A log behavior analysis-based level protection risk identification method

By constructing behavioral semantic vectors and dynamic topology structures, the problem of biased risk identification results in existing technologies is solved, and a high-sensitivity identification of covert attacks in network information systems is achieved.

CN122293433APending Publication Date: 2026-06-26WUHAN DINGBAO EVALUATION CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
WUHAN DINGBAO EVALUATION CO LTD
Filing Date
2026-05-19
Publication Date
2026-06-26

AI Technical Summary

Technical Problem

When faced with complex access scenarios, existing technologies, operating through static rules, struggle to accurately capture the true intentions of subjects moving dynamically over continuous time periods, leading to biased risk identification results and failing to effectively protect network information security.

Method used

By constructing behavioral semantic vectors and establishing a dynamic topology, the connectivity differences between the baseline and the current log node are accurately mapped. The risk ratio is calculated by extracting the topology deviation trajectory, and the mapping change sequence within a continuous time window is tracked to perform weighted deviation calibration, thus fully restoring the hidden dangerous behavioral intentions in the spatiotemporal dimension.

Benefits of technology

It significantly improves the sensitivity to identify multi-step covert attacks, breaks through the limitations of single-point static analysis, and accurately identifies potential risks in network information systems.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122293433A_ABST
    Figure CN122293433A_ABST
Patent Text Reader

Abstract

This invention relates to the field of internet security service technology, specifically to a method for identifying graded protection risks based on log behavior analysis. The method includes the following steps: collecting identifiers of subjects and accessed resources, as well as semantic vectors of security level construction behavior; constructing a current and baseline log topology according to generation time; calculating the difference in semantic vectors of topology elements to construct a mapping relationship set; extracting non-overlapping edges from the relationship set to calculate the security level risk ratio and generate a baseline result; and extracting the last value of the continuous window mapping change trajectory and weighting and adjusting the baseline result to generate a graded protection risk identification result. In this invention, by fusing multi-dimensional identifiers and security level construction semantic vectors and establishing a dynamic topology according to time sequence, mapping log connectivity differences to uncover node evolution, this method overcomes the limitations of single-point static analysis. It extracts deviation trajectories to calculate risk ratios and tracks continuous window mapping change sequences, performs weighted deviation calibration on abnormally active subject trajectories, restores concealed dangerous intentions, and improves the sensitivity of multi-step attack identification.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of internet security service technology, and in particular to a method for identifying graded protection risks based on log behavior analysis. Background Technology

[0002] The field of Internet security service technology mainly involves core matters such as security protection, risk monitoring, vulnerability detection, intrusion prevention, data encryption and identity authentication of networks and information systems. It includes the overall management of security policy design for information system operating environments, log data collection and analysis, abnormal behavior identification, access control and security policies, and provides technical support for the discovery, analysis and response to network security incidents. It systematically covers the entire process of information collection, data processing, threat identification and risk assessment.

[0003] The traditional method of identifying information security risks based on log behavior analysis refers to identifying different levels of information security risks by collecting, organizing and analyzing the characteristics of information system log data. It usually adopts methods such as log event classification, behavior pattern extraction, risk indicator calculation and level division to analyze and statistically process access records, operation events and abnormal behaviors in system logs one by one, establish a risk identification rule base, and determine the level and risk of multiple types of security events based on log behavior characteristics.

[0004] Existing technologies rely on checking system logs one by one and matching feature rules to determine security risks. The static rule operation mode shows obvious limitations when facing complex access scenarios. Because it analyzes single operation events in isolation and lacks overall control over the characteristics of behavioral sequences, it is difficult to accurately capture the true intentions of the subject's dynamic flow within a continuous time period. It is difficult to reconstruct the coherent context of events based on fragmented data, which can easily lead to the omission of deep-seated abnormal behaviors across different operation nodes, thereby causing deviations in risk identification results and failing to effectively protect network information security. Summary of the Invention

[0005] To achieve the above objectives, the present invention adopts the following technical solution: a method for identifying graded protection risks based on log behavior analysis, comprising the following steps:

[0006] S1: Collect the operation subject identifier, access resource identifier, classification identifier and security level of the centralized log management hardware device, perform mapping calculation on the operation subject identifier, access resource identifier and classification identifier and combine them with the security level of the security level to construct a behavior semantic vector;

[0007] S2: Collect the generation time corresponding to the behavior semantic vector, and make directed connections to the behavior semantic vector in chronological order to obtain the current log topology. Collect logs in independent time periods and establish directed edges according to the same directed connection logic to construct the baseline log topology.

[0008] S3: Based on the baseline behavior element of the baseline log topology and the current behavior element of the current log topology, extract the associated behavior semantic vector and perform difference accumulation calculation. Determine the element pairs whose difference accumulation result does not reach the preset mapping threshold, and construct a mapping relationship set.

[0009] S4: Based on the mapping relationship set, obtain the current and benchmark predecessor element set, extract non-overlapping connection edges and obtain the associated grade protection level, calculate and quantify the risk ratio of the number of grade protection levels exceeding the preset risk definition benchmark to the total number of non-overlapping connection edges, and generate grade protection risk benchmark results.

[0010] S5: Obtain the mapping relationship set within a continuous time window, extract the mapping change frequency trajectory sequence of the same operation subject identifier within the continuous time window and determine the upward trend, extract the last change value of the upward segment in the change frequency trajectory sequence and perform weighted deviation adjustment on the graded protection risk benchmark result, and generate graded protection risk identification result.

[0011] As a further embodiment of the present invention, the behavioral semantic vector includes an operation subject identifier, an access resource identifier, a classification identifier, and a security level classification; the baseline log topology includes log data, directed connection relationships, and time period identifiers; the mapping relationship set includes difference accumulation results, threshold matching element pairs, and associated behavioral semantic vectors; the security level classification risk baseline result includes the current predecessor element set, the baseline predecessor element set, and the associated security level classification; and the security level classification risk identification result includes a mapping change frequency trajectory sequence, an upward trend segment, and a last-place change result.

[0012] As a further aspect of the present invention, the specific steps of S1 are as follows:

[0013] S101: Collect the operation subject identifier, access resource identifier and category identifier through centralized log management hardware device and perform discrete encoding. Convert the character identifier into integer index according to the preset numbering rules, sequentially concatenate multiple indices and perform consistency verification to obtain the identifier mapping value sequence.

[0014] S102: Based on the identified mapping numerical sequence, obtain the security level parameters and insert them into the end of the sequence and align their positions. Rearrange multiple segments of the sequence according to a fixed order rule, and perform interval verification on the rearranged values ​​to eliminate out-of-bounds values, thereby generating a security level combination sequence.

[0015] S103: Perform vectorization transformation on the density-level combination sequence, map multiple values ​​in the sequence to multi-dimensional coordinate axes, perform normalization scaling calculation on multiple coordinate dimension values, and arrange the normalized feature values ​​in order and concatenate the dimensions to obtain the behavioral semantic vector.

