1. An information processing method applied to big data cloud office is characterized by being applied to a cloud office server, and comprises the following steps:

performing key description mining on to-be-processed visual office information comprising a plurality of visual office information nodes through a key description mining unit of an abnormal office record identification network to obtain key description contents corresponding to each visual office information node; the abnormal office record identification network is used for identifying a plurality of abnormal office record types of the visual office information to be processed;

determining a correlation coefficient between the corresponding visual office information node and each abnormal office record type respectively based on the key description content corresponding to each visual office information node through a correlation analysis unit of the abnormal office record identification network;

and respectively selecting the visual office information nodes of which the correlation coefficients of the abnormal office record types accord with the correlation analysis conditions from the plurality of visual office information nodes, and taking the selected visual office information nodes as the abnormal office visual information mined from the visual office information to be processed.

2. The method according to claim 1, wherein the key description mining unit comprises a plurality of key description mining threads, and each key description mining thread corresponds to one of the visual office information nodes;

the key description mining unit for identifying the network through the abnormal office record performs key description mining on the visual office information to be processed, which comprises a plurality of visual office information nodes, to obtain the key description content corresponding to each visual office information node, and the key description mining unit comprises:

and respectively carrying out the following processing based on each key description mining thread:

performing key description mining on to-be-processed visual office information comprising a plurality of visual office information nodes through the key description mining thread to obtain key description contents of the corresponding visual office information nodes;

correspondingly, the key description mining of the to-be-processed visual office information including a plurality of visual office information nodes through the key description mining thread to obtain the key description content of the corresponding visual office information nodes includes:

converting the visual office information to be processed into a plurality of candidate visual office information nodes through the key description mining thread;

performing key description mining on each candidate visual office information node to obtain key description contents corresponding to each candidate visual office information node;

selecting a candidate visual office information node with the maximum description value corresponding to the key description content from the plurality of candidate visual office information nodes, and taking the key description content of the selected candidate visual office information node as the key description content of the visual office information node corresponding to the key description mining thread;

correspondingly, when the key description mining thread is used for performing key description mining on the visual office information node of the target information quantity, the converting the to-be-processed visual office information into a plurality of candidate visual office information nodes includes:

looking up the office data reports in the visual office information to be processed one by one, and processing each office data report looked up one by one as follows:

and taking the office data reports which are looked up one by one as initial office data reports, and mining candidate visual office information nodes of the target information amount from the visual office information to be processed.

3. The method according to claim 1, wherein the determining, by the relevance analysis unit of the abnormal office record identification network, the relevance coefficient of the corresponding visual office information node and each abnormal office record type based on the key description content corresponding to each visual office information node respectively comprises:

respectively carrying out the following processing aiming at each visual office information node:

acquiring an importance coefficient of each abnormal office record type;

and respectively determining the correlation coefficient between the visual office information node and each abnormal office record type through a correlation analysis unit of the abnormal office record identification network based on the key description content corresponding to the visual office information node and the importance coefficient of each abnormal office record type.

4. The method according to claim 1, wherein the selecting, from the plurality of visual office information nodes, a visual office information node whose correlation coefficient matches a correlation analysis condition with respect to each of the abnormal office record types includes:

respectively carrying out the following processing aiming at each abnormal office record type:

sorting the visual office information nodes based on the correlation coefficient between the visual office information nodes and the abnormal office record type to obtain a visual office information node order;

and selecting the visual office information nodes with the target number from the visual office information node sequence according to the descending mode of the correlation coefficient, and taking the selected visual office information nodes as the visual office information nodes with the correlation coefficient of the abnormal office record type meeting the correlation analysis condition.

5. The method according to claim 1, wherein the selecting, from the plurality of visual office information nodes, a visual office information node whose correlation coefficient matches a correlation analysis condition with respect to each of the abnormal office record types includes:

respectively carrying out the following processing aiming at each abnormal office record type:

acquiring a preset correlation coefficient corresponding to the abnormal office record type;

and selecting the visual office information nodes with the correlation coefficient reaching the preset correlation coefficient from the plurality of visual office information nodes, and taking the selected visual office information nodes as the visual office information nodes with the correlation coefficient of the abnormal office record conforming to the correlation analysis condition.

