An interaction method and device based on a network twin security agent, equipment and medium

By using the access qualification determination method of the network twin security agent, the problem of sensitive data exposure during the interaction between the client and the AI ​​Agent is solved, thereby improving data security and interaction reliability.

CN122268633APending Publication Date: 2026-06-23PENG CHENG LAB

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
PENG CHENG LAB
Filing Date
2026-03-25
Publication Date
2026-06-23

Smart Images

  • Figure CN122268633A_ABST
    Figure CN122268633A_ABST
Patent Text Reader

Abstract

The application discloses an interaction method and device based on a network twin security agent, equipment and a medium, relates to the technical field of digital network twins, and the network twin security agent is a security agent arranged between an intelligent agent and a client. The method comprises the following steps: when a current user performs an interaction session with a target intelligent agent through a client, an interaction request initiated by the current user is acquired; the trust score of the current user and the current session state are determined, and the data sensitivity level corresponding to the interaction request is determined; the interaction request and the target intelligent agent are subjected to an access qualification discrimination operation based on the trust level information of the target intelligent agent, the trust score and the data sensitivity level; and it is determined whether the target intelligent agent processes the interaction request based on the corresponding access qualification discrimination result. Thus, the interaction request is managed by the network twin security agent between the intelligent agent and the client, the access qualification of the intelligent agent to the interaction request can be determined, and the data security and the reliability of the interaction are improved.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of digital network twin technology, and in particular to an interaction method, apparatus, device and medium based on a network twin security agent. Background Technology

[0002] Clients can establish communication relationships with multiple AI Agents (Artificial Intelligence Agents, i.e., AI agents) through a unified interface. In this architecture, the client typically acts as the user interaction entry point, responsible for receiving user input instructions or data and forwarding relevant requests to one or more backend AI Agents for processing via standardized communication protocols. Regarding security controls, existing systems generally introduce basic identity authentication and access control mechanisms into the interaction link between the client and the Agent (agent), such as access control based on account, role, or interface-level permissions, and content filtering or compliance review of Agent output results in some scenarios. However, clients typically send user input data directly to the selected Agent as the complete request content, without distinguishing whether the input contains privacy-sensitive information such as identity attributes or behavioral preferences, nor do they determine whether the current Agent has the necessity and security qualifications to access such data. This may result in Agents with low trust levels or those whose functions do not require the relevant data still accessing core user privacy, creating a risk of excessive data exposure.

[0003] Therefore, ensuring the security of interactive data and reducing the risk of sensitive data exposure when users interact with AI Agents through clients is a problem that needs to be solved in this field. Summary of the Invention

[0004] In view of this, the purpose of this invention is to provide an interaction method, apparatus, device, and medium based on a network twin security proxy. By managing interaction requests through a network twin security proxy between the agent and the client, the access qualifications of the agent for interaction requests can be determined, thereby improving data security and the reliability of the interaction. The specific solution is as follows: Firstly, this application provides an interaction method based on a network twin security agent, wherein the network twin security agent is a security agent set up between the agent and the client, and the method includes: When the current user is having an interactive session with the target intelligent agent through the client, the interaction request initiated by the current user is obtained; The credibility score and current session state of the current user are determined, and the data sensitivity level corresponding to the interaction request is determined; the credibility score is a score obtained by quantifying the current user's authentication method and historical behavior logs, and the current session state includes the log information of the current user in this interaction session; Based on the trust level information of the target intelligent agent, the trust score, and the data sensitivity level, an access qualification judgment operation is performed on the interaction request and the target intelligent agent; Based on the corresponding access qualification judgment result, it is determined whether the target intelligent agent should process the interaction request.

[0005] Optionally, before obtaining the interaction request initiated by the current user, the method further includes: Obtain registration requests submitted by several intelligent agents; Based on the registration request, a security policy corresponding to each of the several intelligent agents is determined from a preset policy table; the security policy includes the trust level information, risk score and data access scope of the intelligent agent; Accordingly, the operation of determining the access eligibility of the interaction request and the target intelligent agent based on the trust level information of the target intelligent agent, the trust score, and the data sensitivity level includes: Determine the target policy corresponding to the target agent; Based on the credibility score, the data sensitivity level, and the credibility level information in the target policy, an access qualification judgment operation is performed on the interaction request and the target agent.

[0006] Optionally, determining the current user's trust score and current session state includes: The credibility score of the current user is obtained by weighting and quantifying the authentication method and historical behavior log of the current user according to the preset weight coefficients. By combining the credibility score, the current user's log information in this interaction session, and the duration of this interaction session, the current session state corresponding to the current user is generated in real time.