[0016] As a further aspect of the present invention, the specific steps of S2 are as follows:

[0017] S201: Collect the generation time corresponding to the behavior semantic vector, compare the numerical values ​​of multiple generation times, analyze the ascending time series according to the chronological order, perform coordinate mapping and rearrangement of the behavior semantic vector, determine and filter out unmatched timestamp detached vectors, and establish a time-series semantic vector set.

[0018] S202: Call the time-series semantic vector set and perform directed edge mapping on multiple vectors, set a one-way connection path from the preceding vector to the following vector, perform hierarchical stacking and network graph calculation on the path parameters, integrate the distribution status of all one-way connection paths and extract the vector association topology structure to generate the current log topology;

[0019] S203: Extract associated edge paths based on the current log topology, collect logs corresponding to independent time periods, perform time-series mapping and transformation on the logs, calculate the establishment of edges according to the edge paths, determine isolated vectors and remove their coordinates, assemble the remaining edge structure relationships, and obtain the baseline log topology.

[0020] As a further aspect of the present invention, the specific steps of S3 are as follows:

[0021] S301: Extract the baseline behavior element of the baseline log topology and the current behavior element of the current log topology, collect the behavior semantic vector associated with the baseline behavior element, perform vector coordinate dimension-by-dimensional difference operation and accumulate the multi-component sequence item by item to obtain the vector difference accumulation sequence.

[0022] S302: Based on the vector difference accumulation sequence, detect multiple accumulated values ​​and obtain a preset mapping threshold parameter, perform a value comparison operation between the multiple accumulated values ​​and the mapping threshold, mark the element pairs whose accumulated values ​​have not reached the mapping threshold, and generate a difference compliance element index set.

[0023] S303: Based on the difference compliance element index set, extract the corresponding current behavior element and the benchmark behavior element combination pair, perform element pair association binding and analyze the bidirectional mapping record structure, integrate all mapping records, and establish a mapping relationship set.

[0024] As a further aspect of the present invention, the mapping threshold is determined by collecting a vector distance sample set of benchmark logs, calculating the statistical mean and standard deviation of the distance parameters within the sample set, retrieving the tolerance factor to perform a weighted product calculation on the standard deviation, and summing the weighted product value with the statistical mean.

[0025] As a further aspect of the present invention, the specific steps of S4 are as follows:

[0026] S401: Based on the mapping relationship set, obtain the current predecessor element set and the reference predecessor element set, perform set difference operation, match the element identifiers in the current predecessor element set with the element identifiers in the reference predecessor element set item by item, compare the unmatched connection edge identifiers and extract the index to obtain the non-overlapping connection edge index set.

[0027] S402: Extract multiple connection edges associated with the security level protection level based on the non-overlapping connection edge index set, call the preset risk assessment benchmark to compare the values ​​item by item, record the number of records whose security level values ​​exceed the risk assessment benchmark, and calculate the ratio of the number of records to the total number of connection edges to obtain the security level over-limit ratio.

[0028] S403: Quantify the risk of the above-mentioned security level exceeding the limit, map the ratio value to the risk interval identifier sequence, and perform interval classification judgment based on the interval boundary to generate the graded protection risk benchmark result.

[0029] As a further aspect of the present invention, the risk assessment benchmark is determined by collecting abnormal behavior record samples, extracting the security level values ​​associated with the samples, calculating the statistical mean and standard deviation of the security level values, and using a preset risk weight coefficient to perform a weighted summation operation on the standard deviation and mean.

[0030] As a further aspect of the present invention, the specific steps of S5 are as follows:

[0031] S501: Obtain the mapping relationship set within a continuous time window, perform differential counting on the mapping identifiers corresponding to the same operation subject identifier in multiple time windows, and perform discrete sequence encoding on the number of changes of the mapping identifiers in adjacent windows to obtain the change number trajectory sequence;

[0032] S502: Based on the trajectory sequence of the number of changes, compare the values ​​of adjacent elements, determine the size relationship between the value of the next item and the value of the previous item, mark the position index that satisfies the increasing relationship and splice the continuous intervals, extract the value set corresponding to the end position of multiple continuous increasing intervals, and generate the end value set of the increasing segment.

[0033] S503: Based on the set of last values ​​of the incremental segments, call the risk benchmark result of the graded protection system, calculate the difference between the last values ​​of multiple segments and the risk benchmark value, and perform weighted correction by combining the preset risk weight coefficient. Then, aggregate and map the corrected values ​​to generate the graded protection risk identification result.

[0034] Compared with the prior art, the advantages and positive effects of the present invention are as follows:

[0035] In this invention, a semantic vector is constructed by fusing multi-dimensional operation identifiers with security level features and establishing a dynamic topology structure according to temporal correlation. This accurately maps the differences in connectivity between the baseline and the current log node, fully explores the potential evolutionary paths between different access nodes, breaks through the constraints of single-point static analysis, calculates the risk ratio by extracting topology deviation trajectories and tracks the mapping change sequence within a continuous time window, performs weighted deviation calibration on the abnormally active trajectories of the operation subject, fully restores the hidden dangerous behavioral intentions in the spatiotemporal dimension, and significantly improves the sensitivity of identifying multi-step covert attacks. Attached Figure Description

[0036] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0037] Figure 1 This is a schematic diagram of the steps of the present invention;

[0038] Figure 2 This is a detailed schematic diagram of S1 of the present invention;

[0039] Figure 3 This is a detailed schematic diagram of S2 of the present invention;

[0040] Figure 4 This is a detailed schematic diagram of S3 of the present invention;

[0041] Figure 5 This is a detailed schematic diagram of S4 of the present invention;

[0042] Figure 6 This is a detailed schematic diagram of S5 of the present invention. Detailed Implementation

[0043] The technical solution of the present invention will now be described with reference to the accompanying drawings.

[0044] To make the technical problems, technical solutions and advantages of the present invention clearer, a detailed description will be given below in conjunction with the accompanying drawings and specific embodiments.

[0045] Please see Figure 1 This invention provides a method for identifying graded protection risks based on log behavior analysis, comprising the following steps:

[0046] S1: Collect the operation subject identifier, access resource identifier, classification identifier and security level of the centralized log management hardware device, perform mapping calculation on the operation subject identifier, access resource identifier and classification identifier and combine them with the security level of the security level to construct a behavior semantic vector;

[0047] S2: Collect the generation time corresponding to the behavior semantic vector, and make directed connections to the behavior semantic vector in chronological order to obtain the current log topology. Collect logs in independent time periods and establish directed edges according to the same directed connection logic to build the baseline log topology.

[0048] S3: Based on the baseline behavior elements of the baseline log topology and the current behavior elements of the current log topology, extract the associated behavior semantic vectors, perform difference accumulation calculation, determine the element pairs whose difference accumulation results do not reach the preset mapping threshold, and construct a mapping relationship set;

[0049] S4: Based on the mapping relationship set, obtain the current and benchmark predecessor element set, extract non-overlapping connection edges and obtain the associated grade protection level, calculate and quantify the risk ratio of the number of grade protection levels exceeding the preset risk definition benchmark to the total number of non-overlapping connection edges, and generate grade protection risk benchmark results.

