Sgui malicious user detection method and device based on multi-dimensional relationship graph neural network
By constructing a multidimensional relational topology graph through a multidimensional relational graph neural network and fusing multi-relational information, and using graph convolutional neural networks and multi-head attention mechanisms to extract high-order feature embeddings, the accuracy and real-time issues of malicious user detection in SGUI software are solved, achieving accurate identification and real-time protection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- TRAVELSKY TECHNOLOGY LIMITED
- Filing Date
- 2026-03-10
- Publication Date
- 2026-07-07
AI Technical Summary
Existing malicious user detection solutions in SGUI software suffer from insufficient business adaptability, limited relationship modeling capabilities, and poor anti-spoofing capabilities, resulting in low detection accuracy and failing to meet the needs of precise and real-time protection.
The Multi-Dimensional Relationship Graph Neural Network (MR-GNN) method is adopted. By constructing a multi-dimensional relationship topology graph and fusing multi-relationship information, the high-order feature embedding of user nodes is extracted using graph convolutional neural networks and multi-head attention mechanism. Combined with loss function optimization model, the accurate identification of malicious users can be achieved.
It improves the accuracy and generalization ability of malicious user detection, can identify spoofing behavior, realizes true scenario-based intelligent operation and maintenance, and reduces the complexity of security operation and maintenance.
Smart Images

Figure CN122348837A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the fields of computer network security and artificial intelligence technology, and in particular to a method and apparatus for detecting malicious SGUI users based on a multidimensional relational graph neural network. Background Technology
[0002] With the widespread adoption of SGUI software among domestic agents, the data security risks faced by these devices are increasing exponentially. SGUI software is a graphical operating platform used by China's civil aviation industry for ticket sales and distribution, replacing the traditional "black screen" command system. Recent security audit reports show that approximately 37% of technically skilled users have engaged in unauthorized extraction of core business data, including sensitive information such as customer privacy, transaction records, and product pricing strategies, using script tools and API vulnerabilities. Such data scraping not only significantly increases the risk of leaking corporate trade secrets but may also trigger compliance accountability under the Data Security Law. Therefore, there is an urgent need to build a forward-looking, dynamic defense system capable of real-time analysis of user behavior characteristics and intelligent identification of abnormal access, enabling precise interception and handling before malicious operations cause damage.
[0003] Currently, the industry offers various technical solutions for detecting malicious users: one category consists of traditional detection methods, such as static analysis based on predefined rule bases, blacklist matching relying on user IPs or device fingerprints, and manual review mechanisms that rely entirely on the experience of operations and maintenance personnel. Another category utilizes machine learning algorithms for assisted judgment, such as support vector machines and deep learning models. These methods distinguish between normal and abnormal behavior by learning patterns in historical data. Furthermore, with the increasing advantages of graph data structures in processing relational data, graph neural network technology has been introduced to capture relationships between entities, for example, by constructing a relationship graph based on single connections between users (such as shared access records) for detection.
[0004] Existing technical solutions have significant shortcomings in detecting malicious users in specific business scenarios like SGUI. First, detection solutions for general internet scenarios are disconnected from the core business logic of SGUI, making it difficult to identify industry-specific malicious behavior patterns (such as batch data extraction disguised as business operations). Second, traditional methods, such as rule-based or IP / device fingerprint-based detection, struggle to handle the constantly changing behavioral imitations and disguises of malicious users. Third, traditional machine learning algorithms typically analyze users as isolated individuals, failing to capture the complex networks of relationships between users, which limits detection accuracy. Finally, most existing graph neural network methods only build relationship graphs based on a single user dimension. This single evaluation dimension is incomplete and has limited effectiveness in identifying malicious users with strong disguise capabilities and concealed behavioral patterns, leading to high false positive and false negative rates, failing to meet the precise and real-time protection requirements of SGUI devices.
[0005] In summary, existing technologies have many limitations in terms of business adaptability, relationship modeling capabilities, and anti-spoofing capabilities. There is still a lack of an intelligent detection solution that can deeply integrate with SGUI business characteristics, effectively model multi-dimensional user relationships, and accurately identify highly disguised malicious users. Summary of the Invention
[0006] This invention addresses the shortcomings of existing technologies by providing a method and apparatus for detecting malicious SGUI users based on a multidimensional graph neural network (MR-GNN). By analyzing the multidimensional relationships and behavioral characteristics of users, it achieves accurate identification and real-time early warning of malicious users.
