A conversation intervention method, apparatus and device thereof

By constructing a session view and analyzing correlations, attack risks can be located and precise intervention operations can be performed. This solves the problem of coarse-grained attack risk assessment leading to full-channel blocking in existing technologies, and achieves precise interception and intervention at the session level.

CN122395598APending Publication Date: 2026-07-14中国移动通信集团江西有限公司 +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
中国移动通信集团江西有限公司
Filing Date
2026-04-08
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing technologies use coarse-grained attack risk assessment, leading to full-channel blocking and impacting normal business operations.

Method used

By constructing a session view, we can analyze the correlation between sessions and the success rate of interception, locate and execute targeted intervention operations, and avoid full-channel blocking.

Benefits of technology

It achieves precise interception at the session granularity level, avoiding impact on normal sessions and improving the accuracy of attack identification and intervention.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122395598A_ABST
    Figure CN122395598A_ABST
Patent Text Reader

Abstract

The application discloses a conversation intervention method and device and equipment thereof, and belongs to the technical field of communication security. The conversation intervention method provided by the application comprises the following steps: acquiring first conversations received by a same conversation receiver in a same time window; marking a communication channel type and a conversation keyword of each first conversation to obtain a conversation set composed of the first conversations; determining second conversations which are different from the first conversations in the communication channel type but have the same conversation sender or the same conversation keyword in the conversation set; constructing a first view corresponding to each first conversation according to the conversation receiver, the first conversation, the sender of the first conversation, the second conversation and the sender of the second conversation, respectively, to obtain a first view set; determining an interception success rate of each first conversation according to the correlation between the conversations corresponding to each first view; and performing an intervention operation on a target first conversation according to the interception success rate of each first conversation. Thus, the conversation is intercepted at the conversation granularity level.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application belongs to the field of communication security technology, and in particular relates to a session intervention method, device and equipment. Background Technology

[0002] In existing technologies, anti-fraud technologies for telecommunications mostly rely on single-channel blacklists and whitelists, keyword matching, or user-level risk scoring to achieve interception. Some solutions introduce cross-source data fusion or gang-level graph mining, but all have obvious limitations: user risk scoring methods based on multi-source data fusion can integrate voice call details, SMS text, and social metadata, but their judgment granularity often falls at the account or user level. Once a high risk is triggered, they tend to block the entire channel on the user side or request manual review. The judgment granularity is coarse, often triggering a full channel block, which leads to the accidental damage to normal business. Summary of the Invention

[0003] This application provides a session intervention method, apparatus, and device to address the problem of coarse-grained attack risk assessment leading to full-channel blocking in related technologies.

[0004] In a first aspect, embodiments of this application provide a session intervention method, including: Retrieve the first session received by the same session receiver within the same time window; Label the communication channel type and session keywords of each first session to obtain a session set composed of the first sessions; Identify a second session in the session set that has a different communication channel type than the first session but has the same sender or the same session keywords; Based on the session receiver, the first session, the sender of the first session, the second session, and the sender of the second session, a first view corresponding to each first session is constructed to obtain a set of first views; Based on the correlation between the sessions corresponding to each first view, the interception success rate of each first session is determined; Intervention operations are performed on the target first session based on the interception success rate of each first session.

[0005] Optionally, determining the interception success rate of each first session based on the correlation between sessions corresponding to each first view includes: The number of sessions running concurrently with the first session in the first view is obtained, and a first feature of each first session is obtained. The first feature is used to characterize the scale of concurrent attacks corresponding to the first session. The switching trajectory of the sender of the first session on different communication channels is analyzed to obtain a second feature of each first session. The second feature is used to characterize the cross-communication channel attack persistence corresponding to the first session. The weight of the third session in the first view is reduced to obtain the third feature of each first session. The third feature is used to characterize the stability of the attack source corresponding to the first session. The third session is the session sent by the sender that appears only once in the first view. Based on the first feature, the second feature, and the third feature, a risk index for each attack involved in the first session is obtained. Determine the statistical data corresponding to each first session. The statistical data includes: the number of senders in the first view, the number of senders associated with the first session, the number of communication channels used by the sender of the first session, the number of fourth sessions, and historical intervention records. The fourth session is a session whose sending time is later than the first session and whose session keywords are the same as those of the first session. The interception success rate of each first session is determined based on the risk indicators and statistics corresponding to each first session.

[0006] Optionally, the step of performing intervention operations on the target first session based on the interception success rate of each first session includes: The intervention resource budget and intervention action set corresponding to the first session are determined based on preset rules and the interception success rate. All the first sessions are sorted according to the interception success rate, and the first session whose sorting order is earlier than the preset order is determined as the target first session; Based on the set of intervention actions corresponding to the target first session, a first intervention action is performed on the target first session, and the intervention resource budget corresponding to the first intervention action is deducted. The set of intervention actions includes the first intervention action.

[0007] Optionally, the method further includes: Determine whether the intervention operation conflicts with session services outside the session set; If the intervention operation conflicts with a session service outside the session set, the intervention operation on the target first session is suspended and the reason for the conflict is recorded.

[0008] Optionally, the step of performing a first intervention action on the target first session according to the set of intervention actions corresponding to the target first session includes: The second intervention action is determined based on the interception success rate corresponding to the first target session, the intervention resource budget, and the set of intervention actions. The force, duration, range, and release conditions of the second intervention action are converted into action parameters; The interception feedback is estimated based on the interception success rate, the intervention resource budget, and the action parameters. The second intervention action is adjusted based on the predicted interception feedback to obtain the first intervention action; The first intervention action is performed on the target in the first session.

[0009] Optionally, the predicted interception feedback includes at least one of the following: Whether there are subsequent sessions after the first session of the target; Has the communication channel of the first session of the target been changed? Interruption of session services outside the aforementioned session set; The timing and force deviations of the second intervention action.

[0010] Optionally, after performing the intervention operation on the target first session based on the interception success rate of each first session, the method further includes: Monitor whether a replacement session for the target first session occurs after the first intervention action. The replacement session is a session with a different communication channel type than the target first session but with the same sender or the same session keywords. If no alternative session is detected, the intervention operation on the target first session is lifted; the time of lifting the intervention operation, the monitoring duration, and the status of the target first session are recorded. If the possibility of the alternative session is detected, the session that is ranked before the preset order among all first sessions other than the target first session is identified as the fifth session, and an intervention operation is performed on the fifth session. The intervention resource budget corresponding to the fifth session is less than the intervention resource budget corresponding to the target first session after deduction.

[0011] Secondly, embodiments of this application provide a conversation intervention device, the device comprising: The acquisition module is used to acquire the first session received by the same session receiver within the same time window; The annotation module is used to annotate the communication channel type and session keywords of each first session, so as to obtain a session set composed of the first sessions; The first determining module is used to determine a second session in the session set that has a different communication channel type than the first session but has the same sender or the same session keywords. The construction module is used to construct a first view corresponding to each first session based on the session receiver, the first session, the sender of the first session, the second session, and the sender of the second session, respectively, to obtain a set of first views; The second determining module is used to determine the interception success rate of each first session based on the correlation between the sessions corresponding to each first view; The first execution module is used to perform intervention operations on the target first session based on the interception success rate of each first session.

[0012] Thirdly, embodiments of this application provide an electronic device, including a processor, a memory, and a program or instructions stored in the memory and executable on the processor, wherein the program or instructions, when executed by the processor, implement the steps in the session intervention method as described in the first aspect.

[0013] Fourthly, embodiments of this application provide a computer-readable storage medium storing a program or instructions that, when executed by a processor, implement the steps in the session intervention method as described in the first aspect.

[0014] Fifthly, embodiments of this application provide a computer program product, including computer instructions that, when executed by a processor, implement the steps in the session intervention method as described in the first aspect.

