A model training, information determination method, device and storage medium

By acquiring and training a federated learning-based malicious user prediction model and utilizing the historical security parameters of sample users, the accuracy of malicious user identification was improved and the risk of data leakage was reduced.

CN122365482APending Publication Date: 2026-07-10CHINA MOBILE (SUZHOU) SOFTWARE TECH CO LTD +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CHINA MOBILE (SUZHOU) SOFTWARE TECH CO LTD
Filing Date
2026-03-04
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

Existing technologies are not accurate enough in identifying malicious users, leading to a high risk of data leakage.

Method used

By acquiring historical security parameters related to the historical access behavior of sample users, including historical access behavior records, historical allowed data unit sets, historical data leakage information, and historical data leakage frequency, the initial federated learning-based malicious user prediction model is trained based on these parameters to obtain the target federated learning-based malicious user prediction model. This model is then used to determine whether a user is a malicious user.

Benefits of technology

It improved the accuracy of malicious user identification and reduced the risk of data leakage.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122365482A_ABST
    Figure CN122365482A_ABST
Patent Text Reader

Abstract

This application provides a model training method, comprising: acquiring historical security parameters related to the historical access behavior of a sample user; wherein the historical security parameters include one or more of historical access behavior records, historically allowed data unit sets, historical data leakage information, and historical data leakage frequency; determining the identifier of the sample user based on the historical security parameters; wherein the identifier of the sample user is used to indicate whether the sample user is a malicious user; training an initial federated learning-based malicious user prediction model based on the historical security parameters and the identifier of the sample user to obtain a target federated learning-based malicious user prediction model, thus solving the problem of inaccurate malicious user determination results. This application also provides an information determination method, device, and storage medium.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to data security technologies in the field of computer technology, and more particularly to a model training, information determination method, device, and storage medium. Background Technology

[0002] With the widespread adoption of cloud services, data security issues have become increasingly prominent, manifesting as loss of control after data outsourcing and the potential risk of data leakage. To avoid data leakage, the following solutions have emerged: first, watermarking technology to trace the source of data distribution; second, probabilistic models, which typically combine statistics and machine learning techniques to analyze user behavior and historical data to identify and predict malicious users. However, these solutions still struggle to accurately identify complex attacks, leading to inaccurate judgments of malicious users and jeopardizing the risk of data leakage. Summary of the Invention

[0003] This application provides a model training, information determination method, device, and storage medium, which solves the problem of inaccurate judgment results for malicious users in related technologies and further avoids the risk of data leakage.

[0004] The technical solution of this application embodiment is implemented as follows: A model training method, the method comprising: Obtain historical security parameters related to the historical access behavior of sample users; wherein, the historical security parameters include one or more of the following: historical access behavior records, historical allowed data unit sets, historical data leakage information, and historical data leakage frequency; The identifier of the sample user is determined based on the historical security parameters; wherein, the identifier of the sample user is used to indicate whether the sample user is a malicious user; The initial federated learning-based malicious user prediction model is trained based on the historical security parameters and the identifiers of the sample users to obtain the target federated learning-based malicious user prediction model.

[0005] In the above scheme, determining the identifier of the sample user based on the historical security parameters includes: Based on the historical access behavior records, the first evaluation result of the sample users is determined; Based on the historical set of allowed access data units, the second evaluation result corresponding to the sample user is determined; The third evaluation result corresponding to the sample user is determined based on the historical data leakage information. The fourth evaluation result corresponding to the sample users is determined based on the historical data leakage frequency. Based on the first evaluation result, the second evaluation result, the third evaluation result, and the fourth evaluation result, the identifier of the sample user is determined.

[0006] In the above scheme, determining the second evaluation result corresponding to the sample user based on the historically allowed access data unit set includes: The historical allowed data unit sets in the target behavior database are classified to obtain multiple sets of data unit sets; Determine the relationship between the access data corresponding to the historical access behavior and the multiple sets of data units; The second evaluation result corresponding to the sample user is determined based on the relationship.

[0007] In the above scheme, determining the third evaluation result corresponding to the sample user based on the historical data leakage information includes: Determine the total amount of data accessed by the sample users during the target time period; The attack factor is calculated based on the total data access volume and the amount of malicious data distributed by the sample users during the target time period; wherein, the historical data leakage information includes the amount of malicious data distributed. The third evaluation result corresponding to the sample user is determined based on the attack factor.

[0008] In the above scheme, determining the identifier of the sample user based on the first evaluation result, the second evaluation result, the third evaluation result, and the fourth evaluation result includes: Based on the first evaluation result, the second evaluation result, the third evaluation result, and the fourth evaluation result, a comprehensive evaluation result is determined; The identifiers of the sample users are determined based on the comprehensive evaluation results.

