Sparse anomaly behavior detection method and system based on privacy protection semantic evidence
By performing irreversible semantic abstraction and hypergraph modeling on multi-source security data, the problem of detecting multi-entity collaborative behavior and cross-event correlation in privacy-constrained environments is solved, enabling effective detection of low-frequency abnormal behavior and improving the accuracy and stability of detection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- HAINAN NORMAL UNIV
- Filing Date
- 2026-03-13
- Publication Date
- 2026-07-03
AI Technical Summary
Existing methods for detecting abnormal behavior are insufficient in privacy-restricted environments because they cannot meet the requirement that data cannot leave the domain and cannot effectively characterize the collaborative behavior of multiple entities and the high-order relationships across events.
By performing irreversible semantic abstraction and evidence processing on multi-source security data, a semantic representation of multi-entity collaborative behavior is constructed. Based on the hypergraph structure, a joint modeling of high-order association patterns of abnormal behavior is performed to achieve the detection of cross-event, low-frequency abnormal behavior.
Without exposing the original data, it effectively detects low-frequency, cross-stage recurring abnormal behaviors, improving the accuracy and stability of the detection results and meeting privacy protection requirements.
Smart Images

Figure CN122339731A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of cyberspace security and threat intelligence analysis technology, specifically to a sparse anomaly behavior detection method and system based on privacy-preserving semantic evidence. Background Technology
[0002] Currently, with the increasingly severe cybersecurity situation, advanced persistent threats (APTs) and various complex attack activities have become one of the main security threats against critical information infrastructure, government agencies, and large enterprise network systems.
[0003] Against this backdrop, the timely detection and accurate identification of abnormal behavior in network systems are crucial for ensuring the continuity of critical business operations and the secure and stable operation of systems. Attacks typically exhibit characteristics such as low frequency, diverse stages, cross-entity collaboration, and cross-event reproducibility, making abnormal behavior detection a critical link in cyberspace security protection systems. In practical security protection, abnormal behavior detection usually relies on multi-source security data such as host logs, network traffic, and alarm records to identify suspicious activities that deviate from normal behavior patterns. However, in high-security scenarios such as critical information infrastructure, due to privacy protection, data compliance, and system closedness requirements, raw security logs and traffic data often cannot be centrally stored or directly used for external analysis, resulting in significant limitations in the practical deployment of centralized anomaly detection methods based on raw data. Furthermore, abnormal behavior in real-world environments often exhibits characteristics such as sparse evidence, dispersed behavioral patterns, concealed cross-event correlations, and complex multi-entity collaboration, further increasing the difficulty of detection.
[0004] To address the aforementioned issues, traditional anomaly detection methods are mostly based on manual rules, statistical features, or feature engineering-driven machine learning models, identifying anomalies by modeling single entities or local behavioral sequences. However, such methods typically rely on large amounts of high-quality raw data and human experience, making it difficult to adapt to the diversity and evolution of anomalous behaviors in complex attack scenarios. Furthermore, they have limited ability to characterize high-order correlation behaviors across entities and events, easily leading to missed detections or false positives.
[0005] With the development of deep learning technology, related methods automatically learn features from security data through multi-layer neural networks, gradually mapping low-level behavioral features to high-level semantic representations, demonstrating strong modeling capabilities in anomaly detection tasks. Deep learning models can uncover latent patterns from complex data, alleviating the feature design dependency problem to some extent, and have become an important research direction in the current field of anomaly behavior detection. However, most existing deep learning methods are still based on sequence modeling or pairwise relation modeling frameworks, mainly focusing on time dependencies or local entity relationships, making it difficult to fully express high-order behavioral structures involving multi-entity collaboration and semantic associations that recur over long periods across events; at the same time, these methods usually assume that the original data can be directly obtained, which is difficult to meet the practical needs of privacy-constrained environments where data cannot be taken out of its domain or restored.
[0006] In summary, existing abnormal behavior detection methods generally suffer from problems such as scattered evidence of abnormal behavior, extremely sparse abnormal samples, difficulty in characterizing multi-entity collaborative behavior, and insufficient ability to correlate abnormal behavior across events in actual network security protection. In particular, in privacy-restricted environments such as critical information infrastructure, raw security logs and traffic data are difficult to analyze centrally. Summary of the Invention
[0007] To address the aforementioned problems, the present invention aims to provide a sparse anomaly detection method and system based on privacy-preserving semantic evidence. This method involves irreversibly abstracting and evidence-based processing of raw security data to construct a semantic representation of multi-entity collaborative behavior. Furthermore, it uses a hypergraph structure to jointly model high-order association patterns of anomaly behavior, thereby achieving effective detection of cross-event, low-frequency anomaly behavior. The technical solution is as follows:
[0008] A sparse anomaly detection method based on privacy-preserving semantic evidence includes the following steps:
[0009] Step 1: Semantic evidence generation: Irreversible semantic abstraction is performed on the collected multi-source security data to extract semantic evidence elements related to abnormal behavior, and the semantic evidence elements are semantically encoded to obtain semantic evidence units;
[0010] Step 2: Semantic Evidence Hypergraph Construction: Based on the semantic evidence elements and their semantic feature representations, a semantic evidence hypergraph containing intra-event hyperedges and cross-event hyperedges is constructed; wherein, the intra-event hyperedges are constructed based on the co-occurrence relationship of multiple semantic evidence elements in the same behavioral event, and are used to characterize the collaborative behavior relationship of multiple entities; the cross-event hyperedges are constructed based on the semantic theme similarity between different behavioral events, and are used to characterize the semantic association relationship across events;
[0011] Step 3: Sparse Anomaly Detection: Based on the semantic evidence hypergraph, feature aggregation is performed on the semantic evidence nodes and their relationships, anomaly scores are calculated for each behavioral event or semantic evidence, and sparsity is determined by combining the frequency of behavior occurrence to identify abnormal behaviors.