[0015] In this application, after acquiring the first session received by the same session receiver within the same time window; the communication channel type and session keywords of each first session are labeled to obtain a session set composed of the first sessions; then, a second session in the session set that has a different communication channel type than the first session but has the same sender or the same session keywords is identified; a first view corresponding to each first session is constructed based on the session receiver, the first session, the sender of the first session, the second session, and the sender of the second session, respectively, to obtain a set of first views; the interception success rate of each first session is determined based on the correlation between the sessions corresponding to each first view; finally, intervention operations are performed on the target first session based on the interception success rate of each first session. In this way, by constructing and analyzing views for individual sessions, sessions with attack risks can be located and intervened on, thereby achieving session interception at the session granularity level without triggering a full communication channel block, thus avoiding impact on other normal session services. Attached Figure Description

[0016] To more clearly illustrate the technical solutions of the embodiments of this application, the drawings used in the description of the embodiments of this application will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0017] Figure 1 A flowchart illustrating a conversation intervention method provided in an embodiment of this application; Figure 2 This is a flowchart of another session intervention method provided in the embodiments of this application; Figure 3 This is a flowchart illustrating how to determine a key edge sequence, as provided in an embodiment of this application. Figure 4 This is a flowchart of a trigger verification provided in an embodiment of this application; Figure 5 This is a flowchart of an execution and detection process provided in an embodiment of this application; Figure 6 This is a flowchart for determining link breakage provided in an embodiment of this application; Figure 7 This is a flowchart of another session intervention method provided in the embodiments of this application; Figure 8 This is a structural diagram of a conversation intervention device provided in an embodiment of this application; Figure 9 This is a structural diagram of an electronic device provided in an embodiment of this application. Detailed Implementation

[0018] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this application. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this invention.

[0019] The terms "first," "second," etc., used in the specification and claims of this application are used to distinguish similar objects and are not used to describe a specific order or sequence. It should be understood that such terms can be used interchangeably where appropriate so that embodiments of this application can be implemented in orders other than those illustrated or described herein, and the objects distinguished by "first" and "second" are generally of the same class, and the number of objects is not limited; for example, the first object can be one or more.

[0020] In this application embodiment, a session intervention method, apparatus and device are proposed to solve the problem of coarse-grained attack risk assessment leading to full-channel blocking in related technologies.

[0021] See Figure 1 , Figure 1 This is a flowchart of a conversation intervention method provided in an embodiment of this application, such as... Figure 1 As shown, the method includes the following steps: Step 101: Obtain the first session received by the same session receiver within the same time window.

[0022] In this embodiment, the time window refers to a preset short period of time, such as the ringing period, the call period, a short period after a call, a short period after an SMS message is sent, or a short period after a social message is sent. The first session can include sessions on various communication channels such as voice, SMS, and social media. When it is detected that multiple channels such as voice, SMS, and social media are sending sessions to the same session recipient in a short period of time, the relevant sessions are obtained, and the session recipient is the potential victim.

[0023] Step 102: Label the communication channel type and session keywords of each first session to obtain a session set composed of the first sessions.

[0024] Each first session is tagged with attributes, including communication channel type (e.g., voice, SMS, social media, data, etc.) and session keywords. The session keywords can be used to determine whether different sessions involve the same transaction, such as financial transactions, meeting transactions, or fraudulent transactions. For example, the session keywords can be determined based on preset session identifiers, session content, and information such as the same sender switching communication channels within a short period. In this embodiment, the communication channel type and session keywords of each first session are tagged, and then an index is created for each first session to obtain a session set consisting of several first sessions. It is understood that the first sessions in the session set are all sessions that are estimated to have an attack risk.

[0025] Optionally, the time window corresponding to the first session can also be labeled as a short time period.

[0026] The resulting session set excludes remote, irrelevant sessions and sessions related to the current transaction but not to the same session recipient. This allows for targeted intervention, minimizing disruption to the user receiving the session and avoiding impact on other users' normal business operations.

[0027] Step 103: Determine the second session in the session set that has a different communication channel type than the first session but has the same sender or the same session keyword.

[0028] It is understood that both the first session and the second session are sessions within the session set. After selecting the first session in the session set, a second session related to the first session is then filtered from the session set according to preset rules. The second session is either a session with a different communication channel type than the first session but the same sender, or a session with a different communication channel type than the first session but the same session keywords.

[0029] The sessions in the session set that have different communication channel types than the first session but share the same sender can be understood as a relay-like pattern where the same sender (e.g., a suspected fraudster) sequentially switches from one communication channel to another, continuously contacting the same session receiver. These sessions are identified as the second session. Sessions in the session set that have different communication channel types than the first session but share the same session keywords can be identified using topology rules. For example, sessions within the same time window can be identified, and sessions initiated from different senders to the same session receiver with the same session keywords can be identified as the second session. The number of second sessions can be one or more, depending on the number of sessions meeting the filtering requirements in practice.

[0030] Step 104: Construct a first view corresponding to each first session based on the session receiver, the first session, the sender of the first session, the second session, and the sender of the second session, to obtain a set of first views.

[0031] In this embodiment, a first view centered on the first session is generated for each first session. The first view includes the session receiver of the first session, the first session, the sender of the first session, the second session, and the sender of the second session. In the first view, sessions are represented as directed edges, and session receivers and senders are represented as nodes. Thus, each session receiver or sender in the first view is limited to the session receiver corresponding to the first session, the sender corresponding to the first session, and the direct cross-channel adjacency of the sender. The direct cross-channel adjacency is the sender corresponding to the second session related to the first session. This means that senders in the same view may belong to the same set. The first view avoids introducing multi-hop forwarding edges, i.e., it excludes indirect sessions that reach the session receiver only through forwarding from other senders. Since all sessions in the first view are related to the first session and directly connected to the session receiver, the size of the first view can be kept small, meeting real-time processing requirements and facilitating rapid risk response.

[0032] It should be noted that in this embodiment, the first view is constructed directly from the event stream based on the indexes established for the first session and the second session.

[0033] In some implementations, a total session graph covering all sessions within the session set can be formed by uniformly identifying and converting all voice, SMS, and social session events based on preset rules. Then, an index is created for the first sessions that point to the same session receiver and satisfy time window constraints. Based on this, a local subgraph view is generated for each edge corresponding to the first session in the total session graph, resulting in the first view. Specifically, after obtaining the total session graph, for each edge corresponding to the first session in the total session graph, only edges directly adjacent across channels within the same session receiver, sender, and time window are included. Edges with different time windows or different session receivers than the first session are filtered out, and multi-hop forwarding edges are masked. The included edges are then used to construct the first view. It is important to note that generating the first view after generating the total session graph, rather than directly extracting the first view from the total session graph, ensures that edges with different time windows or different session receivers than the first session, or multi-hop forwarding edges, are not included.

[0034] Step 105: Determine the interception success rate of each first session based on the correlation between the sessions corresponding to each first view.

[0035] In this embodiment, the correlation between sessions corresponding to the first view can refer to the temporal order of sessions, channel transformation relationships, and connections between session keywords. The interception success rate is used to indicate the probability of successfully intercepting the entire target transaction by intervening in the first session when the first session involves the target transaction. The target transaction refers to the attack event in the first session that needs to be intercepted. It should be noted that the interception success rate may be different for each session.

[0036] Step 106: Perform intervention operations on the target first session based on the interception success rate of each first session.

[0037] In this embodiment, all first sessions can be sorted in descending order of interception success rate to obtain a first session sequence. A target first session is then determined based on the order of the first session sequence, and intervention operations are performed on the target first session. For example, the target first session is the first session with the highest interception success rate in the first session sequence.