[0009] In the above scheme, training the initial federated learning-based malicious user prediction model based on the historical security parameters and the identifier of the sample user to obtain the target federated learning-based malicious user prediction model includes: The historical security parameters and the identifier of the sample user are encrypted to obtain encrypted sample data. Noise information is added to the encrypted sample data, and the user identity information in the noise-added sample data is hidden to obtain the target sample data. The initial federated learning-based malicious user prediction model is trained based on the target sample data to obtain the target federated learning-based malicious user prediction model.

[0010] An information determination method, the method comprising: Receive access requests from target users; Obtain the attribute information of the target user and the security parameters corresponding to the access request; A malicious user prediction model based on federated learning is used to process the user's attribute information and security parameters to determine whether the target user is a malicious user. The malicious user prediction model based on federated learning is trained using the model training method described above.

[0011] A model training device, the device comprising: The first acquisition unit is used to acquire historical security parameters related to the historical access behavior of sample users; wherein, the historical security parameters include one or more of the following: historical access behavior records, historical allowed data unit sets, historical data leakage information, and historical data leakage frequency; A determining unit is configured to determine the identifier of the sample user based on the historical security parameters; wherein the identifier of the sample user is used to indicate whether the sample user is a malicious user; The first processing unit is used to train the initial federated learning-based malicious user prediction model based on the historical security parameters and the identifier of the sample user to obtain the target federated learning-based malicious user prediction model.

[0012] An information determining device, the device comprising: The receiving unit is used to receive access requests from target users; The second acquisition unit is used to acquire the attribute information of the target user and the security parameters corresponding to the access request; The second processing unit is used to process the user's attribute information and security parameters using a target-based federated learning malicious user prediction model to determine whether the target user is a malicious user. The malicious user prediction model based on federated learning is trained using the model training method described above.

[0013] A model training device, the device comprising: a first processor, a first memory, and a first communication bus; The first communication bus is used to establish a communication connection between the first processor and the first memory; The first processor is used to execute the model training program in the first memory to implement the steps of the model training method described above.

[0014] An information determining device, the device comprising: a second processor, a second memory, and a second communication bus; The second communication bus is used to establish a communication connection between the second processor and the second memory; The second processor is used to execute the information determination program in the second memory to implement the steps of the information determination method described above.

[0015] A computer-readable storage medium storing one or more programs that can be executed by one or more processors to implement the steps of the model training method or information determination method described above.

[0016] A computer program product comprising a computer program that, when executed by a processor, implements the aforementioned model training method or information determination method.

[0017] The model training, information determination method, device, and storage medium provided in this application embodiment can acquire historical security parameters related to the historical access behavior of sample users. These historical security parameters include one or more of the following: historical access behavior records, historically allowed data unit sets, historical data leakage information, and historical data leakage frequency. Based on these historical security parameters, an identifier indicating whether a sample user is a malicious user is determined. An initial federated learning-based malicious user prediction model is trained based on the historical security parameters and the sample user's identifier to obtain a target federated learning-based malicious user prediction model. Thus, the target federated learning-based malicious user prediction model is trained using security parameters including one or more of the following: historical access behavior records, historically allowed data unit sets, historical data leakage information, and historical data leakage frequency, along with an identifier that characterizes whether a user is a malicious user. Furthermore, the use of a federated learning-based malicious user prediction model ensures higher accuracy in the obtained target federated learning-based malicious user prediction model. The result of determining whether a user is a malicious user based on this target federated learning-based malicious user prediction model is more accurate, solving the problem of inaccurate malicious user determination results in related technologies and further avoiding the risk of data leakage. Attached Figure Description

[0018] Figure 1 This is a schematic flowchart of a model training method provided in an embodiment of this application; Figure 2 This is a schematic diagram of the training architecture in a model training method provided in an embodiment of this application; Figure 3 This is a flowchart illustrating an information determination method provided in an embodiment of this application; Figure 4 This is a schematic diagram of the structure of a model training device provided in an embodiment of this application; Figure 5 This is a schematic diagram of the structure of an information determination device provided in an embodiment of this application; Figure 6 This is a schematic diagram of the structure of a model training device provided in an embodiment of this application; Figure 7 This is a schematic diagram of the structure of an information determination device provided in an embodiment of this application. Detailed Implementation

[0019] The technical solutions in the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings.

[0020] It should be understood that the phrases "embodiments of this application" or "foreign embodiments" throughout the specification mean that a specific feature, structure, or characteristic related to an embodiment is included in at least one embodiment of this application. Therefore, "embodiments of this application" or "in the foreign embodiments" appearing throughout the specification do not necessarily refer to the same embodiment. Furthermore, these specific features, structures, or characteristics can be combined in any suitable manner in one or more embodiments. In the various embodiments of this application, the sequence numbers of the above-described processes do not imply a sequential order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of this application. The sequence numbers of the above-described embodiments are merely descriptive and do not represent the superiority or inferiority of the embodiments.