6. The method according to claim 1, wherein before the key description mining of the to-be-processed visual office information including a plurality of visual office information nodes by the key description mining unit of the abnormal office record identification network, the method further comprises:

acquiring item information of the target cooperative office item from the target cooperative office item;

and mining the visual office information of the item information, and taking the visual office information obtained by mining as the visual office information to be processed.

7. The method according to claim 1, wherein after the selected visual office information node is used as the abnormal office visual information mined from the to-be-processed visual office information, the method further comprises:

generating corresponding abnormal office warning information based on the abnormal office visual information;

and sending the abnormal office warning information.

8. The method according to claim 1, wherein before the key description mining of the to-be-processed visual office information including a plurality of visual office information nodes by the key description mining unit of the abnormal office record identification network, the method further comprises:

performing key description mining on the reference visual office information comprising a plurality of reference visual office information nodes through a key description mining unit of the abnormal office record identification network to obtain key description contents corresponding to each reference visual office information node; the reference visual office information is bound with an abnormal office record identification mark indicating an abnormal office record type corresponding to the reference visual office information;

determining a correlation coefficient between each reference visual office information node and each abnormal office record type respectively based on the key description content corresponding to each reference visual office information node through a correlation analysis unit of the abnormal office record identification network;

performing relevance analysis on the abnormal office record type of the reference visual office information through a relevance analysis unit of the abnormal office record identification network based on the relevance coefficient of each reference visual office information node and each abnormal office record type to obtain a related abnormal office type;

adjusting the configuration parameters of the key description mining unit and the configuration parameters of the correlation analysis unit based on the comparison result between the associated abnormal office type and the abnormal office record identification mark;

correspondingly, the performing relevance analysis on the abnormal office record type of the reference visual office information based on the relevance coefficient between each reference visual office information node and each abnormal office record type to obtain a related abnormal office type includes:

respectively determining the possibility that the reference visual office information corresponds to each abnormal office record type based on the correlation coefficient of each reference visual office information node and each abnormal office record type;

and determining an abnormal office record type corresponding to the reference visual office information based on the possibility that the reference visual office information corresponds to each abnormal office record type, and taking the determined abnormal office record type as the associated abnormal office type.

9. A cloud office server comprising a processor and a memory; the processor is connected in communication with the memory, and the processor is configured to read the computer program from the memory and execute the computer program to implement the method of any one of claims 1 to 8.

10. A computer-readable storage medium, on which a program is stored which, when being executed by a processor, carries out the method of any one of the preceding claims 1 to 8.

Background

Big data (big data) is a data set which cannot be captured, managed and processed by a conventional software tool within a certain time range, and is a massive, high-growth rate and diversified information asset which can have stronger decision-making power, insight discovery power and flow optimization capability only by a new processing mode.

With the advent of the big data age, information resources are continuously expanded, and the requirements of enterprises can not be met by simply searching and browsing from the internet or directly obtaining from a database. In view of this, enterprises need to fully utilize big data technology, establish a powerful data center in a cloud office system, collect, analyze and arrange various information, and finally gather the information into valuable information for the enterprises, so as to provide reference for enterprise leadership decisions. In a series of processing processes of collecting, analyzing, sorting, finally summarizing and the like of the cloud office information, the security of the cloud office environment needs to be considered. To achieve this, it is often necessary to mine abnormal office information to perform corresponding information safeguards. However, the related abnormal office information mining technology has the technical problems of low intelligent degree and poor timeliness.

Disclosure of Invention

In order to solve the technical problems in the related art, the application provides an information processing method, a server and a medium applied to big data cloud office.

The application provides an information processing method applied to big data cloud office on one hand, and the method is applied to a cloud office server and comprises the following steps: performing key description mining on to-be-processed visual office information comprising a plurality of visual office information nodes through a key description mining unit of an abnormal office record identification network to obtain key description contents corresponding to each visual office information node; the abnormal office record identification network is used for identifying a plurality of abnormal office record types of the visual office information to be processed; determining a correlation coefficient between the corresponding visual office information node and each abnormal office record type respectively based on the key description content corresponding to each visual office information node through a correlation analysis unit of the abnormal office record identification network; and respectively selecting the visual office information nodes of which the correlation coefficients of the abnormal office record types accord with the correlation analysis conditions from the plurality of visual office information nodes, and taking the selected visual office information nodes as the abnormal office visual information mined from the visual office information to be processed.