[0007] To achieve the above objectives, the present invention adopts the following technical solution: In a first aspect, the present invention provides a method for detecting malicious SGUI users based on a multidimensional relational graph neural network, the method comprising: S1, Data Collection and User Feature Modeling: Collect historical access data information of users from the operation and maintenance logs of the target software device, and generate a dataset containing user nodes and static and dynamic behavioral features of the user nodes for each user based on the historical access data information, and divide the dataset into training set, validation set and test set. Furthermore, in S1, the user's historical access data information includes at least: access time, user IP address, set of important business interfaces accessed, and access frequency; the static and dynamic behavioral features are used to generate the initial feature vector of each user node in the training dataset.
[0008] Furthermore, the data collection and user feature modeling are based on Malicious user detection was performed on a sample of users, among whom... If a real tag is assigned to each user, then the set of real user tags can be represented as: ,in, Indicates the first A user's real tags , A natural number, representing the total number of user samples; Furthermore, the dataset of static and dynamic behavioral characteristics of the user nodes is defined as follows:
[0009] in, Indicates the first Static characteristics of an individual user This represents static features and dynamic behavioral data of user access information extracted from operation and maintenance logs. It indicates that it was used Log information describes the characteristics of users; Furthermore, the dataset of static and dynamic behavioral features of the user nodes is divided into a training set (user-train), a validation set (user-valid), and a test set (user-test), with the three datasets having the same format.
[0010] S2, Construction of Multidimensional Relationship Topology Graph: Based on the connections between user nodes in the training set of the dataset, construct a multidimensional relationship topology graph containing multiple relationship types to represent the complex network of connections between user nodes; Furthermore, the construction of the multidimensional relationship topology graph is represented as follows: ,in, Represents a set of user nodes. This represents a set of predefined relation types, for each relation... , This represents the set of edges connecting user nodes under this relationship.
[0011] S3, Multidimensional Relationship Graph Neural Network Model Training: A multidimensional relationship graph neural network model is trained using the multidimensional relationship topology graph. The multidimensional relationship graph neural network model integrates multi-relationship information and extracts high-order feature embeddings of user nodes through an attention mechanism to predict the probability that each user is a malicious user. Furthermore, S3 specifically includes: S301: For each type of relationship in the multidimensional relationship topology graph, apply a graph convolutional neural network to aggregate and update the node features under that relationship; S302: For each user node, merge its updated feature representations under different relation types to form a unified intermediate feature for that node; S303: A multi-head attention mechanism is used to assign importance weights to the neighboring nodes of the user node, and the neighbor information is aggregated according to the weights to generate a high-order feature embedding that can better reflect the user's core behavior patterns and distinguishability. S304: Embed the higher-order features into a multilayer perceptron and output the probability value of the user being a malicious user through the nonlinear activation function Sigmoid.
[0012] Furthermore, in the model training process in S3, a neighbor sampling strategy is used to construct training batches, that is, starting from a central node, its neighbor nodes are sampled first to form a subgraph for this training iteration. Furthermore, the training of the multidimensional relational graph neural network model in S3 also includes the design of a loss function. Specifically, the loss function is a comprehensive function combining prediction error and model complexity, expressed as follows:
[0013] in, The total number of user samples, Indicates the first One user sample, ; Indicates the first The true labels of a user sample; The model predicts the first... The probability that a given user sample is a malicious user is output by the Sigmoid function of the last layer of the model, and its range is within a certain range. between; The regularization coefficient is . Represents all trainable parameters The square of the L2 norm, i.e. the sum of squared weights, is used to measure the complexity of the model itself and prevent overfitting.
[0014] Furthermore, after the multidimensional relational graph neural network model described in S3 is trained, it also includes model validation using validation set data and testing using a test set, which makes the model more accurate.
[0015] S4, Malicious User Online Detection: Deploy the multidimensional relational graph neural network model that has been trained as described in S3, process user access features online in real time or in batches, and output the corresponding probability of malicious behavior.
