A method and system for monitoring and early warning of abnormal information for instant messaging platforms
By generating propagation intent fingerprints and abnormal propagation status units in instant messaging platforms, and combining contextual consistency verification and propagation deviation verification, the problems of false alarms and delayed identification of disguised and diffusion-type abnormal information in existing technologies are solved, and efficient early warning and response linkage are achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- GUANGXI BAISE YINGHUI TECH CO LTD
- Filing Date
- 2026-04-29
- Publication Date
- 2026-07-03
AI Technical Summary
Existing instant messaging platforms struggle to identify disguised and disseminated abnormal information mixed in with normal business communications by combining the message's sequential relationship within the session context, changes in the target audience during propagation, and the characteristics of time evolution. This results in a high false alarm rate and delayed identification, affecting the accuracy of monitoring and the timeliness of response.
By collecting original communication records from instant messaging platforms, message context normalization fragments are generated, semantic inducement features and context deviation features are extracted, and a propagation intent fingerprint is generated. These fingerprints are then spliced together to form an abnormal propagation situation unit. Combined with context consistency verification and propagation deviation verification, the evolution state is determined, and finally, a handling constraint warning result is generated.
It enables continuous identification and accurate hierarchical early warning of disguised and disseminated abnormal information, improves the executability and adaptability of monitoring and early warning, and enables closed-loop linkage between early warning results and actual handling actions, which is in line with the changes in tenant business context and dissemination patterns.
Smart Images

Figure CN122339944A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of instant messaging security early warning technology, specifically to a method and system for monitoring and warning of abnormal information on instant messaging platforms. Background Technology
[0002] As enterprises increasingly rely on instant messaging platforms for collaborative office work, production scheduling, customer service referrals, and external liaison, the types of information carried on these platforms have expanded from ordinary communication to include task assignment, progress tracking, document transfer, link access, and attachment confirmation. Existing instant messaging platforms' anomaly monitoring and early warning technologies typically detect factors such as message content, sending frequency, keyword matching, group activity, and abnormal account activity, and output alerts when preset conditions are met. These technologies are effective in identifying clearly illegal content, abnormal group activity, or known risk patterns, and can meet basic monitoring needs in some scenarios.
[0003] However, in practical applications, abnormal information does not always appear directly as a single suspicious message or a single abnormal behavior. More often, it is interspersed within normal business communication processes, entering the conversation under the guise of notifications, reminders, confirmations, transfers, and document submissions, and then gradually spreading along paths such as group chats, one-on-one chats, replies, quotations, and forwarding. For this type of information, if judgment is based solely on the content of a single message, a single sending action, or static rules, two types of situations often arise: one is that high-frequency notifications, team reminders, and customer service transfer information in normal business are misjudged as abnormal; the other is that abnormal information appears to conform to the business context but continues to spread across multiple conversations and gradually deviates from the normal collaboration boundary, making it difficult to identify in a timely manner. Especially during continuous changes such as cross-group propagation, group-to-one chat conversion, external link migration, and expansion of the target scope, the alarm results output by existing technologies are prone to deviation from the actual handling priorities, affecting the accuracy of on-site monitoring and the timeliness of handling.
[0004] Therefore, existing technologies still need to further address the following issue: In instant messaging platforms, when faced with disguised and spreading abnormal information mixed in with normal business communication, how to combine the message's sequential relationship in the conversation context, the object changes during the propagation process, and the characteristics of time evolution to conduct continuous identification and hierarchical early warning that are closer to the actual business scenario, thereby avoiding the problems of high false alarms, delayed identification, and inconsistencies between early warning results and actual handling needs caused by relying solely on a single message or single behavior judgment. Summary of the Invention
[0005] To address the shortcomings of existing technologies, this invention provides a method and system for monitoring and warning of abnormal information on instant messaging platforms, thereby solving the problems mentioned in the background section.
[0006] To achieve the above objectives, the present invention provides the following technical solution: a method for monitoring and early warning of abnormal information for instant messaging platforms, comprising: S1. Collect raw communication records from the instant messaging platform, and organize them according to session identifier, sender, receiver, time location, and reply reference relationship to generate message context unified fragments. S2. Based on the message context normalization fragment, extract semantic inducement features, context deviation features, propagation rhythm features, relationship penetration features, and carrier migration features to generate a propagation intent fingerprint; S3. Based on the reference sequence relationship, semantic skeleton correspondence relationship, propagation object continuity relationship, and propagation time window association relationship, multiple propagation intention fingerprints are spliced together to generate an abnormal propagation situation unit. S4. For abnormal propagation situation units, perform contextual consistency verification and propagation deviation verification to determine the evolution state of abnormal propagation situation units; S5. Based on the evolution status, combined with the propagation range, propagation path, and semantic skeleton of the abnormal propagation situation unit, generate early warning results for handling constraints; S6. Based on the feedback from the handling, the determination template for the propagation intent fingerprint, the contextual consistency baseline, and the propagation deviation baseline are revised and used for monitoring and early warning of subsequent original communication records.
[0007] Furthermore, S1 includes: Align the message log, reply chain log, reference chain log, and member delivery log in the original communication record using the message identifier as the primary key and the time position as the secondary key; Complete the receiving object based on the session member snapshot, and complete the reply reference relationship based on the preceding and following related logs; After being routed by session identifier, message context normalization fragments are generated based on the continuity of the sending subject, the overlap of the receiving object, and the continuation of the reply reference relationship.
[0008] Furthermore, S2 includes: Read the session identifier, sender sequence, receiver sequence, time location sequence, reply reference relationship sequence, message body fragment sequence, and attachment reference address sequence from the message context normalized fragment; Five types of features were extracted by combining the session history database, organizational relationship directory, and attachment access logs; Five types of features are written into the fingerprint storage area in a fixed field order to form a propagation intent fingerprint.
[0009] Furthermore, S3 includes: Read the response reference sequence, message body fragment sequence, receiving object sequence, sending body sequence, and time location sequence corresponding to the propagation intent fingerprint; The propagation intent fingerprint is determined based on the citation sequence relationship, semantic skeleton correspondence relationship, propagation object continuity relationship, and propagation time window association relationship. Write the consistent propagation intent fingerprint into the situation unit storage area to form an abnormal propagation situation unit.
[0010] Furthermore, S4 includes: Read the semantic skeleton sequence, diffusion trajectory of the receiving object, time and location trajectory, and distribution of the sending entity of the abnormal propagation situation unit; Combine the conversation history database, organizational relationship directory, and business arrangement information to perform contextual consistency verification and propagation deviation verification; The evolutionary state is determined based on the contextual consistency check level and the propagation deviation check level, and then written into the evolutionary state record area.
[0011] Furthermore, S5 includes: Read the evolution state, the diffusion trajectory of the receiving object, the time and location trajectory, the reference inheritance chain, the semantic skeleton sequence, the distribution of the session identifier, and the distribution of the sending subject; The propagation range is determined based on the diffusion trajectory of the receiving object and the distribution of session identifiers; the propagation path is determined based on the reference inheritance chain, time and location trajectory, distribution of session identifiers, and distribution of sending entities; and the warning level is determined based on the evolution status, propagation range, propagation path, and semantic skeleton.
[0012] Furthermore, when the evolutionary state is in the formation state, a warning result of disposal constraints with additional risk traceability is generated; When the evolutionary state is in the probing state, generate warning results for handling constraints such as additional identity verification prompts and secondary confirmation of external links; When the evolutionary state is in the diffusion state, generate early warning results for the processing constraints of the same skeleton message rate limit and manual review priority queue; When the evolution state is solidified, the system generates warning results for handling constraints of temporary interception, significant risk warning, and emergency response work orders.
[0013] Furthermore, S6 includes: Read the results of handling constraint warnings, manual review records, platform control logs, and subsequent audit logs; The judgment template, contextual consistency baseline, and dissemination deviation baseline were revised based on the feedback received. The revised judgment template version number, contextual consistency baseline version number, and propagation deviation baseline version number will be written into the rule version library and used in subsequent monitoring and early warning links.
[0014] On the other hand, the present invention provides an abnormal information monitoring and early warning system for instant messaging platforms, comprising: The original communication record normalization module is used to collect the original communication records in the instant messaging platform and normalize them according to the session identifier, sender, receiver, time location, and reply reference relationship to generate message context normalization fragments. The propagation intent fingerprint generation module is used to extract semantic inducement features, context deviation features, propagation rhythm features, relationship penetration features, and carrier migration features based on message context normalization fragments to generate a propagation intent fingerprint. The abnormal propagation situation unit generation module is used to concatenate multiple propagation intent fingerprints according to the reference inheritance relationship, semantic skeleton correspondence relationship, propagation object continuity relationship, and propagation time window association relationship to generate abnormal propagation situation units. The evolution state determination module is used to perform contextual consistency verification and propagation deviation verification on abnormal propagation situation units to determine the evolution state of the abnormal propagation situation units. The module for generating early warning results of handling constraints is used to generate early warning results of handling constraints based on the evolution status and in combination with the propagation range, propagation path and semantic skeleton of the abnormal propagation situation unit. The feedback correction module is used to correct the judgment template of the propagation intent fingerprint, the contextual consistency baseline, and the propagation deviation baseline based on the handling feedback, and is used for monitoring and early warning of subsequent original communication records.
