Integrated system security operation risk early warning method based on behavior analysis

By constructing a multimodal data acquisition layer and an energy loss integral algorithm, combined with a temporal convolutional hybrid model, the problem of security operation and maintenance risk warning for zero-day attacks and internal misoperations in integrated systems was solved, achieving real-time and accurate risk identification and dynamic adaptation, and reducing the false alarm rate.

CN122226488APending Publication Date: 2026-06-16SHAANXI TONGCUI ELECTRONIC TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SHAANXI TONGCUI ELECTRONIC TECHNOLOGY CO LTD
Filing Date
2026-04-29
Publication Date
2026-06-16

AI Technical Summary

Technical Problem

Existing technologies are insufficient to cope with zero-day attacks and internal misoperations. Security operations and maintenance suffer from alarm overload, delayed detection response, and lack of integration of multimodal information, resulting in poor early warning effects for security operation and maintenance risks in complex integrated systems.

Method used

A multimodal data acquisition layer for operation and maintenance behavior is constructed, multi-dimensional features are extracted, and risk warning is carried out through a hybrid model of energy loss integral algorithm and time convolution. Combined with dynamic defense threshold library and asset importance coefficient, multimodal fusion analysis and dynamic risk quantification are realized.

Benefits of technology

It enables real-time, accurate, and explainable early warning of operational risks in integrated systems, reduces false alarm rates, quickly adapts to dynamic environmental changes, and improves the ability to identify complex attack chains.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122226488A_ABST
    Figure CN122226488A_ABST
Patent Text Reader

Abstract

The application discloses a kind of integrated system security operation risk early warning method based on behavior analysis, belong to information security technical field.The method includes: constructing multimodal data acquisition layer, interfacing integrated system data source, collecting operation and maintenance terminal behavior, network traffic and core business data access log;Extract multi-dimensional behavior characteristics, form "terminal-network-data" ternary group behavior vector;"Data access hot field" model is constructed and energy loss integral is calculated;Integral and behavior vector are input into TCN-Transformer hybrid early warning model to generate risk probability;Grade correction is carried out in combination with dynamic defense threshold and asset importance coefficient, and difference response strategy is output.The application realizes the accurate identification of unknown threats and internal abnormal operations through multimodal behavior fusion and energy loss quantification, has short-cycle self-learning, dynamic baseline adjustment and closed-loop immune evolution capabilities, significantly improves the intelligent level and risk early warning efficiency of integrated system security operation.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the fields of information security technology and operation and maintenance management, and more specifically, to a method for early warning of security operation and maintenance risks of integrated systems based on behavior analysis. Background Technology

[0002] As enterprise information architecture evolves towards integration and cloudification, modern data centers and industrial control sites exhibit typical characteristics of "diverse equipment, heterogeneous data, and intertwined services." DCS systems, NCS systems, video surveillance, intelligent inspection systems, and third-party interface services coexist within the same network plane, forming a complex integrated system environment. Maintenance personnel must perform routine maintenance on these resources through bastion hosts, VPNs, and various clients. This high-frequency and complex maintenance activity presents a significant challenge to security operations.

[0003] Existing security operation and maintenance risk early warning technologies have the following main shortcomings: First, traditional rule-based static protection methods (such as firewall ACLs and intrusion detection signature databases) are ineffective against zero-day attacks and internal misoperations. These methods rely on updates to prior knowledge bases and are almost powerless against unknown threats (such as anomalous data theft using legitimate operational tools).

[0004] Second, while mainstream Security Information and Event Management (SIEM) systems can aggregate massive amounts of logs, they generally suffer from "alarm overload." Due to a lack of deep understanding of the behavioral context of operations and maintenance personnel, many routine operations (such as table access and configuration file backup) are misjudged as high-risk events, leading to "alarm fatigue" for security teams, and the real covert attacks are thus buried.

[0005] Third, although User Entity Behavior Analysis (UEBA) technology introduces the concept of behavior modeling, most solutions rely on long-term learning cycles of several weeks or even months to establish a baseline, which cannot quickly adapt to dynamic scenarios such as changes in integrated system versions and scaling up or down during peak business periods, resulting in delayed detection response.