Another aspect of the present application provides a cloud office server, including a processor and a memory; the processor is connected with the memory in communication, and the processor is used for reading the computer program from the memory and executing the computer program to realize the method.

The present application provides in one aspect a computer readable storage medium having stored thereon a program which, when executed by a processor, performs the method of the above-mentioned claims.

Drawings

Fig. 1 is a schematic diagram of a hardware structure of a cloud office server provided in an embodiment of the present application.

Fig. 2 is a schematic flow chart of an information processing method applied to big data cloud office according to an embodiment of the present application.

Detailed Description

The method provided by the embodiment of the application can be executed in a cloud office server, a computer device or a similar operation device. Taking an operation on a cloud office server as an example, fig. 1 is a hardware structure block diagram of a cloud office server implementing an information processing method applied to big data cloud office in an embodiment of the present application. As shown in fig. 1, the cloud office server 10 may include one or more processors 102 (only one is shown in fig. 1) (the processor 102 may include but is not limited to a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data, and optionally, the cloud office server 10 may further include a transmission device 106 for communication function. It will be understood by those of ordinary skill in the art that the structure shown in fig. 1 is merely an illustration, and does not limit the structure of the cloud office server 10. For example, the cloud office server 10 may also include more or fewer components than shown in fig. 1, or have a different configuration than shown in fig. 1.

An information processing method applied to big data cloud office provided by the embodiment of the present application will be described with reference to exemplary applications and implementations of a cloud office server provided by the embodiment of the present application. Referring to fig. 2, fig. 2 is an optional flowchart of an information processing method applied to big data cloud office according to an embodiment of the present application, and will be described with reference to the steps shown in fig. 2.

Step 101, the cloud office server performs key description mining on to-be-processed visual office information including a plurality of visual office information nodes through a key description mining unit of an abnormal office record identification network to obtain key description content corresponding to each visual office information node.

In specific implementation, the abnormal office record identification network is used for identifying a plurality of types of abnormal office records of the visual office information to be processed. The to-be-processed visual office information can be transmitted by related office users, and can also be acquired by the cloud office server according to related instructions.

In an exemplary embodiment, based on fig. 2, before the technical solution described in step 101, the method may further include the technical contents described below.

The cloud office server acquires item information of the target cooperative office item from the target cooperative office item; and mining the visual office information of the item information, and taking the visual office information obtained by mining as the visual office information to be processed.

In the practical application process, the cloud office server firstly acquires item information from the target collaborative office items, digs corresponding visual collaborative office information from the item information, and takes the digged visual collaborative office information as the visual office information to be processed. For example: the target collaborative office event may be any information type of collaborative office information.

The abnormal office record recognition network may adopt a Convolutional Neural Network (CNN), for example, a Neural network model such as TextCNN, BertCNN, or DPCNN, but is not limited thereto. The type of the abnormal office record used for the identification by the abnormal office record identification network may be a set number of types, and may be used for identification of two types of the abnormal office record, or may be used for identification of two or more types of the abnormal office record. In the embodiment of the present application, the abnormal office record type may be identified from the abnormal office record stage, for example, four stages, which are set as an abnormal office record of a first risk degree, an abnormal office record of a second risk degree, an abnormal office record of a third risk degree, and an abnormal office record without risk (for the risk degree, the first risk degree is higher than the second risk degree, and the second risk degree is higher than the third risk degree). In addition, the abnormal office record type can be identified based on the abnormal office record type, such as a data theft type, an information illegal access type, and the like.