[0021] Unless otherwise specified, any step in the embodiments of this application performed by the electronic device may be executed by the processor of the electronic device. It is also worth noting that the embodiments of this application do not limit the order in which the electronic device performs the following steps. Furthermore, the methods used to process data in different embodiments may be the same or different methods. It should also be noted that any step in the embodiments of this application can be executed independently by the electronic device; that is, when the electronic device performs any step in the following embodiments, it may not depend on the execution of other steps.

[0022] It should be understood that the specific embodiments described herein are for illustrative purposes only and are not intended to limit the scope of this application.

[0023] This application provides a model training method, which can be applied to a model training device, as described above. Figure 1 As shown, the model training method may include the following steps: Step 101: Obtain historical security parameters related to the historical access behavior of sample users.

[0024] The historical security parameters include one or more of the following: historical access behavior records, historical allowed data unit sets, historical data breach information, and historical data breach frequency.

[0025] Specifically, the sample users can be a large number of users who have historically accessed the Cloud Backup Platform (CBP); historical access behavior refers to the access behaviors performed by the sample users on the Cloud Backup Platform. It should be noted that the historical security parameters related to the historical access behavior of the sample users can be pre-acquired and stored... Figure 2 The target behavior database shown is used for this purpose; therefore, historical security parameters can be directly obtained from the target behavior database in this application. In one feasible implementation, the target behavior database may include a behavior knowledge base.

[0026] In this embodiment of the application, historical data leakage information may include the amount of historical malicious data distributed or the number of data leakages.

[0027] Step 102: Determine the identifier of the sample user based on historical security parameters.

[0028] The sample user's identifier is used to indicate whether the sample user is a malicious user.

[0029] Specifically, the identifier of a sample user can be determined based on one or more of the following historical security parameters: historical access behavior records, historical allowed data unit sets, historical data breach information, and historical data breach frequency. It should be noted that the evaluation result corresponding to the sample user can be determined first based on one or more of these parameters, and then the sample user's identifier can be determined based on the evaluation result.

[0030] Step 103: Train the initial federated learning-based malicious user prediction model based on historical security parameters and sample user identifiers to obtain the target federated learning-based malicious user prediction model.

[0031] Specifically, historical security parameters and sample user identifiers can be preprocessed to obtain target sample data, and the initial federated learning-based malicious user prediction model can be trained based on the target sample data to obtain the target federated learning-based malicious user prediction model.

[0032] It should be noted that the initial federated learning-based malicious user prediction model can be a federated learning-driven Malicious User Prediction Model (FedMUP) whose parameters have already been initialized.

[0033] Based on the foregoing embodiments, in other embodiments of this application, step 102 can be implemented in the following ways: A1. Based on historical access behavior records, determine the first evaluation result corresponding to the sample user.

[0034] Specifically, historical access records can be analyzed to determine whether a sample user is a "known" or "unknown" user. When a sample user is identified as a "known" user, a security identifier is assigned to that user. This indicates that the sample user has been verified through historical records; when a sample user is identified as an "unknown" user, a security identifier is assigned to that sample user. This indicates that the sample user does not have enough historical records for verification. It should be noted that the first evaluation result can be a security flag, which can be either 1 or 0.

[0035] A2. Based on the historical set of allowed data units, determine the second evaluation result corresponding to the sample user.

[0036] Specifically, the historical allowed access data unit set can be analyzed and processed together with the historical allowed access data unit set in the target behavior database, and the second evaluation result corresponding to the sample user can be determined based on the analysis and processing results.

[0037] A3. Determine the third evaluation result corresponding to the sample users based on historical data leakage information.

[0038] Specifically, attack factors corresponding to sample users can be determined based on historical data leakage information, and then the third evaluation result corresponding to the sample users can be determined based on the attack factors.

[0039] A4. Determine the fourth evaluation result corresponding to the sample users based on the frequency of historical data leakage.

[0040] Specifically, the number of times sample users attempted to access unauthorized data units in different time periods is recorded, and the historical data leakage frequency is calculated by accumulating the total number of times sample users attempted to access unauthorized data units in the time period.

[0041] In this embodiment, the historical data leakage frequency can be compared with a preset frequency threshold to determine the fourth evaluation result corresponding to the sample user. If the historical data leakage frequency of the sample user is lower than the frequency threshold, the first authorization identifier of the sample user is determined to be 0; if the historical data leakage frequency of the sample user exceeds the frequency threshold, the first authorization identifier of the sample user is determined to be 1. It should be noted that the fourth evaluation result can be the first authorization identifier, and the first authorization identifier can be 1 or 0.