[0006] Fourth, existing early warning mechanisms are mostly isolated judgments based on single points and single dimensions, and do not effectively integrate multimodal information such as "terminal operation behavior - network traffic behavior - data access behavior", making it difficult to accurately identify complex attack chains across systems.

[0007] Therefore, there is an urgent need for an integrated system security operation and maintenance risk early warning method that can perform short-cycle self-learning, multimodal fusion analysis, and dynamic risk quantification. Summary of the Invention

[0008] This invention addresses the shortcomings of existing technologies by providing a behavior-based early warning method for the security operation and maintenance risks of integrated systems. This method constructs a multi-dimensional feature profile of operation and maintenance behavior and introduces a hybrid model combining energy loss integral algorithm and temporal convolution to achieve real-time, accurate, and interpretable early warning of operation and maintenance risks in integrated systems.

[0009] The technical solution adopted by this invention to solve its technical problem includes the following steps: Step S1: Build a multimodal data acquisition layer for operation and maintenance behavior, and connect to and integrate various data sources within the system, including operation and maintenance terminal behavior data, network traffic metadata, and core business data access logs.

[0010] Step S2: Based on the collected multi-source heterogeneous data, extract multi-dimensional behavioral features of the operation and maintenance entities to form an initial behavioral vector containing a "terminal-network-data" triple.

[0011] Step S3: Construct a "data access hotspot" model for different types of data resources and calculate the energy loss integral of hotspot data during the execution of operation and maintenance instructions.

[0012] Step S4: Input the energy loss integral and the multi-dimensional behavior vector into the hybrid early warning model based on TCN-Transformer to generate the target risk probability value.

[0013] Step S5: Combine the preset dynamic defense threshold library with the asset importance coefficient to adjust the risk probability level and output differentiated early warning response strategies.

[0014] Preferably, the operation and maintenance terminal behavior data in step S1 includes at least: keyboard keystroke dynamics characteristics, operation command history sequence, process call relationship tree, and screenshot hash value; the network traffic metadata includes at least: five-tuple information, TCP session timing characteristics, protocol payload length distribution, and encrypted traffic fingerprint; the core business data access log includes at least: database table read and write frequency, file server access path, API interface call parameters, and return codes.

[0015] Preferably, the extraction process of multi-dimensional behavioral features in step S2 further includes: Sub-step S21: Perform NLP modeling on the terminal operation command sequence, using a BERT variant model to convert command strings (such as "cat / etc / passwd", "mysqldump -u root") into semantic vectors to capture the intent similarity of commands.

[0016] Sub-step S22: Aggregate the flow features of the network traffic, divide it into unidirectional and bidirectional flows according to the five-tuple, calculate the mean and variance of the packet arrival interval, the number of bytes transmitted in the small window, and the trend of TCP window size change, and form a network behavior feature tensor.

[0017] Sub-step S23: Perform graph modeling on the data access logs. Construct a knowledge graph of operation and maintenance behavior with "Operation and Maintenance Account - Source IP - Database Table - Field - Operation Type" as edges. Embed entities and relationships into low-dimensional dense vectors using the TransE algorithm to represent the contextual closeness of data access.

[0018] Preferably, the method for constructing the "data access thermal field" model and calculating the energy loss integral in step S3 includes: Sub-step S31: Collect the read and write access frequency of each data row or data object in the production environment database within a preset historical window (such as the past 72 hours), and combine it with data classification tags (such as: core business secrets, personal privacy information, public configuration) to assign a basic heat value Heat_base(i) to each data unit.

[0019] Sub-step S32: Combining the business relevance between data units (calculating the closeness through foreign key relationships or co-occurrence frequency within the same transaction), the PageRank-like algorithm is used to propagate and iterate the heat value to form a global data access heat field distribution Heat_final(i).

[0020] Sub-step S33: When a data processing command (such as DELETE, UPDATE, DROP, SELECT INTO OUTFILE) initiated by the operation and maintenance terminal is detected, the target dataset D_target of the command is determined, and all data units j involved in D_target are traversed.