[0050] S5: Obtain the mapping relationship set within a continuous time window, extract the mapping change frequency trajectory sequence of the same operation subject identifier within the continuous time window and determine the upward trend, extract the last change value of the upward segment in the change frequency trajectory sequence and perform weighted deviation adjustment on the risk benchmark result of the graded protection system, and generate the graded protection system risk identification result.

[0051] The behavioral semantic vector includes the operator entity identifier, access resource identifier, classification identifier, and security level of graded protection. The baseline log topology includes log data, directed connection relationships, and time period identifiers. The mapping relationship set includes the difference accumulation result, threshold matching element pairs, and associated behavioral semantic vectors. The graded protection risk baseline result includes the current predecessor element set, the baseline predecessor element set, and the associated graded protection security level. The graded protection risk identification result includes the mapping change number trajectory sequence, upward trend segment, and last-place change result.

[0052] Please see Figure 2 The specific steps of S1 are as follows:

[0053] S101: Collect the operation subject identifier, access resource identifier and category identifier through centralized log management hardware device and perform discrete encoding. Convert the character identifier into integer index according to the preset numbering rules, sequentially concatenate multiple indices and perform consistency verification to obtain the identifier mapping value sequence.

[0054] A centralized log management hardware device deployed on the mirror port of the core network switch sends log retrieval commands to each service server in the access layer at a polling cycle of 500 milliseconds. It intercepts data packets containing user behavior, parses the packet header and payload data, and extracts the string-formatted operation subject identifier (i.e., the user account name string initiating the access request), the access resource identifier (i.e., the Internet Protocol address string of the target server), and the category identifier (i.e., the standard log action code recording the operation type). The three types of string identifiers are then discretely encoded. Specifically, for each character, its corresponding US Standard Code value is extracted. The standard code values ​​of all characters in the string are summed to obtain an initial feature integer. The character identifier is then converted into an integer index according to a preset numbering rule. This preset numbering rule stipulates that the initial feature integer is modulo a preset hash modulus base value, and the remainder is used as the integer index of each identifier. For example, when the initial feature integer obtained by summing the collected operation subject identifier characters with code values ​​is 1024, and the set hash modulus base value is 997, the remainder of 1024 and 997 is obtained by performing a modulo operation to get a remainder of 27, which means that the integer index corresponding to the operation subject identifier is 27. Similarly, based on another initial feature integer and 997, the integer index of the access resource identifier is calculated to be 310, and the integer index of the category identifier is 42. After obtaining the above three integer indices, the multiple indices are sequentially concatenated and a consistency check is performed. The concatenation operation strictly follows the physical arrangement order of the operation subject integer index in the highest segment, the access resource integer index in the middle segment, and the category identifier integer index in the lowest segment. The text characters of the above three integers are directly merged at the beginning and end to generate an unchecked concatenated string. Then, a consistency check is performed. The digits of each number in the concatenated string are extracted and continuously accumulated to obtain the bit sum integer. The bit sum integer is then moduloed by the preset odd-numbered digit check base of 10 to obtain the check code number. The check code number is directly appended to the end of the concatenated string to obtain the identifier mapping value sequence. For example, the previously generated integer indices 27, 310, and 42 are concatenated sequentially to obtain the concatenated string 2731042. The digits 2, 7, 3, 1, 0, 4, and 2 of this string are continuously added together to obtain the integer sum 19. The remainder of 19 and the check radix 10 is then calculated to obtain the check digit 9. The check digit 9 is appended to the end of the concatenated string, resulting in the final identifier mapping value sequence 27310429.

[0055] S102: Based on the identifier mapping numerical sequence, obtain the grade protection level parameters and insert them into the end of the sequence and align their positions. Rearrange multiple segments of the sequence according to a fixed order rule, and perform interval verification on the rearranged values ​​to eliminate out-of-bounds values, thereby generating a grade protection level combination sequence.

[0056] Based on the generated identifier mapping numerical sequence 27310429, the corresponding resource file record in the security policy database is read through the data bus to obtain the graded protection level parameter. This parameter is an integer value set in advance by the network security administrator according to the national information security graded protection standard, corresponding to the graded protection attribute of the target server. Its value ranges from 1 to 5. The obtained graded protection level parameter is inserted into the end of the sequence and its position is aligned. The insertion and alignment operation here is as follows: the number of digits of the input graded protection level parameter is checked. If it is less than 2 digits, 0 is added before the highest digit of the parameter value to complete the alignment. Then, the aligned 2-digit graded protection parameter is directly appended to the rightmost end of the identifier mapping numerical sequence in character form. For example, if the graded protection level parameter of the target resource is 5, since it is less than 2 digits, zeros are added to align it to obtain the aligned graded protection parameter 05, which is appended to the end of the aforementioned sequence 27310429 to obtain the initial rearranged sequence 2731042905. Next, the sequence is rearranged according to a fixed order rule. This rule requires dividing the initial rearranged sequence into multiple numerical segments of fixed length from left to right. The segmentation rule is that every 3 digits constitute an independent numerical segment. If there are fewer than 3 digits remaining at the end, it is treated as a separate segment. The numerical segments after segmentation are then rearranged in reverse order. That is, the segment at the end of the original sequence is moved to the beginning, the segment at the beginning of the original sequence is moved to the end, and the remaining intermediate segments are swapped in the same order. For example, for the aforementioned initial rearranged sequence 2731042905, the 3-digit segmentation rule yields 4 numerical segments: the first segment containing the number 273, the second segment containing the number 104, the third segment containing the number 290, and the fourth segment containing the number 05. Rearranging these 4 segments in reverse order results in the rearranged numerical sequence 05290104273. Simultaneously, interval verification is performed on the rearranged values ​​to eliminate out-of-bounds values. The maximum verification threshold is pre-extracted from the hardware read-only memory and set as the upper limit of the security computing power. The rearranged value sequence is converted into a decimal long integer. The difference between this long integer and the maximum verification threshold is calculated, and it is determined whether the difference is greater than 0. If the difference is greater than 0, it is considered an out-of-bounds value, triggering an out-of-bounds value elimination operation. This involves truncating and discarding the highest digit of the long integer that exceeds the threshold until it no longer exceeds the bounds. If the difference is not greater than 0, the long integer remains unchanged. This process generates a security level combination sequence. For example, if the extracted maximum verification threshold is 9999999999, the aforementioned string 05290104273, after being converted into a decimal long integer, becomes its actual value 5290104273. Difference calculation between this and the threshold yields a negative number, indicating no out-of-bounds occurrence. The final security level combination sequence is then output as 5290104273.(If the rearranged string is 15290104273, and the integer value is greater than the verification threshold, then the highest digit 1 will be truncated, and the string will still be 5290104273, which is within the bounds.)

[0057] S103: Perform vectorization transformation on the density-level combination sequence, map multiple values ​​in the sequence to multi-dimensional coordinate axes, perform normalization and scaling calculation on multiple coordinate dimension values, and arrange the normalized feature values ​​in order and concatenate the dimensions to obtain the behavior semantic vector.