[0042] A5. Based on the first, second, third, and fourth evaluation results, determine the identifiers of the sample users.

[0043] Specifically, the first, second, third, and fourth evaluation results can be comprehensively evaluated, and the identifier used for the sample can be determined based on the comprehensive evaluation results.

[0044] In other embodiments of this application, the determination of the second evaluation result corresponding to the sample user based on the historically allowed access data unit set includes: Multiple sets of data units are obtained by classifying the historically allowed data unit sets in the target behavior database; Determine the relationship between the access data corresponding to historical access behaviors and multiple sets of data units; The second evaluation result is determined based on the relationship between the sample users.

[0045] Each data unit set includes multiple data units. Specifically, the access data of sample users can be compared with the data in each data unit set. If the access data of a sample user matches the data in multiple data unit sets, a second authorization identifier is assigned to it. If the access data of a sample user does not match the data in each data unit set, a second authorization identifier is assigned to it. It should be noted that the second evaluation result can be a second authorization identifier, and the second authorization identifier can be 1 or 0.

[0046] In other embodiments of this application, the aforementioned determination of the third evaluation result corresponding to the sample user based on historical data leakage information includes: Determine the total data access volume of sample users within the target time period; The attack factor is calculated based on the total amount of data accessed and the amount of malicious data distributed by sample users during the target time period; historical data leakage information includes the amount of malicious data distributed. The third evaluation result for the sample users is determined based on the attack factor.

[0047] This process involves checking whether the data unit requested by each sample user was leaked within the target time period, and calculating the amount of malicious data distributed by the sample user within that target time period. Then, the attack factor is evaluated based on the malicious data distribution of the sample user. Specifically, the attack factor can be calculated as the ratio of the amount of malicious data distributed by the sample user within the target time period to the total amount of data accessed. Based on the relationship between this ratio and a predefined attack threshold, the attack factor corresponding to the sample user is determined.

[0048] It should be noted that if the attack factor of a sample user is less than the attack threshold (for example, the attack threshold is set to 0.5), the sample user is allowed to access the data and the corresponding evaluation value is set; if the attack factor of a sample user is greater than or equal to the attack threshold, the sample user's access request is rejected and the corresponding evaluation value is set.

[0049] In other embodiments of this application, determining the identifier of the sample user based on the first evaluation result, the second evaluation result, the third evaluation result, and the fourth evaluation result includes: Based on the results of the first, second, third, and fourth assessments, a comprehensive assessment result is determined. The identifiers of the sample users are determined based on the comprehensive evaluation results.

[0050] Specifically, a comprehensive evaluation result can be obtained by comprehensively analyzing the first, second, third, and fourth evaluation results. In one feasible implementation, the comprehensive evaluation result can be obtained by calculating the security identifier, the first authorization identifier, the second authorization identifier, and the evaluation value.

[0051] It should be noted that the comprehensive evaluation result is compared with the target threshold, and the sample user's identifier is determined based on the comparison result. In one feasible implementation, if the comprehensive evaluation result is less than 1, the historical access behavior is judged to be non-malicious, and the sample user's identifier is determined to be an allowed identifier; if the comprehensive value is greater than or equal to 1, the historical access behavior is judged to be malicious, and the sample user's identifier is determined to be an unallowed identifier.

[0052] In other embodiments of this application, step 103 described above can be implemented in the following ways: B1. Encrypt the historical security parameters and the identifiers of the sample users to obtain encrypted sample data.

[0053] Specifically, such as Figure 2 As shown, the data processing layer can first clean the historical security parameters and sample user identifiers to eliminate noise and inconsistencies and ensure data quality; then, feature extraction and standardization are performed.

[0054] In this embodiment of the application, after processing, it can be... Figure 2 The privacy protection layer shown is used to encrypt the sample data, resulting in encrypted sample data. Specifically, the Advanced Encryption Standard (AES) encryption algorithm can be used for symmetric encryption to obtain the encrypted sample data.

[0055] B2. Add noise information to the encrypted sample data and hide the user identity information in the noise-added sample data to obtain the target sample data.

[0056] Specifically, differential techniques such as... Figure 2 As shown, noise information is added to the encrypted sample data, and the user identity information in the noise-added sample data is de-identified (i.e., anonymized) in order to hide the user identity information and obtain the target sample data.

[0057] B3. Train the initial federated learning-based malicious user prediction model based on the target sample data to obtain the target federated learning-based malicious user prediction model.

[0058] Specifically, the input can be fed into the initial federated learning-based malicious user prediction model to train the initial federated learning-based malicious user prediction model, thereby obtaining the target federated learning-based malicious user prediction model.