[0038] Specifically, the intervention operation can be performed on the communication channel corresponding to the target first session in a preset manner. For example, for the voice channel, routing rewriting and signaling triggering can be used to insert strong prompts or perform short-term rate limiting to intercept the target first session; for the SMS channel, sending rate shaping or short-term freezing can be used; for the social channel, connection rate limiting or built-in reminders can be used; or the intervention operation can be bound to the first session throughout to ensure single-point intervention and traceability.

[0039] This embodiment constructs and analyzes a first view of the first session to locate risky sessions and intervene in them, thereby achieving anti-fraud at the session level and avoiding impact on other normal session services. Compared with existing solutions, user risk scoring methods often determine the granularity at the account or user level, and graph mining solutions use heterogeneous relationship networks to identify clustered groups, often outputting the overall risk label of the group. In contrast, this embodiment focuses the determination granularity on the first session across communication channels in a short period of time, a more granular object. By using the first view to locate the target first session in real time and intervene, it avoids uniformly banning the entire communication channel or the entire account while dismantling the attack chain.

[0040] Optionally, determining the interception success rate of each first session based on the correlation between sessions corresponding to each first view includes: The number of sessions running concurrently with the first session in the first view is obtained, and a first feature of each first session is obtained. The first feature is used to characterize the scale of concurrent attacks corresponding to the first session. The switching trajectory of the sender of the first session on different communication channels is analyzed to obtain a second feature of each first session. The second feature is used to characterize the cross-communication channel attack persistence corresponding to the first session. The weight of the third session in the first view is reduced to obtain the third feature of each first session. The third feature is used to characterize the stability of the attack source corresponding to the first session. The third session is the session sent by the sender that appears only once in the first view. Based on the first feature, the second feature, and the third feature, a risk index for each attack involved in the first session is obtained. Determine the statistical data corresponding to each first session. The statistical data includes: the number of senders in the first view, the number of senders associated with the first session, the number of communication channels used by the sender of the first session, the number of fourth sessions, and historical intervention records. The fourth session is a session whose sending time is later than the first session and whose session keywords are the same as those of the first session. The interception success rate of each first session is determined based on the risk indicators and statistics corresponding to each first session.

[0041] As an optional embodiment, after generating the first view corresponding to the first session, feature aggregation is performed on each first view. First, the number of sessions parallel to the first session in the first view is obtained. That is, among multiple sessions within the same time window, sessions that are clustered and adjacent in terms of time sequence and topology are selected and merged to obtain the first feature. The first feature is used to characterize the scale of concurrent attacks corresponding to the first session. Then, the communication channel switching trajectory is serialized and aggregated. That is, all sessions in the first view are sorted in chronological order and feature aggregation is performed at the communication channel level to extract continuous segments of cross-communication channel relay. The continuous segments of cross-communication channel relay refer to: within the same view, around the same sender or the same session keyword, the communication channel type changes over time but the session content progresses without interruption. For example, the continuous link formed by the successive reach from SMS to voice to social applications within the time window is used to obtain the second feature. The second feature is used to characterize the persistence of cross-communication channel attacks corresponding to the first session. The weight of the low-risk third session in the first view is further reduced. The third session is a session sent by a sender that appears only once in the first view and has no subsequent actions. This yields the third feature, which characterizes the stability of the attack source corresponding to the first session. The attack source refers to the sender of the first session. Combining the first, second, and third features, two summaries are obtained: one is the convergence precursor strength, which is the risk indicator of the attack involved in the first session. The first is used to reflect the scale of concurrent attacks and the persistence of cross-communication channel attacks in the first session; the second is the key link location, which is located in the session most likely to cause the target transaction coordination link to break, in order to support the subsequent interception success rate assessment.

[0042] Next, the interception success rate for each first session is determined based on the risk indicators and statistical data. The interception success rate can be divided into single-point disruption value and bypass risk. The single-point disruption value indicates the attack force that can be dismantled by cutting off the session, while the bypass risk indicates the sender's ability to bypass the blockade and continue the attack after the session is cut off. The single-point disruption value and bypass risk are calculated sequentially: first, the single-point disruption value is calculated. In the first view The process involves counting the number of senders (i.e., the total number of upstream sources), then counting the number of senders associated with the first session (i.e., the number of session dependencies that can only reach the session receiver via the session edge corresponding to the first session), calculating the percentage of session dependencies in the total number of upstream sources, and examining the possibility of alternative sessions within a time window, then using risk indicators... Weight the percentages; then estimate the risk of bypassing. The number of communication channels used by the sender of the first session, which is also the number of switching channels and the number of fourth sessions, are counted. The fourth session is a session whose sending time is later than the first session and whose session keywords are the same as those of the first session. Historical intervention records are introduced as an amplification factor to weight the statistical results.

[0043] In this way, risk indicators are obtained based on the scale of concurrent attacks, the persistence of cross-communication channel attacks, and the stability of attack sources, and high-risk sessions are located, which facilitates the subsequent accurate assessment of the interception success rate. Then, the value of single-point disruption is quantified based on the risk indicators, the risk of bypassing and supplementing is assessed, and then the interception success rate of the first session is obtained by further integration. Thus, the target first session that can be cut off based on the interception success rate can be found, and the attack behavior can be accurately countered.

[0044] Optionally, the step of performing intervention operations on the target first session based on the interception success rate of each first session includes: The intervention resource budget and intervention action set corresponding to the first session are determined based on preset rules and the interception success rate. All the first sessions are sorted according to the interception success rate, and the first session whose sorting order is earlier than the preset order is determined as the target first session; Based on the set of intervention actions corresponding to the target first session, a first intervention action is performed on the target first session, and the intervention resource budget corresponding to the first intervention action is deducted. The set of intervention actions includes the first intervention action.

[0045] As an optional implementation, firstly, the complete set of intervention actions can be obtained according to preset rules (such as regulations in the relevant field). The intervention actions include: inserting strong prompts into the voice channel during the call; implementing short-term speed limiting or freezing for any single channel; and guiding users to switch to human assistance for cross-device interactions. A hierarchical set of intervention resource budgets is established for each type of intervention action. This is a set of intrusion level classifications, which clearly defines the intensity, warning strength, and resource consumption from light to heavy.

[0046] Optionally, you can also preset action parameters for each intervention action in the entire set of intervention actions, such as duration, and limit the execution granularity to the session edge level, prohibit simultaneous execution on multiple session edges, and prohibit cross-session execution to sessions other than the target's first session.

[0047] Optionally, the set of intervention actions and the intervention resource budget can be bound to each type of time window, and the conditions for entering and exiting the time window can be specified, as well as the minimum cooldown interval for the execution of intervention actions within the same time window can be set. The cooling interval refers to the period during which intervention actions are prohibited from being triggered again, in order to avoid repeated interventions in the same time window or repeated intervention operations triggered for the same transaction in different time windows, thereby reducing the waste of intervention resource budget.

[0048] Then, the single-point breakdown value can be determined based on the interception success rate. and the risk of bypassing and filling in The intervention resource budget and intervention action set corresponding to the first session are determined from the complete set of intervention actions, for example, by the following formula: , in, The session-side intervention resource budget for the first session is taken from... , For the complete set of intervention actions, This is the set of intervention actions for the first session. To break down value at a single point As for the risk score of bypassing and filling in, For the preset threshold, This represents the empty set.

[0049] Optionally, the single-point scatter value tag of the first session can also be obtained synchronously based on the obtained results. Risk label of bypassing and filling , used for subsequent sorting.

[0050] In this way, by setting intervention resource budget and intervention action set, and binding the first session with intervention execution operation constraints such as intervention resource budget and cooling interval, intervention operations that meet the requirements of intervention resource budget and communication channel can be given simultaneously when the target first session is determined. This is different from the practice of separately determining intervention operations in the prior art, which can improve the response speed of intervention operations.