In practice, in other examples. The cloud office server guides the visual office information to be processed into the abnormal office record identification network, and key description mining is carried out on the visual office information to be processed through a key description mining unit of the abnormal office record identification network to obtain key description contents of a plurality of visual office information nodes. The method comprises the steps of firstly extracting the characteristics of the visual office information to be processed by a key description mining unit to obtain the characteristics of the visual office information to be processed, and mining the key description based on the characteristics of the visual office information to be processed. In the embodiment of the application, the key description mining unit extracts key description features of the visual office information to be processed by combining a feature extraction mode of an attention mechanism.

In an exemplary embodiment, the key description mining unit includes a plurality of key description mining threads, and each key description mining thread corresponds to one of the visual office information nodes. For an optional embodiment of the information processing method applied to the big data cloud office, the key description mining unit of the abnormal office record identification network, which is described in step 101, performs key description mining on to-be-processed visual office information including a plurality of visual office information nodes to obtain key description content corresponding to each visual office information node, and may specifically include the content described in step 1011 below.

Step 1011, the cloud office server performs the following processing based on each key description mining thread: and performing key description mining on the visual office information to be processed comprising a plurality of visual office information nodes through the key description mining thread to obtain the key description content of the corresponding visual office information nodes.

Optionally, an implementation manner of the mining process of the abnormal office visualization information provided by the embodiment of the present application is as follows. In an actual application process, one key description mining thread is used for mining key description contents corresponding to one visual office information node, and it should be understood that the number of the visual office information nodes mined from the visual office information nodes to be processed is the number of the key description mining threads. In the practical application process, the number of the key description mining threads of the key description mining unit can be set as a related configuration parameter of the abnormal office record identification network during network construction, and the number of the key description mining threads can be set to be a proper value according to actual needs.

In the embodiment of the application, the cloud office server can set the configuration parameters of the key description mining unit of the abnormal office record identification network based on the number of convolution kernels, the scale of the convolution kernels and the characteristic dimension. It can be understood that, in the embodiment of the present application, each convolution kernel may be understood as a key description mining thread of the visual office information, which is used for mining the visual office information node corresponding to the scale of the convolution kernel and the key description content corresponding to the visual office information node.

In an exemplary embodiment, the key description mining thread described in step 1011 performs key description mining on the to-be-processed visual office information including a plurality of visual office information nodes to obtain key description contents of the corresponding visual office information nodes, and specifically, the key description contents may be implemented by the following contents described in step 10111 to step 10113.

Step 10111, the cloud office server performs the following processing based on each key description mining thread: the cloud office server converts the visual office information to be processed into a plurality of candidate visual office information nodes through the key description mining thread;

step 10112, respectively performing key description mining on each candidate visual office information node to obtain key description content corresponding to each candidate visual office information node;

step 10113, selecting the candidate visual office information node with the largest description value corresponding to the key description content from the plurality of candidate visual office information nodes, and taking the key description content of the selected candidate visual office information node as the key description content of the visual office information node corresponding to the key description mining thread.

In the actual application process, the cloud office server performs the following processing for each key description mining thread: and converting the visual office information to be processed into a plurality of candidate visual office information nodes corresponding to the size of the key description mining thread through the key description mining thread. It can be understood that the scale of the key description mining thread, that is, the convolution kernel, represents the amount of information (such as Mb or Gb) of the visual office information that can be made ahead of time. Illustratively, if the scale of the convolution kernel is set to 3, the convolution kernel is used to mine the visualized office inodes composed of three office material reports. After the convolution kernel convolves the visual office information to be processed for multiple times, a plurality of candidate visual office information nodes and key description contents corresponding to the candidate visual office information nodes are obtained, then the cloud office server compares the key description contents corresponding to the candidate visual office information nodes, the candidate visual office information node with the maximum description value corresponding to the key description contents is used as the visual office information node mined by the convolution kernel, and the key description contents corresponding to the visual office information node are obtained.

In an exemplary embodiment, when the key description mining thread is used to perform key description mining on the visual office information node of the target information volume, the step 10111 may be implemented by converting the to-be-processed visual office information into a plurality of candidate visual office information nodes.

The cloud office server refers (traverses) the office data reports in the visual office information to be processed one by one, and processes each office data report which is referred one by one as follows: and taking the office data reports which are looked up one by one as initial office data reports, and mining candidate visual office information nodes of the target information amount from the visual office information to be processed.