[0007] Optionally, determining the data sensitivity level corresponding to the interaction request includes: Sensitive information is identified in the data corresponding to the interaction request using a preset data identification method, and the data sensitivity level corresponding to the interaction request is determined based on the type of sensitive information identified. The preset data recognition method refers to data recognition performed through regular expression matching and / or large language model recognition and / or keyword matching.

[0008] Optionally, the step of performing access qualification determination on the interaction request and the target intelligent agent based on the trust level information of the target intelligent agent, the trust score, and the data sensitivity level includes: The trust level information, trust score, and data sensitivity level of the target intelligent agent are matched based on preset matching rules. Based on the corresponding matching results, an access qualification judgment result is output, which indicates whether the target intelligent agent has the qualification to access the interaction request.

[0009] Optionally, determining whether the target agent should process the interaction request based on the corresponding access qualification judgment result includes: If the corresponding access qualification determination result indicates that the target intelligent agent does not have the qualification to access the interaction request, then the first preset processing sub-process is triggered; the first preset processing sub-process is a data desensitization sub-process and / or a re-authentication sub-process; After the preset processing sub-process is executed successfully, the access qualification determination operation is re-executed.

[0010] Optionally, after re-executing the access qualification determination operation, the method further includes: If the new access qualification determination result obtained by re-executing the access qualification determination operation indicates that the target intelligent agent does not have the qualification to access the interaction request, then the second preset processing sub-process is triggered; the second preset processing sub-process is an access restriction sub-process and / or a user alarm sub-process.

[0011] Secondly, this application provides an interactive device based on a network twin security agent, wherein the network twin security agent is a security agent set between the intelligent agent and the client, and the device includes: The interaction request acquisition module is used to acquire the interaction request initiated by the current user when the current user is having an interaction session with the target intelligent agent through the client; The information determination module is used to determine the credibility score and current session state of the current user, and to determine the data sensitivity level corresponding to the interaction request; the credibility score is a score obtained by quantification based on the authentication method and historical behavior logs of the current user, and the current session state includes the log information of the current user in this interaction session; The access qualification determination module is used to perform access qualification determination operations on the interaction request and the target intelligent agent based on the trust level information of the target intelligent agent, the trust score and the data sensitivity level; An interaction processing module is used to determine whether the target agent should process the interaction request based on the corresponding access qualification judgment result.

[0012] Thirdly, this application provides an electronic device, comprising: Memory, used to store computer programs; A processor for executing the computer program to implement the interaction method based on a network twin security agent as described above.

[0013] Fourthly, this application provides a computer-readable storage medium for storing a computer program, which, when executed by a processor, implements the interaction method based on a network twin security agent as described above.

[0014] Therefore, this application applies to a network twin security proxy between an agent and a client. First, it acquires the interaction request initiated by the current user through the client to the target agent. Then, it determines the current user's trust score and current session state, and determines the data sensitivity level corresponding to the interaction request. The trust score is a score quantified based on the current user's authentication method and historical behavior logs, and the current session state includes the current user's log information in this interaction session. Next, based on the target agent's trust level information, the trust score, and the data sensitivity level, it performs access qualification judgment operations on the interaction request and the target agent. Finally, based on the corresponding access qualification judgment results, it determines whether the target agent should process the interaction request. In this way, this application can manage the data security of interaction requests through a network twin security proxy between the agent and the client. Specifically, by combining the user's trust score, current session state, the data sensitivity level corresponding to the interaction request, and the target agent's trust level information, it determines the access qualification of the interaction request between the agent and the user, thereby improving data security and the reliability of the interaction. Attached Figure Description

[0015] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on the provided drawings without creative effort.

[0016] Figure 1 This is a flowchart of an interaction method based on a network twin security agent disclosed in this application; Figure 2 This application discloses a specific interactive flowchart based on a network twin security agent. Figure 3 This is a schematic diagram of an interactive device structure based on a network twin security agent disclosed in this application; Figure 4This is a structural diagram of an electronic device disclosed in this application. Detailed Implementation

[0017] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0018] See Figure 1 As shown in the figure, this invention discloses an interaction method based on a network twin security proxy, wherein the network twin security proxy is a security proxy set between the intelligent agent and the client, and the method includes: Step S11: When the current user is having an interactive session with the target intelligent agent through the client, obtain the interaction request initiated by the current user.