[0015] Compared with the prior art, the present invention has the following beneficial effects: 1. By normalizing and organizing the original communication records in the instant messaging platform to form message context normalization fragments, and further extracting the propagation intent fingerprint and splicing them to generate abnormal propagation situation units, and then combining contextual consistency verification and propagation deviation verification to determine the evolution state, the goal of continuously identifying, accurately classifying and providing early warning of disguised and spreading abnormal information mixed in with normal business communication is achieved. This solves the technical problem that existing technologies rely only on single message content, single sending behavior or static rule judgment, which leads to inconsistent warning results with actual handling priorities, easy false alarms and difficulty in timely identification of continuously spreading abnormal information.
[0016] 2. By generating early warning results for handling constraints based on the evolution status and in combination with the propagation scope, propagation path and semantic skeleton, and then correcting the judgment template of propagation intent fingerprint, contextual consistency baseline and propagation deviation baseline based on the handling feedback, the goal of achieving closed-loop linkage between monitoring and early warning results and the platform's actual handling actions, continuously aligning with the changes in tenant business context and propagation form, and improving the executability, stability and adaptability of abnormal information monitoring and early warning. Attached Figure Description
[0017] Figure 1This is a flowchart illustrating an abnormal information monitoring and early warning method for instant messaging platforms according to the present invention. Figure 2 This is a schematic diagram of the structure of an abnormal information monitoring and early warning system for an instant messaging platform according to the present invention; Figure 3 This is a schematic diagram illustrating the process of determining the formation and evolution state of the abnormal propagation state unit in this invention. Detailed Implementation
[0018] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0019] Example 1: Combined with Appendix Figures 1-3 This embodiment provides a method for monitoring and warning of abnormal information on instant messaging platforms, including: S1. Collect raw communication records from the instant messaging platform, and normalize them according to session identifier, sender, receiver, time location, and reply reference relationship to generate a message context normalized fragment. The specific implementation is as follows: First, a normalization and organization program deployed on the access side of the enterprise instant messaging platform continuously receives raw communication records as messages arrive at the gateway, session archive node, or audit mirror node. Within a single platform tenant, records within the same collection interval are normalized and organized according to a unified time reference. The raw communication records are taken from message logs, reply chain logs, reference chain logs, member delivery logs, and session metadata logs in group chat sessions, one-on-one chat sessions, and announcement sessions. The on-site location is between the message gateway server, session storage server, audit trail server, and operation and maintenance management terminal. The execution is completed by the platform-side monitoring service program in conjunction with the operation and maintenance audit process. The collection interval can be set as a continuous arrival interval within a rolling time window. The effective time period covers working hours, duty hours, and batch notification hours, and is sequentially connected with the downstream propagation intent fingerprint generation process through internal call interfaces.
[0020] During the unification and processing, the following information is first obtained from the message log: session identifier, sender, recipient, sending timestamp, message identifier, message body fragment, and attachment reference address. The reply chain log is used to obtain the replied message identifier and reply creation time. The reference chain log is used to obtain the referenced message identifier and reference creation time. The member delivery log is used to obtain the recipient's expanded result and delivery time. The session identifier is a unique session code within the platform, stored as a string. The sender is the account identifier that initiated the message. The recipient is the set of actual receiving accounts within the session. The sending timestamp, reply creation time, and reference creation time are all recorded in milliseconds. The log submission rhythm follows the message arrival rhythm to form a real-time append stream, with a time deviation tolerance set to no more than 50 milliseconds.
[0021] During alignment, the message identifier is used as the primary key and the timestamp as the order key to merge corresponding records of the same message in different logs into the same record item. During noise reduction, platform heartbeat packets, withdrawal placeholder records, duplicate delivery confirmation records, and incomplete records with missing fields that cannot be filled in are removed. During completion, if the recipient is missing, the actual receiving account set is filled in based on the session member snapshot at the time the message was sent. If the reply reference relationship is missing, it is filled in by reverse lookup based on the message identifier in the related logs before and after. The completion range is limited to the current scrolling time window. Records outside this range retain the missing item mark and do not participate in the current segment generation.
[0022] After basic organization, messages are first routed according to session identifiers. Within each session, they are arranged in ascending order by sending timestamp. Then, message context-unified segments are formed based on the continuity of the sending entity, the overlap of receiving objects, and the continuity of reply reference relationships. Each message context-unified segment is a set of records within the same session that have temporal and semantic continuity relationships during continuous communication. It is generated within a local observation window after a message arrives. This observation window can be set from 30 to 300 seconds, with a default of 120 seconds. The starting trigger condition is the arrival of a new message falling into an unsealed segment, and the stopping condition is the observation window closing. The observation window expires, session switches, reply reference chains break after a set number of times, or the set of receiving objects changes beyond a threshold; the overlap of receiving objects is determined by comparing the intersection ratio of receiving account sets in adjacent records, with the ratio threshold set to 0.5 to 0.9, and the default value being 0.7. The parameter is locked to the rule version after offline calibration of the platform's historical communication samples before going online; the continuity of the sending subject is determined by the number of times the same sending subject continuously sends messages within the observation window, which can be set to 2 to 10 times; the continuation of reply reference relationships is determined by whether the current record references or replies to a previous record.
[0023] After generating a unified message context fragment, the normalization and sorting program writes the fragment content into the fragment storage area in a fixed field order. The fields include at least the fragment identifier, rule version, session identifier, sender sequence, receiver sequence, time and location sequence, reply reference relationship sequence, original message identifier sequence, and trace summary. The fragment is stored in the audit database in the form of structured text records and is simultaneously written to the append-only trace log. Downstream processes retrieve fragments according to their identifiers and cross-version mixing is not allowed.
[0024] To ensure unique results in concurrent scenarios, the normalization and sorting program uses an idempotent key composed of a session identifier, the first message identifier, and the rule version. The same idempotent key can only be written once, and if a duplicate message arrives, the existing fragment identifier is returned. Sequence control adopts a first-in-first-out-of-order approach. Reordering is performed within a range of no more than 5 out-of-order messages or a buffer delay of no more than 2 seconds. If the range is exceeded, an out-of-order flag is recorded and the message is added to a compensation queue. The number of compensation retries can be set to 3, the interval between each retry can be set to 200 milliseconds, and the overall sorting delay can be set to a maximum of 1 second.
[0025] The minimum implementation set of the interface can be implemented through internal service calls. The request content should at least include the tenant identifier, rule version, time window start and end, and original record batch number. The return content should at least include the fragment identifier, fragment count, missing item flag, and trace number. When the session identifier is missing, the return code is 1001. When the timestamp reverse order exceeds the limit, the return code is 1002. When the received object cannot be completed, the return code is 1003. When the version is inconsistent, the return code is 1004. The error record will be written to the operation and maintenance audit log.
[0026] This step is applicable to enterprise office collaboration, customer service work order collaboration, and production scheduling group collaboration scenarios, but not to anonymous open chat rooms that do not provide session identifiers or cannot obtain reply reference relationships; the security and compliance boundary is limited to processing audit mirror copies only within authorized tenants, without rewriting the original message content, and without sending back the recipient details to unauthorized personnel.
[0027] During on-site inspection, no less than 500 conversation segments can be sampled for inspection to check the message sequence consistency rate, reply citation completion rate, and recipient filling accuracy rate within the segment. Preferably, the sequence consistency rate should be no less than 99%, the completion rate should be no less than 95%, and the duplicate segment rate should be no higher than 0.5%.
[0028] In a preferred embodiment, on an enterprise platform with 8,000 employee accounts, under mixed working conditions of early shift notifications, equipment maintenance collaboration, and customer service upgrade transfers, an average of 180 raw communication records per second are collected within a 120-second rolling time window. The time deviation tolerance is set to 20 milliseconds, the overlap ratio threshold for receiving objects is set to 0.75, the number of consecutive sending subjects is set to 3, and the out-of-order buffer is set to 1 second. Finally, 423,000 message context normalization fragments are generated from 1.56 million records over a continuous 24-hour period, with a sequence consistency rate of 99.4%, a receiving object backfill accuracy rate of 98.7%, and a single batch processing latency controlled within 620 milliseconds. In an alternative approach, when the session archive node is unavailable, the same-caliber normalization can be completed directly from the message queue replica plus member directory snapshot. As long as the field definitions, sorting rules, idempotent key composition, and version locking methods of the session identifier, sending subject, receiving object, time position, and reply reference relationship are kept consistent, they should all fall within the scope of this step.