[0051] Optionally, the method further includes: Determine whether the intervention operation conflicts with session services outside the session set; If the intervention operation conflicts with a session service outside the session set, the intervention operation on the target first session is suspended and the reason for the conflict is recorded.

[0052] As an optional implementation, the sessions in the session set are suspected attack sessions, and the conflict refers to the simultaneous occurrence of a suspected attack session and a normal session. For example, a session recipient receives two calls at the same time: one from the session set and the other from a friend or relative (a normal session). Both calls ring at the same moment. In this case, rules can be set to ensure that only one session can obtain execution permissions within the same time window. When a session conflict occurs, intervention on the suspected attack session (i.e., the target first session) is suspended to ensure that session services outside the conflicting session set can still access normally. The reason for the suspension is recorded for subsequent decision-making, thus prioritizing the continuity of normal user services.

[0053] Optionally, the step of performing a first intervention action on the target first session according to the set of intervention actions corresponding to the target first session includes: The second intervention action is determined based on the interception success rate corresponding to the first target session, the intervention resource budget, and the set of intervention actions. The force, duration, range, and release conditions of the second intervention action are converted into action parameters; The interception feedback is estimated based on the interception success rate, the intervention resource budget, and the action parameters. The second intervention action is adjusted based on the predicted interception feedback to obtain the first intervention action; The first intervention action is performed on the target in the first session.

[0054] As an optional embodiment, a state-action reinforcement learning decision framework is first designed based on the interception success rate corresponding to the first target session, the intervention resource budget, and the set of intervention actions. The second intervention action is then determined using a reinforcement learning algorithm. The state space of the reinforcement learning includes information directly related to the target transaction, such as the risk indicators, interception success rate, and remaining intervention resource budget corresponding to the first target session. The action space of the reinforcement learning is the set of intervention actions corresponding to the first session, and is constrained by a one-time principle and a cooldown interval. The one-time principle refers to the constraint rule that only one intervention is allowed for the same session within the same time window. Furthermore, the decision-making tendency of reinforcement learning is mainly influenced by the interception success rate (including the priority of single-point disruption value and the risk of bypass replacement). For example, for targets with high single-point disruption value and low bypass replacement risk, the first session may choose to immediately trigger an intervention action with an intervention resource budget lower than the preset value; for targets with high single-point disruption value and high bypass replacement risk, the first session may choose to increase the intensity of the intervention action or switch to the manual template within the time window; when the single-point disruption value is low, or the bypass replacement risk is high and it is not appropriate to increase the intensity under the constraint of intervention resource budget, the intervention action may be delayed or abandoned; for multiple concurrent sessions, a preset order rule of prioritizing single-point disruption value, bypass replacement risk constraint, and the time window that is about to close is adopted.

[0055] After determining the second intervention action using a reinforcement learning algorithm, to quantify the intervention effect and obtain predicted interception feedback, the second intervention action can be converted into action parameters. This step can also be performed before determining the second intervention action, converting all intervention actions within the intervention action set into action parameters. Specifically, converting the second intervention action into action parameters can begin by establishing four sets of action parameters, namely, force... Duration Scope of application , release conditions Then according to the intervention resource budget Cutting strength The upper limit, according to the time window Constraint duration Within the specified range, the withdrawal of intervention operations must strictly adhere to the release conditions. Go back.

[0056] Then, the second action is simulated using a reinforcement learning algorithm. Based on the interception success rate, the intervention resource budget, and the action parameters, the estimated interception feedback is calculated and recorded. The system adjusts the overall decision-making process, including whether to trigger intervention, when to trigger intervention, what intervention action to trigger, and the action parameters, in conjunction with the budget consumption of intervention resources. The final adjustment yields the timing of the first action, the type of intervention action, and the action parameters, which are then used as the policy output. This enables dynamic decision-making regarding the timing and intensity of intervention actions, whereas traditional rule engines or static ranking strategies struggle to adapt in real time and may lead to over-intervention.

[0057] Optionally, the predicted interception feedback includes at least one of the following: Whether there are subsequent sessions after the first session of the target; Has the communication channel of the first session of the target been changed? Interruption of session services outside the aforementioned session set; The timing and force deviations of the second intervention action.

[0058] As an optional embodiment, the predicted interception feedback can be obtained according to at least one of the following designs: (1) Determine whether there are subsequent sessions after the first session of the target, such as judging the lack of subsequent calls / SMS / social applications / data, and generating a break vector; (2) Determine whether the communication channel of the target first session has been changed, detect same-direction retry, cross-channel connection, and relay continuation, and generate a filler vector. The same-direction retry is when the sender initiates a session again to the same session receiver on the same communication channel. The cross-channel connection is when the sender switches the communication channel but the session content is interrupted in the target first session. The relay continuation is when the sender continues to advance according to the original communication channel sequence. (3) Detect the impact of interruption, delay and other effects on session services outside the session set, and generate false alarm vectors; (4) Apply regularization constraints to the timing and intensity deviation of the second intervention action to construct the loss term.

[0059] By using at least one of (1) to (4) above, stable feedback can be provided for the joint decision-making of the timing and intensity of the first intervention action determined by reinforcement learning, so as to obtain the minimum sufficient intervention action, ensure the cut-off of the attack link, and reduce the impact on the user's normal business.

[0060] Optionally, the above four items can be combined with risk indicators, interception success rate, intervention resource budget, and action parameters to synthesize a predicted interception feedback. It can be calculated using the following formula: , in, The gating factor (the session edge is still valid and within the time window) If the value is 1, then 0; otherwise, 0. To break down the value weight at a single point; The fracture vector; Assigning risk weights to bypass replacements; It is a complement vector; To intervene in resource budget weighting; This is the vector of accidental damage; This corresponds to the weight vector; The relative time window for the second intervention action Time deviation at the midpoint; For positive part operators; These represent the force and duration of the second intervention action, respectively. To intervene in resource budgeting The given baseline; This is a set of tags used to predict the reasons for deductions in interception feedback.

[0061] Optionally, after performing the intervention operation on the target first session based on the interception success rate of each first session, the method further includes: Monitor whether a replacement session for the target first session occurs after the first intervention action. The replacement session is a session with a different communication channel type than the target first session but with the same sender or the same session keywords. If no alternative session is detected, the intervention operation on the target first session is lifted; the time of lifting the intervention operation, the monitoring duration, and the status of the target first session are recorded. If the possibility of the alternative session is detected, the session that is ranked before the preset order among all first sessions other than the target first session is identified as the fifth session, and an intervention operation is performed on the fifth session. The intervention resource budget corresponding to the fifth session is less than the intervention resource budget corresponding to the target first session after deduction.

[0062] As an optional embodiment, continuous monitoring is performed during the intervention operation. Specifically, the real-time monitoring data during the intervention operation is aligned with the time window and event stream. Whether a replacement session for the target first session occurs after the first intervention action is set as the core indicator, and the monitoring period is limited to the time window. Within this context, the alternative session is either a session with a different communication channel type than the target first session but the same sender, or a session with a different communication channel type than the target first session but the same session keywords; for each intervention action, a timestamp, communication channel type, session sender, session status, and intervention action release status are recorded.

[0063] If no alternative session is detected, the target first session is deemed stable and automatically deactivated. Automatic deactivation means maintaining the intervention for the preset minimum duration, then resolving the intervention on the target first session. Voice prompts, communication channel rate limits, and freezes are deactivated item by item according to the original communication channel. The time of deactivation, monitoring duration, remaining monitoring period, and target first session status are recorded and bound to the aforementioned index to ensure the execution chain is reproducible. Any abnormalities in the deactivation are recorded and marked for review to facilitate subsequent conservative strategy selection. The intervention resource budget is recalculated for surplus and re-triggered within the same time window. Subsequent sessions still within the time window are only recorded without further action.