[0021] Sub-step S34: Assign a destructive coefficient α based on the operation type of the instruction (e.g., SELECT coefficient is 0.1, UPDATE is 0.5, DELETE is 0.9, DROP is 1.0), and combine it with the final heat value of the data unit to calculate the energy loss integral of a single operation E_op = Σ_{j∈D_target} ( α * Heat_final(j) * Act_weight ), where Act_weight is the current activity weight of the operation and maintenance terminal (obtained by normalizing the operation frequency of the previous 15 minutes).

[0022] Sub-step S35: Retrieve the historical operation baseline of the maintenance terminal and determine the energy consumption threshold E_threshold when performing similar operations within the historical maintenance window. If E_op exceeds a set multiple of E_threshold (e.g., 2 times), the operation is determined to have an extremely high risk.

[0023] Preferably, the construction and training of the TCN-Transformer hybrid early warning model in step S4 includes: Sub-step S41: Construct a Temporal Convolutional Network (TCN) module to capture the long-term and short-term dependencies of operational behavior sequences. The TCN effectively expands the receptive field by stacking dilated convolutional layers, extracts the temporal variation patterns of operation command streams and network traffic, and outputs a temporal feature vector H_tcn.

[0024] Sub-step S42: Construct the Transformer encoder module and fuse multi-source heterogeneous features using a multi-head self-attention mechanism. The behavioral semantic vector generated in step S2, the energy loss integral value calculated in step S3, and the temporal features output by the TCN module are concatenated, and temporal information is injected through positional encoding. This concatenation is then input into the Transformer encoder for deep feature interaction and weight allocation.

[0025] Sub-step S43: Map the fusion vector output by the Transformer to the target risk probability value P_risk through the multilayer perceptron (MLP) head, with a value range of [0,1].

[0026] Sub-step S44: During the model training phase, Focal Loss, which is insensitive to positive and negative samples, is used as the loss function to focus on abnormal operational behaviors that are difficult to distinguish (such as penetration tests disguised as normal commands) and improve the robustness of the model.

[0027] Preferably, step S5 further includes: Sub-step S51: Initialization and updating of the dynamic defense threshold library. In the initial stage of the system, unsupervised learning (such as Isolation Forest) is used to cluster most operational behaviors within a short period (such as 24 hours), and the statistical distribution of energy loss integral and behavior vector is used as the initial baseline. As the system runs, online learning algorithms (such as River) are used to update the behavior distribution parameters in real time to achieve adaptive adjustment of the threshold.

[0028] Sub-step S52: Introduce the Asset Importance coefficient, Asset_Value. Based on the security level requirements, availability metrics (RTO / RTO), and business continuity impact of each business system in the integrated system, assign an importance scale of 0-10 to each managed resource (server, database, controller).

[0029] Sub-step S53: Calculate the final warning level Level=f(P_risk,Asset_Value,E_op / E_threshold), using fuzzy logic rules to classify risks into three levels: "Observation," "Alarm," and "Blockade." For operations involving core assets and where energy loss credits are severely exceeded, even if P_risk is at a moderate level, a "Blockade" level response will be triggered.

[0030] Sub-step S54: Response strategy based on warning level. For "Observation" level risks, only logs are recorded and highlighted on the large-screen situational awareness system; for "Alarm" level risks, on-duty personnel are notified via WeChat or SMS, requiring secondary authorization approval; for "Blocking" level risks, the software-defined network (SDN) controller or bastion host disconnects the session connection in real time, locks the operation and maintenance terminal IP, and enables full traffic evidence collection.

[0031] Preferably, the method also includes a closed-loop optimization step based on endogenous threat intelligence: Step S6: For warning events confirmed as genuine attacks, the system automatically traces the source address of the attack, the attack method, and the scope of assets affected.

[0032] Step S7: Utilize the confirmed attack sample characteristics to automatically generate intrinsic threat intelligence (such as malicious IP reputation, abnormal command regular expressions) and intrinsic attack detection signature rules, and distribute them to probes or terminal detection response platforms at the network edge to form a closed-loop immune capability of "detection-early warning-blocking-evolution". Beneficial effects

[0033] 1. It achieves deep multimodal fusion of operation and maintenance behavior, overcoming the limitations of traditional methods that only analyze a single data source (such as only looking at login logs or only looking at traffic). By constructing a "terminal-network-data" triple behavior vector and combining causal graph and knowledge graph technologies, it more comprehensively and realistically reflects the complete operation trajectory and intent of operation and maintenance personnel in the integrated system, significantly reducing the false alarm rate.