[0019] In this application, a user can initiate an interaction request to a selected target agent via a client based on the AG-UI (Agent-User Interaction Protocol). A network twin security agent is positioned between the client and the agent to ensure data security during the interaction session. Specifically, when the user initiates an interaction session with the target agent through the client, the network twin security agent obtains the interaction request initiated by the user. This request can be initiated to establish an interaction session or it can be a request for specific content initiated during the interaction session. It should be noted that the user can chat with the agent through the client, meaning the agent provides a chat service; the user can also interact with the agent through the client to perform tasks such as drawing and graph generation.

[0020] In one specific embodiment, before obtaining the interaction request initiated by the current user, the process may further include: obtaining registration requests submitted by several intelligent agents; determining the security policies corresponding to each of the several intelligent agents from a preset policy table based on the registration requests; the security policies include the trust level information, risk score, and data access scope corresponding to the intelligent agent. It is understood that the network twin security agent can manage the registration of the intelligent agents it accesses, determining their corresponding trust level information, risk score, and data access scope based on the registration requests submitted by the intelligent agents. The process of determining the security policy of an intelligent agent can be implemented through a maintained policy table. After receiving a registration request initiated by an intelligent agent, the network twin security agent can parse the fields in the registration request and automatically match the initial trust level, risk score, and data access scope corresponding to the intelligent agent by querying the policy table. It is understood that the trust level of an intelligent agent can represent the permission to access specified registered sensitive information, such as a user's identity information being first-level sensitive information and a login password being second-level sensitive information; while the risk score can represent the security of the intelligent agent during the session; and the data access scope can represent the interaction session between the intelligent agent and several clients.

[0021] Step S12: Determine the current user's credibility score and current session state, and determine the data sensitivity level corresponding to the interaction request; the credibility score is a score obtained by quantifying the current user's authentication method and historical behavior logs, and the current session state includes the current user's log information in this interaction session.

[0022] In this embodiment, the interaction requests initiated by the current user during the interaction session with the target agent can be obtained through the above steps. The current user's authentication method and historical behavior logs can be quantified to obtain a security score representing the user's identity, i.e., a reliability score. Simultaneously, the log information of the current user and the target agent during this interaction session can also reflect the security of the interaction process. By organizing the log information related to the interaction session, the current session state can be obtained. In a specific embodiment, the current session state may also include fields such as the current user's basic identity information, reliability score, session duration, and sensitive operation calculations during the session, which can be used to assess the session's risk status. It is understood that the user's reliability score can be updated in real time during the interaction session, and the current session state can also be updated in real time during the interaction session. Furthermore, the data involved in the obtained interaction requests also corresponds to a degree of sensitivity, specifically divided into different sensitivity levels, thus determining the data sensitivity level corresponding to the interaction request.

[0023] In one specific embodiment, the process of determining the current user's credibility score and current session state involves first weighting and quantifying the current user's authentication method and historical behavior logs according to preset weight coefficients to obtain the current user's credibility score. Then, combining the credibility score, the current user's log information in this interaction session, and the duration of this interaction session, the current session state is generated in real time. Specifically, the current user's credibility score is quantified based on the authentication method and historical behavior logs. Different authentication methods may have different weight coefficients; for example, password authentication may have a slightly lower weight coefficient than biometric authentication. Correspondingly, historical behavior logs may contain information such as the number of abnormal accesses or unauthorized authentications by the user, and may also be assigned different weight coefficients. In this way, the user's credibility score can be quantified by combining the authentication method and historical behavior information through weighted calculation.

[0024] In another specific embodiment, in determining the data sensitivity level corresponding to the interaction request, firstly, sensitive information is identified in the data corresponding to the interaction request using a preset data identification method, and the data sensitivity level corresponding to the interaction request is determined based on the type of identified sensitive information. The preset data identification method represents data identification performed through regular expression matching and / or large language model recognition and / or keyword matching. Specifically, the process of determining the data sensitivity level can employ various data identification technologies. For example, regular expressions can be used to match sensitive information with fixed formats such as ID card numbers, mobile phone numbers, and bank card numbers; trained large language models can be used to identify entities such as names, addresses, and organization names in the data; and a custom keyword list can be used for keyword matching to identify sensitive terms specific to certain industries in the data.

[0025] Step S13: Based on the trust level information of the target intelligent agent, the trust score, and the data sensitivity level, perform an access qualification judgment operation on the interaction request and the target intelligent agent.