[0029] S2. Based on the message context normalization fragment, extract semantic inducement features, context deviation features, propagation rhythm features, relationship penetration features, and carrier migration features to generate a propagation intent fingerprint. The specific implementation is as follows: First, the propagation intent fingerprint generation program reads the message context segment by segment according to the segment identifier, and immediately completes feature extraction and propagation intent fingerprint generation after the current segment is closed. The program can be deployed on the same node of the audit database, the streaming computing node, or the security analysis server. The execution entity is the platform-side monitoring service program. The call time period is connected to the end of the time period after the previous step of normalization and sorting. It is suitable for fine-grained identification of the continuous propagation intent of messages in enterprise office collaboration, production scheduling collaboration, customer service upgrade collaboration, and external communication collaboration scenarios. It is not suitable for isolated offline text that lacks a conversation history baseline, member relationship record, or attachment access record.
[0030] During extraction, the session identifier, sender sequence, receiver sequence, time and location sequence, reply reference sequence, message body fragment sequence, and attachment reference address sequence are first obtained from the message context unified fragment. Then, the historical keyword fragments, common receiver ranges, common sending time periods, and common reply intervals of the same session within the baseline observation period are obtained from the session history database. Next, the job level relationship, departmental affiliation relationship, and collaboration authorization relationship between the sender and receiver are obtained from the organizational relationship directory. Finally, the attachment opening time, external link jump time, and download action records are obtained from the attachment access log. Among them, the semantic inducement feature is the in-fragment inducement intensity formed by statistically analyzing the occurrence position, consecutive occurrence frequency, and sequence order of reminder expressions, instruction transfer expressions, identity borrowing expressions, link guiding expressions, and sensitive operation triggering expressions in the current fragment observation window. It is obtained by comparing sentence by sentence according to a fixed term list and context sequence rules, and the typical value range can be set to level 0 to level 5. The context deviation feature is the in-fragment inducement intensity formed by statistically analyzing the occurrence position, consecutive occurrence frequency, and sequence order of reminder expressions, instruction transfer expressions, identity borrowing expressions, link guiding expressions, and sensitive operation triggering expressions in the current fragment. Within the observation window, the deviation is obtained by comparing the current segment's topic segment, sending time period, recipient range, and reply acceptance depth with the corresponding quantities of the same session within the baseline observation period. The baseline observation period can be set to the last 7 to the last 30 days. The propagation rhythm feature is a rhythm quantity formed by statistically analyzing the interval between adjacent messages, the number of consecutive deliveries, and the cross-session transfer interval on the time position sequence, in seconds, obtained by the continuous time difference from the segment's start to the end. The relationship penetration feature is a penetration quantity formed by comparing whether the current recipient sequence breaks through the historically commonly used contact boundaries of the sending subject within the job level, department boundary, and authorization boundary recorded in the organizational relationship directory, obtained by comparing each recipient within the current segment. The carrier migration feature is a migration quantity formed by comparing whether there is a migration order within the same segment from text communication to attachments, external links, download pages, and private chat landing points between the message body segment sequence and the attachment reference address sequence and attachment access log, obtained by comparing in chronological order from the time the message arrives until the attachment access record is returned.
[0031] To ensure consistency, before feature extraction, the text, attachments, and access records within the fragment are aligned according to the message identifier. System template signatures, emoji placeholders, duplicate forwarding endnotes, and expired external link placeholder records are removed. For missing session history baselines, the most recent valid baseline is only obtained under the same type of session in the current tenant. For missing organizational relationship records, the missing item mark is retained and downgraded to use the historical interaction frequency of the receiving object to replace it, without supplementing across tenants.
[0032] The propagation intent fingerprint is generated within a local observation window after the current segment is sealed. The local observation window can be set from 0 to 2 seconds after the segment is sealed, with a default of 1 second. The trigger condition is the completion of writing the message context unified segment, and the stop condition is the acquisition of all 5 types of features or the delay limit is exceeded. During generation, the segment identifier, rule version, semantic inducement feature value, context deviation feature value, propagation rhythm feature value, relationship penetration feature value, carrier migration feature value, and trace number are written in a fixed field order to form a structured text record and store it in the fingerprint storage area. The next stage will retrieve it in the order of segment identifiers. Cross-rule version mixing is not allowed.
[0033] Upstream and downstream connections can be made through internal service calls or message queue push methods. The request content must carry at least a fragment identifier, rule version, and tenant identifier. The returned content must carry at least a propagation intent fingerprint identifier, 5 types of feature values, and a missing item flag. When the session history baseline is missing, code 2001 is returned. When the missing organizational relationship record reaches the threshold, code 2002 is returned. When the attachment access log times out and is not returned, code 2003 is returned. When the rule version is inconsistent, code 2004 is returned, and the information is synchronously written to the audit log.
[0034] To ensure idempotency and deduplication, an idempotency key is formed by combining a fragment identifier with a rule version. Only one propagation intent fingerprint is generated for the same idempotency key, and repeated calls will directly return the existing result. The fragments are executed in the order they are written, and out-of-order fragments enter a waiting queue. The waiting time can be set to 500 milliseconds, the number of retries can be set to 3, and the concurrency can be controlled by fragmentation per tenant.
[0035] During on-site inspection, samples can be taken from no less than 5,000 message context normalization fragments to check the completeness rate of five types of features, fingerprint generation latency, and cross-day recalculation consistency rate. Preferably, the feature completeness rate is not less than 97% and the recalculation consistency rate is not less than 99%.
[0036] In the preferred embodiment, on a manufacturing enterprise platform containing 680 collaborative groups and 9200 employee accounts, the system continuously operates for 24 hours under mixed working conditions, including equipment maintenance notifications, shift scheduling reminders, procurement outsourcing liaisons, and customer service upgrade transfers. The baseline observation period is 14 days, the local observation window is 1 second, the semantic induction feature is graded from level 0 to level 5, and the relationship penetration boundary is jointly determined by the department boundary and the authorization boundary. Finally, 436,000 propagation intent fingerprints are generated from 436,000 message context normalization fragments, with an average generation latency of 430 milliseconds, a feature completeness rate of 98.4%, and a cross-day recalculation consistency rate of 99.3%. In an alternative approach, when the organizational relationship directory is unavailable, the historical collaboration frequency boundary and the commonly used contact scope boundary can be used to generate relationship penetration features before the rule version is locked. As long as the field definitions, value levels, traceability methods, idempotent key composition, and downstream call caliber of the five feature types are consistent, they all fall within the implementation scope of this step.
[0037] S3. Based on the reference sequence relationship, semantic skeleton correspondence relationship, propagation object continuity relationship, and propagation time window association relationship, multiple propagation intent fingerprints are concatenated to generate an abnormal propagation situation unit. The specific implementation is as follows: First, the situation splicing program reads the propagation intent fingerprints generated continuously within the same tenant range according to the order of the propagation intent fingerprint identifier. After the current fingerprint enters the splicing observation window, it performs splicing judgments in sequence based on the reference inheritance relationship, semantic skeleton correspondence relationship, propagation object continuity relationship, and propagation time window association relationship. Multiple propagation intent fingerprints that meet the splicing conditions are merged into the same abnormal propagation situation unit. The situation splicing program can be deployed on the security analysis server, the adjacent node of the audit database, or the streaming computing node. The execution entity is the platform-side monitoring service program. The period of operation covers the continuous communication period of office collaboration, production scheduling collaboration, external cooperation liaison collaboration, and customer service upgrade collaboration. It connects the propagation intent fingerprint generation stage upstream and the evolution status judgment stage downstream. The purpose is to merge the continuous propagation intents that appear in multiple message contexts into a single monitoring object that can be continuously tracked. It is suitable for instant communication scenarios with reference chains, continuous delivery, cross-session diffusion, and object migration. It is not suitable for offline isolated records where the time location sequence, receiving object sequence, or session inheritance record cannot be obtained.