[0034] 2. Introducing the concept of energy loss integral based on "data access hot field", this method, unlike traditional frequency statistics, combines data value (heat), operational destructiveness and business relevance to quantify a seemingly ordinary file access or database query into a comparable energy value. This allows abnormal access to data assets to be accurately quantified, effectively identifying internal threats and data breaches.

[0035] 3. It has short-cycle self-learning and dynamic baseline capabilities. Through unsupervised learning and online update mechanisms, it can quickly build operation and maintenance behavior profiles without relying on long-term training of several months. It can also adapt to version changes and periodic maintenance windows of business systems, solving the problems of poor adaptability and slow response of traditional UEBA technology in dynamic environments. Attached Figure Description

[0036] Figure 1 This is a flowchart of the integrated system security operation and maintenance risk early warning method based on behavior analysis according to the present invention.

[0037] Figure 2 This diagram illustrates the integrated system security operation and maintenance risk early warning method based on behavior analysis, as described in this invention. Detailed Implementation

[0038] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be further described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described herein are for illustrative purposes only and are not intended to limit the scope of protection of this invention.

[0039] This embodiment provides an integrated system security operation and maintenance risk early warning method based on behavior analysis, which is applied to a plant-wide comprehensive early warning platform that includes DCS system, NCS system, management information zone (Zone III) and video surveillance system.

[0040] Step 1: Deployment of the Multimodal Behavioral Data Acquisition Layer Operations and maintenance terminal behavior data: A lightweight agent is deployed on the operations and maintenance bastion host (jump host) to capture keystrokes, mouse click events, executed command lines (cmdline), and process creation and destruction events of operations and maintenance personnel (including third-party operations and maintenance personnel) in real time. Remote desktop protocol (RDP / SSH) sessions are recorded, and the perceptual hash value of key screen areas is calculated periodically for subsequent screen content comparison.

[0041] Network traffic metadata: All traffic metadata between the DCS controller and the engineering workstation, between the NCS system and the dispatch data network, and between video cameras and the NVR is collected using NetFlow / IPFIX and deep packet inspection technologies. Protocol field-level parsing is specifically performed for industrial control protocols (such as Modbus / TCP, IEC104) to extract features such as function codes and register address ranges.

[0042] Core business data access logs: These logs connect to real-time databases (such as PI System), relational databases (such as Oracle-stored equipment ledgers), and file servers (such as SMB-shared inspection reports). All SQL statements and file operation records are retrieved through a database auditing system or bypass mirroring, with a focus on recording sensitive operations such as SELECT, INSERT, UPDATE, DELETE, DROP, and ALTER.

[0043] Step 2: Multi-dimensional behavioral feature extraction and vectorization Terminal command semanticization: The collected raw command line strings (such as "systemctl stop turbine_booster" and "rm -rf / backup / logs / *") are input into a CodeBERT model finely tuned for the operations and maintenance domain, outputting a 256-dimensional semantic vector. This vector can distinguish the essential difference between "stopping the service" and "deleting a file".

[0044] Network behavior quantification: Traffic is segmented into sessions based on "source IP-destination IP-protocol-destination port," and 65 statistical features are extracted from each session, including: average packet length, standard deviation of packet length, initial TTL value, TCP flags distribution, request-response packet ratio, etc. For industrial control protocol traffic, function code sequence features are added. All features are normalized to form a network behavior feature vector.

[0045] Data Access Graph Embedding: Constructing a plant-wide operations and maintenance (O&M) knowledge graph. Entities include: O&M personnel accounts, O&M terminal IPs, business systems (DCS / NCS / SIS), database table names (e.g., TURBINE_PARAM), field names (e.g., BEARING_TEMP), and operation types (read / write / modify configuration). Each entity is mapped to a 100-dimensional vector using the RDF2Vec algorithm. For example, when O&M personnel A accesses the TURBINE_PARAM table in the DCS system via IP B, the embedding vector of this access path in the graph represents the contextual features of that data access behavior.

[0046] Step 3: Construction and Energy Integration of the Core Parameter "Data Thermal Field" of the DCS System For the most critical turbine bearing temperature parameter in the DCS system (stored in the BEARING_TEMP row of the TURBINE_PARAM table in the real-time database), calculate its data heat.