[0012] A sparse anomaly detection system based on privacy-preserving semantic evidence includes:
[0013] The semantic evidence generation module is used to perform irreversible semantic abstraction processing on the collected multi-source security data, extract semantic evidence elements related to abnormal behavior, and perform semantic encoding on the semantic evidence elements to obtain semantic evidence units of semantic evidence.
[0014] The semantic evidence hypergraph construction module is used to construct a semantic evidence hypergraph containing intra-event hyperedges and cross-event hyperedges based on the semantic evidence elements and their semantic feature representations. The intra-event hyperedges are constructed based on the co-occurrence relationship of multiple semantic evidence elements in the same behavioral event, and are used to characterize the collaborative behavior relationship of multiple entities. The cross-event hyperedges are constructed based on the semantic theme similarity between different behavioral events, and are used to characterize the semantic association relationship across events.
[0015] The sparse abnormal behavior detection module is used to perform feature aggregation on semantic evidence nodes and their relationships based on the semantic evidence hypergraph, calculate the abnormal score of each behavioral event or semantic evidence, and determine the sparsity by combining the frequency of behavior occurrence, thereby identifying abnormal behavior.
[0016] The beneficial effects of this invention are:
[0017] This invention performs irreversible semantic abstraction and evidence processing on security logs and network behaviors generated in critical information infrastructure environments. It constructs cross-event semantic behavior representations without exposing the original data, and models multi-entity collaborative relationships based on a hypergraph structure. This enables effective detection of low-frequency, cross-stage recurring abnormal behaviors, solving the problems of traditional anomaly detection methods that rely on centralized processing of original logs, are difficult to meet privacy protection requirements, and have insufficient ability to detect cross-event and extremely sparse abnormal behaviors. Attached Figure Description
[0018] Figure 1 This is a schematic diagram of the overall structure of the sparse anomaly behavior detection method based on privacy-preserving semantic evidence of the present invention.
[0019] Figure 2 This is a schematic diagram of the semantic evidence generation module in this invention.
[0020] Figure 3 This is a schematic diagram of the semantic evidence encapsulation and transmission module in this invention.
[0021] Figure 4 This is a schematic diagram of the semantic evidence hypergraph construction module in this invention.
[0022] Figure 5 This is a schematic diagram of the sparse anomaly behavior detection module in this invention.
[0023] Figure 6 This is a schematic diagram of the abnormal behavior output module in this invention. Detailed Implementation
[0024] The present invention will now be described in further detail with reference to the accompanying drawings and specific embodiments.
[0025] By jointly modeling multiple types of semantic evidence related to abnormal behavior in security data and their high-order collaborative behavioral relationships, we can effectively characterize abnormal behavior patterns that can be reproduced across events, thereby improving the accuracy, stability, and practicality of abnormal behavior detection results.
[0026] To address the aforementioned technical problems, one embodiment of the present invention is: a sparse anomaly detection method based on privacy-preserving semantic evidence, mainly comprising three steps: semantic evidence generation, semantic evidence hypergraph construction, and sparse anomaly detection, including the following:
[0027] Step 1: Semantic Evidence Generation: By performing irreversible semantic abstraction on security logs and behavioral data generated in the network system, multiple types of semantic evidence related to abnormal behavior are extracted and a unified semantic representation is formed.
[0028] Step 1.1: Security Data Acquisition: Acquire multi-source security data, including host logs, network traffic logs, system audit records, security alarm information, or other data related to network behavior.
[0029] Step 1.2: Data preprocessing: The security data is preprocessed, including field normalization, noise filtering, and field screening, to obtain behavior-related data.
[0030] Step 1.3: Behavior Slicing: The behavior-related data is segmented at the event level or behavior level to form several behavior segments.
[0031] Step 1.4: Semantic abstraction processing: Based on a predefined system of behavioral semantic elements, irreversible semantic abstraction processing is performed on the behavioral fragments to extract semantic evidence elements related to abnormal behavior from the behavioral fragments. The semantic evidence elements include at least the attack technique or behavior type, the tools or means used, the associated infrastructure, and behavioral description information.
[0032] The specific process of irreversible semantic abstraction is as follows:
[0033] (1) Construct a behavioral semantic element mapping rule base, which includes attack technology label mapping rules, tool category mapping rules, infrastructure type mapping rules, behavioral action template rules, behavioral stage mapping rules, and semantic category normalization rules. The rule base is used to map specific field values in the original logs to a predefined abstract semantic category space to achieve semantic hierarchical reduction.