[0016] Furthermore, the SGUI malicious user detection method based on multidimensional relational graph neural network, after outputting the probability of malicious behavior of the corresponding user in step S4, also includes: comparing the output probability of malicious behavior of the corresponding user with a preset threshold, filtering out a list of suspicious users, and providing them to operation and maintenance personnel for manual verification and security handling.
[0017] Secondly, based on the same inventive concept as the first aspect of this invention, a malicious user behavior intelligent detection device based on a multidimensional relational graph neural network is also provided, the device comprising: The pre-trained model module is used to execute the training process of the intelligent detection method for malicious user behavior based on multidimensional relational graph neural network described in the first aspect of the present invention, and to obtain a trained malicious user detection model. The online detection service module is used to load the detection model obtained by the pre-trained model module and provide a calling interface to external devices; The operation and maintenance tool module is configured to input the access characteristic data of the target user by calling the interface of the online detection service module, and obtain the malicious user probability result output by the detection model.
[0018] Thirdly, the present invention provides an electronic device including a processor and a memory, the memory storing a computer program, wherein the processor executes the computer program to implement the steps of the SGUI malicious user detection method based on a multidimensional relational graph neural network as described in the first aspect of the present invention.
[0019] Fourthly, the present invention also provides a computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the SGUI malicious user detection method based on a multidimensional relational graph neural network as described in the first aspect of the present invention.
[0020] Compared with the prior art, the present invention has the following advantages: High detection accuracy: By constructing a multi-dimensional relationship graph, it comprehensively depicts the connections between users across multiple dimensions such as time, IP, and interface access, breaking through the limitations of single-dimensional analysis and more effectively identifying spoofing behavior; Strong generalization ability: The introduction of multi-head attention mechanism and L2 regularization enables the model to focus on learning robust patterns with discriminative power rather than training data noise, improving the model's adaptability to emerging threats; Deep business coupling: The entire solution design is closely centered around the business logs and user behavior patterns of specific devices such as SGUI, solving the problem of the disconnect between general security solutions and business logic, and realizing true scenario-based intelligent operation and maintenance; Good practicality: The entire invention solution design considers actual deployment needs. The model can be pre-trained offline, deployed online as a service, and provides intuitive result output through operation and maintenance tools, reducing the complexity of security operation and maintenance.
[0021] Other features and advantages of the invention will be set forth in the description which follows, and will be apparent in part from the description, or may be learned by practicing the invention. The objects and other advantages of the invention may be realized and obtained by means of the structures pointed out in the description, claims and drawings. Attached Figure Description
[0022] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0023] Figure 1 This is a schematic diagram illustrating the process of a malicious user behavior intelligent detection method based on a multidimensional relational graph neural network in one embodiment of the present invention.
[0024] Figure 2 This is an example diagram of training data in one embodiment of the present invention.
[0025] Figure 3 This is a schematic diagram of the user feature extraction process in one embodiment of the present invention.
[0026] Figure 4 This is a flowchart of a feature extraction-based malicious user detection method in one embodiment of the present invention.
[0027] Figure 5 This is an example diagram of the model training results in one embodiment of the present invention.
[0028] Figure 6 This is a flowchart illustrating a specific implementation of the device of the present invention in one embodiment.
[0029] Figure 7 This is a schematic diagram of a typical application scenario of the device of the present invention in one embodiment of the present invention. Detailed Implementation
[0030] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0031] In one embodiment, please refer to Figure 1 A method for detecting malicious SGUI users based on a multidimensional relational graph neural network is provided, the method comprising the following steps: Step S1: Data collection and user feature modeling: Collect historical access data information of users from the operation and maintenance logs of the target software device, and generate a dataset containing user nodes and static and dynamic behavioral features of the user nodes for each user based on the historical access data information. Divide the dataset into training set, validation set and test set. Step S2: Construction of Multidimensional Relationship Topology Graph: Based on the connections between user nodes in the training set of the dataset, construct a multidimensional relationship topology graph containing multiple relationship types to represent the complex network of connections between user nodes; Step S3: Multidimensional Relationship Graph Neural Network Model Training: A multidimensional relationship graph neural network model is trained using the multidimensional relationship topology graph. The multidimensional relationship graph neural network model integrates multi-relationship information and extracts high-order feature embeddings of user nodes through an attention mechanism to predict the probability that each user is a malicious user. Step S4: Online detection of malicious users: Deploy the multidimensional relational graph neural network model that has been trained as described in S3, process user access features in real time or in batches online, and output the corresponding probability of malicious behavior.