[0047] Basic heat calculation: In the past week, the read and write frequency of BEARING_TEMP was 1440 times / day (once per minute). Considering that it is a core protection parameter that directly affects the safety of the unit (classified as "core production data"), the basic heat value Heat_base=9.5 (out of 10) is assigned.

[0048] Proximity propagation: Since BEARING_TEMP, "VIBRATION", and "ROTOR_SPEED" belong to the same device tree and are often queried simultaneously in alarm linkage logic, the heat of these three data units is mutually enhanced through the proximity algorithm, and finally Heat_final(BEARING_TEMP) approaches 9.8.

[0049] Energy loss integral calculation: Scenario A (Routine Inspection): The inspector executes `SELECT BEARING_TEMP FROM TURBINE_PARAMWHERE TIME>SYSDATE-5MIN`. This operation involves only one row of data, the destructive factor α is 0.1 (read operation), and the current terminal activity level (Act_weight) is normally 1.0. E_op is calculated as 0.1 * 9.8 * 1.0 = 0.98. The historical baseline E_threshold is 1.2, and E_op does not exceed the threshold, therefore it is considered normal.

[0050] Scenario B (Suspected Data Theft or Misoperation): An operations and maintenance personnel executes `SELECT * FROM TURBINE_PARAMWHERE TIME>SYSDATE-1YEAR`, intending to export all historical trend data within one year, involving millions of rows. The target dataset D_target contains a large amount of data with a high affinity to `BEARING_TEMP`. Assume the target dataset covers 10^6 rows of high-frequency data, with an average popularity of approximately 7.0. Calculate E_op ≈ α(0.1) * (10^6 * 7.0) * Act_weight (the weight rises to 2.0 due to frequent operations) = 1.4e6. This value far exceeds the historical E_threshold (assuming the largest historical export operation only involved a few hundred rows). This dramatic spike in energy directly reflects the significant "impact" this operation had on the data assets.

[0051] Step 4: Risk Probability Prediction using the TCN-Transformer Hybrid Model The multimodal vector generated in step two (command semantic vector 256-dimensional + network behavior feature 65-dimensional + graph embedding 100-dimensional = 421-dimensional) is used as the sequence input, with each window lasting 5 minutes, forming a T×421 temporal tensor.

[0052] TCN Temporal Feature Extraction: The TCN module employs a 3-layer dilated convolution with a dilation factor d=[1,2,4] and a kernel size of 3. This module effectively captures the gradual changes in operational processes over time. For example, before launching a final destructive command, an attacker typically uses a series of progressively deeper probing commands (such as "ls -la", "cd config", "catcontroller.conf"). These sequence patterns are captured by TCN.

[0053] Transformer Attention Fusion: The temporal features output by the TCN are concatenated with the real-time energy loss integral value E_op calculated in step three, and after adding time-step encoding, they are fed into a 4-head Transformer encoder. The attention mechanism automatically assigns higher weights to high-risk features (such as high E_op values ​​and anomalous external connection network features).

[0054] Probability Output: The MLP layer outputs the risk probability P_risk. In scenario B, considering the large E_op integral, the abnormal SQL statement semantic vector (which differs greatly from the backup operation vector), and network connection characteristics (the maintenance terminal is establishing a TCP connection with a rare external IP), the model outputs a P_risk as high as 0.99.

[0055] Step 5: Risk Level Mapping and Differentiated Response Asset importance coefficient: The Asset_Value of the DCS system is set to 10 (highest level), while the Asset_Value of the video surveillance system is set to 5.

[0056] Dynamic threshold correction: Based on the distribution of all maintenance activities over the past 24 hours, the MAD (Median Absolute Difference) algorithm is used to dynamically adjust E_threshold. For example, during a major unit overhaul, a large number of unconventional operations cause the baseline to be automatically widened, avoiding frequent false alarms.

[0057] Level Determination and Response: For scenario B above (P_risk=0.99, Asset_Value=10, E_op / E_threshold>>100), a "blocking" level risk warning is triggered.

