A risk data analysis method and device of a resource interaction risk control system

By constructing an interaction behavior sequence for the model API interaction behavior, extracting features and performing state transition analysis, and combining resource consumption indicators, the problem of existing risk control systems being unable to identify advanced persistent threats has been solved, and effective identification and risk assessment of attack patterns have been achieved.

CN122365508APending Publication Date: 2026-07-10BAIRUNHONG TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BAIRUNHONG TECH CO LTD
Filing Date
2026-04-09
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

Existing risk control systems are unable to effectively identify advanced persistent threats formed by combinations of multiple harmless individual actions. In particular, in model API interaction scenarios, they lack the ability to track the state of continuous interactions and analyze contextual relationships, resulting in the inability to capture cross-time dependencies and the correlation between inputs and outputs, and the inability to identify potential attack patterns.

Method used

By assigning associated identifiers to multiple access requests, an interaction behavior sequence is constructed, time interval features and input/output feature summaries are extracted, and state transition analysis is performed in a preset behavior state model. Combined with resource consumption indicators, side channel anomalies are identified, a real-time risk score is generated, and alarm thresholds are dynamically adjusted.

Benefits of technology

It enables stateful tracking and contextual analysis of model API interaction behavior, captures time dependencies and data correlations, identifies attack patterns composed of multiple independent behaviors, and improves the ability to identify advanced persistent threats.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122365508A_ABST
    Figure CN122365508A_ABST
Patent Text Reader

Abstract

This application provides a risk data analysis method and apparatus for a resource interaction risk control system, applied in the field of information security technology. It constructs a sequence of interactive behaviors with temporal characteristics; extracts multi-dimensional feature data from the sequence; performs state transition analysis within a preset behavioral state model based on operational logic and feature changes; calculates the degree of variation in input data and output results to identify potential data theft behaviors and side-channel anomalies; and finally integrates the analysis results to generate a real-time risk score and dynamically adjusts alarm thresholds according to preset scenario parameters to determine the existence of compliance vulnerability risks. Therefore, this application has the beneficial effect of identifying combined patterns of multiple independent behaviors with specific attack intentions.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of information security technology, and in particular to a risk data analysis method and apparatus for a resource interaction risk control system. Background Technology

[0002] In the context of enterprise digital transformation, data sharing has expanded from low-dimensional tabular data to high-value data products, such as trained models for facial recognition and credit scoring. Industries with strong compliance requirements, such as finance, face a new challenge: balancing data sharing with preventing data leakage. Traditional risk control relies primarily on static data attributes and explicit rules (anonymization, field ranges, data volume limits, etc.) to determine compliance for individual sharing requests. This is effective for structured table data but ineffective for model-based assets. Although models do not directly expose raw data, they may implicitly contain sensitive features of the training data. Attackers can use methods such as member inference to determine whether a specific sample participated in training, posing a risk of data leakage.

[0003] To assess the static risks of a model, existing solutions introduce static security pre-checks, generating security scores through simulated attack stress tests. However, when the model is provided externally as an online prediction service, the risk depends not only on the model itself but also strongly correlated with subsequent dynamic invocation behavior. Malicious actors may gradually infer model parameters, reconstruct training data, or extract sensitive information through continuous calls with long durations, multiple rounds, and perturbative inputs; such slow probing attacks often appear normal at the single-call level and can bypass monitoring that only considers frequency or single-call format compliance.

[0004] However, the core shortcoming of the existing risk control system is that it treats each API call as an independent event, lacks the ability to track the state of continuous interactions and analyze contextual relationships, and cannot capture cross-time dependencies, input-output correlations, and side-channel clues such as resource consumption, which leads to the failure to identify advanced persistent threats during the dynamic usage phase.

[0005] Therefore, existing technologies urgently need a risk data analysis method for model API interactions, which can perform correlation modeling and comprehensive judgment on call sequences to identify potential attack patterns formed by combinations of multiple harmless single behaviors, and solve the problem of failure in advanced persistent threat identification caused by the inability to perform correlation analysis on interaction behavior sequences. Summary of the Invention

[0006] In view of the shortcomings of the prior art, this application provides a risk data analysis method and apparatus for a resource interaction risk control system. It can perform stateful tracking and contextual analysis of the interactive behavior of model application interfaces, capture and understand the time dependency and data correlation between continuous application interface calls, and comprehensively consider side-channel information such as runtime resource consumption, thereby identifying a combination pattern with specific attack intent composed of multiple independent behaviors. This effectively solves the problem of failure in identifying advanced persistent threats due to the inability to perform correlation analysis on the sequence of interactive behaviors.

[0007] Firstly, a risk data analysis method for a resource interaction risk control system, the method comprising the following steps: S1: By assigning associated identifiers to multiple access requests for the target resource, discrete interactive behaviors are constructed into a sequence of interactive behaviors with temporal characteristics; S2: Extract the time interval features between adjacent interactive operations, the feature summary of the input data, and the feature summary of the output results from the interactive behavior sequence; S3: Based on the operation logic and feature changes in the interactive behavior sequence, perform state transition analysis in the preset behavior state model to identify the behavior mode stage of the current interactive session. S4: By calculating the degree of variation of input data and output results in the interaction sequence, the cumulative amount of information acquired during continuous interaction is quantified in order to assess the risk of information leakage; S5: Real-time acquisition of resource consumption indicators of the target resource when processing the interaction behavior sequence, and comparison of the resource consumption indicators with a preset benchmark resource consumption mode to identify side channel anomalies; S6: Integrate the analysis results of the behavior pattern stage, the information leakage risk, and the side channel anomaly to generate a real-time risk score for the interaction behavior sequence, and dynamically adjust the alarm threshold according to preset scenario parameters to determine whether there is a compliance vulnerability risk.

[0008] Furthermore, step S1 includes: S11: Obtain the source identity, target resource path, and communication protocol characteristics from the access request; S12: Based on the combination of the source identity identifier, the target resource path, and the communication protocol features, generate a globally unique session tracking identifier, and assign the session tracking identifier as the association identifier to the corresponding access request, thereby constructing discrete interaction behaviors into a sequence of interaction behaviors with temporal characteristics.

[0009] Furthermore, in step S3, the state transition analysis in the preset behavioral state model includes the following steps: S31: Input the extracted time interval features, the feature summary of the input data, and the feature summary of the output result into the pre-constructed finite state machine; S32: Based on the current state and input features in the finite state machine, retrieve a preset transition rule base to determine the next hop target state; S33: If the next-hop target state belongs to a preset abnormal state set, then the interactive session is determined to enter the risk detection phase; The preset behavioral state model includes a pre-built finite state machine, a preset transition rule base, and a preset abnormal state set.

[0010] Furthermore, the preset behavioral state model predefines compliant interaction mode sequences and non-compliant interaction mode sequences; in step S33, the step of determining that the interaction session has entered the risk detection phase includes: S331: Update the current state of the interactive session in real time and record the state transition path of the interactive session; S332: Match the state transition path with the compliant interaction mode sequence and the non-compliant interaction mode sequence. When the state transition path successfully matches the non-compliant interaction mode sequence, a risk alarm event is triggered.