[0026] In this embodiment, the current user's trust score, current session state, and data sensitivity level corresponding to the interaction request can be obtained through the above steps. Then, combined with the target agent's trust level information, an access qualification determination operation can be performed on the interaction request and the target agent. Further, in a specific embodiment, during the access qualification determination operation on the interaction request and the target agent based on the target agent's trust level information, the trust score, and the data sensitivity level, the trust level information, the trust score, and the data sensitivity level can be matched based on a preset matching rule. Based on the corresponding matching result, an access qualification determination result representing whether the target agent has the qualification to access the interaction request is output. It is understood that the access qualification determination operation can be implemented through an "IF-THEN" rule; executing the relevant determination rule can output an access qualification determination result.

[0027] In a specific embodiment, during the access qualification determination operation for the interaction request and the target intelligent agent based on the trust level information of the target intelligent agent, the trust score, and the data sensitivity level, the target policy corresponding to the target intelligent agent is first determined; then, the access qualification determination operation for the interaction request and the target intelligent agent is performed based on the trust score, the data sensitivity level, and the trust level information in the target policy. Specifically, during the current user's interaction session with the target intelligent agent through the client, the network twin security agent can determine the target policy corresponding to the target intelligent agent, which includes the trust level information of the target intelligent agent; then, the access qualification determination operation is performed by combining the trust level information, the current user's trust score, and the data sensitivity level corresponding to the interaction request; it should be noted that the access qualification determination operation here refers to determining whether the target intelligent agent has the qualification to access the interaction data, and the interaction data refers to the data involved in the current interaction request initiated by the current user.

[0028] Step S14: Determine whether the target agent should process the interaction request based on the corresponding access qualification judgment result.

[0029] In this embodiment, the above steps yield a judgment result characterizing whether the target intelligent agent has the qualification to access interactive data; then, based on this access qualification judgment result, it can be determined whether the target intelligent agent should process the corresponding interactive request. It should be noted that different access qualifications require different processing of interactive requests; for example, some interactive data can be processed by the target intelligent agent after de-identification processing, while some interactive requests are completely illegal and need to be directly restricted.

[0030] Furthermore, in a specific embodiment, the process of determining whether the target intelligent agent should process the interaction request based on the corresponding access qualification judgment result includes triggering a first preset processing sub-process if the access qualification judgment result indicates that the target intelligent agent does not have the qualification to access the interaction request. The first preset processing sub-process is a data desensitization sub-process and / or a re-authentication sub-process. In this case, data desensitization can be attempted, and after completing the corresponding desensitization process, the access qualification judgment operation can be re-executed. Correspondingly, in this case, the current user's identity can also be re-authenticated, and after authentication, the corresponding interaction request can be re-evaluated, i.e., the access qualification judgment operation can be re-executed. It is understood that if, after re-judgment, it is determined that the target intelligent agent has the qualification to access the corresponding interaction data, then the target intelligent agent can process the interaction request.

[0031] Accordingly, after re-executing the access qualification determination operation, if the new access qualification determination result indicates that the target agent does not have the qualification to access the interaction request, then the second preset processing sub-process is triggered; the second preset processing sub-process is an access restriction sub-process and / or a user alarm sub-process. It is understood that if, after data anonymization or re-authentication, the target agent still does not have the qualification to access the interaction request, then the target agent cannot process the interaction request, can immediately terminate the interaction request, return access denied to the client, and disconnect the corresponding interaction session connection; simultaneously, an alarm prompt can be generated in the user interface.

[0032] Therefore, this application can manage data security for interaction requests through a network twin security proxy between the agent and the client. Specifically, it determines the access qualifications of the agent and the user's interaction request by combining the user's trust score, current session state, data sensitivity level corresponding to the interaction request, and trust level information of the target agent. This avoids the problem of indiscriminate access to user privacy data by each agent in parallel interaction scenarios, and improves the controllability and security of agent data access behavior. Furthermore, this identification of privacy-sensitive information in the interaction data at the input stage fundamentally prevents low-trust or unauthorized agents from accessing the user's core privacy information during processing, overcoming the protection lag caused by content filtering only at the output stage, and significantly reducing the risk of privacy leakage.