[0038] In specific implementation, the following steps are first taken from the fingerprint storage area: the propagation intent fingerprint identifier, fragment identifier, session identifier, sending subject sequence, receiving object sequence, time location sequence, reply reference relationship sequence, five types of feature values, rule version, and trace number. Then, the message body fragment sequence, attachment reference address sequence, and original message identifier sequence are retrieved from the fragment storage area. The reference succession relationship is obtained by checking whether the reply reference relationship sequence corresponding to the current propagation intent fingerprint points to the original message identifier sequence or message identifier within the fragment boundary of the previous propagation intent fingerprint. This is formed by comparing message identifiers one by one within the same splicing observation window. Typical values can be set to two levels: succession established and succession interrupted. The semantic skeleton correspondence relationship is obtained by extracting a stable expression skeleton from the message body fragment sequence corresponding to the current propagation intent fingerprint according to the fixed term merging order, short sentence succession position, and operation guidance order. This skeleton is then compared item by item with the skeleton corresponding to the previous propagation intent fingerprint. This correspondence is obtained after the current fragment is sealed. The propagation object continuity relationship is formed by jointly determining the overlap ratio and arrangement consistency of skeleton items within the time period before splicing is completed. Typical values can be set to level 0 to 5. The propagation object continuity relationship is obtained by checking whether there is a continuous change in the receiving object sequence and the sending subject sequence, such as direct continuation, partial cross continuation, transition from group object to member object, or transition from public object to convergent object. It is formed by comparing each object identifier in the splicing observation window and combining the order of occurrence. Typical values can be set to three levels: disconnected, weakly continuous, and strongly continuous. The propagation time window correlation relationship is formed by calculating whether the interval between the start time of the current propagation intention fingerprint to be spliced and the end time of the previous propagation intention fingerprint falls within the same propagation time window in the time position sequence. The time unit is seconds. It is obtained by comparing the time difference under a unified time reference. The propagation time window can be set to 30 seconds to 1800 seconds, with a default of 300 seconds. The parameters are offline calibrated by the tenant's historical diffusion samples and locked with the rule version.
[0039] To ensure the stability of the splicing interface, alignment is completed according to the fragment identifier and rule version before situation splicing. Fingerprints corresponding to withdrawn fragments, incomplete fingerprints missing more than two necessary fields, and duplicate fingerprints with the same idempotent key are removed. For records that are missing only the text fragment, the most recent valid copy can be retrieved from the current tenant audit cache. Records that exceed the retrieval time limit are marked as missing and do not participate in the current round of splicing.
[0040] The splicing judgment is completed within the scrolling splicing observation window. The trigger condition is the completion of writing a new propagation intention fingerprint, and the stop condition is the failure to find a fingerprint that can inherit the previous one, the continuous interruption of the splicing chain within a set number of times, the expiration of the splicing observation window, or the current abnormal propagation situation unit reaching the sealing condition. Among them, the number of continuous interruptions can be set from 2 to 5 times, with a default of 3 times. The sealing condition can be set to the fact that no new propagation intention fingerprint is connected within the propagation time window and the last connection is followed by a continuous silence for a set duration.
[0041] Only when the reference inheritance relationship is established, or the semantic skeleton correspondence reaches the set threshold and the propagation object continuity relationship is established, or the propagation object continuity relationship is established and the propagation time window association relationship is established, will the current propagation intent fingerprint be concatenated into the preceding abnormal propagation situation unit. If multiple preceding abnormal propagation situation units are satisfied at the same time, the unique attribution will be determined in the order of priority of reference inheritance relationship, priority of more recent propagation time, and priority of stronger object continuity, and the unselected attribution candidates will be written into the trace log.
[0042] After an abnormal propagation situation unit is generated, it is written in a fixed field order as follows: situation unit identifier, rule version, component fingerprint identifier sequence, component fragment identifier sequence, session identifier distribution, sending subject distribution, receiving object propagation trajectory, time and location trajectory, reference inheritance chain, semantic skeleton sequence, and trace number. It is stored in the situation unit storage area in the form of structured text records and is retrieved by the next link in the order of situation unit identifiers. Upstream and downstream can be connected by internal service calls or message queue push. The request content should at least carry the propagation intent fingerprint identifier, rule version, and tenant identifier. The returned content should at least carry the abnormal propagation situation unit identifier, splicing status, attribution result, and missing item mark.
[0043] To prevent duplicate merging, an idempotent key is formed by combining the propagation intent fingerprint identifier with the rule version. Only one abnormal propagation situation unit is allowed to enter the same idempotent key. Sequence control adopts a method of first sorting by time position sequence and then correcting the local order by reference succession relationship. The waiting time for out-of-order arrival can be set to 500 milliseconds to 2000 milliseconds, the number of retries can be set to 3, and the upper limit of single-round splicing delay can be set to 2 seconds. When the reference chain is missing, code 3001 is returned; when the semantic skeleton is missing and the threshold is reached, code 3002 is returned; when the propagation time window is out of bounds, code 3003 is returned; when the rule version is inconsistent, code 3004 is returned, and the results are simultaneously written to the audit and logging.
[0044] The security and compliance boundaries are limited to splicing only within the authorized tenant's audit copy, without writing back the original communication content or merging object traces across tenants.
[0045] During on-site inspection, samples can be taken from no less than 3,000 sets of continuous transmission intent fingerprints to check the uniqueness rate, chain integrity rate, duplicate merging rate, and cross-day recalculation consistency rate. Preferably, the uniqueness rate should be no less than 99%, the chain integrity rate should be no less than 96%, and the duplicate merging rate should be no higher than 0.3%.
[0046] In the preferred embodiment, on a manufacturing enterprise platform containing 720 collaborative groups and 9,600 employee accounts, the system runs continuously for 24 hours under mixed operating conditions including equipment downtime notifications, shift reminders, procurement inquiries, and customer service referrals. The propagation time window is set at 240 seconds, the number of consecutive interruptions is set at 3, and the semantic skeleton correspondence threshold is set at 3 levels. A total of 478,000 propagation intent fingerprints are collected, generating 62,000 abnormal propagation situation units. The average single-round splicing latency is 780 milliseconds, the merging uniqueness rate reaches 99.2%, the chain integrity rate reaches 97.1%, and the duplication merging rate is 0.18%. In alternative approaches, when the reference inheritance relationship cannot be stably obtained, the original message identifier continuous reproduction relationship can be used to replace the reference inheritance relationship in the splicing. As long as the field definitions, threshold calibers, priority order, idempotency strategies, and logging methods of the reference inheritance relationship, semantic skeleton correspondence relationship, propagation object continuous relationship, and propagation time window association relationship are consistent, they all fall within the implementation scope of this step.
[0047] S4. For units exhibiting abnormal propagation behavior, perform contextual consistency checks and propagation deviation checks to determine the evolutionary state of the units exhibiting abnormal propagation behavior. The specific implementation is as follows: First, the evolution status determination program reads the records to be determined in the status unit storage area according to the abnormal propagation status unit identifier sequence. After the status unit is sealed, it immediately performs context consistency verification and propagation deviation verification to determine the evolution status of the abnormal propagation status unit. The evolution status determination program can be deployed on the security analysis server, the audit database adjacent node, or the streaming computing node. The execution entity is the platform-side monitoring service program. The period of operation covers the continuous communication period of office collaboration, production scheduling collaboration, external cooperation liaison collaboration, and customer service upgrade collaboration. It connects upstream to the abnormal propagation status unit generation stage and downstream to the handling constraint warning result generation stage. The purpose is to distinguish the differences in the evolution stages of normal business propagation, continuous probing propagation, accelerated diffusion propagation, and solidified propagation, and to avoid directly triggering inaccurate warnings based on the intensity of a single fragment. It is suitable for enterprise instant messaging scenarios with session history, organizational relationships, object trajectories, and time trajectories. It is not suitable for offline isolated records where it is impossible to obtain session history baselines, job boundary records, or time location sequences.
[0048] In specific implementation, the system first retrieves the situation unit identifier, constituent fingerprint identifier sequence, constituent fragment identifier sequence, session identifier distribution, sending subject distribution, receiver diffusion trajectory, time location trajectory, reference inheritance chain, semantic skeleton sequence, rule version, and trace number from the situation unit storage area. Then, it retrieves historical topic fragments, common receiver ranges, common initiation times, common response inheritance depths, and common diffusion ranges for the same session within the baseline observation period from the session history database. Next, it retrieves the job boundaries, department boundaries, and authorization boundaries between the sending subject and the receiver from the organizational relationship directory. Finally, it retrieves business arrangement information for the current operational period from tenant schedule ledgers, shift records, production scheduling records, or customer service escalation records. Among these, contextual consistency verification checks the semantic skeleton sequence, receiver diffusion trajectory, time location trajectory, and sending subject distribution of the current abnormal propagation situation unit against the same... The consistency measure between corresponding quantities in a session during the baseline observation period is formed by comparing them item by item according to topic continuity, time period matching, object scope matching, job responsibility matching, and reference continuity depth matching. Within the judgment observation window after the situation unit is closed, it is obtained by stratified accumulation of the difference between the current quantity and the baseline quantity. The typical value range can be set to level 0 to level 5. The propagation deviation check is to check whether there is a sudden increase in propagation speed, object boundary crossing, group to member convergence migration, public session to private session migration, or repeated deployment of the same skeleton in a short period of time between the receiving object diffusion trajectory, time location trajectory, sending subject distribution, and semantic skeleton sequence of the current abnormal propagation situation unit. Within the judgment observation window after the situation unit is closed, it is formed by comparing them item by item according to the difference between adjacent trajectories, number of boundary crossings, migration order, and skeleton repetition order. The typical value range can be set to level 0 to level 5.