[0034] (2) Perform structured parsing on the original fields in the behavior fragment to extract the behavior subject, behavior action, behavior object and related resource information, where: the behavior subject includes process, user, host or service entity; the behavior action includes operation types such as execution, derivation, access, communication, loading, etc.; the behavior object includes file, process, network address, registry key or system resource; the related resources include tool name, infrastructure identifier or attack technology identifier;
[0035] (3) Perform semantic normalization on the extracted fields and map the specific log field values to abstract semantic tags, including but not limited to: mapping specific IP addresses to category tags such as "internal network host" and "external server"; mapping specific file paths to abstract behavior tags such as "system directory access" and "sensitive file access"; and mapping specific command strings to behavior categories such as "privilege escalation operation" and "persistence operation".
[0036] (4) Delete or irreversibly transform the original field values, retaining only the abstract semantic labels and behavioral structure relationship information, ensuring that the semantic evidence does not contain recoverable original log information. Irreversibility guarantee: Do not retain the original field values; do not save any reverse mapping relationship or recoverable mapping table; use a local anonymization encoding mechanism for entity identifiers so that entity identifiers are only valid within the current behavioral fragment; or use one-way hashing with random salt values before semantic category mapping; do not output globally stable identifiers that can be used for cross-system association; do not retain timestamps, paths, full addresses or precise command parameters that can be used to reconstruct the original log fields.
[0037] Through the above processing, the generated semantic evidence only contains abstract semantic labels, behavioral structure relationships and statistical feature information, and cannot restore the original log data, thus achieving irreversible abstraction at the semantic level.
[0038] Step 1.5: Semantic Evidence Generation: Semantic encoding is performed on the extracted semantic evidence elements to map semantic evidence elements from different sources and of different types to a unified vector representation space, thereby generating semantic evidence units.
[0039] Semantic encoding specifically includes:
[0040] (1) An embedding encoding method is used for discrete semantic tags to map each type of semantic element into a low-dimensional vector representation;
[0041] (2) The behavioral description text is processed by semantic vectorization using a pre-trained language model to obtain a semantic embedding representation;
[0042] (3) The vector representations of different types of semantic elements are spliced or weighted and merged to form a unified dimension of semantic evidence unit vector representation.
[0043] The semantic encoding is an irreversible process, which is reflected in the following: the vector is a continuous real-valued representation and cannot be restored to the original field; the encoding model does not output a reverse mapping function; and the original semantic text or field value is not retained after encoding.
[0044] Step 2: Semantic Evidence Encapsulation and Transmission:
[0045] Semantic evidence encapsulation and transmission is used to structurally encapsulate, privacy-verify, and securely transmit generated semantic evidence, enabling the secure transfer of semantic evidence between privacy-constrained environments and analysis and detection environments. Based on... Figure 3 As shown, the semantic evidence encapsulation and transmission includes the following steps:
[0046] Step 2.1: Semantic Evidence Reception. Receive the semantic evidence unit output from the semantic evidence generation step. The semantic evidence unit is structured data processed by irreversible semantic abstraction.
[0047] Step 2.2: Structured Encapsulation. The semantic evidence units are encapsulated in a unified format, organizing semantic evidence from different sources and of different types into a predefined data structure for subsequent modeling and processing.
[0048] Step 2.3: Privacy Verification. Perform privacy compliance verification on the encapsulated semantic evidence to ensure that the semantic evidence does not contain original log fields, sensitive identification information, or reversibly recoverable information.
[0049] Step 2.4: Secure Transmission. After passing privacy verification, the semantic evidence is transmitted to the analysis and detection environment via secure communication for subsequent abnormal behavior modeling and detection.
[0050] Step 3: Semantic Evidence Hypergraph Construction:
[0051] By introducing intra-event multi-semantic evidence collaborative behavior relationships and cross-event semantic association relationships, a semantic evidence hypergraph capable of characterizing the high-order structural features of abnormal behavior is constructed.
[0052] Step 3.1: Let the set of semantic evidence nodes be... ,in, Indicates the first A semantic evidence node, ; This represents the total number of semantic evidence nodes; the semantic evidence nodes correspond to the semantic evidence units generated in step 1.
[0053] Step 3.2: Based on the co-occurrence relationships among multiple attack behavior elements in the same attack event, construct an intra-event hyperedge for multiple attack behavior elements belonging to the same attack event, thus forming an intra-event hyperedge set. Let the set of attack behavior elements be... Then the set of superedges within the event is represented as:
[0054] ;
[0055] In this context, each intra-event hyperedge represents the collaborative behavioral relationship among multiple semantic evidence elements within the same behavioral event. A hypergraph structure is constructed using this set of intra-event hyperedges to represent the collaborative behavioral relationships among multiple semantic evidence elements.
[0056] Step 3.3: For the semantic features of semantic evidence elements in multiple behavioral events, use statistical topic models, neural topic models, or semantic clustering methods to perform topic modeling, obtaining the semantic topic representation vector corresponding to each behavioral event. Specifically, this includes:
[0057] (1) Aggregate the semantic evidence element representation vectors in the same behavioral event to form an event-level semantic feature representation;
[0058] (2) Based on the event-level semantic feature representation, a topic modeling algorithm is used to obtain the semantic topic distribution vector;
[0059] The topic modeling algorithms include, but are not limited to: LDA (Latent Dirichlet Allocation) topic model, neural topic model based on variational autoencoder, and semantic clustering model based on Transformer encoder.