[0011] Furthermore, step S4 includes: S41: Calculate the conditional entropy of the output result relative to the input data using the information entropy algorithm; S42: Determine the information gain of the interaction sequence based on the decrease in conditional entropy between two adjacent interaction operations, wherein the information gain is the degree of variability; S43: The information gain generated by each interaction in the interaction sequence is weighted and accumulated to obtain the cumulative information acquisition amount, so as to assess the risk of information leakage.

[0012] Furthermore, in step S5, the resource consumption indicators of the target resource during the processing of the interaction behavior sequence are collected in real time, including: S51: By deploying a monitoring agent in the target resource execution environment, capture in real time the processor utilization, memory allocation increment, and disk I / O latency of the target resource when responding to the access request; S52: Encapsulate the processor utilization rate, the memory allocation increment, and the disk input / output latency into a multi-dimensional resource consumption vector, which serves as the resource consumption indicator.

[0013] Furthermore, in step S5, comparing the resource consumption index with a preset baseline resource consumption pattern to identify side-channel anomalies includes: S53: Under a benchmark test environment, obtain the resource consumption distribution characteristics of the target resource under normal load and normal input modes, and construct the benchmark resource consumption mode; S54: Calculate the deviation between the current multidimensional resource consumption vector and the average value of the corresponding index in the baseline resource consumption model; S55: If the deviation exceeds a preset multiple of the standard deviation, it is determined that there is a side channel anomaly.

[0014] Furthermore, in step S6, the analysis results of the behavioral pattern stage, the information leakage risk, and the side-channel anomaly are integrated to generate a real-time risk score for the interaction behavior sequence, including: S61: Obtain the state risk score corresponding to the behavior pattern stage, the gain risk score corresponding to the information leakage risk, and the resource risk score corresponding to the side channel anomaly, and use preset weighting coefficients to perform weighted summation on the state risk score, the gain risk score, and the resource risk score to calculate the real-time risk score; S62: If the real-time risk score is within a preset suspected risk range, an inducing data label with specific coding characteristics is embedded in the output result returned by the target resource to the interaction behavior sequence; S63: Monitor in real time whether subsequent access requests in the interaction behavior sequence contain replay, parsing or further extraction behavior targeting the inducement data tag; S64: If the replay, parsing or further extraction behavior is detected, it is determined that the interaction behavior sequence has a clear malicious probing intent, and the real-time risk score is corrected to the highest risk level.

[0015] Furthermore, in step S6, dynamically adjusting the alarm threshold according to preset scenario parameters includes: S65: Obtain the sensitivity level of the target resource and the trust level of the user who initiated the access request; S66: Determine the threshold adjustment coefficient based on the mapping relationship between the sensitivity level and the user trust level; S67: The baseline alarm threshold is weighted using the threshold adjustment coefficient to obtain a dynamic alarm threshold that matches the current interaction scenario.

[0016] Secondly, a risk data analysis device for a resource interaction risk control system, the device comprising: The sequence construction module is used to construct discrete interaction behaviors into a sequence of interaction behaviors with temporal characteristics by assigning associated identifiers to multiple access requests for a target resource. The feature extraction module is used to extract the time interval features between adjacent interactive operations, the feature summary of the input data, and the feature summary of the output results from the interactive behavior sequence. The state analysis module is used to perform state transition analysis in a preset behavior state model based on the operation logic and feature changes in the interaction behavior sequence, so as to identify the behavior mode stage of the current interaction session. The risk assessment module is used to quantify the cumulative amount of information acquired during continuous interaction by calculating the degree of variation of input data and output results in the interaction behavior sequence, so as to assess the risk of information leakage. An anomaly detection module is used to collect the resource consumption index of the target resource when processing the interaction behavior sequence in real time, and compare the resource consumption index with a preset benchmark resource consumption mode to identify side channel anomalies. The comprehensive judgment module is used to integrate the analysis results of the behavior pattern stage, the information leakage risk, and the side channel anomaly, generate a real-time risk score for the interaction behavior sequence, and dynamically adjust the alarm threshold according to preset scenario parameters to determine whether there is a compliance vulnerability risk.

[0017] Beneficial Effects: This application proposes a risk data analysis method and apparatus for a resource interaction risk control system. By assigning associated identifiers to multiple access requests to a target resource, discrete interaction behaviors are constructed into a sequence of interaction behaviors with temporal characteristics, solving the problem that traditional methods cannot associate discrete behaviors. It extracts feature summaries of time intervals, input data, and output results from the interaction behavior sequence, providing multi-dimensional data for subsequent analysis. Based on operational logic and feature changes, state transition analysis is performed in a preset behavior state model to identify the behavior pattern stage of the current interaction session, achieving dynamic tracking of interaction behaviors. By calculating the degree of variation in input data and output results, the accumulated information acquisition is quantified, and the risk of information leakage is assessed, effectively identifying potential data theft behaviors. Real-time collection of resource consumption indicators of the target resource when processing the interaction behavior sequence is compared with a preset benchmark resource consumption pattern to identify side-channel anomalies, filling the blind spot of traditional risk control for covert attacks. Finally, the analysis results of behavior pattern stages, information leakage risks, and side-channel anomalies are integrated to generate a real-time risk score, and the alarm threshold is dynamically adjusted according to preset scenario parameters to determine whether there are compliance vulnerability risks, achieving comprehensive assessment and intelligent alarm of multi-dimensional risks. Therefore, this application has the beneficial effect of being able to perform stateful tracking and contextual analysis of the interactive behavior of model application interfaces, capture and understand the time dependency and data correlation between consecutive application interface calls, and comprehensively consider side-channel information such as runtime resource consumption, thereby identifying a combination pattern of multiple independent behaviors with specific attack intentions. Attached Figure Description

[0018] Figure 1 This is a flowchart of a risk data analysis method for a resource interaction risk control system proposed in this application.

[0019] Figure 2 This is a structural diagram of a risk data analysis system for a resource interaction risk control system proposed in this application.

[0020] Figure 3 This is a schematic diagram of a risk data analysis system for a resource interaction risk control system proposed in this application.

[0021] Labeling Explanation: 201, Sequence Construction Module; 202, Feature Extraction Module; 203, State Analysis Module; 204, Risk Assessment Module; 205, Comprehensive Judgment Module. Detailed Implementation

[0022] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of this application, and not all of the embodiments. The components of the embodiments of this application described and marked in the accompanying drawings can be arranged and designed in various different configurations. Therefore, the following detailed description of the embodiments of this application provided in the accompanying drawings is not intended to limit the scope of the claimed application, but merely to illustrate selected embodiments of this application. All other embodiments obtained by those skilled in the art based on the embodiments of this application without inventive effort are within the scope of protection of this application.

[0023] It should be noted that similar reference numerals and letters in the following figures indicate similar items; therefore, once an item is defined in one figure, it does not need to be further defined and explained in subsequent figures. Furthermore, in the description of this application, terms such as "first," "second," etc., are used only to distinguish descriptions and should not be construed as indicating or implying relative importance.