[0033] like Figure 2 As shown, this embodiment discloses an interaction method based on a network twin security proxy. A network twin security proxy is set up between the front-end and the AI ​​Agent based on network twin technology. The front-end may include a user front-end application and a corresponding client based on the AG-UI protocol, specifically including: First, users can interact with a client based on the AG-UI protocol through a front-end application. Users can log in and authenticate through the front-end application, while a security agent collects the user's contextual information (including historical behavior and other user-related information) and quantifies the user's trustworthiness score. The client sends relevant interaction requests to the network twin security agent, which determines whether the current interaction request can be handled by the corresponding AI Agent (target intelligent agent) through joint access qualification judgment. Specifically, if the judgment result is trustworthy, it can be directly handled by the corresponding target intelligent agent; if the judgment result is untrustworthy, the untrustworthiness can be further subdivided; for example, after data anonymization, it can be handled by the target intelligent agent, or the situation can be reported to the client to trigger alarms / re-authentication / access restrictions, etc. Correspondingly, the AI ​​Agent list includes several AI Agents, and Agents can register with the network twin security agent, which assigns trust levels (high, medium, and low trust levels) and access permissions to each intelligent agent. Furthermore, in the joint access qualification judgment process, the security agent can combine the user's trustworthiness score, the intelligent agent's trust level, and the data sensitivity level of the interaction request itself for joint judgment.

[0034] In a specific embodiment, the above-mentioned interaction method based on a network twin security agent can be implemented through three modules: a network twin AI Agent registration and trust level management module, a network twin user information processing module, and a network twin security agent control module. The network twin security agent control module acts as a protocol-level hub, used for privacy identification, access judgment, and control execution; the AG-UI protocol only serves as a message encapsulation and transmission carrier and does not undertake any security judgment logic itself.

[0035] Specifically, the network twin AI Agent registration and trust level management module can perform operations such as agent registration and management; the security agent can uniformly register and manage AI Agents connected to the system. Each Agent must be associated with at least the following information during registration: Agent unique identifier, Agent function type, Agent trust level, Agent accessible data range, and Agent access risk score. When an AI Agent connects to the system, this management module can provide a RESTful API interface for Agent providers to call and submit registration information; and maintain a "function type-security policy" mapping table. When a registration request is received from an agent, the Agent function type field in the request is parsed, and the preset initial trust level, risk score, and data access range are automatically matched by querying the "function type-security policy" mapping table; and the generated full file (including the system-assigned Agent unique identifier) ​​is written to the "AI Agent Registration Record Table"; this table is stored in a relational database with the Agent unique identifier as the primary key to ensure efficient querying. It can be seen that the security agent's management module can establish a unified trust level and access capability model for different agents without relying on the internal implementation of the agent. This module does not participate in real-time judgment during the interaction process, but provides trusted input parameters for subsequent access control.

[0036] Furthermore, the network twin user information management module maintains the user's security attribute status and current session context information, providing dynamic user-side judgment criteria for the security agent's access qualification assessment. Specifically, when a user initiates a login authentication request through a client, the network twin user information management module of the security agent can integrate the user's identity and role information; for example, combining the device fingerprint information for login authentication to jointly construct a basic user profile. Moreover, this user information management module, through a configurable scoring engine, assigns different weight coefficients to different authentication methods (such as passwords and biometrics), and combines this with the user's historical behavior logs (such as the number of abnormal accesses) to generate a quantified user trust score through weighted calculation. Correspondingly, this user information management module can use the session ID as a key to store structured session objects; these objects not only contain basic user information and trust scores, but can also dynamically record fields used to assess session risk status, such as session duration and the count of sensitive operations within the current session. It should be noted that user attributes (trust scores, etc.) and session status can be updated in real time during the interaction process to support real-time adjustments to subsequent access judgments. This module does not directly participate in real-time judgment during the interaction process, but rather acts as an information provider for the network twin security agent control module.