[0060] In one embodiment, a neural network-based variational topic model is used to output a K-dimensional semantic topic distribution vector for each behavioral event: ,in Indicates the first A semantic topic representation vector for each behavioral event. This semantic topic representation vector is used for subsequent cross-event semantic association calculations.
[0061] Initial Semantic Evidence Hypergraph From the set of semantic evidence elements With the set of superedges within the event Composition, represented as:
[0062] ;
[0063] The initial semantic evidence hypergraph is used to characterize the collaborative behavioral relationships among multiple semantic evidence elements within the same behavioral event.
[0064] Step 3.4: Construct cross-event associations based on the semantic topic similarity between different behavioral events. This specifically includes:
[0065] (1) Calculate the similarity between any two behavioral event topic vectors. In this embodiment, the cosine similarity calculation method is used:
[0066] ;
[0067] (2) When the similarity is greater than a preset threshold At that time, a cross-event hyperedge is constructed between the semantic evidence elements of the corresponding behavioral events;
[0068] (3) Form a cross-event super-edge set , For the first The and the first Cross-event hyperedges between behavioral events.
[0069] The threshold can be determined by validation set statistics or adaptively selected based on semantic similarity distribution.
[0070] Step 3.5: Set the superedges within the event. With cross-event super-edge set A unified model is performed to form a complete semantic evidence hypergraph structure. , represented as:
[0071] ;
[0072] Step 4: Sparse anomaly detection:
[0073] Sparse anomaly detection is used to analyze anomalous behavior features based on semantic evidence hypergraphs, identifying anomalous behaviors that occur infrequently, exhibit structural abnormalities, or deviate semantically within the overall behavioral pattern. Based on... Figure 5 As shown, the sparse anomaly detection includes the following steps:
[0074] Step 4.1: Hypergraph Input. Input the semantic evidence hypergraph. As input data, we obtain the node features and associated structural information.
[0075] Step 4.2: Feature Aggregation. Feature aggregation is performed on each semantic evidence node and its relationships in the semantic evidence hypergraph to obtain an aggregated representation reflecting the characteristics of multi-entity collaborative behavior.
[0076] Feature aggregation is as follows:
[0077] (1) Construct a node-hyperedge association matrix based on node features and association structure information. :
[0078] ;
[0079] in, For a set of semantic evidence nodes, Indicates the number of semantic evidence nodes; The set of superedges contains the set of superedges within the event. and cross-event super-edge set , Indicates the total number of superedges; if node Belongs to superedge ,but Otherwise, it is 0. This is a matrix symbol.
[0080] (2) Use a hypergraph neural network for feature propagation and aggregation;
[0081] In this embodiment, the following hypergraph convolution operation is used:
[0082] ;
[0083] in, Let be the hyperedge weight matrix, where This represents the total number of hyperedges; the value is set based on the hyperedge type, semantic topic similarity, or statistical co-occurrence strength. This is the node degree matrix; It is the hypermarginality matrix; For the first Layer node feature representation; For the first Layer trainable parameter matrix; For non-linear activation functions; superscript Indicates the number of network layers; after multiple layers of propagation, the final node's high-order semantic aggregation representation is obtained. ;
[0084] Finally, through multi-layer iterative propagation of the hypergraph convolution operation, at the... Node feature representation obtained from the layer This is the higher-order semantic aggregation representation of semantic evidence nodes. The higher-order semantic aggregation representation integrates the multi-hop propagation information of nodes on hyperedges within multiple events and on hyperedges across events, thereby encoding cross-entity collaborative relationships and cross-event semantic association relationships.
[0085] Step 4.3: Anomaly Score Calculation. Based on high-order semantic aggregation representation, anomaly scores are calculated for each behavioral event or semantic evidence to measure its degree of anomaly relative to the overall behavioral pattern. Specifically:
[0086] Construct a normal behavior distribution model and calculate the degree of deviation between the node or event representation and the normal distribution.
[0087] In this embodiment, the node-level anomaly score is defined as:
[0088] ;
[0089] in, For the first The semantic evidence node at the ... The higher-order semantic aggregation representation vector output by the layer, i.e. The corresponding node vector; The mean vector of normal behavior samples in the higher-order semantic representation space is obtained by statistically calculating the higher-order semantic representation of semantic evidence nodes marked as normal behavior.
[0090] For event-level anomaly scoring, the event-level representation is obtained by averaging or weighting the higher-order semantic representations of all semantic evidence nodes within the same behavioral event, and then the above scoring calculation is performed.
[0091] Step 4.4: Sparsity Determination. Combining the anomaly scoring results with the frequency information of behavior occurrence, the sparsity of the behavior pattern is determined, and low-frequency behavior instances with significant semantic deviation features are identified.
[0092] Specifically:
[0093] 1) Analyze the frequency of occurrence of each behavioral pattern. ,in Indicates the first The frequency or number of occurrences of a behavioral pattern in the dataset; frequency can be statistically analyzed based on a sliding time window.
[0094] 2) Construct a joint scoring function:
[0095] ;
[0096] in, For joint scoring; and For weight parameters, Indicates the first Anomaly scoring for each behavioral pattern is achieved by scoring node-level anomalies in all semantic evidence nodes within that behavioral pattern. Obtained by mean or weighted aggregation.
