A deep learning-based data flow risk analysis method

By using deep learning methods to model the entire data flow process, a unified semantic representation sequence is generated and risk analysis is performed. This addresses the shortcomings of existing technologies in risk link tracing and hierarchical management, and enables accurate risk identification and management of complex data flow processes.

CN122268660APending Publication Date: 2026-06-23WEIHAI MUDI INFORMATION TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
WEIHAI MUDI INFORMATION TECHNOLOGY CO LTD
Filing Date
2026-04-28
Publication Date
2026-06-23

AI Technical Summary

Technical Problem

Existing technologies are insufficient for tracing the source of risks and classifying risks in complex data flow processes. They also lack the ability to identify hidden relationships between multiple entities, paths, and steps, resulting in low accuracy in locating risk events and inaccurate management.

Method used

A data flow risk analysis method based on deep learning is adopted. By modeling multi-source heterogeneous data, a unified semantic representation sequence is generated. The improved MTAD-GAT model is used to perform link-level risk correlation analysis, cross-path risk propagation analysis, and multi-subject collaborative anomaly identification, generating dynamic risk representation vectors. Finally, the accurate location and hierarchical alarm of risk events are achieved.

Benefits of technology

It enables structured modeling of the entire complex data flow process, improves the accuracy and completeness of risk identification, can identify hidden risk behaviors, and provides standardized audit information and hierarchical alarms, thereby enhancing the interpretability and operability of data security management.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122268660A_ABST
    Figure CN122268660A_ABST
Patent Text Reader

Abstract

The application discloses a kind of based on deep learning's data flow risk analysis method, comprising the following steps: acquisition and pre-processing target data security management scene in multi-source heterogeneous flow data;Extract multi-dimensional flow features and execute connection determination and link organization processing;Perform cross-source semantic mapping, node type coding, relationship type coding and timing association alignment processing;Through improved MTAD-GAT model, execute semantic coding, relationship modeling and timing aggregation processing;Perform link-level risk association analysis, cross-path risk propagation analysis and multi-agent collaborative anomaly identification;Perform risk determination and grade division processing;Perform risk link positioning, audit record generation and alarm information output processing, generate data flow risk analysis result.The application utilizes data flow link modeling and dynamic risk analysis method, realizes complex flow risk identification, with the advantages of high accuracy and strong traceability.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of data security technology, and in particular to a data flow risk analysis method based on deep learning. Background Technology

[0002] As information systems continue to expand in scale and data interaction frequency increases, the flow of data in multiple stages, including generation, access, copying, transmission, storage, and outward distribution, becomes increasingly complex. Data security risks exhibit characteristics of being interconnected, involving multiple stakeholders, and dynamically evolving. Existing technologies typically detect single operational behaviors or localized anomalies based on log analysis or rule matching. By statistically analyzing user behavior data, system log data, and network transmission data, abnormal access or unauthorized operations can be identified, and to some extent, explicit data security risk events can be discovered.

[0003] However, existing technologies mostly focus on the analysis of single-time-point or single-dimensional data, lacking the ability to uniformly model the complete data flow chain. This makes it difficult to effectively characterize the hidden relationships between different entities, paths, and multiple steps, and results in insufficient ability to identify cross-path propagation risks and abnormal collaborative behaviors of multiple entities. Furthermore, existing methods lack joint analysis of temporal evolution characteristics and link structure characteristics during risk assessment, leading to low accuracy in locating risk events. This hinders the ability to trace the source of risks in complex data flow processes and to perform refined risk classification, thus limiting the accuracy and effectiveness of data security management.

[0004] Therefore, how to provide a data flow risk analysis method based on deep learning is a problem that urgently needs to be solved by those skilled in the art. Summary of the Invention

[0005] One objective of this invention is to propose a data flow risk analysis method based on deep learning. This invention utilizes data flow link modeling and dynamic risk analysis methods to identify complex flow risks, and has the advantages of high accuracy and strong traceability.

[0006] A data flow risk analysis method based on deep learning according to an embodiment of the present invention includes the following steps: Collect multi-source heterogeneous data in target data security management scenarios and perform preprocessing to generate standardized data transfer datasets; Based on a standardized data transfer dataset, multidimensional transfer features are extracted during the data transfer process, and connection determination and link organization processing are performed on the same data object to generate a set of data transfer links. Based on the data flow link set, cross-source semantic mapping, node type encoding, relation type encoding and temporal association alignment are performed to generate a unified semantic representation sequence corresponding to each data flow link; The unified semantic representation sequence is input into the improved MTAD-GAT model, and after semantic encoding, relation modeling and temporal aggregation, a dynamic risk representation vector is generated. Based on dynamic risk representation vectors, link-level risk correlation analysis, cross-path risk propagation analysis, and multi-entity collaborative anomaly identification are performed to generate a set of candidate risk events. Risk assessment and classification are performed based on the candidate risk event set to determine the target risk event set and generate the risk parameter set corresponding to each target risk event. Based on the target risk event set and risk parameter set, risk link location, audit record generation and alarm information output processing are performed to generate data flow risk analysis results.

[0007] Optionally, the multi-source heterogeneous data includes user behavior data, system log data, network transmission data, file operation data, terminal device data, subject identity data, and data object attribute data. The preprocessing includes time identifier unification, subject identifier alignment, device identifier alignment, data object identifier alignment, abnormal record removal, missing field completion, field format standardization, and cross-source association mapping processing.

[0008] Optionally, the generation of the data flow link set specifically includes: Based on user behavior data and subject identity data in the standardized circulating dataset, subject interaction features are extracted; Based on the terminal device data and user behavior data in the standardized transfer dataset, device session features are extracted; By combining network transmission data from the standardized transfer dataset, path transmission features are extracted. Based on file operation data and user behavior data in the standardized workflow dataset, extract operation behavior features; Extract semantic features of data objects by utilizing the attribute data of data objects in the standardized circulation dataset; Extract access permission features from subject identity data, terminal device data, user behavior data, and data object attribute data in the collaboratively standardized and transferred dataset; By associating user behavior data, system log data, network transmission data, and file operation data in the standardized data transfer dataset, temporal evolution features are extracted. Based on the subject interaction characteristics, device session characteristics, path transmission characteristics, operation behavior characteristics, data object semantic characteristics, access permission characteristics, and temporal evolution characteristics, adjacent connection determination processing is performed on the flow records in the standardized flow dataset of the same data object, and the flow records that meet the connection relationship are concatenated in chronological order to generate the initial data flow link. Based on the connection relationship between each flow record in the initial data flow link, link breakpoint identification, link branch identification, and link merging are performed to generate a set of data flow links for each data object.