[0049] To ensure consistency in terminology, alignment is first performed according to the situation unit identifier and rule version before judgment. Incomplete situation units with missing components reaching a set proportion are removed, closed situation units that have been confirmed to be withdrawn and no longer propagating are removed, and mixed situation units with cross-version writing are removed. For records with missing business arrangement information, the most recent valid copy is only retrieved from the current tenant's scheduling cache or dispatch cache, and not from across tenants. If the retrieval fails, the missing item mark is retained and the contextual consistency level is reduced according to a conservative approach, without directly increasing the propagation deviation level.
[0050] The observation window can be set from 0 to 5 seconds after the situation unit is sealed, with a default of 2 seconds. The trigger condition is the completion of writing the abnormal propagation situation unit, and the stop condition is the completion of both contextual consistency verification and propagation deviation verification or the reaching of the delay limit. The evolution state is determined according to fixed rules. If the contextual consistency verification is at a high level and the propagation deviation verification is at a low level, it is determined to be in the formation state. If the contextual consistency verification is at a medium level and the propagation deviation verification continues to rise, it is determined to be in the probing state. If the contextual consistency verification decreases and the propagation deviation verification reaches a high level, and the diffusion trajectory of the receiving object continues to expand outward within the propagation time window, it is determined to be in the diffusion state. If the propagation deviation verification continues to maintain a high level, the semantic skeleton sequence appears repeatedly and stably in multiple component segments, and the object migration direction remains consistent, it is determined to be in the solidification state.
[0051] The aforementioned high, medium, and low levels are determined offline by the tenant's historical samples and locked according to the rule version. For example, levels 4 to 5 of the contextual consistency check can be set as high level, levels 2 to 3 as medium level, and levels 0 to 1 as low level. Level 4 to 5 of the propagation deviation check can be set as high level.
[0052] After the judgment is completed, the situation unit identifier, rule version, contextual consistency check level, propagation deviation check level, evolution status, judgment time, and trace number are written into the evolution status record area in a fixed field order and stored in the form of structured text records. The next link will then retrieve the records in the order of situation unit identifiers. The upstream and downstream links can be connected by internal service calls or message queue push methods. The request content must carry at least the situation unit identifier, rule version, and tenant identifier, and the returned content must carry at least the evolution status, two types of check levels, and a missing item flag.
[0053] To prevent duplicate judgments, an idempotent key is formed by combining the situation unit identifier and the rule version. Only one evolution state record is allowed to be generated for the same idempotent key, and repeated calls will directly return the existing result. Sequence control adopts a method of sorting by situation unit sealing time first, and then correcting by the first moment of the time position trajectory. The waiting time for out-of-order arrival can be set to 500 milliseconds to 2000 milliseconds, the number of retries can be set to 3, and the upper limit of single-round judgment delay can be set to 3 seconds. When the session history baseline is missing, code 4001 is returned; when the organizational relationship record is missing and the threshold is reached, code 4002 is returned; when business arrangement information is missing and cannot be replenished, code 4003 is returned; when the rule version is inconsistent, code 4004 is returned, and all are synchronously written to the audit and trace log.
[0054] The security and compliance boundaries are limited to verification only within the scope of authorized tenant audit copies, organization directory copies, and business ledger copies, without rewriting the original messages or showing the recipient dissemination details to unauthorized personnel.
[0055] During on-site inspection, the consistency rate of evolution state recalculation, the stability rate of state switching, and the misjudgment control rate after the downgrade of missing items can be sampled and verified from no less than 3,000 abnormal propagation situation units. Preferably, the consistency rate of recalculation is not less than 99%, the stability rate of state switching is not less than 96%, and the misjudgment control rate after the downgrade of missing items is not higher than 1%.
[0056] In a preferred embodiment, on a manufacturing enterprise platform containing 740 collaborative groups and 9,800 employee accounts, the system runs continuously for 24 hours under mixed operating conditions including equipment downtime reporting, maintenance reminders, procurement outreach, and customer service upgrades. The baseline observation period is 14 days, the judgment observation window is 2 seconds, the high-level threshold for contextual consistency verification is level 4, and the high-level threshold for propagation deviation verification is also level 4. A total of 65,000 abnormal propagation status units are judged, including 38,000 in the formation state, 14,000 in the probing state, 9,000 in the diffusion state, and [the remaining units are in a solidified state]. There are 4,000 states, with an average single-round judgment latency of 860 milliseconds, a recalculation consistency rate of 99.1%, and a state switching stability rate of 96.8%. In alternative approaches, when it is not possible to reliably obtain shift schedule records or customer service upgrade records, the historical common time period range and responsibility chain range of the same tenant can be used to replace business arrangement information for contextual consistency verification. As long as the contextual consistency verification, propagation deviation verification, field definition of evolutionary state, level boundary, judgment order, idempotent strategy, and recording method are consistent, they all fall within the implementation scope of this step.
[0057] S5. Based on the evolutionary state, and combined with the propagation range, propagation path, and semantic skeleton of the abnormal propagation situation unit, generate a warning result for handling constraints, specifically implemented as follows: First, the disposal constraint warning generation program reads the judged records in the evolution status record area according to the status unit identifier order. After the evolution status is written, it immediately generates disposal constraint warning results by combining the propagation range, propagation path, and semantic skeleton of the corresponding abnormal propagation status unit. The disposal constraint warning generation program can be deployed on the security analysis server, the adjacent node of the audit database, or the management node of the instant messaging platform. The execution entity is the platform-side monitoring service program, which works in conjunction with the tenant security management process. The period of action covers the continuous communication period of office collaboration, production scheduling collaboration, external cooperation liaison collaboration, and customer service upgrade collaboration. It connects to the evolution status judgment link upstream and the disposal feedback write-back link downstream. The purpose is to transform the evolution status, which only indicates the degree of propagation evolution, into a hierarchical constraint result that can be directly implemented, avoiding manual judgment of propagation boundaries, disposal priorities, and control landing points. It is suitable for enterprise instant messaging scenarios where the complete trajectory of the abnormal propagation status unit has been obtained and the platform has the ability to mark messages, limit the scope, provide link prompts, and manually review the flow. It is not suitable for read-only archive scenarios where it is impossible to perform constraint actions on message sessions.
[0058] In practice, the following steps are taken: First, the situation unit identifier, evolution state, contextual consistency check level, propagation deviation check level, judgment time, rule version, and trace number are obtained from the evolution state recording area. Then, the receiving object diffusion trajectory, time and location trajectory, reference chain, semantic skeleton sequence, session identifier distribution, and sending subject distribution are obtained from the situation unit storage area. Among these, the propagation range is the coverage formed by counting the number of receiving objects, groups, departments, and positions in the receiving object diffusion trajectory and session identifier distribution of the current abnormal propagation situation unit. This coverage is obtained by deduplicating the unique object identifiers in the trajectory from the time the situation unit is sealed until the warning is generated. The unit of measurement can be "one," and the typical value range can be set to a single session local area. There are four levels of diffusion: diffusion of moderate scope, diffusion of cross departments, and diffusion of wide area. The propagation path is the trajectory formed by concatenating the reference inheritance chain, time location trajectory, session identifier distribution, and sending subject distribution according to the starting session, transfer order, number of path forks, and convergence direction. It is obtained by sorting adjacent trajectory nodes in the early warning observation window after the judgment is completed and comparing them in chronological order. The typical value range can be set to four categories: single-line extension, fork diffusion, convergence migration, and round-trip migration. The semantic skeleton is a stable expression sequence extracted from the message text fragment sequence that makes up the fragments according to the fixed term merging order, action guidance order, identity expression order, and link pointing order. It has been retained in the situation unit generation stage. In this step, it is only called according to the skeleton item table corresponding to the rule version for review.
[0059] To ensure consistent early warning results, alignment is performed according to situation unit identifiers and rule versions before generation. Expired old version evolution status records are removed, incomplete situation units with missing propagation range statistics reaching a set proportion are removed, and situation units that have entered the manual termination list and are no longer allowed to be automatically constrained are removed. For missing propagation path nodes, the most recent valid copy is only retrieved from the current tenant's audit cache. The retrieval time limit can be set to 10 to 60 seconds. If the time limit is exceeded, the missing item mark is retained and the automatic constraint strength is reduced according to a conservative approach. Early warning generation is not abandoned directly.