[0058] Response in tandem: The bastion host immediately terminates the maintenance session, locks the account, and flashes a high-level alarm on the large screen of the plant's central control center, displaying "Abnormal export of DCS core data - blocked." Simultaneously, the network administrator is notified to add the terminal IP to the dynamic blacklist on the core switch and initiate full-traffic packet capture for evidence collection.

[0059] Step Six: Closed-Loop Immune Evolution After analysis by the security team, it was confirmed that Scenario B involved an outsourced operations and maintenance personnel maliciously stealing core process parameters using legitimate privileges. The system automatically executed the following evolutionary operations: Intelligence generation: Extract the attack source IP, the JDBC driver version characteristics used, and the abnormal template of the SQL statement (SELECT * FROM TURBINE_PARAM WHERE TIME>...).

[0060] Rule issuance: Generate new database audit rules based on abnormal SQL templates; generate firewall blocking policies based on IP addresses; generate EDR detection rules based on command sequence characteristics (such as detecting specific parameter combinations like "mysqldump -where").

[0061] Model fine-tuning: This case was added to the training set as a high-weight negative sample, and the TCN-Transformer model was subjected to online incremental learning, so that the system would be highly vigilant for similar data volume export operations in the future.

[0062] In this invention, unless otherwise explicitly specified and limited, the terms "installation," "connection," "linking," and "fixing," etc., should be interpreted broadly. For example, they can refer to a fixed connection, a detachable connection, or an integral part; they can refer to a mechanical connection, an electrical connection, or a connection that allows communication between them; they can refer to a direct connection or an indirect connection through an intermediate medium; they can refer to the internal communication of two components or the interaction between two components, unless otherwise explicitly limited. Those skilled in the art can understand the specific meaning of the above terms in this invention according to the specific circumstances. Obviously, the embodiments described above are only some embodiments of this invention, not all embodiments. The accompanying drawings show preferred embodiments of this invention, but do not limit the patent scope of this invention. This invention can be implemented in many different forms; on the contrary, the purpose of providing these embodiments is to make the disclosure of this invention more thorough and complete. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art can still modify the technical solutions described in the foregoing specific embodiments or make equivalent substitutions for some of the technical features. Any equivalent structures made using the content of this specification and drawings, directly or indirectly applied to other related technical fields, are similarly within the patent protection scope of this invention.

Claims

1. A method for early warning of security operation and maintenance risks in an integrated system based on behavior analysis, characterized in that, Includes the following steps: Step S1: Construct a multimodal data acquisition layer for operation and maintenance behavior, connect to and integrate various data sources within the system, and collect operation and maintenance terminal behavior data, network traffic metadata, and core business data access logs. Step S2: Based on the collected multi-source heterogeneous data, extract multi-dimensional behavioral features of the operation and maintenance entities to form an initial behavioral vector containing a triplet of terminal operation, network communication, and data access. Step S3: Construct a "data access hotspot" model for different types of data resources and calculate the energy loss integral of hotspot data during the execution of operation and maintenance instructions; Step S4: Input the energy loss integral and the multi-dimensional behavior vector into the hybrid early warning model based on TCN-Transformer to generate the target risk probability value; Step S5: Combine the preset dynamic defense threshold library with the asset importance coefficient to adjust the risk probability level and output differentiated early warning response strategies.

2. The method for early warning of security operation and maintenance risks of integrated systems based on behavior analysis according to claim 1, characterized in that, The operation and maintenance terminal behavior data in step S1 includes at least keyboard keystroke dynamics, operation command history sequence, process call relationship tree, and screenshot hash value; the network traffic metadata includes at least five-tuple information, TCP session timing characteristics, protocol payload length distribution, and encrypted traffic fingerprint; the core business data access log includes at least database table read and write frequency, file server access path, API interface call parameters, and return codes.

3. The method for early warning of security operation and maintenance risks of integrated systems based on behavior analysis according to claim 1, characterized in that, Step S2 further includes: Sub-step S21: Perform NLP modeling on the terminal operation command sequence and use a BERT variant model to convert the command string into a semantic vector; Sub-step S22: Perform flow feature aggregation on network traffic, calculate the mean and variance of packet arrival interval, the number of bytes transmitted in a small window, and the trend of TCP window size change, and form a network behavior feature tensor; Sub-step S23 involves graph modeling of the data access logs, constructing an operational behavior knowledge graph, and embedding entities and relationships into low-dimensional dense vectors using a graph embedding algorithm to represent the contextual closeness of data access.