[0009] Optionally, the generation of the unified semantic representation sequence specifically includes: Based on the data flow link set, extract the subject identifier, device identifier, path identifier, operation type identifier, data object identifier, access permission identifier, and time identifier corresponding to the flow record in each data flow link, and perform node organization on each flow record based on the extracted identifiers to generate a link node sequence; Based on the link node sequence and standardized flow dataset, extract the subject semantic information, device semantic information, path semantic information, operation semantic information, data object semantic information and permission semantic information corresponding to each link node to generate a multi-source semantic information set for the node; Based on the set of multi-source semantic information of nodes, the multi-source semantic information of the same link node is merged to generate cross-source semantic mapping results; Based on the cross-source semantic mapping results, node type labeling is performed on each link node to generate the node type encoding results corresponding to each link node. Based on the connection relationship between adjacent link nodes in the data flow link, the relationship classification processing is performed on the association direction and association content between each link node to generate the relationship type encoding result between each link node; Based on the time identifiers of each link node and the time sequence, time interval and stage transition status between each link node, the time sequence arrangement, the same time granularity consolidation and cross-step time sequence connection processing are performed on each link node to generate the time sequence association and alignment results corresponding to each data flow link. Based on the cross-source semantic mapping results, node type encoding results, relation type encoding results, and temporal association alignment results, the link nodes in each data flow link are serialized and organized according to the flow order to generate a unified semantic representation sequence.

[0010] Optionally, the generation of the dynamic risk representation vector specifically includes: The unified semantic representation sequence corresponding to each data flow link is input into the flow semantic sequence input module of the improved MTAD-GAT model, and reorganized into a flow semantic feature sequence containing subject, data object, device, path, operation, permission and sensitivity level according to a continuous time window; The transition semantic sequence input module is used to perform joint embedding, position association encoding and link context mapping on the transition semantic feature sequence to generate the initial transition semantic representation results corresponding to each consecutive time window; The initial flow semantic representation results corresponding to each continuous time window are input into the local temporal feature extraction module to extract the local sequential response information of each flow step within the window, thereby obtaining the local temporal feature sequence. Construct a heterogeneous flow relationship graph between subjects, data objects, devices, paths, operations, and permissions based on local temporal feature sequences; The heterogeneous flow graph attention modeling module performs attention aggregation processing on access relationships, replication relationships, transmission relationships, storage relationships, download relationships, outgoing relationships, and deletion relationships in the heterogeneous flow graph to generate link structure features; The local temporal feature sequence is input into the cross-step flow dependency attention modeling module, and cross-step dependency features are extracted based on the step connection relationship between data generation, access, copying, transmission, storage, downloading, outward transmission and deletion. The link structure features and cross-step dependency features are input into the temporal aggregation coding module, and inter-window aggregation coding is performed according to the time sequence of continuous time windows to generate temporal aggregation features. The temporal aggregation features are input into the risk characterization joint output module, which performs joint mapping on the link structure features, cross-step dependency features and temporal aggregation features to generate dynamic risk characterization vectors corresponding to each data flow link.

[0011] Optionally, the generation of the candidate risk event set specifically includes: The dynamic risk representation vectors corresponding to each data flow link are collected and arranged in time sequence according to the data object identifier, flow path identifier and continuous time window to obtain the link risk representation sequence. Based on the link risk characterization sequence corresponding to each data object, the main body association, path connection and operation continuation information are extracted and the link-level risk association strength is calculated to generate the link-level risk association analysis results. Based on the link-level risk association analysis results, data flow link groups with link-level risk association strength greater than the preset association threshold are selected, and association merging processing is performed on the selected data flow link groups to obtain cross-path risk propagation candidate link groups. Based on the candidate link group for cross-path risk propagation, the risk propagation relationship is determined and the propagation intensity is calculated to generate cross-path risk propagation analysis results; Based on dynamic risk representation vectors, link-level risk correlation analysis results, and cross-path risk propagation analysis results, we extract time-coordination anomaly information, object-sharing anomaly information, path relay anomaly information, operation serialization anomaly information, and permission complementarity anomaly information among multiple subjects, and perform joint judgment to obtain multi-subject coordination anomaly identification results. Based on the results of link-level risk correlation analysis, cross-path risk propagation analysis, and multi-entity collaborative anomaly identification, the link correlation risk value, path propagation risk value, and collaborative anomaly risk value corresponding to each data flow link group are determined and weighted and fused to obtain a comprehensive risk score. Data flow link groups with a comprehensive risk score greater than a preset risk threshold are selected, and events are aggregated based on data object identifier, source entity identifier, target entity identifier, flow path identifier, abnormal operation type, and risk occurrence time interval to generate a candidate risk event set.

[0012] Optionally, the determination of the target risk event set and the generation of the risk parameter set specifically include: Based on the data object identifier, source entity identifier, target entity identifier, transfer path identifier, and risk occurrence time interval, the candidate risk events in the candidate risk event set are grouped and time-series aligned to obtain candidate risk event groups; Risk aggregation is performed based on the number of events, frequency of events, risk score distribution, degree of subject overlap, degree of path overlap, and degree of time overlap in each candidate risk event group to determine the risk aggregation result corresponding to each candidate risk event group; Based on the risk aggregation results, extract the data object sharing relationship, subject relay relationship, path jump relationship, operation continuation relationship and time adjacency relationship between different candidate risk event groups, and perform association matching processing to obtain hidden association candidate event groups; Based on the hidden association candidate event group, perform hidden association determination, determine the hidden association strength between each hidden association candidate event group, and generate hidden association determination results; Based on the risk aggregation results and the hidden association determination results, cross-step consistency verification is performed on each candidate risk event group to obtain the cross-step consistency verification results. Based on the cross-step consistency verification results, determine the completeness of steps, the degree of step sequence deviation, the degree of subject behavior matching, the degree of path behavior matching, and the degree of permission usage matching for each candidate risk event group, and perform joint judgment to obtain the consistency judgment result. Based on the risk aggregation results, hidden association determination results, and consistency determination results, the aggregated risk value, association risk value, and consistency risk value corresponding to each candidate risk event group are determined respectively, and then weighted and fused to obtain the risk score value corresponding to each candidate risk event group. Based on the risk score values ​​corresponding to each candidate risk event group, risk level classification, event confirmation, and parameter extraction are performed to generate a target risk event set and a corresponding risk parameter set.

[0013] Optionally, the generation of the data flow risk analysis results specifically includes: Based on the set of target risk events and the set of risk parameters, the risk parameters of each target risk event are extracted and arranged in chronological order according to the time interval of risk occurrence, thus obtaining the risk event time sequence. Based on the time sequence of risk events, extract the data object connection relationship, subject transmission relationship, path continuation relationship, operation succession relationship and time adjacency relationship between target risk events, and perform association matching processing on adjacent target risk events to obtain the risk link association relationship; Based on the risk link association relationship, risk link location processing is performed to obtain the risk link location result; Based on the risk link location results and risk parameter set, perform audit field mapping, time sequence sorting and record assembly processing to generate audit records; Based on the target risk event set, risk parameter set, risk link location results and audit records, determine the alarm triggering conditions, alarm output level, alarm output content and alarm output object, and generate alarm output information; Based on the risk link location results, audit records, and alarm output information, the results are collected and processed to generate data flow risk analysis results.