[0024] Please refer to Figure 1This application proposes a risk data analysis method for a resource interaction risk control system. This method aims to address the problem that traditional risk control methods cannot effectively identify combined attack patterns consisting of a series of seemingly legitimate independent behaviors in dynamic interaction scenarios such as model application programming interfaces (APIs). In data-intensive industries such as finance and credit reporting, data resources are shifting from static tabular data to dynamic, intelligent models accessible through APIs. For example, a financial institution might encapsulate its internal credit scoring model as a service for partners to call in real time. Attackers no longer need to directly steal the entire database; instead, they can gradually piece together the model's decision boundaries or the sensitive data features it depends on by obtaining small amounts of information each time through a carefully designed series of continuous calls. This attack method, due to the stealth of each individual action, often bypasses traditional risk control mechanisms based on single-request review. The core principle of the method proposed in this application is that it no longer views each resource access request in isolation, but rather places them in a continuous time series for contextual analysis, and combines multi-dimensional information such as behavioral patterns, information leakage quantification, and runtime resource consumption to conduct a comprehensive risk assessment.

[0025] Specifically, the method includes the following steps: S1: By assigning associated identifiers to multiple access requests for the target resource, discrete interactive behaviors are constructed into a sequence of interactive behaviors with temporal characteristics; S2: Extract the time interval features between adjacent interactive operations, the feature summary of the input data, and the feature summary of the output results from the interactive behavior sequence; S3: Based on the operational logic and feature changes in the interaction behavior sequence, perform state transition analysis in the preset behavior state model to identify the behavior mode stage of the current interaction session. S4: By calculating the degree of variation in input data and output results in the interaction sequence, the cumulative amount of information acquired during continuous interaction is quantified to assess the risk of information leakage. S5: Real-time acquisition of resource consumption indicators of target resources when processing interactive behavior sequences, and comparison of resource consumption indicators with preset benchmark resource consumption patterns to identify side channel anomalies. S6: Integrate the analysis results of behavioral pattern stages, information leakage risks, and side-channel anomalies to generate real-time risk scores for interaction behavior sequences, and dynamically adjust alarm thresholds according to preset scenario parameters to determine whether there are compliance vulnerability risks.

[0026] In the entire workflow, the first step of constructing the interaction sequence is the foundation for all subsequent analyses. In real-world scenarios, a user's complete business interaction may consist of dozens or even hundreds of independent application programming interface (API) requests. For example, when a third-party credit reporting agency assesses a loan applicant, it might first call an API to query the applicant's basic information, then, based on the returned results, call another API to query the applicant's historical transaction records, and finally call yet another API to predict a credit score. For traditional risk control systems, these three calls are three independent events. However, the method in this application, by assigning a unified association identifier, links these three calls into an ordered sequence. This sequence not only includes the specific content of each call but also preserves their temporal order and logical relationships, thus providing the possibility of understanding the user's overall behavioral intent.

[0027] After constructing the behavioral sequence, it's necessary to extract key information that characterizes the behavioral features. Extracting the time interval features between adjacent interactions is crucial for capturing the rhythm of the interaction. For example, attacks initiated by automated scripts typically have very short and highly regular time intervals between requests, a stark contrast to the random and unpredictable interaction patterns of human users. Extracting feature summaries from the input data is essential for understanding the content of the request. These feature summaries are not the raw data itself, but rather its statistical or structured representation, such as the number of input parameters, the distribution of data types, the mean and variance of numerical parameters, or the length and hash value of textual parameters. For a credit scoring model, the feature summary of the input data might include the numerical value of the applicant's annual income field, the entropy value of the address field, etc. Extracting feature summaries from the output results is equally important for observing the target resource's response to the input. For example, the credit score, confidence level, and error codes returned by the model are all key output features. The combination of these features collectively paints a complete picture of an interaction.

[0028] With the behavioral sequence and extracted features, the next step is in-depth behavioral pattern analysis. The core of this step is to use a pre-defined behavioral state model to track the state of the interaction session. The user's interaction process can be viewed as a journey through a predefined state space. For example, a normal interaction session might follow a state path from initial access to data query, and then to normal exit. An attack, however, might exhibit a different path, such as from initial access, to a small range of normal queries to establish a baseline, and then suddenly entering a boundary probing state, i.e., repeatedly submitting similar but subtly varied inputs to test the model's response. By inputting the extracted features into the behavioral state model, the current state of the session can be determined in real time, and its next possible state transition can be predicted. This state transition analysis makes risk assessment no longer a static judgment based on a single behavior, but a dynamic assessment based on the evolution trend of the entire behavioral sequence, thus enabling the identification of combined patterns with specific attack intentions.

[0029] While identifying behavioral patterns, it is also necessary to quantify the risk of information leakage at the data level. The fundamental purpose of attackers probing models is to obtain the information contained within them. The method in this application quantifies this process by calculating the degree of variation between input data and output results. This degree of variation can be understood as the information gain brought about by each interaction. For example, an attacker might upload a standard face image to an image recognition model and obtain a recognition result; then, they might add tiny, imperceptible noise to the image and upload it again. If the model's output result changes significantly, it indicates that this tiny input variation has successfully detected a sensitive area of ​​the model's decision boundary, and the attacker has gained a significant information gain. By accumulating the information gain generated by each interaction in the entire interaction sequence, a cumulative information acquisition amount can be obtained. This cumulative value intuitively reflects the total amount of information that the attacker may have stolen during the entire session, providing a direct quantitative basis for assessing the risk of information leakage.

[0030] In addition to analyzing direct input and output data, this application's method also introduces monitoring of side-channel information. Side-channel refers to additional information unintentionally leaked during normal system operation due to differences in physical implementation. In model interaction scenarios, processing different input data or executing different internal logic may lead to varying resource consumption of the target resource, such as processor utilization, memory allocation, or disk read / write latency. Attackers can exploit these subtle differences to infer the model's internal operating state or sensitive information. Therefore, by collecting real-time resource consumption metrics of the target resource during the processing of interaction sequences and comparing them with a baseline resource consumption pattern established under normal load, abnormal resource consumption behavior can be detected. For example, a specific query pattern causing an abnormal spike in processor utilization may indicate that an attacker is triggering a computationally intensive, infrequently accessed logical branch in the model, which is itself a warning sign.

[0031] Finally, to arrive at a comprehensive and actionable risk conclusion, the analysis results from all the aforementioned dimensions need to be integrated. The analysis results from the behavioral pattern stage, the quantitative assessment of information leakage risk, and the identification results of side-channel anomalies are weighted and fused into a unified real-time risk score. This score comprehensively reflects the overall risk level of the current interaction behavior sequence. However, a fixed alarm threshold is difficult to adapt to all scenarios. Therefore, the method in this application also introduces a dynamic threshold adjustment mechanism. Based on the sensitivity level of the target resource (e.g., the sensitivity difference between a core risk control model and a regular query model) and the trust level of the user initiating the request (e.g., the trust level difference between an internal administrator and an anonymous user), the risk score threshold for triggering alarms is dynamically adjusted. This context-aware dynamic adjustment makes risk assessment more accurate and flexible, ultimately enabling effective determination of whether compliance vulnerability risks exist and taking corresponding measures.