[0032] Furthermore, in this embodiment, the SGUI malicious user detection method based on multidimensional relational graph neural network, after outputting the malicious behavior probability of the corresponding user in step S4, further includes: comparing the output malicious behavior probability of the corresponding user with a preset threshold, filtering out a list of suspicious users for manual verification and security handling by operation and maintenance personnel.
[0033] In one embodiment, based on step S1 above, the user's historical access data information includes at least: access time, user IP address, set of important business interfaces accessed, and access frequency; the static and dynamic behavioral features are used to generate initial feature vectors for each user node in the training dataset. Figure 2 As shown, Figure 2 Based on When performing malicious user detection on a sample of users, the data collected is from historical access data; where a real label is assigned to each user, the set of real user labels can be represented as: ,in, Indicates the first A user's real tags , A natural number, representing the total number of user samples; Furthermore, the dataset of static and dynamic behavioral characteristics of the user nodes is defined as follows:
[0034] in, Indicates the first Static characteristics of an individual user This represents static features and dynamic behavioral data of user access information extracted from operation and maintenance logs. It indicates that it was used Log information describes the characteristics of a user.
[0035] In one embodiment, the dataset of static and dynamic behavioral features of the user nodes is divided into a training set (user-train), a validation set (user-valid), and a test set (user-test), with all three datasets having the same format. For example, the specific format is as follows: {username:42357,operatorData:[{operatorTime:2025-09-09 10:43:12,053,userIp:102.0.3.115,uri: / sgui-sor / v2 / apiAvSearch / computeInterAirPrice}], status:1}, In this dataset, username represents the passenger agent, operatorTime represents the user's request time, userIp represents the user's client IP address, uri represents the address of the user's business operation access interface, and status indicates whether the current user is a legitimate user (1 for legitimate, 0 for illegitimate). Each passenger corresponds to an interaction sequence, with the last two data points in the sequence divided into the validation set and the test set, and the remaining data used as the training set.
[0036] In one embodiment, the construction of the multidimensional relationship topology graph in step S2 above is represented as follows: ,in, Represents a set of user nodes. This represents a set of predefined relation types, for each relation... , This represents the set of edges connecting user nodes under this relationship.
[0037] In one embodiment, during the training of the multidimensional relational graph neural network model in step S3, further details are provided regarding user feature extraction. Combining steps S1-S3, this embodiment describes in detail how to start from raw log data from a service device (such as SGUI), and through multidimensional relational graph construction and feature engineering, ultimately form a user feature representation that can be used for malicious user detection. The entire process is divided into four main stages: data acquisition, preprocessing, multidimensional relational graph construction, and feature extraction. Figures 3-4 As shown: First, the data acquisition and preprocessing stage: Raw data input involves collecting user access records from the operation and maintenance logs of the business devices, including raw fields such as access time, IP address, access interface, and operation type. Data cleaning: The raw data is cleaned, handling missing values, outliers, and duplicate records. For example, missing access times can be filled using interpolation or default values based on business logic; abnormal IP addresses can be verified and corrected using an IP database. Data standardization: Data from different sources and formats is standardized, such as unifying timestamps to UTC format, converting IP addresses to integer representation, and encoding operation types as categorical variables.
[0038] Secondly, the multidimensional relationship graph construction stage includes: Relationship definition: Define a set of multidimensional relationships between users based on business logic and security requirements; Graph structure construction: Build a multidimensional relationship graph based on the defined relationships; Graph embedding representation: Convert the constructed multidimensional relationship graph into a graph embedding representation.
[0039] Then, in the feature extraction stage: **Separate Relationship Feature Extraction:** For each relationship in the multidimensional relationship graph, a graph convolutional neural network (GCN) is independently applied to process the corresponding relationship graph to update the node representation. **Information Fusion:** The information of each user node obtained after processing by the GCN in each relationship graph is fused to form a comprehensive representation of the user in the multidimensional relationship. **Attention Weighting:** A multi-head attention mechanism is applied to the fused information, assigning different importance weights to different neighbor nodes to aggregate neighbor information and learn the user's high-order embedding representation. **Classification Output:** The learned user high-order embedding representation is input into a multilayer perceptron (MLP), and the probability of the corresponding user being a malicious user is output through a sigmoid function.