[0014] The beneficial effects of this invention are: This invention employs structured modeling of the entire data flow process, unifying the semantic mapping and link organization of multi-source heterogeneous information such as user behavior data, system log data, network transmission data, and data object attributes. This constructs a complete set of data flow links and forms a unified semantic representation sequence, explicitly expressing the relationships between data at each stage of generation, access, replication, transmission, storage, and outward distribution. By introducing a modeling approach oriented towards data flow semantics, it achieves a unified characterization of complex relationships between multiple subjects, paths, and steps, effectively overcoming the information fragmentation problem caused by single-point or single-dimensional analysis in existing technologies, thereby enhancing the ability to perceive the overall structure of the data flow process.

[0015] Furthermore, this invention generates a dynamic risk representation vector by jointly modeling link structure features, cross-step dependency features, and temporal evolution features under continuous time windows. Based on this representation, it performs link-level risk correlation analysis, cross-path risk propagation analysis, and multi-agent collaborative anomaly identification, enabling the effective discovery of hidden relationships and risk propagation paths. Compared to existing methods that rely solely on static rules or local features, this invention can identify hidden risk behaviors across links and across agents, and achieve dynamic characterization of risk evolution processes in complex risk scenarios, thereby significantly improving the accuracy and completeness of risk identification.

[0016] At the risk assessment and output level, this invention constructs a set of candidate risk events and further performs risk aggregation assessment, hidden correlation assessment, cross-step consistency verification, and risk level classification processing. This transforms dispersed risk signals into structured risk events. Simultaneously, by combining risk link location, audit record generation, and alarm information output processing, a complete data flow risk analysis result is formed. This method not only enables precise location and link tracing of risk events but also provides standardized audit information and tiered alarm output, enhancing the interpretability and operability of data security management and improving overall security control capabilities and practical application value. Attached Figure Description

[0017] The accompanying drawings are provided to further illustrate the invention and form part of the specification. They are used in conjunction with embodiments of the invention to explain the invention and do not constitute a limitation thereof. In the drawings: Figure 1 This is a flowchart of a data flow risk analysis method based on deep learning proposed in this invention; Figure 2 This invention provides a flowchart for generating a unified semantic representation flowchart of a data flow risk analysis method based on deep learning. Figure 3 This is a flowchart illustrating the dynamic risk representation vector generation process of a data flow risk analysis method based on deep learning proposed in this invention. Detailed Implementation

[0018] The present invention will now be described in further detail with reference to the accompanying drawings. These drawings are simplified schematic diagrams, illustrating only the basic structure of the invention, and therefore only show the components relevant to the invention.

[0019] refer to Figures 1-3 A data flow risk analysis method based on deep learning includes the following steps: Collect multi-source heterogeneous data in target data security management scenarios and perform preprocessing to generate standardized data transfer datasets; Based on a standardized data transfer dataset, multidimensional transfer features are extracted during the data transfer process, and connection determination and link organization processing are performed on the same data object to generate a set of data transfer links. Based on the data flow link set, cross-source semantic mapping, node type encoding, relation type encoding and temporal association alignment are performed to generate a unified semantic representation sequence corresponding to each data flow link; The unified semantic representation sequence is input into the improved MTAD-GAT model, and after semantic encoding, relation modeling and temporal aggregation, a dynamic risk representation vector is generated. Based on dynamic risk representation vectors, link-level risk correlation analysis, cross-path risk propagation analysis, and multi-entity collaborative anomaly identification are performed to generate a set of candidate risk events. Risk assessment and classification are performed based on the candidate risk event set to determine the target risk event set and generate the risk parameter set corresponding to each target risk event. Based on the target risk event set and risk parameter set, risk link location, audit record generation and alarm information output processing are performed to generate data flow risk analysis results.

[0020] In this embodiment, the multi-source heterogeneous data includes user behavior data, system log data, network transmission data, file operation data, terminal device data, subject identity data, and data object attribute data. Preprocessing includes time identifier unification, subject identifier alignment, device identifier alignment, data object identifier alignment, abnormal record removal, missing field completion, field format standardization, and cross-source association mapping processing.

[0021] In this embodiment, the generation of the data flow link set specifically includes: Based on user behavior data and subject identity data in the standardized transfer dataset, the number of accesses, interaction direction, interaction frequency, interaction duration, interaction time interval, and permission matching status between the transfer initiator and the transfer receiver are extracted to obtain subject interaction features; Based on the terminal device data and user behavior data in the standardized transfer dataset, terminal login status, session establishment time, session duration, number of session switching, number of session interruptions, changes in terminal online status, and changes in terminal trust status are extracted to obtain device session features; By combining network transmission data from the standardized transfer dataset, source address information, destination address information, transmission channel type, cross-network segment hop status, number of path nodes, number of path changes, transmission delay distribution, and transmission dwell interval are extracted to obtain path transmission characteristics; Based on the file operation data and user behavior data in the standardized circulation dataset, the number of creation operations, access operations, copy operations, transmission operations, storage operations, download operations, outgoing operations, deletion operations, and the adjacent connection relationships between various operations are extracted to obtain operation behavior features; By utilizing the data object attribute data in the standardized flow dataset, we can extract the data name, data category, data business domain, data sensitivity level, data format type, data storage location, and data lifecycle status to obtain the semantic features of the data object. By analyzing the subject identity data, terminal device data, user behavior data, and data object attribute data in the collaborative standardized transfer dataset, we can extract the subject permission level, device permission level, path access permission, data object access control scope, operation authorization status, and approval status to obtain access permission features. By associating user behavior data, system log data, network transmission data, and file operation data in the standardized flow dataset, the temporal sequence relationship, interval length, burst density, periodic repetition state, and stage transition state between each flow record are extracted to obtain the temporal evolution characteristics. Based on subject interaction characteristics, device session characteristics, path transmission characteristics, operation behavior characteristics, data object semantic characteristics, access permission characteristics, and temporal evolution characteristics, adjacency connection determination processing is performed on the flow records in the standardized flow dataset of the same data object. Flow records that satisfy the connection relationship are then concatenated in chronological order to generate an initial data flow link. Adjacency connection determination includes: judging whether there is a valid interaction relationship between the subjects corresponding to adjacent flow records based on subject interaction characteristics; judging whether adjacent flow records are in the same session or a continuous session process based on device session characteristics; judging whether the data transmission path is continuous or reachable based on path transmission characteristics; judging whether the operation sequence between adjacent flow records conforms to the evolutionary relationship between data generation, access, copying, transmission, storage, downloading, outgoing, and deletion based on operation behavior characteristics; judging whether the data objects corresponding to adjacent flow records belong to the same semantic category or the same data instance based on data object semantic characteristics; judging whether the permission transfer between adjacent flow records satisfies access control constraints based on access permission characteristics; and judging whether the time interval between adjacent flow records satisfies the continuous flow condition based on temporal evolution characteristics. Based on the connection relationship between each flow record in the initial data flow link, link breakpoint identification, link branch identification and link merging are performed to generate a set of data flow links for each data object; Link breakpoint identification includes: checking the connection relationship between adjacent flow records in the initial data flow link one by one; when no connection relationship is established between adjacent flow records or the connection relationship is determined to not meet the preset conditions, the position between the adjacent flow records is marked as the breakpoint position; based on the breakpoint position, the initial data flow link is segmented into multiple independent flow path segments, and the starting flow record and ending flow record corresponding to each flow path segment are recorded; Link branch identification includes: statistical analysis of the subsequent connection relationships of each flow record in the initial data flow link; when there are multiple subsequent flow records that satisfy the connection relationship for the same flow record, the flow record is marked as the branch starting point; starting from the branch starting point, path extension processing is performed on each subsequent flow record to form multiple branch flow paths; each branch flow path is independently identified, and the forking relationship between the branch paths and the corresponding branch hierarchy structure are recorded.