[0058] The generated density-level combination sequence 5290104273 is vectorized by truncating the long integer sequence in two-digit increments from left to right, forming five independent feature coordinate integers. These feature coordinate integers are then mapped to multi-dimensional coordinate axes by assigning them sequentially to the corresponding coordinates of the first through fifth axes of the 5-dimensional vector space. For example, the feature coordinate integers truncated from sequence 5290104273 are 52, 90, 10, 42, and 73. 52 is assigned to the first coordinate axis, 90 to the second, and so on. Subsequently, normalization scaling calculations are performed on the values ​​of multiple coordinate dimensions. The calculation derivation steps are as follows: for each coordinate axis, extract the current feature coordinate integer, obtain the absolute value of the numerator by the difference operation between the integer and the preset coordinate lower limit value, obtain the absolute value of the denominator by the difference operation between the preset coordinate upper limit value and the lower limit value, divide the absolute value of the numerator by the absolute value of the denominator to calculate the normalized scaling calculation result in double-precision floating-point format, and use it to replace the original coordinate values.

[0059] Table 1. Semantic Vector Coordinate Normalization Mapping Table

[0060] coordinate axis dimensions Integer feature coordinates upper limit of coordinates lower limit of coordinates Normalized scaling calculation results First coordinate axis 52 100 0 0.52 Second coordinate axis 90 100 0 0.90 Third coordinate axis 10 100 0 0.10 4th coordinate axis 42 100 0 0.42 5th coordinate axis 73 100 0 0.73

[0061] As shown in Table 1, the numerical examples based on normalized scaling demonstrate the transformation correspondence of dimensional values. The normalized feature values ​​are sequentially arranged and their dimensions concatenated. All floating-point results are rearranged according to the order from the 1st to the 5th coordinate axis to construct a multi-dimensional floating-point coordinate array, ultimately yielding the behavioral semantic vector. For example, combining 0.52, 0.90, 0.10, 0.42, and 0.73 obtained from Table 1 in sequence generates the final behavioral semantic vector [0.52, 0.90, 0.10, 0.42, 0.73].

[0062] Please see Figure 3 The specific steps of S2 are as follows:

[0063] S201: Collect the generation time corresponding to the behavior semantic vector, compare the numerical values ​​of multiple generation times, analyze the ascending time series according to the chronological order, perform coordinate mapping and rearrangement of the behavior semantic vector, determine and filter out the detached vectors with unmatched timestamps, and establish a time series semantic vector set.

[0064] By calling the interface to extract the time field from the operation message, the generation time corresponding to the behavioral semantic vector is collected. Multiple generation times are compared numerically. This comparison process involves retrieving two adjacent timestamp integers from memory, subtracting the later timestamp from the earlier timestamp to obtain the time difference. If this time difference is less than 0, the two timestamps and the behavioral semantic vector are swapped in storage. This subtraction and swapping operation is repeated until the time difference of all adjacent timestamps is greater than or equal to 0. The time series is then analyzed in ascending order according to chronological sequence. The behavioral semantic vectors are then mapped and rearranged, meaning the memory pointers of each behavioral semantic vector are forcibly bound to the sorted timestamps, ensuring a linear arrangement in chronological order. For example, if the first generation time value is 1715731205000 and the second generation time value is 1715731200000, the difference is -5000, triggering a swapping action, and the second vector is moved before the first vector. Next, unmatched timestamp detached vectors are identified and filtered out. Each timestamp integer in the sequence is traversed, and its difference is calculated with the set lower time limit value of 1704067200000. If the difference between the timestamp integer and the lower time limit value is less than 0 or the time field is empty, the corresponding vector is determined to be an unmatched timestamp detached vector. A memory reclamation instruction is executed to overwrite the storage block it occupies with 0 and release it. The remaining mapped data is then integrated to establish a temporal semantic vector set. For example, if a vector's timestamp integer is extracted to be 0, subtracting it from the lower limit value of 1704067200000 results in a negative number, it is determined to be a detached vector and filtered out. The execution node of this operation logic is that the execution result based on the timestamp difference calculation satisfies the triggering condition for temporal sequence cleaning, thereby triggering the directed edge mapping operation.

[0065] S202: Call the temporal semantic vector set and perform directed edge mapping on multiple vectors, set a one-way connection path from the preceding vector to the following vector, perform hierarchical stacking and network graph calculation on the path parameters, integrate the distribution status of all one-way connection paths and extract the vector association topology structure to generate the current log topology;

[0066] The established temporal semantic vector set is invoked, and directed edge mapping is performed on multiple vectors. Specifically, the linearly arranged vector objects within the set are traversed, and adjacent pairs of vectors are extracted into a working group. A unidirectional connection path is established from the preceding vector to the following vector; that is, a source node pointer is assigned to the preceding vector, and a target node pointer is assigned to the following vector, generating a unidirectional path object connecting the two pointers. Next, hierarchical stacking and network graph calculations are performed on the path parameters. The coordinate values ​​of each dimension of the preceding semantic vector are extracted, and the absolute values ​​are subtracted from the corresponding dimensions of the following semantic vector. The absolute differences of each dimension are summed to calculate the path weight value, which is then written into the intersection cell of the source node row and the target node column in the two-dimensional adjacency matrix in memory to complete the hierarchical stacking. For example, subtracting the floating-point value of 0.52 in the first dimension of the preceding vector from the floating-point value of 0.58 in the first dimension of the following vector yields an absolute value of 0.06. This process is repeated to calculate the absolute differences in the five dimensions: 0.06, 0.04, 0.02, 0.00, and 0.01. Performing a continuous summation operation yields a path weight of 0.13, which is then written into the corresponding point in the adjacency matrix. The distribution of all unidirectional paths is integrated, and the vector-related topology is extracted. This involves scanning all rows and columns of the two-dimensional adjacency matrix, extracting the coordinates of cells with values ​​greater than 0, and converting them into a set of graph node pairs with direction and weight attributes to generate the current log topology. For example, if the value 0.13 is found in the 3rd row and 5th column of the matrix, a topology pointing from node 3 to node 5 with a weight parameter of 0.13 is extracted and generated. The execution node of this operation logic is that the extraction of the adjacency matrix weight data satisfies the triggering condition for graph structure instantiation, thereby triggering the topology processing operation for the baseline log.

[0067] S203: Extract the associated edge paths based on the current log topology, collect logs corresponding to independent time periods, perform time-series mapping and transformation on the logs, calculate the connection establishment according to the edge paths, identify isolated vectors and remove their coordinates, assemble the remaining edge structure relationships, and obtain the baseline log topology.