[0037] Furthermore, the network twin security agent control module is integrated into the AG-UI protocol as middleware. It is the core module for implementing secure access control and is used to perform unified security review, access discrimination and control execution on user input and Agent access requests. Specifically, it includes the following internal functional units: (1) Privacy sensitive information identification unit: It integrates multiple identification technologies and can quickly match sensitive information with fixed formats such as ID card number, mobile phone number, and bank card number through the regular expression rule library; it can also use pre-trained language models to identify entities such as personal names, addresses, and organization names in text; and it supports custom keyword lists to match sensitive terms in specific industries. This privacy sensitive information identification unit can also preset "sensitivity level" (such as L1 high sensitivity, L2 medium sensitivity, L3 low sensitivity) for each type of sensitive information. The identification result is output as structured data, such as {"type": "ID card number", "level": "L1"}. (2) Access qualification joint discrimination unit: It integrates a rule engine such as Drools (an open source business rule engine) and can write security policies as "IF-THEN" rules. For example: "IF(User trust level is A AND Agent trust level is high AND the content involved in the request does not contain L1 sensitive information) THEN The judgment result is: "Trusted"; indicating that the interaction request can be processed by the corresponding target intelligent agent. It is understandable that when performing access qualification judgment, the AI ​​Agent trust level can be obtained from the cache, the user's corresponding trust rating can be obtained from the session state, and the sensitive information list and the highest level can be obtained from the privacy sensitive information identification unit as fact input rule engine. Then the rule engine executes all the matching rules configured by it and outputs a definite judgment result (such as "trusted" and "untrusted"; or "qualified to access" and "unqualified to access"). (3) Control execution unit: According to the access qualification judgment result output by the judgment unit, call different processing sub-processes; specifically, for the result of "needs to be desensitized", according to the location information provided by the sensitive information identification unit, mask the sensitive fields in the original request text (such as using " The system can handle requests by either replacing or generalizing the information (e.g., keeping only the first few digits of the address); for access restrictions, immediately terminate the subsequent processing of the current request, return an "Access Denied" instruction to the user client, and disconnect the corresponding session connection; for results requiring re-authentication, initiate an upgrade authentication challenge to the user client (e.g., requesting multi-factor authentication), and only after the user completes strong authentication can the interaction request be submitted to the judgment unit for re-evaluation; for results with high risk that require triggering alarms, generate a security alarm message on the user interface (e.g., "This operation has been blocked due to security risks").

[0038] Therefore, this application, by introducing a network twin security agent mechanism into the AG-UI protocol-based interaction link and combining user security trust scores with agent trust levels for joint judgment, technically achieves refined control over user interaction behavior. Specifically, under the premise that the user autonomously selects the agent, the network twin security agent is introduced to uniformly intercept and judge interaction requests, so that agents with different trust levels and risk attributes are clearly distinguished in the same session regarding their accessible data range. This avoids the problem of agents indiscriminately accessing user privacy data in multi-agent parallel interaction scenarios, improving the controllability and security of agent data access behavior. Furthermore, by identifying privacy-sensitive information in the interaction data during the input stage, it fundamentally prevents low-trust or unauthorized agents from accessing the user's core privacy information during processing, overcoming the protection lag caused by content filtering only at the output stage, and significantly reducing the risk of privacy leakage.

[0039] like Figure 3 As shown, this embodiment discloses an interaction device based on a network twin security proxy, wherein the network twin security proxy is a security proxy set between the intelligent agent and the client, and the device includes: The interaction request acquisition module 11 is used to acquire the interaction request initiated by the current user when the current user conducts an interaction session with the target intelligent agent through the client. The information determination module 12 is used to determine the credibility score and current session status of the current user, and to determine the data sensitivity level corresponding to the interaction request; the credibility score is a score obtained by quantification based on the authentication method and historical behavior logs of the current user, and the current session status includes the log information of the current user in this interaction session; The access qualification determination module 13 is used to perform access qualification determination operations on the interaction request and the target intelligent agent based on the trust level information of the target intelligent agent, the trust score and the data sensitivity level; The interaction processing module 14 is used to determine whether the target intelligent agent should process the interaction request based on the corresponding access qualification judgment result.

[0040] Therefore, this application can manage the data security of interaction requests through a network twin security proxy between the agent and the client. Specifically, by combining the user's trust score, the current session state, the data sensitivity level corresponding to the interaction request, and the trust level information of the target agent, the access qualifications of the agent and the user's interaction request can be determined, thereby improving data security and the reliability of the interaction.

[0041] In one specific embodiment, the device may further include: The registration request acquisition module is used to acquire registration requests submitted by several smart agents; A security policy determination module is used to determine, based on the registration request, a security policy corresponding to each of the plurality of intelligent agents from a preset policy table; the security policy includes the trust level information, risk score, and data access range of the intelligent agent. Accordingly, the access qualification determination module 13 may include: A target policy determination unit is used to determine the target policy corresponding to the target agent; The access qualification determination unit is used to perform access qualification determination operations on the interaction request and the target agent based on the credibility score, the data sensitivity level, and the credibility level information in the target policy.

[0042] In one specific embodiment, the information determination module 12 may include: The credibility scoring quantization unit is used to perform weighted quantization on the authentication method and historical behavior logs of the current user according to preset weight coefficients to obtain the credibility score corresponding to the current user. The session state generation unit is used to combine the credibility score, the log information of the current user in the current interaction session, and the duration of the current interaction session to generate the current session state corresponding to the current user in real time.