[0032] Through the collaborative work of the above series of steps, the method proposed in this application constructs a risk data analysis system capable of performing in-depth contextual analysis of interactive behavior, effectively solving the problem of identification failure of traditional methods when facing continuous and combined attacks, and significantly improving the ability to detect and defend against advanced persistent threats.

[0033] Furthermore, in some embodiments, the step of constructing a sequence of interaction behaviors with temporal characteristics specifically includes: S11: Obtain the source identity, target resource path, and communication protocol characteristics from the access request; S12: Based on the combination of source identity, target resource path and communication protocol characteristics, generate a globally unique session tracking identifier, and assign the session tracking identifier as an association identifier to the corresponding access request, thus constructing discrete interaction behaviors into a sequence of interaction behaviors with temporal characteristics.

[0034] Specifically, to accurately link multiple discrete requests belonging to the same business scenario, it is first necessary to capture key attributes from each independent network request that uniquely identify an interaction session. The source identity is crucial for determining the request initiator, and its specific form varies depending on the application scenario. In one embodiment, if the interaction is conducted through an authenticated application programming interface (API), the source identity can be an API key or token bound to a user account. In another embodiment, for publicly accessible services, the source identity can be the IP address of the client initiating the request, or session cookie information stored in the user's browser. The target resource path clarifies the object of the interaction, typically the portion of a Uniform Resource Locator (URL) pointing to a specific service or function. For example, in a financial services platform, the target resource path ` / api / v2 / credit_score` points to a credit scoring model service, while the target resource path ` / api / v1 / user_profile` points to a user information query service. Communication protocol characteristics provide richer contextual information; for example, the User-Agent field in the HTTP request header indicates the client type, and the Referer field indicates the source page of the request. This information is used to distinguish between normal user behavior and automated script behavior.

[0035] After acquiring these multi-dimensional features, the next step is to use them to generate a session tracking identifier that is unique across the entire system. One specific implementation involves concatenating the acquired source identity, target resource path, and key communication protocol features into a string in a preset order. Then, a high-strength hash algorithm, such as SHA-256, is applied to the concatenated string to generate a fixed-length hash value. This hash value is used as the globally unique session tracking identifier. For example, for an access request from IP address 203.0.113.10, using API key abcdef123456, requesting the target resource path / api / v2 / credit_score, it can be concatenated into the string 203.0.113.10:abcdef123456: / api / v2 / credit_score, and then its SHA-256 hash value is calculated. When a subsequent request has the exact same combination of source identity, target resource path, and other features as the previous request, the same calculation process will inevitably yield the same hash value. In this way, the hash value can be used as an association identifier and attached to all access requests with the same session characteristics. This allows all originally isolated requests to be automatically aggregated and sorted, forming a logically coherent and temporally ordered sequence of interaction behaviors, as long as they share the same session tracking identifier. This lays a solid data foundation for subsequent contextual analysis.

[0036] Furthermore, in some embodiments, the step of performing state transition analysis in a preset behavioral state model specifically includes: S31: Input the extracted time interval features, the feature summary of the input data, and the feature summary of the output results into the pre-constructed finite state machine; S32: Based on the current state and input features in the finite state machine, retrieve the preset transition rule base to determine the next hop target state; S33: If the next hop target state belongs to the preset abnormal state set, the interactive session is determined to enter the risk detection phase; The preset behavioral state model includes a pre-built finite state machine, a preset transition rule base, and a preset set of abnormal states.

[0037] To concretize the analysis of abstract behavioral patterns, a mature computational model, the finite state machine, can be used. A finite state machine consists of a set of states, an initial state, a set of inputs, and a state transition function. In the scenario of this application, this set of states is predefined based on business logic and known attack patterns. For example, the following core states can be defined: S0_Initial represents the initial session establishment state; S1_BenignQuery represents a normal, low-risk business query state; S2_BoundaryProbe represents a state suspected of probing the decision boundary of the model; S3_DataEnumeration represents a state suspected of data enumeration or data breach; and S4_AttackConfirmed represents a confirmed attack state.

[0038] When a new request in an interaction sequence is processed, the time interval features, input data feature summaries, and output result feature summaries extracted from the request and its response are provided as input to the finite state machine. The logic for state transitions is encoded in a pre-defined transition rule base. This rule base is essentially a series of conditional statements, in the form: if the current state is A, and the input features satisfy condition B, then the next state transitions to C.

[0039] The following specific example illustrates how the migration rule base works. Assume the current finite state machine is in the S1_BenignQuery state. At this point, a new interaction occurs, and the extracted features are input.

[0040] Example 1: If the extracted features show that the time interval between the current operation and the previous operation is greater than 5 seconds, the hash value of the input data has a high matching degree with the set of historical normal input hash values, and the output result is a successful business code, then a rule in the migration rule base may be triggered: IF CurrentState=S1_BenignQuery ANDTimeInterval>5s AND InputSimilarity>0.9 AND OutputCode = 200 THEN NextState=S1_BenignQuery. Here, CurrentState represents the current behavioral state of the interaction session. TimeInterval refers to the time interval between the current interaction operation and the previous adjacent interaction operation. InputSimilarity represents the similarity between the input data of the current interaction operation and the set of historical normal input data. OutputCode represents the output result code returned by the target resource after processing the current interaction operation. NextState represents the next state that the finite state machine will transition to after the current interaction operation is completed. This rule means that the behavior is judged as a normal business query, and the state machine remains in the S1_BenignQuery state.

[0041] Example 2: If the extracted features show that the time interval between the current operation and the previous operation is less than 0.5 seconds, the input data differs from the previous input data by only one byte, and the confidence score of the output result changes by more than a threshold, then another rule may be triggered: IF CurrentState=S1_BenignQuery ANDTimeInterval<0.5s AND InputDiff_Bytes = 1 AND OutputConfidenceChange>0.3 THENNextState=S2_BoundaryProbe. Here, InputDiff_Bytes=1 indicates that the input data of the current interaction differs from the input data of the previous interaction by only one byte. OutputConfidenceChange represents the change in the confidence score of the output result. This indicates that a rapid, small change in continuous input has been detected, which is a typical model boundary detection behavior; therefore, the state machine transitions to the S2_BoundaryProbe state.

[0042] The predefined set of abnormal states explicitly defines which states require high attention. In this example, S2_BoundaryProbe and S3_DataEnumeration both belong to the abnormal state set. Once the finite state machine transitions to any state in this set, it means that the current interaction session has exhibited obvious risk characteristics, and it can be preliminarily determined that it has entered the risk detection phase, triggering subsequent higher-level monitoring or analysis processes. Through this collaborative work based on finite state machines, transition rule bases, and abnormal state sets, automated, real-time, and accurate identification of interaction behavior patterns can be achieved.

[0043] Furthermore, in a preferred embodiment, to improve the accuracy of risk identification, the preset behavioral state model also predefines compliant interaction mode sequences and non-compliant interaction mode sequences. In this case, the step of determining whether an interaction session has entered the risk detection phase further includes:

[0044] S331: Update the current state of the interactive session in real time and record the state transition path of the interactive session; S332: Match the state transition path with the compliant interaction mode sequence and the non-compliant interaction mode sequence. When the state transition path successfully matches the non-compliant interaction mode sequence, a risk alarm event is triggered.