[0064] If a potential alternative session is detected, the target first session, judged as a suspected or confirmed alternative session, is identified as the fifth session within the first sessions of the same session recipient. The fifth session can be determined using a sequence sorted by interception success rate as a reference. After excluding the target first session, sessions meeting the intervention resource budget and falling within a time window where no intervention action has been triggered are selected. Meeting the intervention resource budget means the intervention resource budget of the fifth session is less than the reduced intervention resource budget of the target first session. Then, the session in the next-ranked communication channel in the communication channel sequence corresponding to the target first session is prioritized. An intervention operation is performed on the fifth session, and the reason for the remedy is recorded. If no fifth session meets the requirements, the risk is downgraded to simply monitoring and recording that no remedy is available.

[0065] Optionally, execution conclusions can be generated based on remediation and resolution records. Specifically, each session can output conclusion tags, intervention actions and parameters, intervention resource budget consumption, time windows, and subsequent monitoring requirements. Execution conclusions can be aggregated into a batch of session status views by session recipients, submitted to the policy side for subsequent scheduling, and submitted to the audit side for record-keeping and review. A summary of the target's first session record with alternative sessions is provided, including the target's first session, fifth session, and their respective time windows, facilitating the tracking of the termination position of the target's first session.

[0066] Compared to existing technologies with fixed settings for intervention action types, durations, and termination conditions, this embodiment can automatically terminate or remedy interventions and record them based on intervention resource budgets and real-time monitoring results. In cases where alternative sessions may exist, a fifth session can be scheduled for remedy, achieving minimal and sufficient intervention. This ensures that intervention operations are accurate and traceable, reduces disruption to normal business operations, increases the possibility of rapidly dismantling attacks, and meets compliance audit requirements.

[0067] See Figure 2 , Figure 2 This is a flowchart of another session intervention method provided in this application, including the following steps: S1. Establishing Disposal Boundaries and Whitelists. In this embodiment, the rules to be followed by intervention operations are first preset. The disposal boundary refers to the allowed range of intervention operations, which is defined using a set of edge-level audit fields (i.e., the attributes marked above), such as communication channel type, time window, etc. In this embodiment, the disposal boundary is set to sessions that cross voice, SMS, or social communication channels and point to the same victim (i.e., the aforementioned session recipient) within a short period of time, and intervention operations are prohibited for other sessions; the sessions pointing to the same victim refer to sessions with the victim as the final recipient, including sessions sent directly to the victim (i.e., one-hop sessions), as well as sessions forwarded or indirectly delivered to the victim by other senders. Compliance gating is set, that is, the digital signature and source permission of the intervention request are verified to ensure that the intervention request is only processed when it is issued from a pre-authorized legitimate system. A pre-defined action whitelist (i.e., the aforementioned complete set of intervention actions) is used. For each type of intervention action, an intrusion budget (i.e., the aforementioned intervention resource budget), duration, and rollback conditions (i.e., the aforementioned release conditions) are set. A one-time execution principle and a cooldown interval are established for the intervention actions. The one-time principle refers to the constraint that only one intervention operation is allowed to be performed on the same session within the same time window. The cooldown interval refers to the cooling-off period triggered after the intervention operation is performed, during which the intervention action is prohibited from being triggered again on the same session. Time windows are defined, such as the ringing period, the call period, a short period after a call, a short period after an SMS message is sent, and a short period after a social message is sent. Then, an action subset and an intrusion budget are set for each time window. The action subset is a subset of the action whitelist. Finally, a minimum cooldown interval is set for the intervention actions within the time window.

[0068] S2. Graph Mapping and Construction of Local Views. The graph mapping refers to constructing a multi-channel heterogeneous graph (i.e., the aforementioned total session graph) based on voice conversations, SMS dialogues, and social application conversations. This multi-channel heterogeneous graph is a view constructed from conversations across multiple communication channels. Conversations are represented as edges in the multi-channel heterogeneous graph, and senders and victims are represented as nodes. It is understood that senders or victims can be represented by accounts, devices, etc., and the same sender or victim in different communication channels uses a unified identifier. Attribute annotations are applied to each edge, such as session identifier, direction, communication channel type, time window label, and session keywords.

[0069] Unlike existing technologies, after obtaining the multi-channel heterogeneous graph, instead of directly mining the entire graph, a local view is constructed: using the victim node as the anchor point, only edges corresponding to one-hop adjacencies directly facing the victim node within the same time window (i.e., the aforementioned direct cross-channel adjacencies) are filtered, and the filtered edges are defined as candidate edges. For each candidate edge, a local view (i.e., the aforementioned first view) is constructed, consisting of the victim, the sender, the one-hop adjacency, and the candidate edges between them. For example, an index is created on the candidate edges between the victim, the sender, and the one-hop adjacency within the same time window (i.e., creating a same-window inbound edge index), while other candidate edges are not indexed. Sessions with different session keywords that need to be forwarded by other senders, as well as sessions with the same session keywords but not the same victim, are blocked. A local view is generated for each candidate edge based on the index. A local view number and tracking identifier are created for each candidate edge.

[0070] Optionally, the initial merging precursor strength (i.e., the aforementioned risk indicator) can be calculated from the local view using a Multi-stream Graph Neural Network (MSGNN). Precursor identification represents the risk identification of a session being attacked, which is represented here as the initial merging precursor strength. Optionally, the initial merging precursor strength can be divided into a hierarchical label set from low to high, such as... .

[0071] In one test case, the area under the curve (AUC) for candidate edge identification (i.e., judgment of risk) within a 1-second time window reached 0.93, meaning the probability of indexing the risk session and generating a local view based on it was 93%. The candidate edges identified in this test case were highly consistent with the risk sessions located by manual review.

[0072] S3. Determine the key edge sequence. See also Figure 3 , Figure 3 This is a flowchart of determining a key edge sequence provided in an embodiment of this application, including the following steps: Step 301: Set Gating. Gating is applied to the obtained local views, with the gating scope including candidate edges that are from the same victim, within the same time window (i.e., within the same window), and sharing the same session keyword. Candidate edges that fail the gating in the local views are filtered out and not displayed, and the reason for failing the gating is recorded. Optionally, when the local views constructed for multiple candidate edges highly overlap, to avoid duplicate processing, only one local view is selected for subsequent processing, while the remaining local views are left for observation (i.e., mutual exclusion and rollback); this process can be called concurrent mutual exclusion. The selection criteria are that the trigger window of the candidate edge is closer to the current processing time, the communication channel type of the candidate edge is more concentrated, and the candidate edges have the same direction. An intervention request is triggered when a candidate edge appears and the session intervention process is started; the trigger window of the candidate edge refers to the time window when the intervention request is triggered.

[0073] Step 302, Local View Aggregation. Feature aggregation is performed on each local view that passes the gating. For example, an aggregated summary (i.e., the aforementioned risk indicators and critical link locations) is calculated by combining data such as concurrent merging (i.e., the scale of the aforementioned concurrent attacks), relay sequence (i.e., the aforementioned continuity of attacks across communication channels), and stability gating (i.e., the aforementioned stability of the attack source) from the local views.

[0074] Step 303: Calculate the scattering value and replacement risk of graph cut. Simulate cutting the candidate edge corresponding to the local view, count the number of nodes that cannot reach the victim due to the cutting of the candidate edge, count the number of communication channels through which the sender of the candidate edge can continue to advance, and calculate the scattering value and replacement risk of the candidate edge based on the number of nodes, the number of communication channels, and the aggregate digest (i.e., the aforementioned single-point scattering value and the aforementioned bypass replacement risk, which can be combined to obtain the aforementioned interception success rate).