4. The method for early warning of security operation and maintenance risks of integrated systems based on behavior analysis according to claim 1, characterized in that, The construction of the "data access thermal field" model and the method for calculating the energy loss integral in step S3 include: Sub-step S31: Collect the read and write access frequency of each data row or data object in the production environment database within the preset history window, and assign a basic heat value to each data unit in combination with the data classification and labeling. Sub-step S32 combines the business relevance and proximity between data units and uses an iterative algorithm to propagate the heat value, forming a global data access heat field distribution. Sub-step S33: When a data processing instruction initiated by the operation and maintenance terminal is detected, the target dataset of the instruction is determined, and all data units involved are traversed. Sub-step S34: Assign a destructive coefficient based on the operation type of the instruction, and calculate the energy loss integral for a single operation by combining the final heat value of the data unit and the current activity weight of the operation and maintenance terminal. Sub-step S35: retrieve the historical operation baseline of the maintenance terminal, determine the energy consumption threshold when performing the same type of operation within the historical maintenance window, and if the current energy consumption integral exceeds the set multiple, it is judged as a high-risk operation.

5. The method for early warning of security operation and maintenance risks of integrated systems based on behavior analysis according to claim 1, characterized in that, The construction of the TCN-Transformer hybrid early warning model in step S4 includes: Sub-step S41: Construct a temporal convolutional network module, extract the temporal change pattern of the operation and maintenance behavior sequence by stacking dilated convolutional layers, and output a temporal feature vector; Sub-step S42: Construct the Transformer encoder module and use a multi-head self-attention mechanism to perform deep feature interaction and weight allocation on the behavior semantic vector, energy loss integral value and temporal feature vector. Sub-step S43: The fusion vector output by the Transformer is mapped to the target risk probability value through the multi-layer sensing head; Sub-step S44: Focal Loss is used as the loss function during the model training phase.

6. The method for early warning of security operation and maintenance risks of integrated systems based on behavior analysis according to claim 1, characterized in that, Step S5 further includes: Sub-step S51: Initialization and updating of the dynamic defense threshold library. In the initial stage of the system, a behavioral baseline is established within a short period of time through unsupervised learning, and the behavioral distribution parameters are updated in real time using an online learning algorithm. Sub-step S52 introduces an asset importance coefficient and assigns an importance scale based on the security level requirements of the business system and the impact on business continuity. Sub-step S53: Calculate the final warning level using fuzzy logic rules, and classify it into at least three levels: "observation", "alarm", and "blocking". Sub-step S54: Implement differentiated response strategies based on the warning level.

7. The method for early warning of security operation and maintenance risks of integrated systems based on behavior analysis according to claim 1, characterized in that, It also includes closed-loop optimization steps based on endogenous threat intelligence: Step S6: For warning events confirmed as real attacks, the system automatically traces the source address of the attack, the attack method, and the scope of assets affected. Step S7: Using the confirmed attack sample characteristics, automatically generate intrinsic threat intelligence and intrinsic attack detection signature rules, and distribute them to probes or endpoint detection response platforms at the network edge.

8. A behavior-based integrated system security operation and maintenance risk early warning system, used to implement the method described in any one of claims 1-7, characterized in that, include: The image data acquisition layer covers data from DCS systems, NCS systems, on-site inspection systems, fire alarm systems, video surveillance systems, and intelligent monitoring systems. The data governance layer is used to clean, normalize, and extract features from the collected multi-source heterogeneous data; The early warning analysis layer uses a three-level process—weight calculation, severity assessment, and score correction—to achieve alarm classification. The application interaction layer works in conjunction with the early warning analysis layer to trigger differentiated push strategies based on the alarm level. The security protection layer meets the requirements of Level 3 or above of the network security level protection.

9. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the program is executed by the processor, it implements the behavior analysis-based integrated system security operation and maintenance risk early warning method as described in any one of claims 1 to 7.

10. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the program, it implements the integrated system security operation and maintenance risk early warning method based on behavior analysis as described in any one of claims 1 to 7.