In the practical application process, when the cloud office server performs conversion of the candidate visual office information nodes on the visual office information to be processed, the cloud office server specifically adjusts the office data report in the visual office information to be processed according to the visual office information processing sequence. In the embodiment of the present application, the visualized office information processing order may be set in advance. Illustratively, the cloud office server refers to office data reports in the visual office information to be processed one by one according to a time positive sequence, and selects the visual office information nodes with target information quantity as candidate visual office information nodes according to the time positive sequence when referring to the first office data report one by one. Illustratively, if the scale of the convolution kernel is 3, the target information amount is 3 office data reports, the cloud office server selects 3 office data reports taking the first office data report as an initial office data report as a first mined candidate visual office information node when looking up the first office data report one by one, and when the information amount difference between the office data reports looked up one by one and the last office data report of the visual office information to be processed is equal to the target information amount, the traversal is terminated.

In the practical application process, after the cloud office server obtains the key description contents corresponding to the plurality of visual office information nodes, the key description contents are spliced into one feature to be used as the key description feature of the visual office information to be processed. It should be understood that each key description corresponds to an element of a key description feature. If the number of the visualized office information nodes is 200, the spliced key description features can be a1 × 200 one-dimensional feature.

102, determining, by a relevance analysis unit of the abnormal office record identification network, a relevance coefficient between each corresponding visual office information node and each abnormal office record type based on the key description content corresponding to each visual office information node.

In the practical application process, after the cloud office server excavates key description contents corresponding to a plurality of visual office information nodes of visual office information to be processed through a key description mining unit of the abnormal office record identification network, the plurality of key description contents are led into a correlation analysis unit of the abnormal office record identification network. In the embodiment of the application, the relevance analysis unit includes importance coefficients of the abnormal office record types respectively corresponding to the key description mining threads. Illustratively, if the number of the key description mining threads is 24 and the number of the abnormal office record types is 3, the relevance analysis unit includes a 24 × 4 importance coefficient feature, each column of the importance coefficient feature corresponds to one abnormal office record type, and any element in a certain column of the importance coefficient feature corresponds to one key description mining thread.

In an exemplary embodiment, for an optional embodiment of the information processing method applied to big data cloud office, the relevance analysis unit of the abnormal office record identification network described in step 102 determines the relevance coefficient between the corresponding visualized office information node and each abnormal office record type based on the key description content corresponding to each visualized office information node, and may further be implemented by the following steps.

The cloud office server respectively carries out the following processing aiming at each visual office information node: acquiring an importance coefficient of each abnormal office record type; and respectively determining the correlation coefficient between the visual office information node and each abnormal office record type through a correlation analysis unit of the abnormal office record identification network based on the key description content corresponding to the visual office information node and the importance coefficient of each abnormal office record type.

In the practical application process, the cloud office server obtains importance coefficient characteristics of different office record types, and in the embodiment of the application, the number of elements of the importance coefficient characteristics corresponds to the number of key description mining threads, namely the number of visual office information nodes. Further, the cloud office server performs fusion processing on the key description features of the visual office information to be processed and the weight features of the corresponding abnormal office record types to obtain a fusion processing result of the key description content corresponding to each visual office information feature and the corresponding type, and the fusion processing result is used as a correlation coefficient between the visual office information node and the corresponding abnormal office record type.

103, respectively selecting the visual office information nodes of which the correlation coefficients of the abnormal office record types conform to the correlation analysis conditions from the plurality of visual office information nodes, and taking the selected visual office information nodes as the abnormal office visual information mined from the visual office information to be processed.

In the actual application process, the cloud office server can select the same number of abnormal office visual information for each abnormal office record type, and can also select different numbers of abnormal office visual information for different abnormal office record types. For example, if the abnormal office record types are four stage types, i.e., an abnormal office record with a first risk degree, an abnormal office record with a second risk degree, an abnormal office record with a third risk degree, and an abnormal office record without risk, the cloud office server may select 10 pieces of abnormal office visual information for each abnormal office record type, may select 10 pieces of abnormal office visual information for the abnormal office record with the first risk degree and the abnormal office record with the second risk degree, and may select 5 pieces of abnormal office visual information for the abnormal office record with the third risk degree and the abnormal office record without risk, and the like.