[0022] The link merging process includes: comparing the termination records of different flow path segments in the initial data flow link; when the termination records of different flow path segments are connected to the same subsequent flow record and satisfy the connection relationship, the corresponding multiple flow path segments are marked as mergeable paths; performing path aggregation processing based on the mergeable paths, merging and connecting multiple flow path segments at the corresponding subsequent flow records to form an aggregated flow path; updating the path identifier of the merged flow path, and retaining the mapping relationship between the original path segments and the merged path.

[0023] In this embodiment, the generation of the unified semantic representation sequence specifically includes: Based on the data flow link set, extract the subject identifier, device identifier, path identifier, operation type identifier, data object identifier, access permission identifier, and time identifier corresponding to the flow record in each data flow link, and perform node organization on each flow record based on the extracted identifiers to generate a link node sequence; Based on the link node sequence and standardized flow dataset, extract the subject semantic information, device semantic information, path semantic information, operation semantic information, data object semantic information and permission semantic information corresponding to each link node to generate a multi-source semantic information set for the node; Based on the set of multi-source semantic information of nodes, the multi-source semantic information of the same link node is merged to generate cross-source semantic mapping results; Based on the cross-source semantic mapping results, node type labeling is performed on each link node to generate the node type encoding results corresponding to each link node. Based on the connection relationship between adjacent link nodes in the data flow link, the relationship classification processing is performed on the association direction and association content between each link node to determine the generation relationship, access relationship, copy relationship, transmission relationship, storage relationship, download relationship, outward transmission relationship, deletion relationship and permission transfer relationship, and generate the relationship type encoding result between each link node; Based on the time identifiers of each link node and the time sequence, time interval and stage transition status between each link node, the time sequence arrangement, the same time granularity consolidation and cross-step time sequence connection processing are performed on each link node to generate the time sequence association and alignment results corresponding to each data flow link. Based on the cross-source semantic mapping results, node type encoding results, relation type encoding results, and temporal association alignment results, the link nodes in each data flow link are serialized and organized according to the flow order to generate a unified semantic representation sequence.