[0043] In another specific embodiment, the information determination module 12 may include: A data sensitivity level determination unit is used to identify sensitive information in the data corresponding to the interaction request through a preset data identification method, and to determine the data sensitivity level corresponding to the interaction request based on the type of the identified sensitive information; wherein, the preset data identification method represents data identification through regular expression matching and / or large language model identification and / or keyword matching.

[0044] In one specific embodiment, the access qualification determination module 13 may include: The matching unit is used to match the trust level information, the trust score, and the data sensitivity level of the target intelligent agent based on preset matching rules; The discrimination result output unit is used to output an access qualification discrimination result, which characterizes whether the target intelligent agent has the qualification to access the interaction request, based on the corresponding matching result.

[0045] In one specific embodiment, the interaction processing module 14 may include: The first sub-process triggering unit is used to trigger a first preset processing sub-process when the corresponding access qualification judgment result indicates that the target intelligent agent does not have the qualification to access the interaction request; the first preset processing sub-process is a data desensitization sub-process and / or a re-authentication sub-process; The repeat execution unit is used to re-execute the access qualification determination operation after the preset processing sub-process is successfully executed.

[0046] In another specific embodiment, the device may further include: The first sub-process triggering unit is used to trigger the second preset processing sub-process when the new access qualification judgment result obtained by re-executing the access qualification judgment operation indicates that the target intelligent agent does not have the qualification to access the interaction request; the second preset processing sub-process is an access restriction sub-process and / or a user alarm sub-process.

[0047] Furthermore, embodiments of this application also disclose an electronic device, Figure 4 This is a structural diagram of an electronic device 20 according to an exemplary embodiment. The content of the diagram should not be construed as limiting the scope of this application.

[0048] Figure 4 This is a schematic diagram of the structure of an electronic device 20 provided in an embodiment of this application. Specifically, the electronic device 20 may include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input / output interface 25, and a communication bus 26. The memory 22 stores a computer program, which is loaded and executed by the processor 21 to implement the relevant steps in the interaction method based on a network twin security agent disclosed in any of the foregoing embodiments. Alternatively, the electronic device 20 in this embodiment may specifically be a computer.

[0049] In this embodiment, the power supply 23 is used to provide operating voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and external devices, and the communication protocol it follows can be any communication protocol applicable to the technical solution of this application, and is not specifically limited here; the input / output interface 25 is used to acquire external input data or output data to the outside world, and its specific interface type can be selected according to specific application needs, and is not specifically limited here.

[0050] In addition, the memory 22, as a carrier for resource storage, can be a read-only memory, random access memory, disk or optical disk, etc. The resources stored thereon can include operating system 221, computer program 222, etc., and the storage method can be temporary storage or permanent storage.

[0051] The operating system 221 is used to manage and control the various hardware devices on the electronic device 20 and the computer program 222, which may be Windows Server, Netware, Unix, Linux, etc. In addition to including a computer program capable of performing the interaction method based on a network twin security agent executed by the electronic device 20 as disclosed in any of the foregoing embodiments, the computer program 222 may further include a computer program capable of performing other specific tasks.

[0052] Furthermore, this application also discloses a computer-readable storage medium for storing a computer program; wherein, when the computer program is executed by a processor, it implements the aforementioned disclosed interaction method based on a network twin security agent. Specific steps of this method can be found in the corresponding content disclosed in the foregoing embodiments, and will not be repeated here.

[0053] The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on its differences from other embodiments. Similar or identical parts between embodiments can be referred to interchangeably. For the apparatus disclosed in the embodiments, since it corresponds to the method disclosed in the embodiments, the description is relatively simple; relevant parts can be referred to in the method section.

[0054] Those skilled in the art will further recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the components and steps of the various examples have been generally described in terms of functionality in the foregoing description. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.

[0055] The steps of the methods or algorithms described in conjunction with the embodiments disclosed herein can be implemented directly by hardware, a software module executed by a processor, or a combination of both. The software module can be located in random access memory (RAM), main memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, removable disk, CD-ROM, or any other form of storage medium known in the art.

[0056] Finally, it should be noted that in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

[0057] The technical solutions provided in this application have been described in detail above. Specific examples have been used to illustrate the principles and implementation methods of this application. The descriptions of the above embodiments are only intended to help understand the methods and core ideas of this application. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the ideas of this application. Therefore, the content of this specification should not be construed as a limitation of this application.

