VAE reconstruction error, the temporal behavior probability, and the spatial graph embedding distance are used as multi-source evidence nodes of the dynamic decision module to calculate the posterior probability of the risk event.