[0075] Step 304: Calculate the intrusion budget. Based on the scattering value and the replacement risk, calculate the intrusion budget and action limit (i.e., the set of intervention actions for the first session of the aforementioned target) corresponding to each candidate edge; optionally, the scattering value and the replacement risk can also be converted into high, medium, or low level labels. Warning sign identification represents the risk identification of a session being attacked, which here is represented by the scattering value and replacement risk.

[0076] Step 305: Sort the key edge sequence and set a cooldown period. For example, sort all candidate edges according to their scattering value, and if the scattering values ​​are the same, sort them according to their replacement risk to obtain the key edge sequence (i.e., the sequence obtained by sorting the first session in a preset order). Bind each candidate edge in the key edge sequence to the aforementioned intrusion budget, trigger window, and cooldown interval. Determine the first-ranked candidate edge in the key edge sequence as the key edge (i.e., the edge corresponding to the aforementioned target first session). It should be noted that if the trigger window of the first-ranked candidate edge is inconsistent with the current time window, then the latter candidate edge will be determined as the key edge.

[0077] In one test case, within a 1-second time window, the recall rate of the top 3 critical edges remained around 0.88, meaning that processing only the first 3 candidate edges in the critical edge sequence was sufficient to intercept 88% of attacks. The critical edges identified in this test case were highly consistent with the risky sessions identified through manual review. In another test case, the probability that the identified critical edge was the session with the highest risk was 95.8%; within a 30-second time window, the probability of successfully intercepting the attack by intervening in the critical edge was 93.6%; the normal session service interruption rate was 0.06%; and the rollback success rate of undoing the intervention within the time window was 99.3%. The critical edges identified in this test case were highly consistent with the risky sessions identified through manual review, and had minimal impact on normal session services.

[0078] The "cooling-off re-entry" condition indicates that the intrusion budget, trigger window, and cooling interval bound to the candidate edge can also be used to constrain the gating of local views in subsequent session intervention processes. For example, if an intervention operation has already been performed on a candidate edge (including time windows before the current time window), then when gating the local view this time, it will be constrained by the cooling interval. If the candidate edge's cooling-off period has not expired, it cannot pass the gating and will not be displayed in the relevant local view; however, if the candidate edge meets the remaining conditions after its cooling-off period expires, it can pass the gating and be displayed in the relevant local view.

[0079] S4. Trigger Verification. Trigger verification refers to verifying the intervention request; see [link to documentation]. Figure 4 , Figure 4 This application provides a flowchart of a trigger verification process, which includes the following steps: Step 401: Verify Triggering Conditions. Optionally, select an intervention action from the intersection of the action whitelist and the action limit of the key edge, and determine whether the following triggering conditions are met: the key edge is valid, the key edge is within the triggering window, the intrusion budget of the intervention action does not exceed the intrusion budget of the key edge, the duration of the intervention action is within the time window, and the one-time principle is not violated; and verify the digital signature and source permission of the intervention request. A valid key edge means that the key edge is in a gated state at the current time, the session identifier, direction, and session keywords of the key edge have not changed, and it has not lost its eligibility to trigger an intervention request due to the one-time principle, cooling-off interval, automatic fallback, or link breakage. Intervention requests that fail the verification continue to be observed, and triggering intervention operations is not allowed.

[0080] Step 402: Constructing State and Action Boundaries. For the verified intervention requests, a strategy decision is made to obtain the proposed intervention action for the key edge (i.e., the aforementioned first intervention action, also known as a one-time lightweight action and parameters). Optionally, a reinforcement learning algorithm is used for strategy decision-making. The edge-level state space of the key edge is constructed using the content of the local view, the value of scattering and the risk of filling gaps, and the intrusion budget. The action whitelist is constrained according to the one-time principle and the cooldown interval to form the action boundary of the key edge (i.e., the aforementioned action space).

[0081] Step 403: Action Parameterization and Constraints. The intervention actions in the action space are parameterized and constrained, transforming them into the aforementioned four sets of action parameters: force, duration, range of action, and fallback condition (i.e., the aforementioned release condition). Based on these parameters, the intrusion budget of the intervention action can be calculated. Using the action upper limit of the key edge as a mask, the action whitelist is constrained to obtain the available action types. The intrusion budget of the intervention actions in the action space is guaranteed not to exceed the intrusion budget of the key edge (i.e., budget pruning). When the intrusion budget of an intervention action exceeds the intrusion budget of the key edge, the intervention action is discarded and replaced with an intervention action with a smaller intrusion budget (i.e., downgrading), and the reason for discarding is recorded.

[0082] Step 404: Set the reward signal and gating. The reward signal of the reinforcement learning algorithm is designed as a break vector, a replacement vector, a false positive vector, and a regularized loss term for time and force deviations. The break vector, replacement vector, false positive vector, and the regularized loss term for time and force deviations are continuously gated. Only when the gating is passed is the reward of the key edge (i.e., the aforementioned predicted interception feedback) included. The gating range is when the key edge is valid and the time window remains unchanged, thereby avoiding delayed feedback or cross-session feedback caused by key edge failure or time window switching from being included in the key edge's reward. Specifically, gating feedback pruning means that the reward is not only used to optimize the reinforcement learning algorithm for policy decision-making, but also to limit the intervention force, duration, scope, and backoff conditions of the key edge within the time window, so that the obtained policy is within a more suitable range of action parameters.

[0083] Step 405: Policy Output and Concurrent Scheduling. Based on the reported rewards, an intervention strategy is determined within a time window using a reinforcement learning algorithm. This strategy includes the target key edge and the intervention action to be performed. It is understood that during this dynamic decision-making process, intervention operations may have already been performed on other candidate edges with the same victim, time window, and session keyword. This can lead to concurrent conflicts between the target key edge and other candidate edges, preventing it from being identified as the target key edge. In this case, another candidate edge needs to be selected for policy decision-making to determine the target key edge; this process can be called concurrent scheduling. The selection criteria are high value (i.e., value priority) and a trigger window closer to the current time (i.e., window proximity).

[0084] After determining the target key edge and the intervention action to be performed, the one-time principle and cooling interval constraint are synchronized to the state space of the reinforcement learning algorithm to prevent the target key edge from being selected again to perform the intervention operation during the cooling period; this process can be called one-time and cooling update.

[0085] S5. Implementation and Monitoring. See also Figure 5 , Figure 5 This is a flowchart of an execution and detection process provided in an embodiment of this application, including the following steps: Step 501: Execute access and pre-check. Connect the obtained target critical edge and the intervention action to be executed to the execution side. Before executing the intervention action on the critical edge, perform a pre-check, that is, check the trigger window, intrusion budget, one-time principle, and cooling interval as in step 401, and check the digital signature and source permission of the intervention request.

[0086] Step 502, Template Mapping and Planning. After successful verification, identify the communication channel type corresponding to the target key edge and determine the preset template library (i.e., template mapping) corresponding to the communication channel type. Then, generate an intervention plan within the communication channel according to the target key edge and the intervention action to be performed.

[0087] Step 503: Templated Execution and Rollback. Execute the intervention action according to a preset template, such as inserting prompts or limiting the speed of the voice channel, or freezing the SMS channel. Set the minimum duration of the intervention action to the lower limit of the duration interval, and set automatic rollback according to the rollback conditions. It is understood that, as mentioned above, concurrent conflicts may still occur during this dynamic execution process. In this case, the intervention action can be downgraded to an intervention action with a smaller intrusive budget, such as reducing the action intensity, narrowing the scope of effect, or shortening the duration. If downgrading cannot eliminate concurrent conflicts, postpone execution to the next available time point within the time window, such as the time point after the cooldown interval within the time window ends. If the postponement cannot eliminate concurrent conflicts due to constraints such as the one-time principle or cooldown interval, then do not execute further, and only monitor the target critical edge.