[0097] 3) When the joint score exceeds the threshold, it is judged as sparse abnormal behavior.
[0098] Step 4.5: Abnormal Behavior Determination. Based on the sparsity determination results, identify instances of abnormal behavior and generate abnormal behavior detection results.
[0099] Step 5: Output of Abnormal Behavior:
[0100] The abnormal behavior output step is used to organize, label, and output the detection results from the sparse abnormal behavior detection step, enabling alarms and recording of abnormal behaviors. Based on... Figure 6 As shown, the abnormal behavior output includes the following steps:
[0101] Step 5.1: Detection Result Reception. Receive the abnormal behavior detection results output by the sparse abnormal behavior detection step.
[0102] Step 5.2: Abnormal Behavior Type Labeling. The detected abnormal behaviors are labeled to generate corresponding behavior categories or risk identification information.
[0103] Step 5.3: Output Semantic Evidence. Output semantic evidence associated with the anomalous behavior to support subsequent analysis and tracing.
[0104] Step 5.4: Alarms and Logging. Output the abnormal behavior detection results as alarms or logs for security monitoring, auditing, or response processing.
[0105] Another embodiment of the present invention is: a sparse anomaly detection system based on privacy-preserving semantic evidence, the overall structure of which is shown in the schematic diagram below. Figure 1 As shown, it includes:
[0106] (1) Semantic evidence generation module, used to perform irreversible semantic abstraction processing on the collected multi-source security data, extract semantic evidence elements related to abnormal behavior, and perform semantic encoding on the semantic evidence elements to obtain semantic evidence units of semantic evidence.
[0107] The structural diagram of the evidence generation module is as follows: Figure 2 As shown, it includes:
[0108] 1) Security data acquisition unit, used to acquire multi-source security data.
[0109] 2) Data preprocessing unit, used to perform field normalization, noise filtering and field screening on multi-source security data to obtain behavior-related data.
[0110] 3) Behavior slicing unit, used to segment the behavior-related data at the event level or behavior level to form several behavior segments.
[0111] 4) Semantic abstraction unit, used to perform irreversible semantic abstraction processing on the behavior fragment based on a predefined behavioral semantic element system; extract semantic evidence elements from the behavior fragment, the semantic evidence elements including at least the attack technique or behavior type, the tools or means used, the associated infrastructure and behavior description information.
[0112] 5) Semantic encoding unit, used to semantically encode the extracted semantic evidence elements and map them to a unified vector representation space to obtain semantic evidence units.
[0113] (2) Semantic evidence encapsulation and transmission module, used to encapsulate the generated semantic evidence in a structured manner, perform privacy verification and secure transmission, ensure that the semantic evidence does not contain original log fields or reversible information, and transmit it to the analysis and detection environment.
[0114] The structural diagram of the semantic evidence encapsulation and transmission module is shown below. Figure 3 As shown, it includes:
[0115] 1) Semantic evidence receiving module, used to receive semantic evidence units output by semantic evidence generation module, wherein the semantic evidence units are structured data after irreversible semantic abstraction processing.
[0116] 2) The structured encapsulation module is used to encapsulate the semantic evidence units in a unified format, organizing semantic evidence from different sources and of different types into a predefined data structure for subsequent modeling and processing.
[0117] 3) Privacy verification module, used to verify the privacy compliance of the encapsulated semantic evidence, to ensure that the semantic evidence does not contain original log fields, sensitive identification information or reversible information.
[0118] 4) Secure transmission module, used to transmit the semantic evidence to the analysis and detection environment via secure communication after passing privacy verification, for subsequent abnormal behavior modeling and detection.
[0119] (3) Semantic evidence hypergraph construction module, used to construct a semantic evidence hypergraph containing intra-event hyperedges and cross-event hyperedges based on the semantic evidence elements and their semantic feature representations; wherein, the intra-event hyperedges are constructed based on the co-occurrence relationship of multiple semantic evidence elements in the same behavioral event, and are used to characterize the collaborative behavior relationship of multiple entities; the cross-event hyperedges are constructed based on the semantic theme similarity between different behavioral events, and are used to characterize the semantic association relationship across events.
[0120] The structural diagram of the semantic evidence hypergraph construction module is shown below. Figure 4 As shown, it includes:
[0121] 1) Semantic evidence parsing unit, used to perform structural parsing and field recognition on the received semantic evidence unit, extract behavior type identifier, entity category identifier, event identifier information and corresponding semantic feature vector, and establish the mapping relationship between semantic evidence elements and behavior events.
[0122] 2) Node building unit, used to build a set of semantic evidence nodes based on semantic evidence elements.
[0123] 3) Intra-event association construction unit, used to construct intra-event hyperedges based on the co-occurrence relationship between multiple semantic evidence nodes in the same behavioral event.
[0124] 4) A cross-event association construction unit is used to construct cross-event hyperedges based on the semantic topic similarity between different behavioral events. It performs topic modeling on the semantic evidence features of each behavioral event using statistical topic models, neural topic models, or semantic clustering methods to generate corresponding semantic topic representation vectors, and calculates the semantic topic similarity between behavioral events based on these vectors. When the semantic topic similarity is greater than a preset threshold, a cross-event hyperedge is constructed between the semantic evidence nodes of the corresponding behavioral events.