[0040] Finally, in the feature application stage: Model training: The extracted user features and corresponding labels (malicious user or normal user) are input into the pre-trained detection model, and the model parameters are trained by optimizing the loss function. Real-time detection: After the model training is completed, the model is deployed as an inference service. When a new user visits, their behavioral data is collected in real time. Through the same preprocessing and mapping process, the generated feature map is input into the service, and the probability that the user is a malicious user can be obtained in real time.
[0041] In one embodiment, during the model training process in S3, a neighbor sampling strategy is used to construct training batches, that is, starting from a central node, its neighbor nodes are sampled first to form a subgraph for this training iteration. Furthermore, the training of the multidimensional relational graph neural network model in S3 also includes the design of a loss function. Specifically, the loss function is a comprehensive function combining prediction error and model complexity, expressed as follows:
[0042] in, The total number of user samples, Indicates the first One user sample, ; Indicates the first The real labels of a sample of users, among which... When this happens, it indicates that the user is a malicious user. When this happens, it indicates that the user is a normal user; The model predicts the first... The probability that a given user sample is a malicious user is output by the Sigmoid function of the last layer of the model, and its range is within a certain range. between; The regularization coefficient is . Represents all trainable parameters The square of the L2 norm, i.e. the sum of squared weights, is used to measure the complexity of the model itself and prevent overfitting. The calculation model is responsible for malicious users. The prediction loss of the sample; Responsible for calculating the model for normal users ( The prediction loss of the sample; and This constitutes a complete supervisory signal, which is optimized for both types of samples to ensure that the model has the ability to identify malicious users and exclude normal users at the same time.
[0043] In one embodiment, such as Figures 5-7 As shown, an example is given based on the solution proposed in this invention: Use SGUI operation and maintenance log data (training set) to train and deploy a malicious user detection model, such as... Figure 7 As shown, the specific process is as follows: Figure 6 As shown: The training set extracts access time, IP address, important interface set, and access frequency from logs. During dataset construction, firstly, the criteria for judging malicious users used by dataset annotators should remain consistent; otherwise, training accuracy will be affected. Secondly, to ensure that each sampled training data is valid, the number of malicious users cannot be too small. Finally, to reflect actual access patterns and meet the needs of real-world devices, the number of malicious users should be set according to the actual proportion. An excessively high proportion of malicious users will cause their neighbor node model to become unrealistic, leading to biased feature extraction, misleading the attention mechanism's focus, and ultimately failing to cope with real-world situations.
[0044] Using mini-batch and neighbor sampling strategies for each sampling reduces the computation and memory usage of each iteration, improving training efficiency; at the same time, introducing noise to a certain extent can help the model generalize better.
[0045] After the model is trained, it is deployed on the SGUI device, exposing an HTTP interface. When a user accesses resources on the SGUI device, the system detects the user, obtains their static features and dynamic behavior data, extracts their feature information according to the modeling process, and inputs it into a multilayer perceptron. The system then outputs in real time the probability that the user is malicious. The training results are as follows... Figure 5 As shown, name represents agent, status training result 1 represents a malicious user, 0 represents a normal user, and probability represents the probability that the user is a malicious user.
[0046] SGUI device maintenance personnel should promptly handle malicious user probabilities based on the algorithm and in accordance with the manual.
[0047] In one embodiment, an electronic device is provided, including a processor and a memory, the memory storing a computer program, wherein the processor executes the computer program to implement the steps of a SGUI malicious user detection method based on a multidimensional relational graph neural network as described in the first aspect of the present invention.
[0048] In one embodiment, a computer-readable storage medium is also provided, on which a computer program is stored, which, when executed by a processor, implements the steps of a SGUI malicious user detection method based on a multidimensional relational graph neural network as described in the first aspect of the present invention.
[0049] Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of this application.