[0088] Step 504: Monitoring and Alignment. Monitor the target critical edge during the intervention action execution. Trigger a rollback when the rollback conditions are met, canceling the intervention action. Record real-time monitoring data for target critical edge disconnection (i.e., no subsequent sessions after the first session of the aforementioned target), substitute session replacement, or normal service mishap (i.e., interruption of session services outside the aforementioned session set), including timestamps, communication channel types, sender identifiers, connection status, and rollback status. Bind this monitoring record to the intervention action execution log by session identifier, local view number, and tracking identifier (i.e., key-value pair). Then verify whether the timestamps, communication channel types, sender identifiers, connection status, and rollback status of the two are consistent. If they are consistent, it indicates that the monitoring record is aligned with the intervention action execution log. If more than two monitoring records record the same fact, deduplication is performed, retaining only one monitoring event record. If more than two monitoring event records are records of different times or different states of the same intervention (such as target critical edge disconnection, substitute session replacement, etc.), all are retained to form a complete record.

[0089] Step 505: Recording and Packaging of Receipts. Optionally, the monitoring records of the aforementioned target critical edge disconnection, alternative session replacement, and normal business accidental damage can be encoded, and the action parameters of the intervention actions performed can be recorded. The obtained encoding and action parameters are packaged to obtain an execution receipt, and the execution receipt is bound to an index to form an observation stream of the target critical edge. The execution receipt is fed back to the state space of the reinforcement learning algorithm in S4 policy decision-making for policy updates.

[0090] S6. Determine if the link is broken. See also... Figure 6 , Figure 6 This application provides a flowchart for determining link breakage, including the following steps: Step 601, Alignment and Attribution. Align the intervention action execution records and the observation flow with the target key edge as the anchor point, and classify the status of each target key edge into three categories: stable, suspected alternative session replacement, and confirmed alternative session replacement.

[0091] Step 602, Suboptimal Edge Remediation. If the target critical edge is suspected or confirmed to have been replaced by an alternative session, then available critical edges other than the target critical edge are screened from the critical edge sequence targeting the same victim. For example, within the remaining intrusion budget, the suboptimal edge (i.e., the edge corresponding to the aforementioned fifth session) is remediated. The intervention action of the suboptimal edge is adjusted according to the remaining intrusion budget (i.e., the intervention resource budget corresponding to the target first session after deduction) and the action limit of the suboptimal edge (i.e., budget pruning), ensuring that the intensity and duration of the suboptimal edge's intervention action are less than the intensity and duration of the target critical edge's intervention action (i.e., lightweight action without escalation). The suboptimal edge and its intervention action are then submitted to step S5 for execution. If no available critical edge is screened (i.e., no available remedy), only monitoring is performed and a conclusion that no remedy is available is generated.

[0092] Step 603: Automatic rollback. If the state of the target critical edge is stable or becomes stable after remediation, the minimum duration of the intervention action is set to the lower limit of the duration interval, and automatic rollback is executed according to the rollback conditions. The surplus of the intrusion budget is calculated, and the one-time principle is set to the completed state, prohibiting the intervention from being triggered again in the same time window. Subsequent sessions that are still within the time window are only monitored and not intervened.

[0093] Step 604: Conclusion and Write-back. After the intervention operation is lifted (i.e., reversal complete), an execution conclusion is generated. A link summary is recorded for the alternative session replacement scenario. This link summary includes the target key edge, the remedial edge, and their time sequence, facilitating the tracking of the session's termination position. A cooling-off interval is set for the target key edge and remedial edge for which intervention operations have been performed, i.e., an expiration period and freezing rules are set. During the cooling-off interval, triggering the intervention operation again is prohibited (i.e., frozen during the effective period). The execution conclusion is written back to the state space of the reinforcement learning algorithm in the S4 policy decision-making process to update the policy and maintain the accuracy of the candidate edge states.

[0094] See Figure 7 The solution provided in this application constructs a local view for each candidate edge and calculates the scattering value and replacement risk based on the local view, enabling edge-level risk assessment, which differs from user-level or group-level risk assessment in existing technologies. By using reinforcement learning algorithms and feedback from execution receipts and conclusions for policy decision-making, a dynamically adaptive session intervention strategy can be obtained, significantly different from existing technologies that rely on static rules or full-channel blocking.

[0095] See Figure 8This application provides a conversation intervention device 80, which includes: The acquisition module 801 is used to acquire the first session received by the same session receiver within the same time window; The annotation module 802 is used to annotate the communication channel type and session keywords of each first session to obtain a session set composed of the first sessions; The first determining module 803 is used to determine a second session in the session set that has a different communication channel type than the first session but has the same sender or the same session keyword. The construction module 804 is used to construct a first view corresponding to each first session based on the session receiver, the first session, the sender of the first session, the second session, and the sender of the second session, respectively, to obtain a set of first views; The second determining module 805 is used to determine the interception success rate of each first session based on the correlation between sessions corresponding to each first view; The first execution module 806 is used to perform intervention operations on the target first session based on the interception success rate of each first session.

[0096] Optionally, the second determining module 805 is further configured to: The number of sessions running concurrently with the first session in the first view is obtained, and a first feature of each first session is obtained. The first feature is used to characterize the scale of concurrent attacks corresponding to the first session. The switching trajectory of the sender of the first session on different communication channels is analyzed to obtain a second feature of each first session. The second feature is used to characterize the cross-communication channel attack persistence corresponding to the first session. The weight of the third session in the first view is reduced to obtain the third feature of each first session. The third feature is used to characterize the stability of the attack source corresponding to the first session. The third session is the session sent by the sender that appears only once in the first view. Based on the first feature, the second feature, and the third feature, a risk index for each attack involved in the first session is obtained. Determine the statistical data corresponding to each first session. The statistical data includes: the number of senders in the first view, the number of senders associated with the first session, the number of communication channels used by the sender of the first session, the number of fourth sessions, and historical intervention records. The fourth session is a session whose sending time is later than the first session and whose session keywords are the same as those of the first session. The interception success rate of each first session is determined based on the risk indicators and statistics corresponding to each first session.

[0097] Optionally, the first execution module 806 is further configured to: The intervention resource budget and intervention action set corresponding to the first session are determined based on preset rules and the interception success rate. All the first sessions are sorted according to the interception success rate, and the first session whose sorting order is earlier than the preset order is determined as the target first session; Based on the set of intervention actions corresponding to the target first session, a first intervention action is performed on the target first session, and the intervention resource budget corresponding to the first intervention action is deducted. The set of intervention actions includes the first intervention action.

[0098] Optionally, the device 80 further includes: The judgment module is used to determine whether the intervention operation conflicts with session services outside the session set; The second execution module is used to suspend the intervention operation on the target first session and record the reason for the conflict when the intervention operation conflicts with the session service outside the session set.

[0099] Optionally, the device 80 further includes: The third determining module is used to determine the second intervention action based on the interception success rate corresponding to the target first session, the intervention resource budget, and the set of intervention actions; The conversion module is used to convert the force, duration, range, and release condition of the second intervention action into action parameters; The calculation module is used to calculate the estimated interception feedback based on the interception success rate, the intervention resource budget, and the action parameters; An adjustment module is used to adjust the second intervention action based on the estimated interception feedback to obtain the first intervention action; The third execution module is used to execute the first intervention action on the target first session.

[0100] Optionally, the predicted interception feedback includes at least one of the following: Whether there are subsequent sessions after the first session of the target; Has the communication channel of the first session of the target been changed? Interruption of session services outside the aforementioned session set; The timing and force deviations of the second intervention action.