[0059] In the embodiments of this application, it can be achieved through Figure 2 The model training layer shown trains an initial federated learning-based malicious user prediction model. Specifically, a pre-trained global model can be selected, and its initial parameters are distributed to all participating users. Each user trains their local model on their sensitive data based on these global model parameters, generating a local model. Users then upload the parameters of their trained local models to the cloud. The cloud aggregates the parameters of all users' local models, thereby updating the global model. The updated global model is then redistributed to users so they can perform the next round of model training on their local data. This process iterates continuously until the performance of the global model improves.

[0060] It should be noted that the entire iterative process is as follows: Prepare sample users (U), including associated attributes and requested data objects, such as... Set the number of sample users n, the number of selected sample users k, the number of communication rounds T, and the number of training iterations. A global model is generated by aggregating the local models of each sample user. That is, the global model obtained from the local model update. In the FedMUP model, current and historical information of sample users is used for periodic training and retraining. This is performed incrementally within each time interval. For each user, their data access request is received and analyzed to obtain relevant security risk information. The user's data access request intent is analyzed. Global model parameters are initialized. For each round of communication: a set of users participating in this round is defined, including k users. For each participating user, their security parameters and user attributes are input, and local model training is performed without sharing actual local data. Local model updates are calculated and fed back. By aggregating the local model updates of all participating users, a new global model is calculated. Finally, the updated global model is obtained, and the above process is repeated until all request and communication rounds are completed.

[0061] The model training method provided in the embodiments of this application trains a target-based federated learning malicious user prediction model using one or more security parameters, including historical access behavior records, historical allowed access data unit sets, historical data leakage information, and historical data leakage frequency, as well as an identifier that can characterize whether a user is a malicious user. Furthermore, it uses a federated learning-based malicious user prediction model, thereby ensuring higher accuracy of the obtained target-based federated learning malicious user prediction model. The results of determining whether a user is a malicious user based on this target-based federated learning malicious user prediction model are more accurate, solving the problem of inaccurate malicious user determination results in related technologies and further avoiding the risk of data leakage.

[0062] Based on the foregoing embodiments, embodiments of this application provide an information determination method, referring to... Figure 3 As shown, the method may include the following steps: Step 201: Receive the access request from the target user.

[0063] The target users refer to users who want to access the CBP platform in actual applications.

[0064] Step 202: Obtain the target user's attribute information and the security parameters corresponding to the access request.

[0065] Specifically, security parameters can refer to the security parameters corresponding to the current access request of the target user currently accessing the CBP platform; it should be noted that these security parameters can be determined by the historical security parameters corresponding to the target user's historical access requests.

[0066] Step 203: Use a target-based federated learning-based malicious user prediction model to process the user's attribute information and security parameters to determine whether the target user is a malicious user.

[0067] Specifically, user attribute information and security parameters can be used as input information and fed into the target's federated learning-based malicious user prediction model. Then, the target's federated learning-based malicious user prediction model processes the user's attribute information and security parameters to predict whether the target user is a malicious user.

[0068] In other embodiments of this application, it can be achieved through Figure 2 The decision support layer analyzes the prediction results for target users and generates visual reports to identify trends and risks. Based on these analyses and model predictions, the strategy recommendation module automatically generates optimization suggestions to help adjust data access control policies (i.e., strategy recommendations). Simultaneously, the risk assessment report generation module regularly summarizes security risk information and provides comprehensive assessment reports to support management's strategic decisions and resource allocation, thereby improving the security and operational efficiency of the cloud backup system.

[0069] The target malicious user prediction model based on federated learning is determined in the following way: Obtain historical security parameters related to the historical access behavior of sample users.

[0070] The historical security parameters include one or more of the following: historical access behavior records, historical allowed data unit sets, historical data breach information, and historical data breach frequency.

[0071] The identifiers of sample users are determined based on historical security parameters.

[0072] The sample user's identifier is used to indicate whether the sample user is a malicious user.

[0073] The initial federated learning-based malicious user prediction model is trained based on historical security parameters and sample user identifiers to obtain the target federated learning-based malicious user prediction model.

[0074] The information determination method provided in the embodiments of this application can train a target-based federated learning malicious user prediction model using one or more security parameters, including historical access behavior records, historical allowed access data unit sets, historical data leakage information, and historical data leakage frequency, and an identifier that can characterize whether a user is a malicious user. The use of a federated learning-based malicious user prediction model results in higher accuracy, leading to more accurate determinations of whether a user is malicious. This solves the problem of inaccurate malicious user determination results in related technologies and further avoids the risk of data leakage.