[0068] Based on the generated current log topology, the associated edge paths are extracted. This involves reading the attributes of the start and end nodes in the node pair set, issuing instructions to the archive database, and collecting logs corresponding to independent time periods. These time periods are configured as intervals 30 calendar days prior to the current time, with all logs within this interval carrying a risk-free marker. The logs are then time-series mapped and transformed using the same absolute difference summation and matrix assignment logic as described earlier. This batch of logs is converted into a baseline matrix containing source and target nodes. Edge establishment calculations are performed according to the edge paths. This baseline matrix is ​​traversed in memory, and for each node, the number of non-zero values ​​in the row direction is accumulated to obtain the out-degree integer, and the number of non-zero values ​​in the column direction is accumulated to obtain the in-degree integer. Isolated vectors are identified and their coordinates are removed. The out-degree and in-degree integers of each node are added together to obtain the total node activity. This total is compared with the set isolation determination baseline value of 0. If the total value equals 0, the current node is determined to be an isolated vector, and a memory release instruction is issued to destroy the node's coordinate data. For example, the out-degree integer 0 and in-degree integer 0 of node 4 are obtained. Their sum equals the baseline value 0, indicating an isolated state, and node 4 is removed. The out-degree integer 1 and in-degree integer 2 of node 5 are added together, resulting in a sum of 3, which is not equal to 0, so node 5 is retained. The remaining edge structure is assembled, and the nodes that were not removed, along with their corresponding path weight integers, are written to the baseline graph data table and persisted, thus obtaining the baseline log topology. The execution point of this operation logic is that the determination that the sum of the in-degree and out-degree of a node equals 0 satisfies the invalid node cleanup trigger condition, thereby triggering the baseline graph storage operation.

[0069] Please see Figure 4 The specific steps of S3 are as follows:

[0070] S301: Extract the baseline behavior element of the baseline log topology and the current behavior element of the current log topology, collect the behavior semantic vector associated with the current baseline behavior element, perform vector coordinate dimension-by-dimensional difference operation and accumulate the multi-component sequence item by item to obtain the vector difference accumulation sequence.

[0071] Extract the baseline behavioral elements from the baseline log topology and the current behavioral elements from the current log topology. By traversing the persistent topology graph data table from the previous steps, read node attribute information and extract the baseline behavioral elements carrying historical risk-free operation characteristics and the current behavioral elements carrying real-time request operation characteristics. Collect the behavioral semantic vector associated with the current baseline behavioral element, call the coordinate data block mapped in memory, and read the coordinate value set of the current and baseline behavioral elements in the same high-dimensional space. Perform dimension-wise vector coordinate difference operations and accumulate the multi-component sequence item by item. Subtract the coordinate values ​​of each dimension of the current behavioral semantic vector from the corresponding dimension of the baseline behavioral semantic vector, extract the absolute value of the calculated difference, forming a multi-component sequence carrying dimensional offset characteristics. Then, perform continuous addition and summation operations on all absolute values ​​in the multi-component sequence to obtain the vector difference accumulation sequence. Repeatedly perform this summation operation on all matching elements, and arrange the accumulated values ​​obtained from each calculation in chronological order into a one-dimensional data queue. For example, if the current behavior element has a floating-point value of 0.52 in the first dimension, 0.68 in the second dimension, and 0.45 in the third dimension, and the corresponding baseline behavior element has a floating-point value of 0.50 in the first dimension, 0.70 in the second dimension, and 0.45 in the third dimension, subtracting the corresponding dimension values ​​yields differences of 0.02, -0.02, and 0, respectively. Extracting the absolute values ​​yields a multi-component sequence of 0.02, 0.02, and 0. Continuously summing the values ​​in this component sequence yields a cumulative value of 0.04 for the element pair, which is then written into a one-dimensional data queue.

[0072] S302: Based on the vector difference accumulation sequence, detect multiple accumulated values ​​and obtain a preset mapping threshold parameter. Perform a value comparison operation between the multiple accumulated values ​​and the mapping threshold, mark the element pairs whose accumulated values ​​have not reached the mapping threshold, and generate a difference compliance element index set.

[0073] Based on the vector difference accumulation sequence, multiple accumulated values ​​are detected and a preset mapping threshold parameter is obtained. Multiple accumulated value objects are read from the one-dimensional data queue generated by the aforementioned operations. Simultaneously, the preset mapping threshold parameter is retrieved from the threshold parameter table in the configuration database. This threshold parameter is obtained by extracting all log records manually determined to be in normal business flow status within the past 30 natural days, extracting the corresponding log vector differences, and calculating the arithmetic mean to obtain the threshold. A value comparison operation is performed item by item between the multiple accumulated values ​​and the mapping threshold. Each accumulated value extracted from the data queue is subtracted from the preset mapping threshold parameter. If the subtraction result is less than 0, the accumulated value is determined to be within the tolerance range. The element pairs corresponding to accumulated values ​​that have not reached the mapping threshold are marked. For values ​​with a judgment result less than 0, a status code 1 is written to the data header of the associated current behavior element and baseline behavior element combination pair. If the subtraction result is greater than or equal to 0, a status code 0 is written. A set of indexes for compliant elements based on differences is generated. The entire log storage block is traversed, and the memory address pointers of all element pairs with status code 1 in the header are extracted. This batch of pointer datasets is then merged and written into a separate index space. For example, if the accumulated value of a certain element pair is 0.04 in the aforementioned calculation, and the preset mapping threshold parameter retrieved from the configuration database is 0.10, the accumulated value 0.04 is subtracted from the preset mapping threshold parameter 0.10, resulting in a difference of -0.06. This difference is determined to be less than 0, and status code 1 is written for this element pair. In subsequent operations, the memory address pointer value 8096 of this element pair is extracted and stored in the compliance set.

[0074] S303: Based on the difference compliance element index set, extract the corresponding current behavior element and the baseline behavior element combination pair, perform element pair association binding and analyze the bidirectional mapping record structure, integrate all mapping records, and establish a mapping relationship set;

[0075] Based on the difference compliance element index set, extract the corresponding current behavior element and baseline behavior element combination pairs. Read the memory address pointer list stored in the independent index space, and batch retrieve the current behavior element data packets and baseline behavior element data packets written with status code 1 in the previous steps according to the physical address pointed to by the pointers, forming a pair of combined data streams. Associate and bind the element pairs and analyze the bidirectional mapping record structure. Generate a connection link in the graph database. Read the unique identification number of the current behavior element as the starting attribute and the unique identification number of the baseline behavior element as the ending attribute to construct a forward directed edge from the current request log to the historical standard log. Then, using the unique identification number of the baseline behavior element as the starting attribute and the unique identification number of the current behavior element as the ending attribute, construct a reverse directed edge. Analyze the bidirectional mapping record structure formed by these two opposite directed edges to verify the data connectivity status of the two nodes. Integrate all mapping records to establish a mapping relationship set. Traverse all objects in the memory address pointer list, and repeatedly execute the aforementioned forward and reverse directed edge generation and connectivity verification operations. Write the bidirectional mapping record structures that have successfully verified connectivity status into a relational mapping table for persistent storage. For example, based on the pointer, a compliant combination pair is extracted. The identification number of the current behavioral element is read as 1001, and the identification number of the baseline behavioral element is 2001. A forward directed edge is created starting from identification number 1001 and ending at identification number 2001. Simultaneously, a reverse directed edge is created starting from identification number 2001 and ending at identification number 1001. After successful verification, a bidirectional mapping record structure is generated and written to the mapping table. The execution node of this operation logic lies in calculating the connectivity state of the bidirectional mapping record structure based on the behavioral element identification number parameter, thereby triggering subsequent operations to persistently save the mapping relationship set.