[0045] This approach further enhances the judgment of individual states. In retrospect, many complex attack behaviors are not composed of a single abnormal state, but rather an ordered combination of a series of specific states. Therefore, predefining these typical state sequences in the behavioral state model can greatly improve the ability to identify specific attack methods. The compliant interaction pattern sequence represents the typical operation flow of a normal user. For example, the normal shopping process on an e-commerce platform might correspond to the following state sequence: S0_Initial->S_UserLogin->S_BrowseProduct->S_AddToCart->S_Checkout->S_Payment->S_End. Here, S0_Initial represents the initial session establishment state; S_UserLogin represents the user login state, where the user authenticates themselves; S_BrowseProduct represents the product browsing state, where the user views product or service information; S_AddToCart represents the adding product to the shopping cart state, where the user adds the selected product to the to-buy list; S_Checkout represents the checkout state, where the user confirms the order information; and S_Payment represents the payment state, where the user completes the order payment. S_End indicates the end of the session, the endpoint of user or system interaction.

[0046] Non-compliant interaction pattern sequences directly encode known attack patterns. For example, a member inference attack targeting a credit scoring model might correspond to the following state transition path: S0_Initial -> S1_BenignQuery (submitting user data known to be in the training set, obtaining a high confidence score as a baseline) -> S2_BoundaryProbe (submitting user data very similar to the baseline user data but not actually existing), observing a significant drop in the confidence score -> S2_BoundaryProbe (repeating the probe multiple times). This sequence S1_BenignQuery -> S2_BoundaryProbe -> S2_BoundaryProbe can be predefined as a non-compliant interaction pattern sequence.

[0047] In actual operation, when an interactive session begins, each state it experiences is recorded in real time, forming a continuously growing state transition path. For example, a session's path might be [S0_Initial, S1_BenignQuery, S1_BenignQuery, S2_BoundaryProbe, S2_BoundaryProbe]. The risk analysis method continuously matches this real-time generated path against a predefined library of non-compliant interaction pattern sequences. Sequence matching algorithms, such as dynamic time warping or substring-based search algorithms, can be used to check whether the current path contains any known non-compliant sequences. Once it is found that the current state transition path completely matches or is highly similar to a non-compliant interaction pattern sequence, it can be determined with high precision that the session is executing a known attack, and the highest priority risk alert event can be triggered immediately. This sequence matching-based determination method is more reliable than relying solely on the occurrence of a single abnormal state, effectively reducing the false positive rate and accurately targeting complex, multi-step attack behaviors.

[0048] Furthermore, in some embodiments, the step of quantifying the cumulative amount of information acquired during continuous interaction specifically includes: S41: Calculate the conditional entropy of the output result relative to the input data using the information entropy algorithm; S42: Determine the information gain of the interaction sequence based on the decrease in conditional entropy between two adjacent interaction operations. The information gain is the degree of variability. S43: Weighted summation of the information gain generated by each interaction in the interaction sequence to obtain the cumulative information acquisition amount in order to assess the risk of information leakage.

[0049] The core idea of ​​this step is to use information theory tools to objectively measure the degree of information leakage. Conditional entropy H(Y|X) measures the uncertainty that still exists for the output Y given the input X. In an ideal, secure model interaction, even if the input X is deterministic, the output Y (especially outputs involving sensitive information) should retain a certain degree of uncertainty to prevent it from being easily inferred.

[0050] Specifically, after each interaction, the conditional entropy of the current output relative to the input data can be calculated. For example, for a model that predicts a user's purchasing tendency based on multi-dimensional user characteristics, the input is the user's feature vector, and the output is the purchase probability. In the early stages of the interaction, the attacker knows very little about the model, so the calculated conditional entropy will be relatively high.

[0051] As the interaction progresses, the attacker learns the model's internal logic by continuously changing the input and observing the changes in the output. For example, the attacker keeps other input features constant and only queries the user's age from youngest to oldest. Each query yields a new data point about the relationship between age and purchase probability. In this process, the attacker's uncertainty about the model's probability of outputting a given age gradually decreases. This reduction in uncertainty is reflected in the decrease in conditional entropy between adjacent interactions. This decrease is called information gain in information theory. It precisely quantifies how much additional information about the model the attacker gains through the latest interaction.

[0052] To assess the total information leakage in the entire interaction session, the information gain generated by each interaction needs to be accumulated. A simple accumulation may not be able to distinguish the importance of different information. Therefore, a weighted accumulation method can be used. For example, if the output of an interaction is directly related to highly sensitive personal information, then the information gain generated by this interaction should be given a higher weight. Conversely, if the output is public or non-sensitive information, its weight should be lower. By weighted summing of all information gains generated in the entire sequence of interaction behaviors, a quantified cumulative information acquisition amount is obtained. The higher this value, the more information the attacker steals through this series of operations, and the greater the risk of information leakage. This method provides an objective and quantifiable indicator for risk assessment, and is particularly suitable for assessing progressive information theft attacks.

[0053] To clarify the information gain accumulation process, in one embodiment, an interaction sequence is first received from the feature extraction module. This sequence contains a summary of the input data features and a summary of the output results for each interaction. The system uses an internal information gain calculation unit to calculate the conditional entropy for each interaction using an information entropy algorithm. For example, for a model service, the input is a user ID and a query type, and the output is some user attributes. In the first interaction, the input is user ID A and query type one, and the output is attribute D. In the second interaction, the input is user ID A and query type two, and the output is attribute E. The information gain calculation unit calculates the decrease in conditional entropy between the second interaction and the first interaction, which is taken as the information gain for this interaction.

[0054] Subsequently, the weighted accumulation unit processes these information gains. This unit maintains a sensitive information weight configuration table, which is predefined by experts in the field as mapping relationships between different types of output results and sensitivity levels. For example, if the output result contains a bank card number field, its sensitivity weight is 0.9; if it contains a user nickname field, its sensitivity weight is 0.2. After the information gain generated by a certain interaction is calculated, the weighted accumulation unit queries the sensitive information weight configuration table based on the feature summary of the output result of that interaction to obtain the corresponding weight coefficient. For example, if the output attribute Y of the second interaction is identified as containing a bank card number, its information gain is multiplied by 0.9.

[0055] Finally, the weighted summation unit sums all the weighted information gains to obtain the cumulative information acquisition amount. This cumulative information acquisition amount is then passed to the comprehensive judgment module as an important input for assessing the risk of information leakage.

[0056] Furthermore, in some embodiments, the step of real-time collection of resource consumption indicators of the target resource during the processing of interactive behavior sequences specifically includes: S51: By deploying a monitoring agent in the target resource execution environment, it captures in real time the processor utilization, memory allocation increment, and disk I / O latency of the target resource when responding to access requests; S52: Encapsulates processor utilization, memory allocation increment, and disk I / O latency into a multi-dimensional resource consumption vector as a resource consumption indicator.