[0060] Warning generation is completed within the warning observation window, which can be set from 0 to 3 seconds after the evolution state is written (default is 1 second). The trigger condition is the completion of the evolution state record writing, and the stop condition is the completion of the handling constraint warning result writing or reaching the delay limit. During generation, the warning level and constraint actions are determined according to fixed rules. For example, when the evolution state is in the formation state and the propagation range is local diffusion within a single session with a single-line extension path, a low-level handling constraint warning result is generated, a risk trace marker is added to the corresponding session message list, and it enters the background continuous tracking queue. When the evolution state is in the probing state and the semantic skeleton continuously shows reminders, identity borrowing, and link guidance sequences, and the propagation path shows convergence migration, a medium-level handling constraint warning result is generated. When the information display side adds identity verification prompts and adds secondary confirmation to the external link expansion action, when the evolution state is diffusion state and the propagation scope reaches cross-departmental diffusion and the propagation path shows bifurcation diffusion, a high-level handling constraint warning result is generated, the rate limit is imposed on the continued spread of the same semantic skeleton in the related session, risk warnings are added to the new forwarding action, and the situation unit is pushed into the priority queue for manual review; when the evolution state is solidified state and the propagation scope reaches wide-area diffusion, the propagation path continues to bifurcate and is accompanied by convergence migration and repeated occurrences, the highest level handling constraint warning result is generated, temporary interception is imposed on subsequent messages with the same skeleton of the related sending subject, significant risk warnings are added to the related sessions that have been entered, and an emergency handling work order is pushed to the tenant security management terminal.
[0061] The aforementioned rate limiting, secondary confirmation, temporary blocking, and significant risk warning are all implemented at the platform control node by the message identifier, session identifier, and sender identifier. Rate limiting can be determined by the number of messages with the same skeleton that are allowed to continue to be sent within a unit of time. Secondary confirmation can be determined by whether the confirmation receipt is returned after clicking. Temporary blocking can freeze the continued delivery of messages with the same skeleton for a set duration. The parameters are offline calibrated by the tenant's historical processing samples and locked with the rule version.
[0062] Upon completion, the situation unit identifier, rule version, warning level, constraint action sequence, scope of action session, scope of action subject, generation time, and trace number are written into the warning result storage area in a fixed field order and stored in the form of structured text records. The next stage can retrieve the records in the order of situation unit identifiers. The upstream and downstream can be connected by internal service calls or message queue push methods. The request content should at least carry the situation unit identifier, evolution status, rule version, and tenant identifier, and the returned content should at least carry the warning level, constraint action sequence, scope of action, and missing item flag.
[0063] To prevent duplicate execution, an idempotent key is formed by combining the situation unit identifier and the rule version. Only one handling constraint warning result is allowed to be generated for the same idempotent key. Sequential control adopts a method of sorting by decision time first and then correcting by the beginning time of the propagation path. The waiting time for out-of-order arrival can be set to 500 milliseconds to 1500 milliseconds, the number of retries can be set to 3, and the upper limit of the single-round warning generation delay can be set to 2 seconds. When the propagation range is missing, code 5001 is returned; when the propagation path is missing and the threshold is reached, code 5002 is returned; when the semantic skeleton does not match the rule version, code 5003 is returned; when the rule versions are inconsistent, code 5004 is returned, and all are synchronously written to the audit log.
[0064] The security and compliance boundaries are limited to generating and executing disposal constraint warning results only within the scope of authorized tenant audit copies and platform control permissions, without rewriting the original message text, and without showing the dissemination details of the recipients to unauthorized personnel.
[0065] During on-site inspection, samples can be taken from no less than 3,000 abnormal propagation situation units that have been judged to check the consistency rate of early warning level recalculation, the consistency rate of constraint action hit, the repeat execution rate, and the early warning generation delay compliance rate. Preferably, the recalculation consistency rate should be no less than 99%, the constraint action hit consistency rate should be no less than 97%, and the repeat execution rate should be no higher than 0.2%.
[0066] In a preferred embodiment, on a manufacturing enterprise platform containing 760 collaborative groups and 10,200 employee accounts, the system runs continuously for 24 hours under mixed operating conditions including equipment shutdown broadcasts, shift reminders, procurement outreach, and customer service upgrades. The warning observation window is set to 1 second. Low-level warnings correspond to localized trace markings; medium-level warnings correspond to identity verification prompts and secondary confirmation of external links; high-level warnings correspond to rate limiting of messages with the same backbone and priority push for manual review; and the highest-level warnings correspond to temporary interception and emergency response work order pushes. A total of 64,000 abnormal propagation situation units have generated handling constraint warning results, with an average generation rate of... The latency is 520 milliseconds, the consistency rate of warning level recalculation reaches 99.2%, the consistency rate of constraint action hit reaches 97.6%, and the re-execution rate is 0.14%. In alternative approaches, when the platform does not have the ability to temporarily intercept, it can replace the temporary interception action in the highest level by adding significant risk warnings to the associated sessions and simultaneously increasing the priority of manual review. As long as the evolution state, propagation scope, propagation path, field definition of semantic skeleton, warning level boundary, constraint action order, idempotent strategy and logging method remain consistent, they all fall within the implementation scope of this step.
[0067] S6. Based on the feedback from the handling, the template for determining the propagation intent fingerprint, the baseline for contextual consistency, and the baseline for propagation deviation are revised and used for monitoring and early warning of subsequent original communication records. The specific implementation is as follows: First, the feedback correction program reads the handling constraint warning results from the warning result storage area according to the situation unit identifier order. After the handling action is implemented, it continuously collects the corresponding handling feedback, and corrects the judgment template of the propagation intent fingerprint, the contextual consistency baseline, and the propagation deviation baseline accordingly. Then, the correction results are written back to the monitoring and warning link of the subsequent original communication records. The feedback correction program can be deployed on the security analysis server, the adjacent node of the audit database, or the rule management node. The execution entity is the platform-side monitoring service program, which works in conjunction with the tenant's security management process. The period of operation covers office collaboration, production scheduling collaboration, external liaison collaboration, and customer service upgrade collaboration. During the continuous handling period, the upstream connects to the handling constraint warning result generation stage, and the downstream connects back to the original communication record unification and sorting stage and the propagation intent fingerprint generation stage. The purpose is to feed back the authenticity confirmation results, continued propagation results and manual review results obtained after actual handling into the subsequent monitoring and warning process. This avoids the judgment template, context consistency baseline and propagation deviation baseline being fixed for a long time and deviating from the current tenant's business habits and propagation patterns. It is suitable for enterprise instant messaging scenarios where the platform has the ability to manually review the process, handle action receipts and record the subsequent trajectory of the conversation. It is not suitable for read-only archive scenarios where subsequent handling receipts or subsequent propagation trajectories cannot be obtained.
[0068] In specific implementation, the system first retrieves the situation unit identifier, warning level, constraint action sequence, scope of action session, scope of action subject, generation time, rule version, and trace number from the warning result storage area. Then, it retrieves the review conclusion, review submission time, and reviewer role from the manual review record area. From the platform control log, it retrieves the rate limit receipt, secondary confirmation receipt, temporary interception receipt, and risk warning read receipt. From the subsequent audit log, it retrieves the newly added receiving objects, session migration, and repeated semantic skeleton deployment within the tracking period set after the warning generation. The handling feedback is the feedback quantity formed by the manual review conclusion, control receipt status, and subsequent propagation trajectory from the time the warning result is generated until the end of the tracking period. It is obtained by merging items according to the same situation unit identifier, and typical values can be set as four categories: effective warning, false alarm warning, insufficient handling, and excessive handling. The judgment template is used in the propagation intent fingerprint generation stage to determine semantic inducement characteristics, context deviation characteristics, propagation rhythm characteristics, relationship penetration characteristics, and carrier migration characteristics. The fixed set of rules for the boundary and combination threshold of the warning level is used in this step to compare the five types of feature values of the handling feedback and the corresponding propagation intention fingerprint under the current rule version to determine whether to raise, lower or keep the original level boundary; the contextual consistency baseline is a set of historical benchmarks used in the evolution state determination stage to measure the matching of topic inheritance, time period, object scope, job responsibility, and reference inheritance depth. In this step, within the same tenant, the same session category, and the same business time period, the current quantity of the situation unit corresponding to the false alarm warning is compared with the existing baseline quantity, and the allowable deviation range is relaxed or tightened; the propagation deviation baseline is a set of historical benchmarks used in the evolution state determination stage to measure the sudden increase in diffusion speed, object boundary crossing, group to member convergence migration, public session to private session migration, and short-term repeated deployment of the same skeleton. In this step, when the subsequent trajectory of the situation unit corresponding to the effective warning continues to expand, the current expansion quantity is compared with the existing baseline quantity, and the trigger boundary is adjusted in advance or postponed.