[0075] Based on the foregoing embodiments, embodiments of this application provide a model training apparatus, which can be applied to... Figure 1 In the model training method provided in the corresponding embodiment, refer to Figure 4 As shown, the model training device 3 may include: a first acquisition unit 31, a determination unit 32, and a first processing unit 33, wherein: The first acquisition unit 31 is used to acquire historical security parameters related to the historical access behavior of sample users; wherein, the historical security parameters include one or more of the following: historical access behavior records, historical allowed data unit sets, historical data leakage information, and historical data leakage frequency; The determining unit 32 is used to determine the identifier of the sample user based on historical security parameters; wherein, the identifier of the sample user is used to indicate whether the sample user is a malicious user; The first processing unit 33 is used to train the initial federated learning-based malicious user prediction model based on historical security parameters and the identifiers of sample users to obtain the target federated learning-based malicious user prediction model.

[0076] In other embodiments of this application, the determining unit 32 is further configured to perform the following steps: Based on historical access behavior records, determine the first evaluation result for the sample users; Based on the historical set of allowed data units, determine the second evaluation result for the sample user; The third assessment result for the sample users was determined based on historical data breach information. The fourth evaluation result for the sample users is determined based on the frequency of historical data leaks. Based on the first, second, third, and fourth evaluation results, the identifiers of the sample users are determined.

[0077] In other embodiments of this application, the determining unit 32 is further configured to perform the following steps: Multiple sets of data units are obtained by classifying the historically allowed data unit sets in the target behavior database; Determine the relationship between the access data corresponding to historical access behaviors and multiple sets of data units; The second evaluation result is determined based on the relationship between the sample users.

[0078] In other embodiments of this application, the determining unit 32 is further configured to perform the following steps: Determine the total data access volume of sample users within the target time period; The attack factor is calculated based on the total amount of data accessed and the amount of malicious data distributed by sample users during the target time period; historical data leakage information includes the amount of malicious data distributed. The third evaluation result for the sample users is determined based on the attack factor.

[0079] In other embodiments of this application, the determining unit 32 is further configured to perform the following steps: Based on the results of the first, second, third, and fourth assessments, a comprehensive assessment result is determined. The identifiers of the sample users are determined based on the comprehensive evaluation results.

[0080] In other embodiments of this application, the first processing unit 33 is further configured to perform the following steps: The encrypted sample data is obtained by encrypting historical security parameters and sample user identifiers. Noise information is added to the encrypted sample data, and the user identity information in the noisy sample data is hidden to obtain the target sample data. The initial federated learning-based malicious user prediction model is trained based on the target sample data to obtain the target federated learning-based malicious user prediction model.

[0081] It should be noted that the specific implementation process of the steps performed by each unit in the embodiments of this application can be referred to Figure 1 The implementation process of the model training method provided in the corresponding embodiment will not be described in detail here.

[0082] The model training apparatus provided in the embodiments of this application is used to train a target-based federated learning malicious user prediction model. This model is trained using one or more security parameters, including historical access behavior records, historical allowed access data unit sets, historical data leakage information, and historical data leakage frequency, as well as an identifier that can characterize whether a user is a malicious user. Furthermore, the use of a federated learning-based malicious user prediction model ensures higher accuracy of the obtained model. The results of determining whether a user is a malicious user based on this model are more accurate, solving the problem of inaccurate malicious user determination in related technologies and further avoiding the risk of data leakage.

[0083] Based on the foregoing embodiments, embodiments of this application provide an information determining device, which can be applied to... Figure 3 In the information determination method provided in the corresponding embodiment, refer to Figure 5 As shown, the information determining device 4 may include: a receiving unit 41, a second acquiring unit 42, and a second processing unit 43, wherein: Receiving unit 41 is used to receive access requests from target users; The second acquisition unit 42 is used to acquire the target user's attribute information and the security parameters corresponding to the access request; The second processing unit 43 is used to process the user's attribute information and security parameters using a target-based federated learning malicious user prediction model to determine whether the target user is a malicious user. Among them, the malicious user prediction model based on federated learning is achieved through... Figure 1 The model was trained using the model training method provided in the corresponding embodiment.

[0084] It should be noted that the specific implementation process of the steps performed by each unit in the embodiments of this application can be referred to Figure 3 The implementation process of the information determination method provided in the corresponding embodiments will not be described in detail here.

[0085] The information determination device provided in the embodiments of this application can train a target-based federated learning malicious user prediction model using one or more security parameters, including historical access behavior records, historical allowed access data unit sets, historical data leakage information, and historical data leakage frequency, and an identifier that can characterize whether a user is a malicious user. The use of a federated learning-based malicious user prediction model results in higher accuracy, leading to more accurate determinations of whether a user is malicious. This solves the problem of inaccurate malicious user determination results in related technologies and further avoids the risk of data leakage.