[0101] Optionally, the device 80 further includes: The monitoring module is used to monitor whether a replacement session of the target first session occurs after the first intervention action. The replacement session is a session with a different communication channel type than the target first session but with the same sender or the same session keywords. The deactivation module is used to deactivate the intervention operation on the target first session when no alternative session is detected; and to record the time of the deactivation operation, the monitoring duration, and the status of the target first session. The fourth execution module is used to determine the fifth session among all first sessions other than the target first session, whose sorting order is earlier than the preset order, when the possibility of the alternative session is detected. The fifth session is then subjected to an intervention operation, and the intervention resource budget corresponding to the fifth session is less than the intervention resource budget corresponding to the target first session after deduction.

[0102] The conversation intervention device 80 provided in this application embodiment can implement the various processes implemented in the above-described conversation intervention method embodiment and achieve the same technical effect. To avoid repetition, it will not be described again here.

[0103] See Figure 9 This application provides an electronic device 90, including a processor 901, a memory 902, and a program or instructions stored in the memory 902 and executable on the processor 901. When the program or instructions are executed by the processor 901, they implement the various processes in the above-mentioned session intervention method and achieve the same technical effect. To avoid repetition, they will not be described again here.

[0104] This application also provides a computer-readable storage medium storing a program or instructions. When the program or instructions are executed by a processor, they implement the various processes in the above-described session intervention method and achieve the same technical effect. To avoid repetition, they will not be described again here.

[0105] This application also provides a computer program product, including computer instructions. When the computer instructions are executed by a processor, they implement the various processes in the above-described session intervention method embodiments and achieve the same technical effect. To avoid repetition, they will not be described again here.

[0106] It should be noted that, in this document, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Unless otherwise specified, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes that element.

[0107] Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus necessary general-purpose hardware platforms. Of course, they can also be implemented by hardware, but in many cases the former is a better implementation method. Based on this understanding, the technical solution of the present invention, or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product is stored in a storage medium (such as ROM / RAM, magnetic disk, optical disk) and includes several instructions to cause a terminal (which may be a mobile phone, computer, server, air conditioner, or network device, etc.) to execute the methods described in the various embodiments of the present invention.

[0108] The embodiments of the present invention have been described above with reference to the accompanying drawings. However, the present invention is not limited to the specific embodiments described above. The specific embodiments described above are merely illustrative and not restrictive. Those skilled in the art can make many other forms under the guidance of the present invention without departing from the spirit and scope of the claims, and all of these forms are within the protection scope of the present invention.

Claims

1. A conversation intervention method, characterized in that, The method includes: Retrieve the first session received by the same session receiver within the same time window; Label the communication channel type and session keywords of each first session to obtain a session set composed of the first sessions; Identify a second session in the session set that has a different communication channel type than the first session but has the same sender or the same session keywords; Based on the session receiver, the first session, the sender of the first session, the second session, and the sender of the second session, a first view corresponding to each first session is constructed to obtain a set of first views; Based on the correlation between the sessions corresponding to each first view, the interception success rate of each first session is determined; Intervention operations are performed on the target first session based on the interception success rate of each first session.

2. The method according to claim 1, characterized in that, The step of determining the interception success rate of each first session based on the correlation between sessions corresponding to each first view includes: The number of sessions running concurrently with the first session in the first view is obtained, and a first feature of each first session is obtained. The first feature is used to characterize the scale of concurrent attacks corresponding to the first session. The switching trajectory of the sender of the first session on different communication channels is analyzed to obtain a second feature of each first session. The second feature is used to characterize the cross-communication channel attack persistence corresponding to the first session. The weight of the third session in the first view is reduced to obtain the third feature of each first session. The third feature is used to characterize the stability of the attack source corresponding to the first session. The third session is the session sent by the sender that appears only once in the first view. Based on the first feature, the second feature, and the third feature, a risk index for each attack involved in the first session is obtained. Determine the statistical data corresponding to each first session. The statistical data includes: the number of senders in the first view, the number of senders associated with the first session, the number of communication channels used by the sender of the first session, the number of fourth sessions, and historical intervention records. The fourth session is a session whose sending time is later than the first session and whose session keywords are the same as those of the first session. The interception success rate of each first session is determined based on the risk indicators and statistics corresponding to each first session.

3. The method according to claim 1, characterized in that, The step of performing intervention operations on the target first session based on the interception success rate of each first session includes: The intervention resource budget and intervention action set corresponding to the first session are determined based on preset rules and the interception success rate. All the first sessions are sorted according to the interception success rate, and the first session whose sorting order is earlier than the preset order is determined as the target first session; Based on the set of intervention actions corresponding to the target first session, a first intervention action is performed on the target first session, and the intervention resource budget corresponding to the first intervention action is deducted. The set of intervention actions includes the first intervention action.

4. The method according to claim 1, characterized in that, The method further includes: Determine whether the intervention operation conflicts with session services outside the session set; If the intervention operation conflicts with a session service outside the session set, the intervention operation on the target first session is suspended and the reason for the conflict is recorded.

5. The method according to claim 3, characterized in that, The step of performing a first intervention action on the target first session according to the set of intervention actions corresponding to the target first session includes: The second intervention action is determined based on the interception success rate corresponding to the first target session, the intervention resource budget, and the set of intervention actions. The force, duration, range, and release conditions of the second intervention action are converted into action parameters; The interception feedback is estimated based on the interception success rate, the intervention resource budget, and the action parameters. The second intervention action is adjusted based on the predicted interception feedback to obtain the first intervention action; The first intervention action is performed on the target in the first session.

6. The method according to claim 5, characterized in that, The predicted interception feedback includes at least one of the following: Whether there are subsequent sessions after the first session of the target; Has the communication channel of the first session of the target been changed? Interruption of session services outside the aforementioned session set; The timing and force deviations of the second intervention action.

7. The method according to claim 3, characterized in that, After performing intervention operations on the target first session based on the interception success rate of each first session, the method further includes: Monitor whether a replacement session for the target first session occurs after the first intervention action. The replacement session is a session with a different communication channel type than the target first session but with the same sender or the same session keywords. If no alternative session is detected, the intervention operation on the target first session is lifted; the time of lifting the intervention operation, the monitoring duration, and the status of the target first session are recorded. If the possibility of the alternative session is detected, the session that is ranked before the preset order among all first sessions other than the target first session is identified as the fifth session, and an intervention operation is performed on the fifth session. The intervention resource budget corresponding to the fifth session is less than the intervention resource budget corresponding to the target first session after deduction.

8. A conversation intervention device, characterized in that, The device includes: The acquisition module is used to acquire the first session received by the same session receiver within the same time window; The annotation module is used to annotate the communication channel type and session keywords of each first session, so as to obtain a session set composed of the first sessions; The first determining module is used to determine a second session in the session set that has a different communication channel type than the first session but has the same sender or the same session keywords. The construction module is used to construct a first view corresponding to each first session based on the session receiver, the first session, the sender of the first session, the second session, and the sender of the second session, respectively, to obtain a set of first views; The second determining module is used to determine the interception success rate of each first session based on the correlation between the sessions corresponding to each first view; The first execution module is used to perform intervention operations on the target first session based on the interception success rate of each first session.

9. An electronic device, characterized in that, It includes a processor, a memory, and a program or instructions stored in the memory and executable on the processor, wherein the program or instructions, when executed by the processor, implement the steps of the session intervention method as described in any one of claims 1 to 7.

10. A computer-readable storage medium, characterized in that, The readable storage medium stores a program or instructions that, when executed by a processor, implement the steps of the session intervention method as described in any one of claims 1 to 7.

11. A computer program product, characterized in that, It includes computer instructions that, when executed by a processor, implement the steps in the session intervention method as described in any one of claims 1 to 7.