[0069] To ensure consistent modification standards, alignment is completed according to situational unit identifiers and rule versions before modification. Records with incomplete handling and unclosed receipts are removed, as are conflicting manual review records that have not been arbitrated, and early records with incomplete tracking periods are removed. For missing manual review conclusions, the most recent valid conclusion is retrieved only from the current tenant's security management queue. For missing subsequent propagation trajectories, the most recent valid copy is retrieved only from the current tenant's audit cache. If retrieval fails, a missing item marker is retained and automatic correction of the corresponding baseline is suspended. Only records that remain in the pending review and correction queue are allowed.
[0070] The tracking period can be set from 10 minutes to 72 hours after the early warning result is generated, with a default of 24 hours. The trigger condition is the completion of the writing of the handling constraint early warning result, and the stop condition is the expiration of the tracking period, the closure of the manual review conclusion and the cessation of subsequent propagation to the set silent period, or the completion of the correction record writing. The correction is performed in a fixed order. First, the feature level boundary of the judgment template is adjusted by adding or subtracting according to the effective early warning and false alarm early warning. Then, the contextual consistency baseline is relaxed according to the false alarm early warning. Then, the propagation deviation baseline is adjusted in advance according to the insufficient handling. If there are corrections in opposite directions under the same rule version, the side with more sample size is given priority. If the sample size is the same, the original boundary is maintained and the conflict record is written. The sample size threshold can be set to no less than 20 consecutive closed situation units under the same session category, with a default of 30. The parameter is locked with the rule version after being offline calibrated by the tenant's historical handling samples.
[0071] After the correction is completed, the corrected judgment template version number, context consistency baseline version number, propagation deviation baseline version number, applicable tenant scope, applicable session category, activation time, and trace number will be written into the rule version library in a fixed field order, and the old version will be retained in an append-only manner without overwriting existing records. When the original communication records enter the monitoring and early warning link, the latest effective version will be pulled first according to the activation time and tenant scope, and then used for the generation of propagation intent fingerprint after message context normalization fragment and the determination of the evolution status of abnormal propagation situation unit. Cross-version mixing is not allowed.
[0072] Upstream and downstream connections can be made through internal service calls or message queue push methods. The request content should at least include the situation unit identifier, rule version, tenant identifier, and the start and end time of the tracking period. The returned content should at least include the three types of corrected version numbers, applicable scope, and missing item flags.
[0073] To prevent duplicate corrections, an idempotent key is formed by combining the situation unit identifier, rule version, and tracking time period end. Only one correction record is allowed to be generated for the same idempotent key. Sequential control adopts a method of sorting by warning generation time first, and then by tracking time period end. The waiting time for out-of-order arrival can be set to 1 to 5 seconds, the number of retries can be set to 3, and the upper limit of single-round correction delay can be set to 5 seconds. When the manual review conclusion is missing and the threshold is reached, code 6001 is returned; when the handling receipt is not closed, code 6002 is returned; when the subsequent propagation trajectory is missing and the threshold is reached, code 6003 is returned; when the rule version is inconsistent, code 6004 is returned, and all are simultaneously written to the audit log.
[0074] The security and compliance boundaries are limited to making corrections only within the scope of authorized tenant audit copies, rule version repository copies, and control receipt copies, without rewriting historical original communication records, and without showing the identity of reviewers and details of recipients to unauthorized personnel.
[0075] During on-site inspection, samples can be taken from no less than 3,000 closed situational awareness units to check and verify the recalculated consistency rate, old version traceability rate, cross-version mixed use interception rate, and false alarm fallback control rate after correction. Preferably, the recalculated consistency rate should be no less than 99%, the old version traceability rate should reach 100%, the cross-version mixed use interception rate should reach 100%, and the false alarm fallback control rate should be no higher than 1%.
[0076] In a preferred embodiment, on a manufacturing enterprise platform containing 780 collaborative groups and 10,500 employee accounts, the system ran continuously for 30 days under mixed operating conditions including equipment downtime reporting, shift follow-up, procurement outreach, and customer service escalation. The tracking period was 24 hours, and the sample size threshold was 30. A total of 61,000 closed-loop situation units were collected and processed, including 43,000 effective warnings, 11,000 false alarms, 5,000 insufficiently handled warnings, and 2,000 over-handled warnings. Nine rule version updates were completed, and the system ran for another 7 days after each update. The false alarm fallback control rate corresponding to the broadcast intent fingerprint was reduced to 0.8%, the consistency rate of evolution state recalculation reached 99.3%, and the cross-version mixed use interception rate after rule switching reached 100%. In alternative approaches, when the platform does not yet have the ability to manually review the process, the handling receipt status plus the subsequent propagation trajectory closure status can be used to replace the manual review conclusion for correction. As long as the field definitions, correction order, version locking, idempotent strategy and logging method of the judgment template, context consistency baseline, and propagation deviation baseline are consistent, they all fall within the implementation scope of this step.
[0077] In the operational scenario shown in this embodiment: the enterprise instant messaging platform of a large manufacturing enterprise is used as the overall operational scenario. The platform has equipment maintenance collaboration groups, production scheduling groups, procurement and outsourcing liaison groups, customer service upgrade and transfer groups, and team duty individual chat channels. It has 10,200 employee accounts and 760 collaboration groups. The platform has message arrival gateway, session archiving node, audit mirror node, organizational relationship directory, team shift records, production scheduling records, platform control nodes, and manual review and transfer capabilities.
[0078] During the early morning maintenance period one day, a series of reminder messages appeared in the equipment maintenance coordination group, with the main content being "complete the signature confirmation immediately" and "submit the maintenance results according to the attachment page". Subsequently, the same sender forwarded similar messages to two shift dispatch groups within a short period of time, and further initiated one-on-one chats with multiple maintenance personnel to urge them. Moreover, the attachment access log showed that some recipients had clicked on the external link page.
[0079] At this point, the unification and organization program receives the original communication records at the message arrival gateway and audit mirror node, aligns, denoises, and completes group chat messages, one-on-one chat messages, reply citation chains, citation chains, and member delivery logs, forming multiple message context unification fragments within the same rolling time window. The propagation intent fingerprint generation program then extracts semantic inducement features, context deviation features, propagation rhythm features, relationship penetration features, and carrier migration features from each message context unification fragment. Among them, semantic inducement features are manifested by the continuous appearance of reminder expressions, identity borrowing expressions, and link-guided expressions; context deviation features are manifested by such messages not conforming to the common sending time period, common recipient range, and common reply acceptance depth of equipment maintenance notices in the historical baseline; propagation rhythm features are manifested by the continuous delivery of messages with the same skeleton within a short period of time; relationship penetration features are manifested by the sending subject breaking through the historically commonly used contact boundaries to reach cross-shift objects; and carrier migration features are manifested by the message quickly shifting from text communication to external link page access, thereby generating multiple corresponding propagation intent fingerprints.
[0080] Subsequently, the situation splicing program, based on the citation inheritance relationship, semantic skeleton correspondence, propagation object continuity relationship, and propagation time window association relationship, splices multiple propagation intent fingerprints scattered in the maintenance coordination group, team scheduling group, and one-on-one chat channel into the same abnormal propagation situation unit, forming a complete propagation path starting from the maintenance group, spreading through the scheduling group, and then converging towards the one-on-one chat. The evolution state determination program further performs contextual consistency verification and propagation deviation verification on this abnormal propagation situation unit, and finds that although it borrows the context of normal maintenance notification, it deviates significantly from the historical baseline of similar maintenance notifications in terms of the diffusion trajectory of the receiving object, the responsibility boundary of the sending subject, the short-term repeated deployment order, and the direction of migration from group chat to one-on-one chat. Therefore, the abnormal propagation situation unit is determined to be in a diffusion state. The handling constraint warning generation program, combined with its propagation range, propagation path, and semantic skeleton, generates a high-level handling constraint warning result, applies a rate limit to the continued delivery of the same skeleton in the related session, adds a risk warning on the message display side, and pushes the abnormal propagation situation unit into the priority queue for manual review.
[0081] After review by the tenant's security management personnel, it was confirmed that the sending entity's account had been stolen, and the page linked to by the attachment was an external page disguised as an internal maintenance confirmation page. Therefore, the platform's control node continued to apply temporary blocking to subsequent messages with the same skeleton from the associated sending entity. During the subsequent 24-hour tracking period, the feedback correction program, based on the manual review conclusion, temporary blocking receipt, risk warning read receipt, and subsequent cessation of propagation, classified this incident as a valid warning and corrected the judgment template for propagation intent fingerprint, contextual consistency baseline, and propagation deviation baseline. This ensures that similar propagation patterns such as "business notification disguise, short-term cross-group diffusion, group-to-one chat convergence, and external link migration" can enter the high-level monitoring and warning chain earlier.