[0076] Please see Figure 5 The specific steps of S4 are as follows:

[0077] S401: Based on the mapping relationship set, obtain the current predecessor element set and the reference predecessor element set, perform set difference operation, match the element identifiers in the current predecessor element set with the element identifiers in the reference predecessor element set item by item, compare the unmatched connection edge identifiers and extract the index to obtain the non-overlapping connection edge index set.

[0078] The process of obtaining the current predecessor element set and the baseline predecessor element set based on the mapping relationship set involves reading the bidirectional mapping record structure persistently stored in the relational mapping table in the previous steps, extracting all starting identification numbers with the current operation request log identification number as the endpoint attribute to construct the current predecessor element set, and simultaneously extracting all starting identification numbers with the historical standard log identification number as the endpoint attribute to construct the baseline predecessor element set. A set difference operation is then performed, traversing each element identifier in the current predecessor element set and comparing it one by one with the element identifiers in the baseline predecessor element set. Each element identifier in the current predecessor element set is matched with the element identifiers in the baseline predecessor element set. If an element identifier in the current predecessor element set does not have a matching identifier in the baseline predecessor element set, it is determined that the connection link corresponding to that element identifier has undergone structural offset. The process involves comparing and extracting the unmatched connection edge identifiers, and for element identifiers determined to have undergone structural offset, reading the connection edge identification code recorded in the graph database, and sending a call instruction to the memory allocation controller to obtain the memory pointer address of the data block corresponding to that connection edge. The set of non-overlapping edge indices is obtained, and all acquired memory pointer addresses are sequentially written into a continuously distributed array queue. For example, if the current predecessor element set contains identification numbers 101, 102, and 103, and the reference predecessor element set contains identification numbers 101 and 102, a difference comparison operation is performed on the two sets. The non-matching identification number 103, which exists in the current set but not in the reference set, is identified. Then, the memory pointer address 8099 of the connection edge data block associated with identification number 103 is extracted, and this address 8099 is written into a continuous array to form the index set. The execution node of this operation logic is that the difference comparison operation based on the element identifier parameter yields the non-overlapping edge address result, thereby triggering subsequent advanced analysis operations to extract associated attribute data.

[0079] S402: Extract the associated security level of multiple connecting edges based on the non-overlapping connecting edge index set, call the preset risk assessment benchmark to compare the values ​​of each item, record the number of records whose security level values ​​exceed the risk assessment benchmark, and calculate the ratio of the number of records to the total number of connecting edges to obtain the security level over-limit ratio.

[0080] The security classification values ​​of multiple connection edges are extracted based on the non-overlapping connection edge index set. This process involves batch reading the attribute fields of non-overlapping connection edges according to the memory pointer addresses stored in the continuous array in the previous steps, parsing the security label carried in the packet header, and converting the label into Arabic numerals in the range of 1 to 5 to obtain the security classification value. The larger the value, the higher the data sensitivity. A preset risk assessment benchmark is called for item-by-item comparison. A security management threshold is extracted from the configuration database as the preset risk assessment benchmark. This benchmark value is calculated by extracting the arithmetic median of the security classification values ​​from the logs of unauthorized access events confirmed by audits within the past 180 calendar days. If the number of records where the security classification value exceeds the risk assessment benchmark is recorded, the extracted multiple security classification values ​​are subtracted from the preset risk assessment benchmark. If the difference is greater than 0, the connection edge is determined to have high-risk access behavior, and the entries with a result greater than 0 are accumulated. The ratio of the number of record entries to the total number of connected edges is calculated. The total number of pointer addresses contained in the aforementioned non-overlapping connected edge index set is extracted as the parameter for the total number of connected edges. The cumulative number of record entries is divided by this parameter to obtain a floating-point value reflecting the density of unauthorized access. The excess security level ratio is then obtained. For example, in the aforementioned processing, the total number of non-overlapping connected edges is 20. Among the security level values ​​obtained from parsing these 20 connected edges, 12 connected edges have a security level value of 4 or 5. The preset risk assessment benchmark value retrieved from the database is 3. Subtracting the extracted security level value from the benchmark value 3 reveals 12 results greater than 0, indicating that the number of records exceeding the limit is 12. Subsequently, the number of entries 12 is divided by the total number 20 to obtain a floating-point value of 0.6. This value of 0.6 is the final excess security level ratio.

[0081] S403: Quantify the risk of exceeding the limit for the security level, map the ratio value to the risk interval identifier sequence, and classify the intervals according to the interval boundaries to generate the risk benchmark result for the graded protection.

[0082] The process quantifies the risk of exceeding security level limits. This involves using the previously calculated floating-point value reflecting the density of unauthorized access as input and invoking a compliance audit judgment strategy table pre-loaded in the memory environment. The percentage value is mapped to a risk interval identifier sequence. This judgment strategy table contains multiple consecutive and non-overlapping numerical ranges as risk intervals. The boundaries of these intervals are set based on data extracted from the past 24 months of security level penetration testing exercises, fitted according to the gradient distribution of successful breach probabilities. Specifically, these include a low-risk interval with a lower limit of 0 and an upper limit of 0.3, a medium-risk interval with a lower limit of 0.3 and an upper limit of 0.6, and a high-risk interval with a lower limit of 0.6 and an upper limit of 1.0. Interval classification is then performed based on the interval boundaries. The input security level exceeding limit percentage is compared with the upper and lower limits of each risk interval. If the percentage is greater than or equal to the lower limit of an interval and less than or equal to the upper limit, the percentage falls within that risk interval. A security level risk benchmark result is generated, and the corresponding status judgment instruction code is extracted and persistently output based on the finally matched risk interval. For example, receiving the security level exceeding the limit ratio of 0.6 calculated in the aforementioned steps, the value of 0.6 is substituted into the judgment strategy table for comparison. The comparison logic first compares 0.6 with the low-risk upper limit of 0.3, and determines that the value exceeds the limit. It then compares it with the high-risk interval lower limit of 0.6 and upper limit of 1.0, and determines that 0.6 is greater than or equal to 0.6 and less than or equal to 1.0, thus classifying it into the high-risk interval. Based on this, a graded protection risk benchmark result carrying a high-risk blocking identification code is generated. The execution node of this calculation logic is to compare the security level exceeding the limit ratio value with the risk interval boundary parameters to obtain the assigned interval result, thereby triggering the generation of the graded protection risk benchmark result and alarm triggering subsequent operations.