[0024] In this embodiment, the generation of the dynamic risk representation vector specifically includes: The unified semantic representation sequence corresponding to each data flow link is input into the improved MTAD-GAT model's flow semantic sequence input module. It is then reorganized into a flow semantic feature sequence containing subjects, data objects, devices, paths, operations, permissions, and sensitivity levels according to continuous time windows. The process of obtaining the flow semantic feature sequence includes: segmenting the unified semantic representation sequence corresponding to each data flow link according to a preset continuous time window length and window sliding interval to obtain window sequence fragments corresponding to each continuous time window; performing field aggregation and location positioning on the subject identity semantic information, data object semantic information, device session semantic information, transmission path semantic information, operation behavior semantic information, permission constraint semantic information, and sensitivity level semantic information in each window sequence fragment to obtain a set of multidimensional semantic fragments corresponding to each continuous time window; performing fragment alignment, sequential arrangement, and associative splicing processing on the set of multidimensional semantic fragments corresponding to each continuous time window based on a unified time order, the same data flow link identifier, and the correlation positional relationship between the semantic information, forming windowed semantic combination fragments corresponding to each continuous time window; and finally, reorganizing the windowed semantic combination fragments according to the order of each continuous time window to obtain the flow semantic feature sequence. Compared to the existing MTAD-GAT model, the improvements of the improved MTAD-GAT model include: First, changing the input module from raw multivariate time series to input sequences of semantic features related to subject identity, data objects, device sessions, transmission paths, operational behaviors, permission constraints, and sensitivity levels. This allows the model to directly capture multi-source semantic information in each data flow link, improving the accuracy of the initial semantic representation results. Second, changing the graph attention modeling module from parallel graph attention modeling that only targets feature-dimensional correlation and temporal dependence to a heterogeneous flow relationship graph attention modeling module and a cross-step flow dependency attention modeling module. These modules respectively characterize the flow relationships between subjects, data objects, devices, paths, operations, and permissions, as well as the dependencies between consecutive steps in the data flow link, thereby enhancing the modeling capabilities of local temporal feature sequences and link structure features. Third, changing the output from a prediction-reconstruction joint output for anomaly detection to a risk representation joint output module, directly generating dynamic risk representation vectors for risk analysis in each data flow link, improving the application value of time-series aggregated features and the ability to identify, aggregate, and trace risk events. The improved MTAD-GAT model's loss function comprises three parts: link structure loss, cross-step dependency loss, and temporal aggregation error loss. The link structure loss uses mean squared error to measure the difference between the model output and the actual link relationship; the cross-step dependency loss uses mean absolute error to measure the deviation of consecutive step dependencies; and the temporal aggregation error loss uses root mean square error to measure the difference between the evolution of link features between windows and the actual trend. Model training employs a stochastic gradient descent algorithm to iteratively update the joint loss function, combined with momentum factor and weight decay for optimization. With the assistance of gradient clipping and early stopping strategies, the model is considered converged and training is stopped when the change in the joint loss function remains within a preset small range over several consecutive iterations and the prediction errors of the link structure features and cross-step dependency features in each consecutive time window reach a preset accuracy. The training parameters of the improved MTAD-GAT model include: mini-batch gradient training, with each training batch containing 256 data flow path samples; an initial learning rate of 0.001, which is gradually reduced exponentially during training; 500 training iterations, with each iteration performing one forward and backward propagation on all training samples; stochastic gradient descent algorithm used to update model parameters during optimization, combined with a momentum factor of 0.9 to accelerate convergence; and evaluation of the validation set every few iterations during training to monitor model performance and trigger an early stopping strategy. The flow semantic sequence input module performs joint embedding, position-associated encoding, and link context mapping on the flow semantic feature sequence to generate initial flow semantic representation results for each continuous time window. The joint embedding includes: segmenting the flow semantic feature sequence according to continuous time windows; extracting data fragments corresponding to the subject, data object, device, path, operation, permission, and sensitivity level in each continuous time window; converting each data fragment into a feature representation of uniform length; and then splicing and fusing the feature representations according to the order within the same data flow link to obtain the fusion result for the corresponding continuous time window. Location association encoding includes: determining the temporal position of each data segment in a continuous time window, the step position in the data flow link, the association position in node connection, and the preceding and following position in relation transmission; marking the order of each part of the fusion result according to the determined position; and then merging the ordered marked result with the original fusion result to obtain the location association result of the corresponding continuous time window. Link context mapping processing includes: determining the correspondence between steps before and after each consecutive time window based on the connection order between data generation, access, copying, transmission, storage, downloading, outgoing and deletion; assigning each part of the location association result to the corresponding step position and link position; and then combining the transmission relationship between adjacent steps, the association relationship between cross steps and the coordination relationship between different nodes in the same consecutive time window for merging processing to obtain the initial flow semantic representation result of each consecutive time window; The initial flow semantic representation results corresponding to each continuous time window are input into the local temporal feature extraction module to extract the local sequential response information of each flow step within the window, thereby obtaining the local temporal feature sequence. The local sequential response information includes: the time interval change information between adjacent flow steps within the same continuous time window, the triggering relationship information of the previous flow step to the next flow step, the operation execution order information corresponding to each flow step, the local path change information formed by multiple consecutive flow steps, the operation continuity change information of the same subject in consecutive steps, the switching change information of different devices or paths in consecutive steps, and the distribution density information of each flow step within the window. Based on local time-series feature sequences, a heterogeneous flow relationship graph is constructed between subjects, data objects, devices, paths, operations, and permissions. The construction of the heterogeneous flow relationship graph includes: extracting data corresponding to subjects, data objects, devices, paths, operations, and permissions from the local time-series feature sequences; separating and organizing the extracted data by category and establishing corresponding nodes for each category; determining the connection relationships between subjects and data objects, subjects and devices, devices and paths, paths and operations, and operations and permissions one by one based on the correspondence between adjacent records in the same data flow link; determining the start and end points for each connection relationship according to the sequential flow direction of data in the link; and aggregating all nodes belonging to the same continuous time window and their connection relationships to obtain the heterogeneous flow relationship graph. The heterogeneous flow graph attention modeling module performs attention aggregation processing on access, replication, transmission, storage, download, outbound, and deletion relationships in the heterogeneous flow graph to generate link structure features. Obtaining these link structure features involves: sequentially reading the corresponding start and end node information for each type of relationship in the heterogeneous flow graph; calculating the relationship strength between each node and its neighboring nodes, and weighting and fusing access frequency, replication count, transmission volume, storage operation count, download operation count, outbound behavior count, and deletion operation count; performing normalization processing on all adjacency relationships of each node to generate the attention weight distribution of the node to its neighbors; then weighting and summing the attention weights of each node with the feature values ​​of the corresponding relationships to obtain the local structure features of each node; finally, summing the local structure features of all nodes within a window to form the link structure features for each consecutive time window. The local temporal feature sequence is input into the cross-step flow dependency attention modeling module. Based on the step connection relationship between data generation, access, copying, transmission, storage, downloading, outgoing, and deletion, cross-step dependency features are extracted. The acquisition of cross-step dependency features includes: reading the data generation, access, copying, transmission, storage, downloading, outgoing, and deletion records sequentially for each data flow link in the local temporal feature sequence; calculating the initial dependency weight based on the triggering influence of the previous step on the subsequent flow step; adjusting and strengthening the initial dependency weight by combining the potential hidden correlation between non-adjacent steps; normalizing the dependency weights of all steps in each link to obtain the attention distribution between each step; and finally, weighted fusion of the normalized attention weights and step features to generate the cross-step dependency features of each data flow link within a continuous time window. Link structure features and cross-step dependency features are input into the temporal aggregation coding module. Inter-window aggregation coding is performed according to the chronological order of consecutive time windows to generate temporal aggregated features. The inter-window aggregation coding process includes: reading the link structure features and cross-step dependency features corresponding to each window according to the chronological order of consecutive time windows; matching the node and edge features of the same data flow links in adjacent consecutive time windows; calculating the difference in link structure features between adjacent windows for each link, including changes in node connection strength, relationship weight, and node activity; calculating the evolution of cross-step dependency features between adjacent windows, including changes in the triggering of preceding steps on subsequent steps, changes in the association strength of non-adjacent steps, and changes in attention weight between steps; weighting and fusing the link structure feature difference values ​​and the cross-step dependency evolution according to preset weights to form an inter-window aggregated representation for each link; repeating the above operations for all consecutive time windows, and combining and splicing the aggregated representations of each window in chronological order to obtain the complete temporal aggregated features. The temporal aggregation features are input into the risk representation joint output module, which performs joint mapping on the link structure features, cross-step dependency features, and temporal aggregation features to generate dynamic risk representation vectors corresponding to each data flow link. The joint mapping includes: aligning the input link structure features, cross-step dependency features, and temporal aggregation features according to the corresponding data flow links to ensure that each feature of the same link corresponds and matches within the same continuous time window; normalizing the aligned features to map the link structure features, cross-step dependency features, and temporal aggregation features to a unified numerical range; weighting and fusing each feature according to preset risk weights, integrating node activity, edge connection strength, step dependency attention, and inter-window evolution changes in calculation; accumulating and weighting the fusion results in chronological order within the continuous time window to obtain the risk contribution value of each data flow link in the current time window; repeating the processing for all continuous time windows and combining the risk contribution values ​​of each link in each window to generate dynamic risk representation vectors.