[0057] To effectively monitor side-channel information, a lightweight monitoring agent needs to be deployed in the server or container environment where the target resource resides. This agent is designed to observe the running status of the target resource process in real time with minimal performance overhead. Processor utilization is a key metric, obtainable by reading process performance counters provided by the operating system, reflecting the computing resources consumed by the target resource when processing requests. Memory allocation increments focus on memory usage; the monitoring agent can hook into the system's memory allocation functions, such as malloc or new, to record the amount of memory requested during each request processing. Disk I / O latency measures the performance of the storage system; the agent can obtain this information by monitoring the completion time of disk read / write operations related to the target resource.

[0058] The selection of these metrics is based on an understanding of typical side-channel attacks. For example, certain complex encryption algorithms or model inference paths have a much higher computational cost than conventional paths, leading to instantaneous spikes in processor utilization. Similarly, processing an input containing a large amount of data may trigger significant increases in memory allocation. Attackers might construct specific inputs to trigger these anomalous changes in resource consumption and then infer the internal logic of the system based on the patterns of these changes.

[0059] To facilitate subsequent analysis and comparison, at each time point or after each request is processed, the monitoring agent combines the captured discrete resource consumption values ​​into a unified data structure, namely a multi-dimensional resource consumption vector. For example, if at a certain moment the processor utilization rate is captured to be 15%, the memory allocation increment is 2 megabytes, and the disk I / O latency is 5 milliseconds, then a vector [15, 2, 5] can be constructed. This vector completely describes the resource consumption profile of the target resource at that moment. Arranging these continuously collected vectors in chronological order forms a time series of resource consumption, providing structured and quantifiable data input for subsequent anomaly detection.

[0060] Furthermore, in a preferred embodiment, the step of comparing resource consumption indicators with a preset baseline resource consumption pattern to identify side channel anomalies specifically includes: S53: In a benchmark testing environment, obtain the resource consumption distribution characteristics of the target resource under normal load and normal input modes, and construct a benchmark resource consumption mode; S54: Calculate the deviation between the current multidimensional resource consumption vector and the average value of the corresponding index in the baseline resource consumption model; S55: If the deviation exceeds the preset multiple of the standard deviation, it is determined that there is a side channel anomaly.

[0061] To accurately determine whether current resource consumption is abnormal, a normal standard, or a preset baseline pattern, must first be established. This process is typically carried out in a controlled benchmark testing environment. In this environment, a large amount of verified request data representing normal user behavior is used to thoroughly test the target resources. During the testing process, the aforementioned monitoring agent continuously collects resource consumption data, forming a massive multi-dimensional resource consumption vector. Subsequently, statistical analysis is performed on this massive amount of data to calculate the statistical distribution characteristics of each resource consumption indicator. The most crucial step is to calculate the mean and standard deviation of each indicator. For example, benchmark testing might show that under normal circumstances, the average processor utilization is 10%, with a standard deviation of 2%; the average memory allocation increment is 1.5 megabytes, with a standard deviation of 0.5 megabytes. The set of these averages and standard deviations constitutes the baseline resource consumption pattern.

[0062] After the system is officially launched, each real-time collected multi-dimensional resource consumption vector will be compared with this preset benchmark. The comparison method is to calculate the deviation of the current value from the benchmark average and normalize it using the standard deviation. Specifically, for processor utilization, the calculation formula is (current processor utilization - benchmark average utilization) / benchmark utilization standard deviation. This calculation result is statistically known as the Z-score, which represents the standard deviation multiple by which the current value deviates from the average.

[0063] Finally, a reasonable threshold is set to determine anomalies. For example, a preset threshold of 3 can be used. This means that if the calculated absolute value of the Z-score is greater than 3, that is, the current resource consumption value deviates from the normal average level by more than 3 standard deviations, then it is considered an event with a very low probability of occurrence, and a side-channel anomaly can be determined. For example, if the processor utilization rate of a certain request reaches 18%, according to the baseline model (average 10%, standard deviation 2%), its Z-score is (18 - 10) / 2 = 4. Since 4 is greater than the preset threshold of 3, a side-channel anomaly alarm will be triggered. This statistically based anomaly detection method can effectively identify truly meaningful abnormal signals from noisy resource consumption data, improving the accuracy of side-channel attack identification.

[0064] Furthermore, in some embodiments, the step of integrating the analysis results and generating a real-time risk score specifically includes: S61: Obtain the state risk score corresponding to the behavior pattern stage, the gain risk score corresponding to the information leakage risk, and the resource risk score corresponding to the side channel anomaly. Then, use the preset weight coefficients to perform a weighted summation of the state risk score, gain risk score, and resource risk score to calculate the real-time risk score. S62: If the real-time risk score is within the preset suspected risk range, a guiding data label with specific coding characteristics is embedded in the output result returned by the target resource to the interaction behavior sequence. S63: Real-time monitoring of whether subsequent access requests in the interaction behavior sequence contain replay, parsing or further extraction behavior targeting inducement data tags; S64: If replay, parsing or further extraction behavior is detected, the interaction behavior sequence is determined to have a clear malicious probing intent, and the real-time risk score is corrected to the highest risk level.

[0065] This step is the core of the entire risk decision-making process. It aggregates the outputs of the various independent analysis modules through a multi-dimensional weighted model. First, each analysis dimension is assigned a quantified risk score. The state risk score is determined based on the current behavioral state of the interaction session; for example, the score for the S2_BoundaryProbe state will be much higher than that for the S1_BenignQuery state. The gain risk score is directly derived from the accumulated information acquired as calculated above. The resource risk score is based on the severity of side-channel anomalies, such as the Z-score. Then, different weight coefficients are assigned according to the importance of different risk dimensions in a specific scenario. For example, for an application where data confidentiality is the primary objective, the weight of the gain risk score might be set to the highest. The final real-time risk score is calculated using the formula: Score = w1 * State Score + w2 * Gain Score + w3 * Resource Score.

[0066] When the calculated real-time risk score falls into a preset gray or suspected range, such as between 60 and 80 points, directly blocking the interaction might inadvertently harm legitimate users, while ignoring it carries risks. To make more accurate judgments in such uncertain situations, a proactive detection mechanism is introduced. Specifically, one or more misleading data tags are embedded in the business data normally returned by the target resource. These tags, also known as honeypot tokens or canary tokens, have no impact on normal business operations but possess unique, monitorable encoded characteristics. For example, in an application interface response returning JSON data, an additional field can be added, such as "internal_trace_id":"honey-token-a9b4c1d8". This field represents a marker specifically set by the system to proactively detect potential malicious behavior and track and identify abnormal interaction patterns.

[0067] After implanting the deceptive data tag, the risk analysis method enters an enhanced monitoring mode, paying particular attention to all subsequent requests in that interaction session. A normal client program typically only parses the fields required for its business logic, ignoring these unrecognizable additional fields. However, an attacker conducting malicious probing is likely to have automated tools scanning and logging all data in the response, and may attempt to exploit this seemingly internal identifier data in subsequent requests. Therefore, if subsequent access requests detect the previously implanted honey-token-a9b4c1d8 string in their input data, request headers, or paths, whether through replaying it as is or attempting to parse or extract it, it constitutes strong evidence that the attacker is not merely using the service, but conducting deep and systematic probing. Once this behavior is captured, all uncertainty can be eliminated, directly determining that the interaction sequence has a clear malicious intent, and immediately raising its risk score to the highest level, triggering strong intervention measures such as blocking and isolation. This proactive deception strategy greatly enhances the ability to identify advanced and covert attacks.