[0083] Please see Figure 6 The specific steps of S5 are as follows:

[0084] S501: Obtain the mapping relationship set within a continuous time window, perform differential counting on the mapping identifiers corresponding to the same operation subject identifier in multiple time windows, and perform discrete sequence encoding on the number of changes of the mapping identifiers in adjacent windows to obtain the change number trajectory sequence;

[0085] The process involves obtaining a set of mapping relationships within a continuous time window. This is achieved by reading the raw access logs generated by the application server, dividing the continuous time window into one-hour intervals, and extracting the corresponding association data records between the identification codes of each operating entity and the mapping identifiers of the accessed resources within each time window. For the same operating entity identifier, a differential count is performed on the corresponding mapping identifiers across multiple time windows. This step involves counting the total number of independent resource mapping identifiers associated with each extracted single-target operating entity identification code in each time window arranged chronologically. Then, the total number of mapping identifiers in the current time window is subtracted from the total number of mapping identifiers in the immediately preceding time window, and the absolute value of the result is taken to obtain a differential count value reflecting the drastic nature of the behavioral change. The number of changes in mapping identifiers between adjacent windows is discretely sequence-encoded. Following the chronological order, the differential count values ​​calculated in each iteration are sequentially stored in a one-dimensional continuous storage address space, forming a data queue with temporal characteristics, resulting in a change frequency trajectory sequence. For example, the number of mapping identifiers associated with a certain operation subject in consecutive time windows from the 1st to the 7th is 12, 15, 11, 20, 18, 13, and 19 respectively. By subtracting adjacent items and performing absolute value operations, the difference between the 2nd and 1st windows is calculated to be 3, the difference between the 3rd and 2nd windows is 4, the difference between the 4th and 3rd windows is 9, the difference between the 5th and 4th windows is 2, the difference between the 6th and 5th windows is 5, and the difference between the 7th and 6th windows is 6. These differences are written to the storage address in sequence to generate a trajectory sequence of the number of changes containing the values ​​3, 4, 9, 2, 5, and 6.

[0086] S502: Based on the trajectory sequence of the number of changes, compare the values ​​of adjacent elements, determine the size relationship between the value of the next item and the value of the previous item, mark the index of the position that satisfies the increasing relationship and splice the continuous intervals, extract the value set corresponding to the end position of multiple continuous increasing intervals, and generate the value set of the last position of the increasing segment.

[0087] The process compares adjacent element values ​​based on the change count trajectory sequence. This involves reading the change count trajectory sequence stored in memory from the previous steps, obtaining the current position's value parameter in ascending address order, and comparing it with the value parameter of the immediately following position. The relationship between each subsequent value and the preceding value is determined by subtracting the preceding value from the following value. If the difference is strictly greater than 0, the two values ​​are considered to be in an increasing state. Position indices satisfying the increasing relationship are marked, and continuous intervals are concatenated. For adjacent values ​​in an increasing state, the physical position offset is extracted as an index. If the starting index of the current comparison is found to be exactly equal to the ending index of the previous record, the covered data segments are merged to form a continuous increasing interval. The set of values ​​corresponding to the termination positions of multiple continuous increasing intervals is extracted. From the concatenated increasing interval, the specific value pointed to by the last physical position offset is extracted. A set of the last values ​​of the increasing segment is generated, and all extracted last values ​​are pushed into a new data set in their original order. Substituting the aforementioned trajectory sequence of change counts containing the values ​​3, 4, 9, 2, 5, and 6, we compare 3 and 4. 4 minus 3 is greater than 0, satisfying the increasing condition, so we record positions 1 to 2. We compare 4 and 9. 9 minus 4 is greater than 0, satisfying the increasing condition, so we record positions 2 to 3. At this point, the indices overlap, and we concatenate them to obtain a continuous increasing interval from positions 1 to 3. We compare 9 and 2. 2 minus 9 is less than 0, so the increasing condition is interrupted. We extract the value 9 corresponding to the last position 3 of the concatenated interval and store it in the set. Next, we compare 2 and 5. 5 minus 2 is greater than 0, so we record positions 4 to 5. We compare 5 and 6. 6 minus 5 is greater than 0, so we record positions 5 to 6. At this point, the indices overlap, and we concatenate them to obtain a continuous increasing interval from positions 4 to 6. We extract the value 6 corresponding to the last position 6 and store it in the set. Finally, we generate a data set containing the values ​​9 and 6 as the last value set of the increasing segment.

[0088] S503: Based on the set of last values ​​of the incremental segment, call the risk benchmark result of the graded protection system, calculate the difference between the last values ​​of multiple segments and the risk benchmark value, and perform weighted correction by combining the preset risk weight coefficient. Then, aggregate and map the corrected values ​​to generate the graded protection risk identification result.

[0089] Based on the incremental segment last value set, the process retrieves the risk benchmark result of the graded protection system. This process, based on the incremental segment last value set from the previous steps, sends a read command to the configuration database to extract the risk benchmark value. This benchmark value is set by extracting the maximum fluctuation range record value during the stable operation period over the past 30 natural days. The difference between multiple last values ​​and the risk benchmark value is calculated and weighted by a preset risk weight coefficient. Each specific value in the last value set is traversed, and subtraction is performed with the risk benchmark value to obtain the basic difference. The preset risk weight coefficient is read; this weight coefficient is set based on the average hazard classification of 500 historical unauthorized access cases. The basic difference is multiplied by the preset risk weight coefficient to obtain the individual correction value. The corrected values ​​are aggregated and mapped for output. All individual correction values ​​are summed to obtain a global assessment score parameter. This global assessment score parameter is compared with a preset alarm threshold value. If it exceeds the threshold value, an interception action is triggered. The process generates a risk identification result for graded protection. Substituting the values ​​of the last digit of the aforementioned incremental segment (including the value 9 and the expanded value 6), a risk baseline value of 4 is obtained. A preset risk weighting coefficient of 1.5 is used. Subtracting 9 from 4 yields a difference of 5. Multiplying 5 from 1.5 yields a corrected value of 7.5. Subtracting 6 from 4 yields a difference of 2. Multiplying 2 from 1.5 yields a corrected value of 3.0. Summing 7.5 and 3.0 yields a global assessment score of 10.5. Comparing 10.5 with a preset alarm threshold of 8.0, and determining that 10.5 is greater than 8.0, a graded protection risk identification result carrying a high-risk interception marker is generated. The execution node of this calculation logic is to perform a weighted calculation based on the last digit and the baseline parameter to obtain the global assessment score, thereby triggering subsequent operations such as boundary comparison and risk level determination.

[0090] The above are merely specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in the present invention should be included within the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be determined by the scope of the claims.

Claims

1. A method for identifying graded protection risks based on log behavior analysis, characterized in that, Includes the following steps: S1: Collect the operation subject identifier, access resource identifier, classification identifier and security level of the centralized log management hardware device, perform mapping calculation on the operation subject identifier, access resource identifier and classification identifier and combine them with the security level of the security level to construct a behavior semantic vector; S2: Collect the generation time corresponding to the behavior semantic vector, and make directed connections to the behavior semantic vector in chronological order to obtain the current log topology. Collect logs in independent time periods and establish directed edges according to the same directed connection logic to construct the baseline log topology. S3: Based on the baseline behavior element of the baseline log topology and the current behavior element of the current log topology, extract the associated behavior semantic vector and perform difference accumulation calculation. Determine the element pairs whose difference accumulation result does not reach the preset mapping threshold, and construct a mapping relationship set. S4: Based on the mapping relationship set, obtain the current and benchmark predecessor element set, extract non-overlapping connection edges and obtain the associated security level, calculate and quantify the risk ratio of the number of security levels exceeding the preset risk definition benchmark to the total number of non-overlapping connection edges, and generate the security level risk benchmark result.