In an exemplary embodiment, the step 103 of selecting the visualized office information nodes from the plurality of visualized office information nodes, where the correlation coefficient of each abnormal office record type meets the correlation analysis condition, may specifically be implemented as follows.

The cloud office server respectively carries out the following processing aiming at each abnormal office record type: sorting the visual office information nodes based on the correlation coefficient between the visual office information nodes and the abnormal office record type to obtain a visual office information node order; and selecting the visual office information nodes with the target number from the visual office information node sequence according to the descending mode of the correlation coefficient, taking the selected visual office information nodes as the visual office information nodes with the correlation coefficient of the abnormal office record type meeting the correlation analysis condition, and taking the selected visual office information nodes as the abnormal office visual information mined from the visual office information to be processed.

In the practical application process, the cloud office server arranges the visual office information nodes according to the sequence of the relevance coefficients of the visual office information nodes corresponding to the abnormal office record type from large to small aiming at one abnormal office record type in the abnormal office record types to obtain the visual office information node sequence. In the embodiment of the present application, the higher the correlation coefficient is, the more relevant the visualized office information node is to the abnormal office record type.

Further, the cloud office server selects visual office information nodes with the number of the targets arranged in front according to the arrangement of the visual office information sequence, the selected visual office information nodes are visual office information nodes with the degree of correlation with the abnormal office record type ranked in front, and the cloud office server takes the selected visual office information nodes as the abnormal office visual information mined from the visual office information to be processed to complete the mining of the abnormal office visual information. Through the sequencing mode, the abnormal office visual information is selected from the to-be-processed visual office information, and the visual office information nodes with the highest identification correlation with various abnormal office records in the to-be-processed visual office information can be mined.

In an exemplary embodiment, the step 103 of selecting the visualized office information nodes from the plurality of visualized office information nodes, where the correlation coefficient of each abnormal office record type meets the correlation analysis condition, may be specifically implemented as follows.

The cloud office server respectively carries out the following processing aiming at each abnormal office record type: acquiring a preset correlation coefficient corresponding to the abnormal office record type; and selecting the visual office information nodes with the correlation coefficient reaching the preset correlation coefficient from the plurality of visual office information nodes, taking the selected visual office information nodes as the visual office information nodes with the correlation coefficient of the abnormal office record conforming to the correlation analysis condition, and taking the selected visual office information nodes as the visual office information mined from the visual office information to be processed.

In the practical application process, the preset correlation coefficient can be set in advance. And when the correlation coefficient between the visual office information node and the corresponding abnormal office record type reaches the preset correlation coefficient, taking the visual office information node as the abnormal office visual information of the abnormal office record type. It can be understood that, for a certain abnormal office record type, if the correlation coefficients of all the visual office information nodes and the abnormal office record type reach the preset correlation coefficient, the cloud office server does not mine the abnormal office record type visual office information, that is, the correlation between the visual office information to be processed and the abnormal office record type is relatively low. The abnormal office visual information is mined by comparing the preset correlation coefficient, the abnormal office visual information with high correlation with the actual abnormal office record type can be mined, the visual office information nodes with relatively low correlation are prevented from being mined, and therefore the resource overhead of the cloud office server is saved.

In the embodiment of the application, the abnormal office record identification network for identifying the abnormal office record type is used for carrying out key description mining on the visual office information to be processed to obtain key description contents corresponding to a plurality of visual office information nodes of the visual office information to be processed, then the correlation coefficient of each visual office information node and each abnormal office record type is determined based on the key description contents, the abnormal office visual information is selected from the visual office information nodes based on the correlation coefficient, the abnormal office visual information can be automatically and intelligently identified and mined without setting an abnormal office record reference information set, and therefore the defects of low efficiency and information analysis delay caused by actively setting and adjusting the abnormal office record reference information set during the abnormal office visual information mining in a correlation scheme are overcome, the efficiency and the timeliness of the abnormal office visual information mining are improved.