[0025] In this embodiment, the generation of the candidate risk event set specifically includes: The dynamic risk representation vectors corresponding to each data flow link are collected and arranged in time sequence according to the data object identifier, flow path identifier and continuous time window to obtain the link risk representation sequence. Based on the link risk characterization sequence corresponding to each data object, the entity association, path connection and operation continuation information are extracted respectively, and the link-level risk association strength is calculated to generate the link-level risk association analysis results; the calculation of the link-level risk association strength includes weighted fusion processing of the source entity association degree, target entity association degree, path connection degree and operation continuation degree. Based on the results of link-level risk association analysis, data flow link groups with link-level risk association strength greater than the preset association threshold are selected. Then, based on the shared data object, the sharing source subject, the sharing target subject, the shared flow path, and the continuous operation connection relationship, the selected data flow link groups are subjected to association merging processing to obtain cross-path risk propagation candidate link groups. Based on the candidate link group for cross-path risk propagation, the risk propagation relationship is determined and the propagation intensity is calculated to generate cross-path risk propagation analysis results; the calculation of propagation intensity includes the fusion processing of risk change magnitude, path switching frequency and subject switching frequency; Based on dynamic risk representation vectors, link-level risk correlation analysis results, and cross-path risk propagation analysis results, we extract time-coordination anomaly information, object-sharing anomaly information, path relay anomaly information, operation serialization anomaly information, and permission complementarity anomaly information among multiple subjects, and perform joint judgment to obtain multi-subject coordination anomaly identification results. Based on the results of link-level risk correlation analysis, cross-path risk propagation analysis, and multi-entity collaborative anomaly identification, the link correlation risk value, path propagation risk value, and collaborative anomaly risk value corresponding to each data flow link group are determined and weighted and fused to obtain a comprehensive risk score. Data flow link groups with a comprehensive risk score greater than a preset risk threshold are selected, and events are aggregated based on data object identifier, source entity identifier, target entity identifier, flow path identifier, abnormal operation type, and risk occurrence time interval to generate a candidate risk event set.

[0026] In this embodiment, the determination of the target risk event set and the generation of the risk parameter set specifically include: Based on the data object identifier, source entity identifier, target entity identifier, transfer path identifier, and risk occurrence time interval, the candidate risk events in the candidate risk event set are grouped and time-series aligned to obtain candidate risk event groups; Risk aggregation is performed based on the number of events, frequency of events, risk score distribution, subject overlap, path overlap, and time overlap in each candidate risk event group to determine the risk aggregation result corresponding to each candidate risk event group. The risk aggregation value corresponding to each candidate risk event group is the sum of the products of the quantity contribution value corresponding to the number of events, the frequency contribution value corresponding to the frequency of events, the score contribution value corresponding to the risk score distribution, the subject contribution value corresponding to the subject overlap, the path contribution value corresponding to the path overlap, and the time contribution value corresponding to the time overlap with the corresponding aggregation weight. Based on the risk aggregation results, extract the data object sharing relationship, subject relay relationship, path jump relationship, operation continuation relationship and time adjacency relationship between different candidate risk event groups, and perform association matching processing to obtain hidden association candidate event groups; The hidden association determination is performed based on the hidden association candidate event group to determine the hidden association strength between each hidden association candidate event group. The hidden association strength between each hidden association candidate event group is the sum of the products of the degree of data object sharing, the degree of subject relay, the degree of path jump, the degree of operation continuation, and the degree of temporal adjacency with the corresponding association weights, and the hidden association determination result is generated. Based on the risk aggregation results and the hidden association determination results, cross-step consistency checks are performed on the data generation, access, copying, transmission, storage, download, external transmission and deletion steps in each candidate risk event group to obtain the cross-step consistency check results. Based on the cross-step consistency verification results, determine the completeness of steps, the degree of step sequence deviation, the degree of subject behavior matching, the degree of path behavior matching, and the degree of permission usage matching for each candidate risk event group, and perform joint judgment to obtain the consistency judgment result. Based on the risk aggregation results, hidden association determination results, and consistency determination results, the aggregated risk value, association risk value, and consistency risk value corresponding to each candidate risk event group are determined respectively, and then weighted and fused to obtain the risk score value corresponding to each candidate risk event group. Based on the risk score value corresponding to each candidate risk event group, risk level classification, event confirmation, and parameter extraction are performed to generate a target risk event set and a corresponding risk parameter set. The risk parameter set includes data object identifier, source entity identifier, target entity identifier, flow path identifier, risk type identifier, risk level identifier, risk score value, and risk occurrence time interval.

[0027] In this embodiment, the generation of data flow risk analysis results specifically includes: Based on the set of target risk events and the set of risk parameters, the risk parameters of each target risk event are extracted and arranged in chronological order according to the time interval of risk occurrence, thus obtaining the risk event time sequence. Based on the time sequence of risk events, extract the data object connection relationship, subject transmission relationship, path continuation relationship, operation succession relationship and time adjacency relationship between target risk events, and perform association matching processing on adjacent target risk events to obtain the risk link association relationship; Risk link location processing is performed based on the risk link association to obtain risk link location results. Risk link location processing includes: determining the starting position, transmission position and termination position of each target risk event in the risk propagation process based on the risk link association, and marking the link position of each target risk event in combination with the risk occurrence time interval and flow path identifier to generate risk link location results. Based on the risk link location results and risk parameter set, perform audit field mapping, time sequence sorting and record assembly processing to generate audit records; Based on the target risk event set, risk parameter set, risk link location results and audit records, determine the alarm triggering conditions, alarm output level, alarm output content and alarm output object, and generate alarm output information; Based on the risk link location results, audit records, and alarm output information, the results are collected and processed to generate data flow risk analysis results.

[0028] Example 1: To verify the feasibility of the present invention in practice, it was applied to a data security management scenario of a large enterprise. In this scenario, there are a large number of cross-system data flow behaviors, involving office systems, business systems, database systems and external interface platforms. Different employees access, copy, download and send sensitive data through multiple terminal devices. Data flows frequently between multiple entities and multiple paths. Traditional log rule-based detection methods are difficult to identify hidden risk behaviors formed by cross-system and multi-step connections. There are problems such as difficulty in restoring risk links, difficulty in associating abnormal behaviors and inaccurate risk level classification.

[0029] In this scenario, user behavior data, system log data, network transmission data, file operation data, and terminal device data within the enterprise are first collected uniformly. Data from different systems is then time-aligned, subject-identified, and associated with data objects to form a standardized data flow dataset. Based on this, data generation, access, copying, transmission, storage, and outward distribution behaviors are associated and organized to construct a set of data flow links. Furthermore, a unified semantic representation sequence is generated through cross-source semantic mapping, node type encoding, relation type encoding, and time-series association alignment. This sequence is then input into an improved model to obtain a dynamic risk table corresponding to each data flow link. The system employs a characteristic vector to analyze the relationships, propagation patterns, and multi-entity collaborative behaviors between different links, identifying potential risk links. During this identification process, multiple links with shared data objects, inter-entity relay, and path connection relationships are aggregated for further analysis to uncover risk behaviors propagating across paths. The evolution of risks is then characterized by temporal correlations. Based on this, the system locates the links of identified risk events, clarifying the starting, transmission, and ending points of risks in the data flow process. Corresponding audit records are generated, and alarm information is output based on risk level and propagation scope, thus achieving a comprehensive analysis of risks in complex data flow.