[0086] Based on the foregoing embodiments, embodiments of this application provide a model training device that can be applied to... Figure 1 In the model training method provided in the corresponding embodiment, refer to Figure 6 As shown, the model training device 5 may include: a first processor 51, a first memory 52, and a first communication bus 53, wherein: The first communication bus 53 is used to realize the communication connection between the first processor 51 and the first memory 52; The first memory 52 is used to store computer programs that can run on the first processor 51; The first processor 51 is used to run computer programs to perform the following steps: Obtain historical security parameters related to the historical access behavior of sample users; wherein, historical security parameters include one or more of the following: historical access behavior records, historical allowed data unit sets, historical data leakage information, and historical data leakage frequency; The identifier of the sample user is determined based on historical security parameters; the identifier of the sample user is used to indicate whether the sample user is a malicious user. The initial federated learning-based malicious user prediction model is trained based on historical security parameters and sample user identifiers to obtain the target federated learning-based malicious user prediction model.

[0087] In other embodiments of this application, the first processor 51 is used to run a computer program and can also perform the following steps: Based on historical access behavior records, determine the first evaluation result for the sample users; Based on the historical set of allowed data units, determine the second evaluation result for the sample user; The third assessment result for the sample users was determined based on historical data breach information. The fourth evaluation result for the sample users is determined based on the frequency of historical data leaks. Based on the first, second, third, and fourth evaluation results, the identifiers of the sample users are determined.

[0088] In other embodiments of this application, the first processor 51 is used to run a computer program and can also perform the following steps: Multiple sets of data units are obtained by classifying the historically allowed data unit sets in the target behavior database; Determine the relationship between the access data corresponding to historical access behaviors and multiple sets of data units; The second evaluation result is determined based on the relationship between the sample users.

[0089] In other embodiments of this application, the first processor 51 is used to run a computer program and can also perform the following steps: Determine the total data access volume of sample users within the target time period; The attack factor is calculated based on the total amount of data accessed and the amount of malicious data distributed by sample users during the target time period; historical data leakage information includes the amount of malicious data distributed. The third evaluation result for the sample users is determined based on the attack factor.

[0090] In other embodiments of this application, the first processor 51 is used to run a computer program and can also perform the following steps: Based on the results of the first, second, third, and fourth assessments, a comprehensive assessment result is determined. The identifiers of the sample users are determined based on the comprehensive evaluation results.

[0091] In other embodiments of this application, the first processor 51 is used to run a computer program and can also perform the following steps: The encrypted sample data is obtained by encrypting historical security parameters and sample user identifiers. Noise information is added to the encrypted sample data, and the user identity information in the noisy sample data is hidden to obtain the target sample data. The initial federated learning-based malicious user prediction model is trained based on the target sample data to obtain the target federated learning-based malicious user prediction model.

[0092] It should be noted that a detailed description of the steps performed by the first processor can be found in [reference needed]. Figure 1 The model training method provided in the corresponding embodiments will not be described in detail here.

[0093] The model training device provided in the embodiments of this application can acquire sample data and determine the sample feature information of the sample data. The sample feature information is processed to obtain sample quantum state data. Based on the sample feature information and sample quantum state data, an initial hybrid expert model with a target quantum gating network and an expert network is trained to obtain a target hybrid expert model. In this way, the gating network of the initial hybrid expert model used to train the target hybrid expert model is a quantum gating network, and the initial hybrid expert model is trained with the corresponding sample quantum state data and sample feature information. Thus, the gating network in the obtained target hybrid expert model is a quantum gating network, which is not a traditional neural network and does not require a large number of neurons for training. This solves the problem of low training efficiency in related technologies and improves the adaptability of the hybrid expert model.

[0094] Based on the foregoing embodiments, embodiments of this application provide an information determining device, which can be applied to... Figure 3 In the information determination method provided in the corresponding embodiment, refer to Figure 7 As shown, the information determining device 5 may include: a second processor 61, a second memory 62, and a second communication bus 63, wherein: The second communication bus 63 is used to realize the communication connection between the second processor 61 and the second memory 62; The second memory 62 is used to store computer programs that can run on the second processor 61; The second processor 61 is used to run computer programs to perform the following steps: Receive access requests from target users; Obtain the target user's attribute information and the security parameters corresponding to the access request; A target-based federated learning-based malicious user prediction model is used to process user attribute information and security parameters to determine whether the target user is a malicious user. Among them, the malicious user prediction model based on federated learning is achieved through... Figure 1 The model was trained using the model training method provided in the corresponding embodiment.

[0095] It should be noted that a detailed description of the steps performed by the second processor can be found in [reference needed]. Figure 3 The information determination method provided in the corresponding embodiments will not be described again here.

[0096] The information determination device provided in the embodiments of this application can train a target-based federated learning malicious user prediction model using one or more security parameters, including historical access behavior records, historical allowed access data unit sets, historical data leakage information, and historical data leakage frequency, and an identifier that can characterize whether a user is a malicious user. The use of a federated learning-based malicious user prediction model results in higher accuracy, leading to more accurate determinations of whether a user is malicious. This solves the problem of inaccurate malicious user determination results in related technologies and further avoids the risk of data leakage.