Claims

1. An interaction method based on a network twin security agent, characterized in that, The network twin security proxy is a security proxy set up between the intelligent agent and the client, wherein the method includes: When the current user is having an interactive session with the target intelligent agent through the client, the interaction request initiated by the current user is obtained; The credibility score and current session state of the current user are determined, and the data sensitivity level corresponding to the interaction request is determined; the credibility score is a score obtained by quantifying the current user's authentication method and historical behavior logs, and the current session state includes the log information of the current user in this interaction session; Based on the trust level information of the target intelligent agent, the trust score, and the data sensitivity level, an access qualification judgment operation is performed on the interaction request and the target intelligent agent; Based on the corresponding access qualification judgment result, it is determined whether the target intelligent agent should process the interaction request.

2. The interaction method based on a network twin security agent according to claim 1, characterized in that, Before obtaining the interaction request initiated by the current user, the method further includes: Obtain registration requests submitted by several intelligent agents; Based on the registration request, a security policy corresponding to each of the several intelligent agents is determined from a preset policy table; the security policy includes the trust level information, risk score and data access scope of the intelligent agent; Accordingly, the operation of determining the access eligibility of the interaction request and the target intelligent agent based on the trust level information of the target intelligent agent, the trust score, and the data sensitivity level includes: Determine the target policy corresponding to the target agent; Based on the credibility score, the data sensitivity level, and the credibility level information in the target policy, an access qualification judgment operation is performed on the interaction request and the target agent.

3. The interaction method based on a network twin security agent according to claim 1, characterized in that, Determining the current user's credibility score and current session state includes: The credibility score of the current user is obtained by weighting and quantifying the authentication method and historical behavior log of the current user according to the preset weight coefficients. By combining the credibility score, the current user's log information in this interaction session, and the duration of this interaction session, the current session state corresponding to the current user is generated in real time.

4. The interaction method based on network twin security agent according to claim 1, characterized in that, Determining the data sensitivity level corresponding to the interaction request includes: Sensitive information is identified in the data corresponding to the interaction request using a preset data identification method, and the data sensitivity level corresponding to the interaction request is determined based on the type of sensitive information identified. The preset data recognition method refers to data recognition performed through regular expression matching and / or large language model recognition and / or keyword matching.

5. The interaction method based on a network twin security agent according to claim 1, characterized in that, The access qualification determination operation for the interaction request and the target intelligent agent based on the trust level information of the target intelligent agent, the trust score, and the data sensitivity level includes: The trust level information, trust score, and data sensitivity level of the target intelligent agent are matched based on preset matching rules. Based on the corresponding matching results, an access qualification judgment result is output, which indicates whether the target intelligent agent has the qualification to access the interaction request.

6. The interaction method based on a network twin security agent according to any one of claims 1 to 5, characterized in that, The step of determining whether the target agent should process the interaction request based on the corresponding access qualification judgment result includes: If the corresponding access qualification determination result indicates that the target intelligent agent does not have the qualification to access the interaction request, then the first preset processing sub-process is triggered; the first preset processing sub-process is a data desensitization sub-process and / or a re-authentication sub-process; After the preset processing sub-process is executed successfully, the access qualification determination operation is re-executed.

7. The interaction method based on a network twin security agent according to claim 6, characterized in that, After re-executing the access qualification determination operation, the method further includes: If the new access qualification determination result obtained by re-executing the access qualification determination operation indicates that the target intelligent agent does not have the qualification to access the interaction request, then the second preset processing sub-process is triggered; the second preset processing sub-process is an access restriction sub-process and / or a user alarm sub-process.

8. An interactive device based on a network twin security agent, characterized in that, The network twin security proxy is a security proxy set up between the intelligent agent and the client, wherein the device includes: The interaction request acquisition module is used to acquire the interaction request initiated by the current user when the current user is having an interaction session with the target intelligent agent through the client; The information determination module is used to determine the credibility score and current session state of the current user, and to determine the data sensitivity level corresponding to the interaction request; the credibility score is a score obtained by quantification based on the authentication method and historical behavior logs of the current user, and the current session state includes the log information of the current user in this interaction session; The access qualification determination module is used to perform access qualification determination operations on the interaction request and the target intelligent agent based on the trust level information of the target intelligent agent, the trust score and the data sensitivity level; An interaction processing module is used to determine whether the target agent should process the interaction request based on the corresponding access qualification judgment result.

9. An electronic device, characterized in that, include: Memory, used to store computer programs; A processor for executing the computer program to implement the interaction method based on a network twin security agent as described in any one of claims 1 to 7.

10. A computer-readable storage medium, characterized in that, Used to store computer programs, which, when executed by a processor, implement the interaction method based on a network twin security agent as described in any one of claims 1 to 7.