[0125] 5) Semantic Evidence Hypergraph Generation Unit, used to model intra-event hyperedges and cross-event hyperedges in a unified manner to form a semantic evidence hypergraph.
[0126] (4) Sparse abnormal behavior detection module, which is used to perform feature aggregation on semantic evidence nodes and their associations based on the semantic evidence hypergraph, calculate the abnormal score of each behavioral event or semantic evidence, and make sparsity judgment in combination with the frequency of occurrence of behavior to identify abnormal behavior.
[0127] The structural diagram of the sparse anomaly behavior detection module is shown below. Figure 5 As shown, it includes:
[0128] 1) Hypergraph input unit, used to receive semantic evidence hypergraph.
[0129] 2) Feature aggregation unit, used to perform feature aggregation processing on each semantic evidence node and its association relationship in the semantic evidence hypergraph to obtain an aggregated representation.
[0130] 3) Anomaly scoring calculation unit, used to calculate anomaly scores for each behavioral event or semantic evidence based on aggregate representation.
[0131] 4) Sparsity determination unit, which combines anomaly scores and behavior occurrence frequency to determine sparsity and identify low-frequency behavior instances with significant semantic deviation features.
[0132] 5) Abnormal behavior determination unit, used to determine abnormal behavior instances based on sparsity determination results.
[0133] (5) Abnormal behavior output module, which is used to label the detected abnormal behavior and output the associated semantic evidence in the form of alarm or log record.
[0134] The structural diagram of the abnormal behavior output module is as follows: Figure 6 As shown, it includes:
[0135] 1) Detection result receiving unit, used to receive the abnormal behavior detection results output by the sparse abnormal behavior detection module.
[0136] 2) Abnormal behavior type labeling unit, used to label the detected abnormal behavior and generate the behavior category or risk identification information corresponding to the abnormal behavior.
[0137] 3) The semantic evidence output unit is used to output semantic evidence associated with the abnormal behavior to support subsequent analysis and tracing.
[0138] 4) Alarm and logging unit, used to output abnormal behavior detection results in the form of alarms or logs for security monitoring, auditing or response processing.
[0139] In summary, this invention achieves effective characterization of cross-event reproducibility of abnormal behavior patterns by jointly modeling multiple types of semantic evidence related to abnormal behavior in security data and their high-order collaborative behavior relationships, thereby improving the accuracy, stability and practicality of abnormal behavior detection results.
Claims
1. A privacy-preserving semantic evidence-based sparse anomaly detection method, characterized in that, Includes the following steps: Step 1: Semantic evidence generation: Irreversible semantic abstraction is performed on the collected multi-source security data to extract semantic evidence elements related to abnormal behavior, and the semantic evidence elements are semantically encoded to obtain semantic evidence units; Step 2: Semantic Evidence Hypergraph Construction: Based on the semantic evidence elements and their semantic feature representations, a semantic evidence hypergraph containing intra-event hyperedges and cross-event hyperedges is constructed; wherein, the intra-event hyperedges are constructed based on the co-occurrence relationship of multiple semantic evidence elements in the same behavioral event, and are used to characterize the collaborative behavior relationship of multiple entities; the cross-event hyperedges are constructed based on the semantic theme similarity between different behavioral events, and are used to characterize the semantic association relationship across events; Step 3: Sparse Anomaly Detection: Based on the semantic evidence hypergraph, feature aggregation is performed on the semantic evidence nodes and their relationships, anomaly scores are calculated for each behavioral event or semantic evidence, and sparsity is determined by combining the frequency of behavior occurrence to identify abnormal behaviors.
2. The sparse anomaly detection method based on privacy-preserving semantic evidence according to claim 1, characterized in that, Step 1 specifically includes: Step 1.1: Obtain multi-source security data, including host logs, network traffic logs, system audit records, and security alarm information; Step 1.2: Preprocess the multi-source security data, including field normalization, noise filtering, and field selection, to obtain behavior-related data; Step 1.3: Segment the behavior-related data at the event level or behavior level to form several behavior segments; Step 1.4: Based on a predefined behavioral semantic element system, perform irreversible semantic abstraction on the behavioral fragments to extract semantic evidence elements related to abnormal behavior from the behavioral fragments; the irreversible semantic abstraction specifically includes: 1) Construct a behavioral semantic element mapping rule base, which includes attack technology label mapping rules, tool category mapping rules, infrastructure type mapping rules, behavioral action template rules, behavioral stage mapping rules, and semantic category normalization rules; the rule base is used to map specific field values in the original logs to a predefined abstract semantic category space to achieve semantic hierarchical reduction; 2) Perform structured parsing on the original fields in the behavior fragment to extract the behavior subject, behavior action, behavior object, and related resource information; where the behavior subject includes processes, users, hosts, or service entities; behavior actions include execution, derivation, access, communication, or loading; behavior objects include files, processes, network addresses, registry entries, or system resources; and related resources include tool names, infrastructure identifiers, or attack technology identifiers. 3) Perform semantic normalization on the extracted fields, mapping specific log field values to abstract semantic tags; 4) Delete the original field values or irreversibly transform them, retaining only abstract semantic labels and behavioral structure relationship information to ensure that the semantic evidence does not contain recoverable original log information; specifically, the following measures are taken to ensure irreversibility: do not retain the original field values; do not save any reverse mapping relationships or recoverable mapping tables; use a local anonymization encoding mechanism for entity identifiers so that entity identifiers are only valid within the current behavioral fragment; or use one-way hashing with random salt values before semantic category mapping; do not output globally stable identifiers that can be used for cross-system association; do not retain timestamps, paths, complete addresses, or precise command parameters that can be used to reconstruct the original log fields; Step 1.5: Perform semantic encoding processing on the extracted semantic evidence elements, specifically including: 1) An embedding encoding method is used for discrete semantic tags to map each type of semantic element into a low-dimensional vector representation; and the low-dimensional vector representation is a continuous real value that cannot be reduced to the original field. The encoding model does not output a reverse mapping function; the original semantic text or field value is not retained after encoding. 2) The behavioral description text is semantically vectorized using a pre-trained language model to obtain a semantic embedding representation; 3) The vector representations of different types of semantic elements are spliced or weighted and merged to form a unified dimension of semantic evidence unit vector representation.