[0097] Based on the foregoing embodiments, embodiments of this application provide a computer-readable storage medium storing one or more programs, which can be executed by one or more first processors 51 and second processors 61 to achieve... Figure 1 The corresponding implementation provides the model training method and Figure 3 The corresponding embodiments provide the steps of the information determination method.

[0098] Based on the foregoing embodiments, embodiments of this application provide a computer program product, including a computer program that can be executed by a first processor 51 and a second processor 61 to perform... Figure 1 The corresponding implementation provides the model training method and Figure 3 The corresponding embodiments provide the steps of the information determination method.

[0099] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of hardware embodiments, software embodiments, or embodiments combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage and optical storage) containing computer-usable program code.

[0100] This application is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this application. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart... Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.

[0101] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.

[0102] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.

[0103] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

Claims

1. A model training method, characterized in that, The method includes: Obtain historical security parameters related to the historical access behavior of sample users; wherein, the historical security parameters include one or more of the following: historical access behavior records, historical allowed data unit sets, historical data leakage information, and historical data leakage frequency; The identifier of the sample user is determined based on the historical security parameters; wherein, the identifier of the sample user is used to indicate whether the sample user is a malicious user; The initial federated learning-based malicious user prediction model is trained based on the historical security parameters and the identifiers of the sample users to obtain the target federated learning-based malicious user prediction model.

2. The method according to claim 1, characterized in that, Determining the identifier of the sample user based on the historical security parameters includes: Based on the historical access behavior records, the first evaluation result of the sample users is determined; Based on the historical set of allowed access data units, the second evaluation result corresponding to the sample user is determined; The third evaluation result corresponding to the sample user is determined based on the historical data leakage information. The fourth evaluation result corresponding to the sample users is determined based on the historical data leakage frequency. Based on the first evaluation result, the second evaluation result, the third evaluation result, and the fourth evaluation result, the identifier of the sample user is determined.

3. The method according to claim 2, characterized in that, The determination of the second evaluation result corresponding to the sample user based on the historically allowed access data unit set includes: The historical allowed data unit sets in the target behavior database are classified to obtain multiple sets of data unit sets; Determine the relationship between the access data corresponding to the historical access behavior and the multiple sets of data units; The second evaluation result corresponding to the sample user is determined based on the relationship.

4. The method according to claim 2, characterized in that, The process of determining the third evaluation result corresponding to the sample user based on the historical data leakage information includes: Determine the total amount of data accessed by the sample users during the target time period; The attack factor is calculated based on the total data access volume and the amount of malicious data distributed by the sample users during the target time period; wherein, the historical data leakage information includes the amount of malicious data distributed. The third evaluation result corresponding to the sample user is determined based on the attack factor.

5. The method according to claim 2, characterized in that, The step of determining the identifier of the sample user based on the first evaluation result, the second evaluation result, the third evaluation result, and the fourth evaluation result includes: Based on the first evaluation result, the second evaluation result, the third evaluation result, and the fourth evaluation result, a comprehensive evaluation result is determined; The identifiers of the sample users are determined based on the comprehensive evaluation results.

6. The method according to claim 1, characterized in that, The process of training an initial federated learning-based malicious user prediction model based on the historical security parameters and the identifiers of the sample users to obtain a target federated learning-based malicious user prediction model includes: The historical security parameters and the identifier of the sample user are encrypted to obtain encrypted sample data. Noise information is added to the encrypted sample data, and the user identity information in the noise-added sample data is hidden to obtain the target sample data. The initial federated learning-based malicious user prediction model is trained based on the target sample data to obtain the target federated learning-based malicious user prediction model.

7. An information determination method, characterized in that, The method includes: Receive access requests from target users; Obtain the attribute information of the target user and the security parameters corresponding to the access request; A malicious user prediction model based on federated learning is used to process the user's attribute information and security parameters to determine whether the target user is a malicious user. The malicious user prediction model based on federated learning is obtained by training the model training method as described in any one of claims 1-6.

8. A model training device, characterized in that, The device includes: a first processor, a first memory, and a first communication bus; The first communication bus is used to establish a communication connection between the first processor and the first memory; The first processor is configured to execute a model training program in the first memory to implement the steps of the model training method as described in any one of claims 1-6.

9. An information determining device, characterized in that, The device includes: a second processor, a second memory, and a second communication bus; The second communication bus is used to establish a communication connection between the second processor and the second memory; The second processor is used to execute the information determination program in the second memory to implement the steps of the information determination method as described in claim 7.

10. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores one or more programs, which can be executed by one or more processors to implement the steps of the model training method as described in any one of claims 1-6 or the information determination method as described in claim 7.