[0068] Furthermore, in a preferred embodiment, the step of dynamically adjusting the alarm threshold according to preset scenario parameters specifically includes: S65: Obtain the sensitivity level of the target resource and the trust level of the user initiating the access request; S66: Determine the threshold adjustment coefficient based on the mapping relationship between sensitivity level and user trust level; S67: The baseline alarm threshold is weighted using the threshold adjustment coefficient to obtain a dynamic alarm threshold that matches the current interaction scenario.

[0069] To make the risk alert mechanism more intelligent and refined, and to avoid using a one-size-fits-all fixed threshold, a dynamic adjustment logic based on interactive contexts is introduced. First, resources and users within the system need to be managed in a hierarchical manner. The sensitivity level of a target resource is determined based on the importance of the data or function it carries. For example, a model processing core transactions might be rated at the highest level, level 5; while a query service providing public market information might only have a sensitivity level of 1. User trust levels are assessed based on a combination of factors, including user identity, historical behavior, and network origin. For example, a system administrator from the internal network who has undergone multi-factor authentication might have a trust level of the highest level, level 5; while an anonymous first-time visitor from the public network might have a trust level of the lowest level, level 1.

[0070] After obtaining the sensitivity level of the target resource and the user trust level involved in the current interaction, a threshold adjustment coefficient is calculated through a preset mapping relationship. The core principle of this mapping relationship is: the higher the risk of the situation, the lower the alarm threshold should be. A specific implementation method is to design a two-dimensional lookup table or a calculation formula. For example, a base adjustment coefficient can be defined, and then the coefficient can be reduced as the resource sensitivity increases and as the user trust decreases.

[0071] For example, in one embodiment, the threshold adjustment factor is calculated using a two-dimensional lookup table. The lookup table is indexed by the sensitivity level of the target resource (e.g., from 1 to 5, where 5 represents the highest sensitivity) as the row index and by the user trust level (e.g., from 1 to 5, where 1 represents the lowest trust) as the column index. Each cell in the lookup table stores a preset threshold adjustment factor value. For example, when the target resource sensitivity level is 5 and the user trust level is 1, the adjustment factor stored in the corresponding cell might be 0.7. When the target resource sensitivity level is 1 and the user trust level is 5, the adjustment factor might be 1.2.

[0072] In another embodiment, the threshold adjustment coefficient is calculated using a formula. This formula can be expressed as: Adjustment Coefficient = Base Adjustment Coefficient - (Resource Sensitivity Level * Weight F) + (User Trust Level * Weight G). Here, the base adjustment coefficient is a constant value, such as 1.0. Weight F and weight G are preset coefficients used to balance the impact of resource sensitivity and user trust level on the adjustment coefficient. For example, weight F can be set to 0.05, and weight G can be set to 0.03 (in practical applications, technicians set these values ​​according to specific circumstances). When the resource sensitivity level is 5 and the user trust level is 1, the adjustment coefficient = 1.0 - (5 * 0.05) + (1 * 0.03) = 1.0 - 0.25 + 0.03 = 0.78. When the resource sensitivity level is 1 and the user trust level is 5, the adjustment coefficient = 1.0 - (1 * 0.05) + (5 * 0.03) = 1.0 - 0.05 + 0.15 = 1.1.

[0073] Finally, the calculated threshold adjustment coefficient is applied to a global baseline alarm threshold. For example, suppose the baseline alarm threshold is set to 80 points. In a high-risk scenario, such as a user with a trust level of 1 accessing a resource with a sensitivity level of 5, the calculated threshold adjustment coefficient might be 0.7. Then, the dynamic alarm threshold for this interaction would be adjusted to 80 * 0.7 = 56 points. This means that an alarm will be triggered whenever the real-time risk score exceeds 56 points. In a low-risk scenario, such as a user with a trust level of 5 accessing a resource with a sensitivity level of 1, the calculated adjustment coefficient might be 1.2, and the dynamic alarm threshold would be adjusted to 80 * 1.2 = 96 points, making it more difficult to trigger an alarm. In this way, the alarm threshold is no longer a rigid value but can adaptively adjust according to the specific context of each interaction, thereby minimizing interference with normal business operations while ensuring security, achieving refined risk management.

[0074] Please refer to Figure 2 , Figure 3 This application also provides a risk data analysis device for a resource interaction risk control system, the device comprising: The sequence construction module 201's core function is to construct a sequence of interactive behaviors with temporal characteristics by assigning associated identifiers to multiple access requests for a target resource. This module can be implemented as a network traffic probe or a plugin deployed on an application programming interface gateway. It is responsible for intercepting and parsing each access request, and generating or matching session tracking identifiers based on the source identity, target resource path, and other characteristics of the request, providing basic data for subsequent contextual analysis.

[0075] The feature extraction module 202 is responsible for extracting the time interval features between adjacent interactive operations, the feature summary of the input data, and the feature summary of the output results from the interactive behavior sequence output by the sequence construction module. This module typically consists of a series of data processing and computation units, capable of parsing, cleaning, and transforming the raw request and response data to generate structured feature vectors for use by other modules.

[0076] The state analysis module 203 is designed to perform state transition analysis within a preset behavioral state model based on the operational logic and feature changes in the interaction sequence, in order to identify the current behavioral pattern stage of the interaction session. Internally, this module implements a finite state machine and includes a configurable transition rule base and a set of abnormal states, responsible for in-depth analysis and determination of the intent behind the interaction behavior.

[0077] The risk assessment module 204 quantifies the cumulative information acquisition during continuous interaction by calculating the degree of variation in input data and output results within the interaction sequence, thereby assessing the risk of information leakage. This module integrates a series of information theory algorithms to calculate conditional entropy and information gain, and to quantitatively score the cumulative information leakage throughout the session.

[0078] The anomaly detection module 205 is designed to collect real-time resource consumption metrics of the target resource during the processing of interactive behavior sequences, and compare these metrics with a preset baseline resource consumption pattern to identify side-channel anomalies. This module typically communicates with a monitoring agent deployed in the target resource environment to obtain real-time performance data and uses statistical methods for anomaly detection.

[0079] The comprehensive judgment module 206, as the core of the entire device's decision-making, integrates the analysis results of behavioral pattern stages, information leakage risks, and side-channel anomalies to generate real-time risk scores for interactive behavior sequences. It also dynamically adjusts alarm thresholds based on preset scenario parameters to determine the existence of compliance vulnerability risks. This module implements a multi-dimensional risk weighting model and includes logic for dynamic threshold adjustment and proactive detection responses, ultimately outputting risk conclusions and handling recommendations.

[0080] These modules work together to form a complete, end-to-end risk data analysis device that can effectively address complex security threats in modern interactive application scenarios.

[0081] The above description is merely an embodiment of this application and is not intended to limit the scope of protection of this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of protection of this application.