3. The sparse anomaly detection method based on privacy-preserving semantic evidence according to claim 1, characterized in that, Step 2 specifically includes: Step 2.1: Let the set of semantic evidence nodes be... ,in, Indicates the first A semantic evidence node, ; This represents the total number of semantic evidence nodes; each semantic evidence node corresponds to a semantic evidence unit generated in step 1. Step 2.2: Based on the co-occurrence relationships among multiple attack behavior elements in the same attack event, construct an intra-event hyperedge set. Superedge within each event It indicates the collaborative behavioral relationship among multiple semantic evidence elements in the same behavioral event; Step 2.3: For the semantic features of semantic evidence elements in multiple behavioral events, use statistical topic models, neural topic models, or semantic clustering methods to perform topic modeling, obtaining the semantic topic representation vector corresponding to each behavioral event. Specifically, this includes: 1) Aggregate the semantic evidence element representation vectors in the same behavioral event to form an event-level semantic feature representation; 2) Based on the event-level semantic feature representation, a topic modeling algorithm is used to obtain the semantic topic distribution vector; specifically, a variational topic model based on a neural network is used to output the semantic topic distribution vector for each behavioral event. Dimensional semantic topic distribution vector: ,in Indicates the first Semantic topic representation vectors for each behavioral event; Step 2.4: Construct cross-event associations based on the semantic topic similarity between different behavioral events, specifically including: 1) Calculate the similarity between any two behavioral event topic vectors using cosine similarity. : ; in, Indicates the first Semantic topic representation vectors for each behavioral event; 2) When the similarity is greater than a preset threshold At that time, a cross-event hyperedge is constructed between the semantic evidence elements of the corresponding behavioral events; 3) Form a cross-event superedge set , For the first The and the first Cross-event hyperedges between individual behavioral events; Step 2.5: Set the superedges within the event and cross-event super-edge set A unified model is performed to form a semantic evidence hypergraph: .
4. The sparse anomaly detection method based on privacy-preserving semantic evidence according to claim 1, characterized in that, Step 3 includes: Step 3.1: Transform the semantic evidence hypergraph As input, obtain the set of semantic evidence nodes. Set of superedges within an event and cross-event super-edge set And based on the hypergraph structure, node features and associated structural information are extracted; Step 3.2: Perform feature aggregation processing on each semantic evidence node and its relationships in the semantic evidence hypergraph, specifically including: 1) Based on the aforementioned semantic evidence hypergraph Construct the node-hyperedge association matrix : ; in, Indicates the number of semantic evidence nodes; The set of superedges contains the set of superedges within the event. and cross-event super-edge set , Indicates the total number of superedges; if node Belongs to superedge ,but Otherwise, it is 0; 2) Hypergraph neural networks are used for feature propagation and aggregation, specifically: ; in, Let be the hyperedge weight matrix, where This represents the total number of hyperedges; the value is set based on the hyperedge type, semantic topic similarity, or statistical co-occurrence strength. This is the node degree matrix; It is the hypermarginality matrix; For the first Layer node feature representation; For the first Layer trainable parameter matrix; For non-linear activation functions; superscript Indicates the number of network layers; after multiple layers of propagation, the final node's high-order semantic aggregation representation is obtained. ; Step 3.3: Based on the aforementioned high-order semantic aggregation representation, calculate anomaly scores for semantic evidence nodes or behavioral events; the node-level anomaly score is defined as follows: ; in, For the first The semantic evidence node at the ... The higher-order semantic aggregation representation vector output by the layer; The mean vector of normal behavior samples in the higher-order semantic representation space is obtained by statistically calculating the higher-order semantic representation of semantic evidence nodes marked as normal behavior. For event-level anomaly scoring, the event-level representation is obtained by averaging or weighting the higher-order semantic representations of all semantic evidence nodes within the same behavioral event, and then the above scoring calculation is performed. Step 3.4: Combining the anomaly scoring results with the frequency of behavior occurrence, determine the sparsity of the behavior pattern and identify low-frequency behavior instances with semantic deviation features, specifically: 1) Analyze the frequency of occurrence of each behavioral pattern. ,in Indicates the first The frequency or number of occurrences of a behavioral pattern in the dataset; 2) Construct a joint scoring function: ; in, For joint scoring; and For weight parameters, Indicates the first Anomaly scoring for each behavioral pattern is achieved by scoring node-level anomalies in all semantic evidence nodes within that behavioral pattern. Obtained by mean or weighted aggregation; 3) When the joint score exceeds the threshold, it is judged as sparse abnormal behavior; Step 3.5: Based on the sparsity determination results, identify instances of abnormal behavior and output the abnormal behavior detection results.