2. The method for identifying graded protection risks based on log behavior analysis according to claim 1, characterized in that, The behavioral semantic vector includes the operator entity identifier, access resource identifier, classification identifier, and security level of graded protection. The benchmark log topology includes log data, directed connection relationships, and time period identifiers. The mapping relationship set includes the difference accumulation result, threshold matching element pairs, and associated behavioral semantic vectors. The graded protection risk benchmark result includes the current predecessor element set, the benchmark predecessor element set, and the associated graded protection security level.

3. The method for identifying graded protection risks based on log behavior analysis according to claim 1, characterized in that, The specific steps of S1 are as follows: S101: Collect the operation subject identifier, access resource identifier and category identifier through centralized log management hardware device and perform discrete encoding. Convert the character identifier into integer index according to the preset numbering rules, sequentially concatenate multiple indices and perform consistency verification to obtain the identifier mapping value sequence. S102: Based on the identified mapping numerical sequence, obtain the security level parameters and insert them into the end of the sequence and align their positions. Rearrange multiple segments of the sequence according to a fixed order rule, and perform interval verification on the rearranged values ​​to eliminate out-of-bounds values, thereby generating a security level combination sequence. S103: Perform vectorization transformation on the density-level combination sequence, map multiple values ​​in the sequence to multi-dimensional coordinate axes, perform normalization scaling calculation on multiple coordinate dimension values, and arrange the normalized feature values ​​in order and concatenate the dimensions to obtain the behavioral semantic vector.

4. The method for identifying graded protection risks based on log behavior analysis according to claim 1, characterized in that, The specific steps of S2 are as follows: S201: Collect the generation time corresponding to the behavior semantic vector, compare the numerical values ​​of multiple generation times, analyze the ascending time series according to the chronological order, perform coordinate mapping and rearrangement of the behavior semantic vector, determine and filter out unmatched timestamp detached vectors, and establish a time-series semantic vector set. S202: Call the time-series semantic vector set and perform directed edge mapping on multiple vectors, set a one-way connection path from the preceding vector to the following vector, perform hierarchical stacking and network graph calculation on the path parameters, integrate the distribution status of all one-way connection paths and extract the vector association topology structure to generate the current log topology; S203: Extract associated edge paths based on the current log topology, collect logs corresponding to independent time periods, perform time-series mapping and transformation on the logs, calculate the establishment of edges according to the edge paths, determine isolated vectors and remove their coordinates, assemble the remaining edge structure relationships, and obtain the baseline log topology.

5. The method for identifying graded protection risks based on log behavior analysis according to claim 1, characterized in that, The specific steps for S3 are as follows: S301: Extract the baseline behavior element of the baseline log topology and the current behavior element of the current log topology, collect the behavior semantic vector associated with the baseline behavior element, perform vector coordinate dimension-by-dimensional difference operation and accumulate the multi-component sequence item by item to obtain the vector difference accumulation sequence. S302: Based on the vector difference accumulation sequence, detect multiple accumulated values ​​and obtain a preset mapping threshold parameter, perform a value comparison operation between the multiple accumulated values ​​and the mapping threshold, mark the element pairs whose accumulated values ​​have not reached the mapping threshold, and generate a difference compliance element index set. S303: Based on the difference compliance element index set, extract the corresponding current behavior element and the benchmark behavior element combination pair, perform element pair association binding and analyze the bidirectional mapping record structure, integrate all mapping records, and establish a mapping relationship set.

6. The method for identifying graded protection risks based on log behavior analysis according to claim 5, characterized in that, The mapping threshold is determined by collecting a vector distance sample set from the benchmark logs, calculating the statistical mean and standard deviation of the distance parameters within the sample set, retrieving the tolerance factor to calculate the weighted product of the standard deviation, and summing the weighted product value with the statistical mean.

7. The method for identifying graded protection risks based on log behavior analysis according to claim 1, characterized in that, The specific steps of S4 are as follows: S401: Based on the mapping relationship set, obtain the current predecessor element set and the reference predecessor element set, perform set difference operation, match the element identifiers in the current predecessor element set with the element identifiers in the reference predecessor element set item by item, compare the unmatched connection edge identifiers and extract the index to obtain the non-overlapping connection edge index set. S402: Extract multiple connection edges associated with the security level protection level based on the non-overlapping connection edge index set, call the preset risk assessment benchmark to compare the values ​​item by item, record the number of records whose security level values ​​exceed the risk assessment benchmark, and calculate the ratio of the number of records to the total number of connection edges to obtain the security level over-limit ratio. S403: Quantify the risk of the above-mentioned security level exceeding the limit, map the ratio value to the risk interval identifier sequence, and obtain the corresponding risk benchmark value by interval classification judgment based on the interval boundary, and generate the graded protection risk benchmark result.

8. The method for identifying graded protection risks based on log behavior analysis according to claim 7, characterized in that, The risk assessment benchmark is determined by collecting abnormal behavior records, extracting the security level values ​​associated with the samples, calculating the statistical mean and standard deviation of the security level values, and then using preset risk weight coefficients to perform a weighted summation operation on the standard deviation and mean.

9. The method for identifying graded protection risks based on log behavior analysis according to claim 1, characterized in that, The method further includes: S5: Obtain the mapping relationship set within a continuous time window, extract the mapping change number trajectory sequence of the same operation subject identifier between continuous time windows and judge the upward trend, extract the last change value of the upward segment in the change number trajectory sequence and perform weighted deviation adjustment on the graded protection risk benchmark result, and generate graded protection risk identification result. The risk identification results of the graded protection system include the trajectory sequence of the number of mapping changes, the upward trend segment, and the last change results.

10. The method for identifying graded protection risks based on log behavior analysis according to claim 9, characterized in that, The specific steps of S5 are as follows: S501: Obtain the mapping relationship set within a continuous time window, perform differential counting on the mapping identifiers corresponding to the same operation subject identifier in multiple time windows, and perform discrete sequence encoding on the number of changes of the mapping identifiers in adjacent windows to obtain the change number trajectory sequence; S502: Based on the trajectory sequence of the number of changes, compare the values ​​of adjacent elements, determine the size relationship between the value of the next item and the value of the previous item, mark the position index that satisfies the increasing relationship and splice the continuous intervals, extract the value set corresponding to the end position of multiple continuous increasing intervals, and generate the end value set of the increasing segment. S503: Based on the set of last values ​​of the incremental segments, call the risk benchmark result of the graded protection system, calculate the difference between the last values ​​of multiple segments and the risk benchmark value, and perform weighted correction by combining the preset risk weight coefficient. Then, aggregate and map the corrected values ​​to generate the graded protection risk identification result.