[0082] Compared to conventional approaches that rely solely on keyword matching, single message categorization, and single-account mass messaging thresholds, conventional solutions in this scenario typically only recognize terms like "signature," "confirmation," and "attachment," which are superficially present in normal maintenance notices. This can easily lead to misclassifying early messages as normal business messages, or triggering action only after a large number of recipients complain, click on external links, or the account resends mass messages. It fails to identify the continuous propagation of abnormal information across sessions, objects, and paths, and also struggles to correlate warning levels with specific constraint actions. This solution, however, does not isolate and judge individual messages but rather groups fragments around the message context and transmits... The system constructs a continuous judgment chain based on broadcast intention fingerprints, abnormal propagation status units, evolution states, and handling constraint warning results. It can suppress false alarms of high-frequency business messages such as normal maintenance notices, team reminders, and customer service transfers by using contextual consistency verification. It can also identify the abnormal diffusion process that gradually emerges from the normal business appearance by using propagation deviation verification. When the abnormal propagation status unit reaches the diffusion state, it outputs a high-level handling constraint warning result, realizing forward warning time, clear scope of action, closed handling path, and subsequent rule self-correction. Therefore, it is more suitable for monitoring and warning of disguised and diffusion-type abnormal information in real enterprise instant messaging platforms than existing technologies.
[0083] Example 2: An abnormal information monitoring and early warning system for instant messaging platforms, comprising: The original communication record normalization module is used to collect the original communication records in the instant messaging platform and normalize them according to the session identifier, sender, receiver, time location, and reply reference relationship to generate message context normalization fragments. The propagation intent fingerprint generation module is used to extract semantic inducement features, context deviation features, propagation rhythm features, relationship penetration features, and carrier migration features based on message context normalization fragments to generate a propagation intent fingerprint. The abnormal propagation situation unit generation module is used to concatenate multiple propagation intent fingerprints according to the reference inheritance relationship, semantic skeleton correspondence relationship, propagation object continuity relationship, and propagation time window association relationship to generate abnormal propagation situation units. The evolution state determination module is used to perform contextual consistency verification and propagation deviation verification on abnormal propagation situation units to determine the evolution state of the abnormal propagation situation units. The module for generating early warning results of handling constraints is used to generate early warning results of handling constraints based on the evolution status and in combination with the propagation range, propagation path and semantic skeleton of the abnormal propagation situation unit. The feedback correction module is used to correct the judgment template of the propagation intent fingerprint, the contextual consistency baseline, and the propagation deviation baseline based on the handling feedback, and is used for monitoring and early warning of subsequent original communication records.
[0084] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
Claims
1. A method for monitoring and early warning of abnormal information for instant messaging platforms, characterized in that, include: S1. Collect raw communication records from the instant messaging platform, and organize them according to session identifier, sender, receiver, time location, and reply reference relationship to generate message context unified fragments. S2. Based on the message context normalization fragment, extract semantic inducement features, context deviation features, propagation rhythm features, relationship penetration features, and carrier migration features to generate a propagation intent fingerprint; S3. Based on the reference sequence relationship, semantic skeleton correspondence relationship, propagation object continuity relationship, and propagation time window association relationship, multiple propagation intention fingerprints are spliced together to generate an abnormal propagation situation unit. S4. For abnormal propagation situation units, perform contextual consistency verification and propagation deviation verification to determine the evolution state of abnormal propagation situation units; S5. Based on the evolution status, combined with the propagation range, propagation path, and semantic skeleton of the abnormal propagation situation unit, generate early warning results for handling constraints; S6. Based on the feedback from the handling, the determination template for the propagation intent fingerprint, the contextual consistency baseline, and the propagation deviation baseline are revised and used for monitoring and early warning of subsequent original communication records.
2. The method for monitoring and early warning of abnormal information for instant messaging platforms according to claim 1, characterized in that, S1 includes: Align the message log, reply chain log, reference chain log, and member delivery log in the original communication record using the message identifier as the primary key and the time position as the secondary key; Complete the receiving object based on the session member snapshot, and complete the reply reference relationship based on the preceding and following related logs; After being routed by session identifier, message context normalization fragments are generated based on the continuity of the sending subject, the overlap of the receiving object, and the continuation of the reply reference relationship.
3. The method for monitoring and early warning of abnormal information for instant messaging platforms according to claim 1, characterized in that, S2 include: Read the session identifier, sender sequence, receiver sequence, time location sequence, reply reference relationship sequence, message body fragment sequence, and attachment reference address sequence from the message context normalized fragment; Five types of features were extracted by combining the session history database, organizational relationship directory, and attachment access logs; Five types of features are written into the fingerprint storage area in a fixed field order to form a propagation intent fingerprint.
4. The abnormal information monitoring and early warning method for instant messaging platforms according to claim 1, characterized in that, S3 include: Read the response reference sequence, message body fragment sequence, receiving object sequence, sending body sequence, and time location sequence corresponding to the propagation intent fingerprint; The propagation intent fingerprint is determined based on the citation sequence relationship, semantic skeleton correspondence relationship, propagation object continuity relationship, and propagation time window association relationship. Write the consistent propagation intent fingerprint into the situation unit storage area to form an abnormal propagation situation unit.
5. The abnormal information monitoring and early warning method for instant messaging platforms according to claim 1, characterized in that, S4 include: Read the semantic skeleton sequence, diffusion trajectory of the receiving object, time and location trajectory, and distribution of the sending entity of the abnormal propagation situation unit; Combine the conversation history database, organizational relationship directory, and business arrangement information to perform contextual consistency verification and propagation deviation verification; The evolutionary state is determined based on the contextual consistency check level and the propagation deviation check level, and then written into the evolutionary state record area.
6. The abnormal information monitoring and early warning method for instant messaging platforms according to claim 1, characterized in that, S5 include: Read the evolution state, the diffusion trajectory of the receiving object, the time and location trajectory, the reference inheritance chain, the semantic skeleton sequence, the distribution of the session identifier, and the distribution of the sending subject; The propagation range is determined based on the diffusion trajectory of the receiving object and the distribution of session identifiers; the propagation path is determined based on the reference inheritance chain, time and location trajectory, distribution of session identifiers, and distribution of sending entities; and the warning level is determined based on the evolution status, propagation range, propagation path, and semantic skeleton.
7. The method for monitoring and early warning of abnormal information for instant messaging platforms according to claim 6, characterized in that, S5 also includes: When the evolutionary state is the formation state, generate early warning results for disposal constraints with additional risk traceability markers; When the evolutionary state is in the probing state, generate warning results for handling constraints such as additional identity verification prompts and secondary confirmation of external links; When the evolutionary state is in the diffusion state, generate early warning results for the processing constraints of the same skeleton message rate limit and manual review priority queue; When the evolution state is solidified, the system generates warning results for handling constraints of temporary interception, significant risk warning, and emergency response work orders.
8. The abnormal information monitoring and early warning method for instant messaging platforms according to claim 1, characterized in that, S6 include: Read the results of handling constraint warnings, manual review records, platform control logs, and subsequent audit logs; The judgment template, contextual consistency baseline, and dissemination deviation baseline were revised based on the feedback received. The revised judgment template version number, contextual consistency baseline version number, and propagation deviation baseline version number will be written into the rule version library and used in subsequent monitoring and early warning links.
9. An abnormal information monitoring and early warning system for an instant messaging platform, used to implement the abnormal information monitoring and early warning method for an instant messaging platform as described in any one of claims 1-8, characterized in that, include: The original communication record normalization module is used to collect the original communication records in the instant messaging platform and normalize them according to the session identifier, sender, receiver, time location, and reply reference relationship to generate message context normalization fragments. The propagation intent fingerprint generation module is used to extract semantic inducement features, context deviation features, propagation rhythm features, relationship penetration features, and carrier migration features based on message context normalization fragments to generate a propagation intent fingerprint. The abnormal propagation situation unit generation module is used to concatenate multiple propagation intent fingerprints according to the reference inheritance relationship, semantic skeleton correspondence relationship, propagation object continuity relationship, and propagation time window association relationship to generate abnormal propagation situation units. The evolution state determination module is used to perform contextual consistency verification and propagation deviation verification on abnormal propagation situation units to determine the evolution state of the abnormal propagation situation units. The module for generating early warning results of handling constraints is used to generate early warning results of handling constraints based on the evolution status and in combination with the propagation range, propagation path and semantic skeleton of the abnormal propagation situation unit. The feedback correction module is used to correct the judgment template of the propagation intent fingerprint, the contextual consistency baseline, and the propagation deviation baseline based on the handling feedback, and is used for monitoring and early warning of subsequent original communication records.