[0030] By applying the above scenarios, the flow trajectory of data across different time periods, entities, and paths can be fully reconstructed. Operations originally scattered across multiple systems are organized into a continuous data flow chain, revealing hidden cross-step relationships, clearly locating risk propagation paths, accurately reflecting the entire data flow process in audit records, and covering key risk points with alarm information. Compared to traditional methods relying solely on single-point log analysis, this invention enables unified identification of multi-link collaborative risks within the same time frame and data environment. This makes the data flow risk analysis process more complete, more interconnected, and more traceable, thereby effectively improving the accuracy and reliability of data security management.

[0031] Table 1. Performance Comparison of the Invention and Traditional Data Flow Risk Analysis Methods

[0032] As can be clearly seen from Table 1, the method of the present invention is superior to the traditional method in many indicators.

[0033] In terms of risk identification accuracy, the traditional method achieves 88.2%, while the method of this invention achieves 91.4%, an improvement of 3.2 percentage points. This improvement stems from the fact that this invention integrates multi-source data through a unified semantic representation sequence, enabling user behavior data, system log data, and network transmission data to be expressed within the same semantic space. This reduces identification bias caused by data dispersion and improves overall identification capability.

[0034] Regarding the accuracy of risk link location, the traditional method achieves 82.6%, while this invention reaches 87.1%, an improvement of 4.5 percentage points. This improvement is mainly attributed to the heterogeneous flow relationship graph modeling, which structurally represents the relationships between subjects, data objects, devices, and paths. Combined with temporal correlation alignment processing, the preceding and following relationships within the link become clearer, thereby enhancing the accuracy of risk link location.

[0035] The multi-agent anomaly detection rate increased from 78.9% to 84.3%, a rise of 5.4 percentage points. This improvement stems from a cross-step flow dependency modeling mechanism. By analyzing the dependencies between data generation, access, transmission, and outward transmission steps, the collaborative behavior of multiple agents can be continuously identified, thereby enhancing the ability to capture complex anomaly patterns.

[0036] In terms of processing efficiency, the average processing latency was reduced from 176ms to 158ms, a reduction of 18ms. This result demonstrates that the present invention, by structuring the semantic features of the flow and combining them with temporal aggregation features to reduce redundant calculations, makes the overall processing flow more compact, thereby improving processing efficiency while ensuring analytical accuracy.

[0037] The alarm effectiveness rate increased from 83.7% to 89.1%, a rise of 5.4 percentage points. This improvement is mainly attributed to the risk aggregation judgment and consistency verification mechanism, which reduces false alarms triggered by a single anomaly by comprehensively analyzing multiple links, making the output alarms more focused on real risk events.

[0038] The completeness of audit records improved from 85.4% to 91.2%, an increase of 5.8 percentage points. This improvement stems from risk link location and time sequence alignment, which enables the complete connection of various operational behaviors during data flow, thereby enhancing the audit records' coverage of the entire data flow process.

[0039] The above are merely preferred embodiments of the present invention, but the scope of protection of the present invention is not limited thereto. Any equivalent substitutions or modifications made by those skilled in the art within the scope of the technology disclosed in the present invention, based on the technical solution and inventive concept of the present invention, should be covered within the scope of protection of the present invention.

Claims

1. A data flow risk analysis method based on deep learning, characterized in that, Includes the following steps: Collect multi-source heterogeneous data in target data security management scenarios and perform preprocessing to generate standardized data transfer datasets; Based on a standardized data transfer dataset, multidimensional transfer features are extracted during the data transfer process, and connection determination and link organization processing are performed on the same data object to generate a set of data transfer links. Based on the data flow link set, cross-source semantic mapping, node type encoding, relation type encoding and temporal association alignment are performed to generate a unified semantic representation sequence corresponding to each data flow link; The unified semantic representation sequence is input into the improved MTAD-GAT model, and after semantic encoding, relation modeling and temporal aggregation, a dynamic risk representation vector is generated. Based on dynamic risk representation vectors, link-level risk correlation analysis, cross-path risk propagation analysis, and multi-entity collaborative anomaly identification are performed to generate a set of candidate risk events. Risk assessment and classification are performed based on the candidate risk event set to determine the target risk event set and generate the risk parameter set corresponding to each target risk event. Based on the target risk event set and risk parameter set, risk link location, audit record generation and alarm information output processing are performed to generate data flow risk analysis results.

2. The data flow risk analysis method based on deep learning according to claim 1, characterized in that, The multi-source heterogeneous data includes user behavior data, system log data, network transmission data, file operation data, terminal device data, subject identity data, and data object attribute data. The preprocessing includes time identifier unification, subject identifier alignment, device identifier alignment, data object identifier alignment, abnormal record removal, missing field completion, field format standardization, and cross-source association mapping processing.

3. The data flow risk analysis method based on deep learning according to claim 1, characterized in that, The generation of the data flow link set specifically includes: Based on user behavior data and subject identity data in the standardized circulating dataset, subject interaction features are extracted; Based on the terminal device data and user behavior data in the standardized transfer dataset, device session features are extracted; By combining network transmission data from the standardized transfer dataset, path transmission features are extracted. Based on file operation data and user behavior data in the standardized workflow dataset, extract operation behavior features; Extract semantic features of data objects by utilizing the attribute data of data objects in the standardized circulation dataset; Extract access permission features from subject identity data, terminal device data, user behavior data, and data object attribute data in the collaboratively standardized and transferred dataset; By associating user behavior data, system log data, network transmission data, and file operation data in the standardized data transfer dataset, temporal evolution features are extracted. Based on the subject interaction characteristics, device session characteristics, path transmission characteristics, operation behavior characteristics, data object semantic characteristics, access permission characteristics, and temporal evolution characteristics, adjacent connection determination processing is performed on the flow records in the standardized flow dataset of the same data object, and the flow records that meet the connection relationship are concatenated in chronological order to generate the initial data flow link. Based on the connection relationship between each flow record in the initial data flow link, link breakpoint identification, link branch identification, and link merging are performed to generate a set of data flow links for each data object.

4. The data flow risk analysis method based on deep learning according to claim 1, characterized in that, The generation of the unified semantic representation sequence specifically includes: Based on the data flow link set, extract the subject identifier, device identifier, path identifier, operation type identifier, data object identifier, access permission identifier, and time identifier corresponding to the flow record in each data flow link, and perform node organization on each flow record based on the extracted identifiers to generate a link node sequence; Based on the link node sequence and standardized flow dataset, extract the subject semantic information, device semantic information, path semantic information, operation semantic information, data object semantic information and permission semantic information corresponding to each link node to generate a multi-source semantic information set for the node; Based on the set of multi-source semantic information of nodes, the multi-source semantic information of the same link node is merged to generate cross-source semantic mapping results; Based on the cross-source semantic mapping results, node type labeling is performed on each link node to generate the node type encoding results corresponding to each link node. Based on the connection relationship between adjacent link nodes in the data flow link, the relationship classification processing is performed on the association direction and association content between each link node to generate the relationship type encoding result between each link node; Based on the time identifiers of each link node and the time sequence, time interval and stage transition status between each link node, the time sequence arrangement, the same time granularity consolidation and cross-step time sequence connection processing are performed on each link node to generate the time sequence association and alignment results corresponding to each data flow link. Based on the cross-source semantic mapping results, node type encoding results, relation type encoding results, and temporal association alignment results, the link nodes in each data flow link are serialized and organized according to the flow order to generate a unified semantic representation sequence.