5. The sparse anomaly detection method based on privacy-preserving semantic evidence according to claim 1, characterized in that, Between steps 1 and 2, there is also a semantic evidence encapsulation and transmission step: the generated semantic evidence unit is structurally encapsulated, privacy verified and securely transmitted to ensure that the semantic evidence does not contain original log fields or reversible information, and is transmitted to the analysis and detection environment; after step 3, there is also an abnormal behavior output step: the detected abnormal behavior is labeled with type and the associated semantic evidence is output in the form of alarm or log record.
6. A sparse anomaly behavior detection system based on privacy-preserving semantic evidence, characterized in that, include: The semantic evidence generation module is used to perform irreversible semantic abstraction processing on the collected multi-source security data, extract semantic evidence elements related to abnormal behavior, and semantically encode the semantic evidence elements to obtain semantic evidence units. The semantic evidence hypergraph construction module is used to construct a semantic evidence hypergraph containing intra-event hyperedges and cross-event hyperedges based on the semantic evidence elements and their semantic feature representations. The intra-event hyperedges are constructed based on the co-occurrence relationship of multiple semantic evidence elements in the same behavioral event, and are used to characterize the collaborative behavior relationship of multiple entities. The cross-event hyperedges are constructed based on the semantic theme similarity between different behavioral events, and are used to characterize the semantic association relationship across events. The sparse abnormal behavior detection module is used to perform feature aggregation on semantic evidence nodes and their relationships based on the semantic evidence hypergraph, calculate the abnormal score of each behavioral event or semantic evidence, and determine the sparsity by combining the frequency of behavior occurrence, thereby identifying abnormal behavior.
7. The sparse anomaly detection system based on privacy-preserving semantic evidence according to claim 6, characterized in that, The semantic evidence generation module includes: A security data acquisition unit is used to acquire security data from multiple sources. The data preprocessing unit is used to perform field normalization, noise filtering, and field selection on multi-source security data to obtain behavior-related data. The behavior slicing unit is used to segment the behavior-related data at the event level or the behavior level to form several behavior segments. A semantic abstraction unit is used to perform irreversible semantic abstraction processing on the behavior fragment based on a predefined system of behavioral semantic elements; and to extract semantic evidence elements from the behavior fragment, wherein the semantic evidence elements include at least the attack technique or behavior type, the tools or means used, the associated infrastructure, and the behavior description information. Semantic encoding units are used to semantically encode the extracted semantic evidence elements and map them to a unified vector representation space to obtain semantic evidence units.
8. The sparse anomaly detection system based on privacy-preserving semantic evidence according to claim 6, characterized in that, The semantic evidence hypergraph construction module includes: Node building unit, used to construct a set of semantic evidence nodes based on semantic evidence elements; The intra-event association building unit is used to construct intra-event hyperedges based on the co-occurrence relationship between multiple semantic evidence nodes in the same behavioral event; The topic modeling unit is used to perform topic modeling on the semantic features of semantic evidence elements in multiple behavioral events, and obtain the semantic topic representation vector corresponding to each behavioral event; The cross-event association construction unit is used to construct cross-event hyperedges based on the semantic theme similarity between different behavioral events. When the semantic theme similarity between two behavioral events is greater than a preset threshold, a cross-event hyperedge is constructed between the semantic evidence nodes of the corresponding behavioral events. The Semantic Evidence Hypergraph Generation Unit is used to model intra-event hyperedges and cross-event hyperedges in a unified manner to form a semantic evidence hypergraph.
9. The sparse anomaly behavior detection system based on privacy-preserving semantic evidence according to claim 6, characterized in that, The sparse anomaly behavior detection module includes: The hypergraph input unit is used to receive the semantic evidence hypergraph; The feature aggregation unit is used to perform feature aggregation processing on each semantic evidence node and its relationship in the semantic evidence hypergraph to obtain an aggregated representation. Anomaly scoring calculation unit, used to calculate anomaly scores for each behavioral event or semantic evidence based on aggregated representation; The sparsity determination unit is used to combine the anomaly score and the frequency of behavior occurrence to determine sparsity and identify low-frequency behavior instances with significant semantic deviation features. The abnormal behavior determination unit is used to determine instances of abnormal behavior based on the sparsity determination results.
10. The sparse anomaly detection system based on privacy-preserving semantic evidence according to claim 6, characterized in that, It also includes a semantic evidence encapsulation and transmission module, which is used to encapsulate the generated semantic evidence in a structured manner, perform privacy verification and secure transmission, ensure that the semantic evidence does not contain original log fields or reversibly reproducible information, and transmit it to the analysis and detection environment; It also includes an abnormal behavior output module, which is used to label the detected abnormal behavior and output the associated semantic evidence in the form of alarms or log records.