Claims
1. A method for detecting malicious SGUI users based on a multidimensional relational graph neural network, characterized in that, Includes the following steps: S1, Data Collection and User Feature Modeling: Collect historical access data information of users from the operation and maintenance logs of the target software device, and generate a dataset containing user nodes and static and dynamic behavioral features of the user nodes for each user based on the historical access data information, and divide the dataset into training set, validation set and test set. S2, Construction of Multidimensional Relationship Topology Graph: Based on the connections between user nodes in the training set of the dataset, construct a multidimensional relationship topology graph containing multiple relationship types to represent the complex network of connections between user nodes; S3, Multidimensional Relationship Graph Neural Network Model Training: A multidimensional relationship graph neural network model is trained using the multidimensional relationship topology graph. The multidimensional relationship graph neural network model integrates multi-relationship information and extracts high-order feature embeddings of user nodes through an attention mechanism to predict the probability that each user is a malicious user. S4, Malicious User Online Detection: Deploys the multidimensional relational graph neural network model trained in S3 to process user access features in real time or in batches online and output the corresponding probability of malicious behavior.
2. The SGUI malicious user detection method based on a multidimensional relational graph neural network according to claim 1, characterized in that: In step S1, the user's historical access data includes at least: access time, user IP address, a set of important business interfaces accessed, and access frequency; the feature set includes static features and dynamic behavioral sequence features extracted from the historical access data.
3. A method for detecting malicious SGUI users based on a multidimensional relational graph neural network according to claim 1 or 2, characterized in that: The construction of the multidimensional relational topology graph is represented as follows: ,in, Represents a set of user nodes. This represents a set of predefined relation types, for each relation... , This represents the set of edges connecting user nodes under this relationship.
4. The SGUI malicious user detection method based on a multidimensional relational graph neural network according to claim 1, characterized in that, Step S3 specifically includes: S301: For each type of relationship in the multidimensional relationship topology graph, apply a graph convolutional neural network to aggregate and update the node features under that relationship; S302: For each user node, merge its updated feature representations under different relation types to form a unified intermediate feature for that node; S303: A multi-head attention mechanism is used to assign importance weights to the neighboring nodes of the user node, and the neighbor information is aggregated according to the weights to generate a high-order feature embedding that can better reflect the user's core behavior patterns and distinguishability. S304: Embed the higher-order features into a multilayer perceptron and output the probability value of the user being a malicious user through the nonlinear activation function Sigmoid.
5. The SGUI malicious user detection method based on a multidimensional relational graph neural network according to claim 4, characterized in that: In the model training process of step S3, a neighbor sampling strategy is used to construct training batches, that is, starting from a central node, its neighbor nodes are sampled first to form a subgraph for this training iteration. 6. The SGUI malicious user detection method based on a multidimensional relational graph neural network according to claim 4, characterized in that: Step S3, training the multidimensional relational graph neural network model, also includes designing a loss function. Specifically, the loss function is a comprehensive function combining prediction error and model complexity, expressed as follows: in, The total number of user samples, Indicates the first One user sample, ; Indicates the first The true labels of a user sample; The model predicts the first... The probability that a user sample is a malicious user, ranging from... between; The regularization coefficient is . Represents all training parameters The square of the L2 norm, i.e. the sum of squared weights, is used to measure the complexity of the model itself and prevent overfitting.
7. A method for detecting malicious SGUI users based on a multidimensional relational graph neural network according to any one of claims 6, characterized in that: Step S4 is followed by: comparing the probability of malicious users output by the model with a preset threshold, filtering out a list of suspicious users for manual verification and security handling by operations and maintenance personnel.
8. A malicious user behavior intelligent detection device based on a multidimensional relational graph neural network, characterized in that, include: The pre-trained model module is used to execute the training process of the intelligent detection method for malicious user behavior based on a multidimensional relational graph neural network as described in any one of claims 1 to 7, and to obtain a trained malicious user detection model. The online detection service module is used to load the detection model obtained by the pre-trained model module and provide a calling interface to external devices; The operation and maintenance tool module is configured to input the access characteristic data of the target user by calling the interface of the online detection service module, and obtain the malicious user probability result output by the detection model.
9. An electronic device comprising a processor and a memory, the memory storing a computer program, characterized in that, When the processor executes the computer program, it implements a SGUI malicious user detection method based on a multidimensional relational graph neural network as described in any one of claims 1 to 7. 10. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by the processor, it implements a SGUI malicious user detection method based on a multidimensional relational graph neural network as described in any one of claims 1 to 7.