5. The data flow risk analysis method based on deep learning according to claim 1, characterized in that, The generation of the dynamic risk representation vector specifically includes: The unified semantic representation sequence corresponding to each data flow link is input into the flow semantic sequence input module of the improved MTAD-GAT model, and reorganized into a flow semantic feature sequence containing subject, data object, device, path, operation, permission and sensitivity level according to a continuous time window; The transition semantic sequence input module is used to perform joint embedding, position association encoding and link context mapping on the transition semantic feature sequence to generate the initial transition semantic representation results corresponding to each consecutive time window; The initial flow semantic representation results corresponding to each continuous time window are input into the local temporal feature extraction module to extract the local sequential response information of each flow step within the window, thereby obtaining the local temporal feature sequence. Construct a heterogeneous flow relationship graph between subjects, data objects, devices, paths, operations, and permissions based on local temporal feature sequences; The heterogeneous flow graph attention modeling module performs attention aggregation processing on access relationships, replication relationships, transmission relationships, storage relationships, download relationships, outgoing relationships, and deletion relationships in the heterogeneous flow graph to generate link structure features; The local temporal feature sequence is input into the cross-step flow dependency attention modeling module, and cross-step dependency features are extracted based on the step connection relationship between data generation, access, copying, transmission, storage, downloading, outward transmission and deletion. The link structure features and cross-step dependency features are input into the temporal aggregation coding module, and inter-window aggregation coding is performed according to the time sequence of continuous time windows to generate temporal aggregation features. The temporal aggregation features are input into the risk characterization joint output module, which performs joint mapping on the link structure features, cross-step dependency features and temporal aggregation features to generate dynamic risk characterization vectors corresponding to each data flow link.

6. The data flow risk analysis method based on deep learning according to claim 1, characterized in that, The generation of the candidate risk event set specifically includes: The dynamic risk representation vectors corresponding to each data flow link are collected and arranged in time sequence according to the data object identifier, flow path identifier and continuous time window to obtain the link risk representation sequence. Based on the link risk characterization sequence corresponding to each data object, the main body association, path connection and operation continuation information are extracted and the link-level risk association strength is calculated to generate the link-level risk association analysis results. Based on the link-level risk association analysis results, data flow link groups with link-level risk association strength greater than the preset association threshold are selected, and association merging processing is performed on the selected data flow link groups to obtain cross-path risk propagation candidate link groups. Based on the candidate link group for cross-path risk propagation, the risk propagation relationship is determined and the propagation intensity is calculated to generate cross-path risk propagation analysis results; Based on dynamic risk representation vectors, link-level risk correlation analysis results, and cross-path risk propagation analysis results, we extract time-coordination anomaly information, object-sharing anomaly information, path relay anomaly information, operation serialization anomaly information, and permission complementarity anomaly information among multiple subjects, and perform joint judgment to obtain multi-subject coordination anomaly identification results. Based on the results of link-level risk correlation analysis, cross-path risk propagation analysis, and multi-entity collaborative anomaly identification, the link correlation risk value, path propagation risk value, and collaborative anomaly risk value corresponding to each data flow link group are determined and weighted and fused to obtain a comprehensive risk score. Data flow link groups with a comprehensive risk score greater than a preset risk threshold are selected, and events are aggregated based on data object identifier, source entity identifier, target entity identifier, flow path identifier, abnormal operation type, and risk occurrence time interval to generate a candidate risk event set.

7. The data flow risk analysis method based on deep learning according to claim 1, characterized in that, The determination of the target risk event set and the generation of the risk parameter set specifically include: Based on the data object identifier, source entity identifier, target entity identifier, transfer path identifier, and risk occurrence time interval, the candidate risk events in the candidate risk event set are grouped and time-series aligned to obtain candidate risk event groups; Risk aggregation is performed based on the number of events, frequency of events, risk score distribution, degree of subject overlap, degree of path overlap, and degree of time overlap in each candidate risk event group to determine the risk aggregation result corresponding to each candidate risk event group; Based on the risk aggregation results, extract the data object sharing relationship, subject relay relationship, path jump relationship, operation continuation relationship and time adjacency relationship between different candidate risk event groups, and perform association matching processing to obtain hidden association candidate event groups; Based on the hidden association candidate event group, perform hidden association determination, determine the hidden association strength between each hidden association candidate event group, and generate hidden association determination results; Based on the risk aggregation results and the hidden association determination results, cross-step consistency verification is performed on each candidate risk event group to obtain the cross-step consistency verification results. Based on the cross-step consistency verification results, determine the completeness of steps, the degree of step sequence deviation, the degree of subject behavior matching, the degree of path behavior matching, and the degree of permission usage matching for each candidate risk event group, and perform joint judgment to obtain the consistency judgment result. Based on the risk aggregation results, hidden association determination results, and consistency determination results, the aggregated risk value, association risk value, and consistency risk value corresponding to each candidate risk event group are determined respectively, and then weighted and fused to obtain the risk score value corresponding to each candidate risk event group. Based on the risk score values ​​corresponding to each candidate risk event group, risk level classification, event confirmation, and parameter extraction are performed to generate a target risk event set and a corresponding risk parameter set.

8. The data flow risk analysis method based on deep learning according to claim 1, characterized in that, The generation of the data flow risk analysis results specifically includes: Based on the set of target risk events and the set of risk parameters, the risk parameters of each target risk event are extracted and arranged in chronological order according to the time interval of risk occurrence, thus obtaining the risk event time sequence. Based on the time sequence of risk events, extract the data object connection relationship, subject transmission relationship, path continuation relationship, operation succession relationship and time adjacency relationship between target risk events, and perform association matching processing on adjacent target risk events to obtain the risk link association relationship; Based on the risk link association relationship, risk link location processing is performed to obtain the risk link location result; Based on the risk link location results and risk parameter set, perform audit field mapping, time sequence sorting and record assembly processing to generate audit records; Based on the target risk event set, risk parameter set, risk link location results and audit records, determine the alarm triggering conditions, alarm output level, alarm output content and alarm output object, and generate alarm output information; Based on the risk link location results, audit records, and alarm output information, the results are collected and processed to generate data flow risk analysis results.