Claims

1. A risk data analysis method for a resource interaction risk control system, characterized in that, The method includes the following steps: S1: By assigning associated identifiers to multiple access requests for the target resource, discrete interactive behaviors are constructed into a sequence of interactive behaviors with temporal characteristics; S2: Extract the time interval features between adjacent interactive operations, the feature summary of the input data, and the feature summary of the output results from the interactive behavior sequence; S3: Based on the operation logic and feature changes in the interactive behavior sequence, perform state transition analysis in the preset behavior state model to identify the behavior mode stage of the current interactive session. S4: By calculating the degree of variation of input data and output results in the interaction sequence, the cumulative amount of information acquired during continuous interaction is quantified in order to assess the risk of information leakage; S5: Real-time acquisition of resource consumption indicators of the target resource when processing the interaction behavior sequence, and comparison of the resource consumption indicators with a preset benchmark resource consumption mode to identify side channel anomalies; S6: Integrate the analysis results of the behavior pattern stage, the information leakage risk, and the side channel anomaly to generate a real-time risk score for the interaction behavior sequence, and dynamically adjust the alarm threshold according to preset scenario parameters to determine whether there is a compliance vulnerability risk.

2. The risk data analysis method for a resource interaction risk control system according to claim 1, characterized in that, Step S1 includes: S11: Obtain the source identity, target resource path, and communication protocol characteristics from the access request; S12: Based on the combination of the source identity identifier, the target resource path, and the communication protocol features, generate a globally unique session tracking identifier, and assign the session tracking identifier as the association identifier to the corresponding access request, thereby constructing discrete interaction behaviors into a sequence of interaction behaviors with temporal characteristics.

3. The risk data analysis method for a resource interaction risk control system according to claim 1, characterized in that, In step S3, the state transition analysis in the preset behavioral state model includes the following steps: S31: Input the extracted time interval features, the feature summary of the input data, and the feature summary of the output result into the pre-constructed finite state machine; S32: Based on the current state and input features in the finite state machine, retrieve a preset transition rule base to determine the next hop target state; S33: If the next-hop target state belongs to a preset abnormal state set, then the interactive session is determined to enter the risk detection phase; The preset behavioral state model includes a pre-built finite state machine, a preset transition rule base, and a preset abnormal state set.

4. The risk data analysis method for a resource interaction risk control system according to claim 3, characterized in that, The preset behavioral state model predefines compliant interaction mode sequences and non-compliant interaction mode sequences; In step S33, the step of determining that the interactive session has entered the risk detection phase includes: S331: Update the current state of the interactive session in real time and record the state transition path of the interactive session; S332: Match the state transition path with the compliant interaction mode sequence and the non-compliant interaction mode sequence. When the state transition path successfully matches the non-compliant interaction mode sequence, a risk alarm event is triggered.

5. The risk data analysis method for a resource interaction risk control system according to claim 1, characterized in that, Step S4 includes: S41: Calculate the conditional entropy of the output result relative to the input data using the information entropy algorithm; S42: Determine the information gain of the interaction sequence based on the decrease in conditional entropy between two adjacent interaction operations, wherein the information gain is the degree of variability; S43: The information gain generated by each interaction in the interaction sequence is weighted and accumulated to obtain the cumulative information acquisition amount, so as to assess the risk of information leakage.

6. The risk data analysis method for a resource interaction risk control system according to claim 1, characterized in that, In step S5, the resource consumption indicators of the target resource during the processing of the interaction behavior sequence are collected in real time, including: S51: By deploying a monitoring agent in the target resource execution environment, capture in real time the processor utilization, memory allocation increment, and disk I / O latency of the target resource when responding to the access request; S52: Encapsulate the processor utilization rate, the memory allocation increment, and the disk input / output latency into a multi-dimensional resource consumption vector, which serves as the resource consumption indicator.

7. The risk data analysis method for a resource interaction risk control system according to claim 6, characterized in that, In step S5, the resource consumption index is compared with a preset baseline resource consumption pattern to identify side-channel anomalies, including: S53: Under a benchmark test environment, obtain the resource consumption distribution characteristics of the target resource under normal load and normal input modes, and construct the benchmark resource consumption mode; S54: Calculate the deviation between the current multidimensional resource consumption vector and the average value of the corresponding index in the baseline resource consumption model; S55: If the deviation exceeds a preset multiple of the standard deviation, it is determined that there is a side channel anomaly.

8. The risk data analysis method for a resource interaction risk control system according to claim 1, characterized in that, In step S6, the analysis results of the behavioral pattern stage, the information leakage risk, and the side-channel anomaly are integrated to generate a real-time risk score for the interaction behavior sequence, including: S61: Obtain the state risk score corresponding to the behavior pattern stage, the gain risk score corresponding to the information leakage risk, and the resource risk score corresponding to the side channel anomaly, and use preset weighting coefficients to perform weighted summation on the state risk score, the gain risk score, and the resource risk score to calculate the real-time risk score; S62: If the real-time risk score is within a preset suspected risk range, an inducing data label with specific coding characteristics is embedded in the output result returned by the target resource to the interaction behavior sequence; S63: Monitor in real time whether subsequent access requests in the interaction behavior sequence contain replay, parsing or further extraction behavior targeting the inducement data tag; S64: If the replay, parsing or further extraction behavior is detected, it is determined that the interaction behavior sequence has a clear malicious probing intent, and the real-time risk score is corrected to the highest risk level.

9. The risk data analysis method for a resource interaction risk control system according to claim 8, characterized in that, In step S6, dynamically adjusting the alarm threshold according to preset scenario parameters includes: S65: Obtain the sensitivity level of the target resource and the trust level of the user who initiated the access request; S66: Determine the threshold adjustment coefficient based on the mapping relationship between the sensitivity level and the user trust level; S67: The baseline alarm threshold is weighted using the threshold adjustment coefficient to obtain a dynamic alarm threshold that matches the current interaction scenario.

10. A risk data analysis device for a resource interaction risk control system, characterized in that, The device includes: The sequence construction module is used to construct discrete interaction behaviors into a sequence of interaction behaviors with temporal characteristics by assigning associated identifiers to multiple access requests for a target resource. The feature extraction module is used to extract the time interval features between adjacent interactive operations, the feature summary of the input data, and the feature summary of the output results from the interactive behavior sequence. The state analysis module is used to perform state transition analysis in a preset behavior state model based on the operation logic and feature changes in the interaction behavior sequence, so as to identify the behavior mode stage of the current interaction session. The risk assessment module is used to quantify the cumulative amount of information acquired during continuous interaction by calculating the degree of variation of input data and output results in the interaction behavior sequence, so as to assess the risk of information leakage. An anomaly detection module is used to collect the resource consumption index of the target resource when processing the interaction behavior sequence in real time, and compare the resource consumption index with a preset benchmark resource consumption mode to identify side channel anomalies. The comprehensive judgment module is used to integrate the analysis results of the behavior pattern stage, the information leakage risk, and the side channel anomaly, generate a real-time risk score for the interaction behavior sequence, and dynamically adjust the alarm threshold according to preset scenario parameters to determine whether there is a compliance vulnerability risk.