In an exemplary embodiment, after the step 103 of using the selected visual office information node as the abnormal office visual information mined from the to-be-processed visual office information, the method may further include the following description: the cloud office server generates corresponding abnormal office warning information based on the abnormal office visual information; and sending the abnormal office warning information.

In the embodiment of the application, the to-be-processed visual office information is obtained from the target cooperative office item, in an actual application scene, the cloud office server can respond to the processing operation, activated by an office user, on the target cooperative office item, activate the abnormal office record recognition on the target cooperative office item, obtain the to-be-processed visual office information from the target cooperative office item, dig out the abnormal office visual information from the to-be-processed visual office information, further generate abnormal office warning information according to the abnormal office visual information, and send the warning information. In the embodiment of the application, the abnormal office warning information is used for prompting that the target cooperative office matters participated by the office user have the abnormal office visual information. The abnormal office warning information may be displayed in any display form, for example, in a floating form, at the forefront of the current page, and the like.

For an optional embodiment of the information processing method applied to big data cloud office, the method may further include the following contents described in steps 201 to 204 before performing key description mining on to-be-processed visual office information including a plurality of visual office information nodes based on the key description mining unit of the abnormal office record identification network described in step 101.

In step 201, the cloud office server performs key description mining on the reference visual office information including a plurality of reference visual office information nodes through a key description mining unit of the abnormal office record identification network to obtain key description content corresponding to each reference visual office information node.

In specific implementation, the reference visual office information is bound with an abnormal office record identification indicating an abnormal office record type corresponding to the reference visual office information.

Step 202, determining, by a relevance analysis unit of the abnormal office record identification network, a relevance coefficient between each corresponding reference visualized office information node and each abnormal office record type based on the key description content corresponding to each reference visualized office information node.

Step 203, performing, by the correlation analysis unit of the abnormal office record identification network, correlation analysis on the abnormal office record type of the reference visual office information based on the correlation coefficient between each reference visual office information node and each abnormal office record type, so as to obtain a correlated abnormal office type.

And 204, adjusting the configuration parameters of the key description mining unit and the configuration parameters of the correlation analysis unit based on the comparison result between the associated abnormal office type and the abnormal office record identification mark.

In practical application, an embodiment of a classification prediction process of an abnormal office record identification network provided by the embodiment of the present application is provided. The cloud office server imports the benchmark visual office information into the abnormal office record identification network, the key description mining unit of the abnormal office record identification network excavates the key description contents of the benchmark visual office information nodes of the benchmark visual office information, and the excavated key description contents of the plurality of benchmark visual office information nodes are imported into the correlation analysis unit. In the embodiment of the application, the correlation analysis unit comprises a first local correlation analysis unit and a second local correlation analysis unit, the cloud office server obtains importance coefficient characteristics corresponding to each abnormal office record type, the first correlation analysis unit determines correlation coefficients of each reference visual office information node and the corresponding abnormal office record type based on the importance coefficient characteristics of each abnormal office record type and key description contents of a plurality of reference visual office information nodes, and correlation analysis of the abnormal office record type is performed based on the correlation coefficients of each reference visual office information node and the corresponding abnormal office record type.

Illustratively, for an alternative embodiment of the classification prediction process of the abnormal office record recognition network provided by the embodiment of the present application. For the standard visual office information of ABCDEFG, the visual office information is composed of seven office data reports. Some exemplary key description mining units of the abnormal office records identification network include six convolution kernels, including two scale 4 convolution kernels, two scale 3 convolution kernels, and two scale 2 convolution kernels. After key description mining is carried out on the reference visual office information by a convolution kernel with the scale of 4, 4 candidate reference visual office information nodes and corresponding key description contents are obtained, and then the candidate reference visual office information node with the maximum description value corresponding to the key description contents is selected from the 4 candidate reference visual office information nodes by the cloud office server to serve as the reference visual office information node obtained by the convolution kernel mining.

It can be understood that after the reference visual office information is subjected to key description mining by the two convolution cores with the scale of 3, 5 candidate reference visual office information nodes and corresponding key description contents are obtained, and after the reference visual office information is subjected to key description mining by the convolution cores with the scale of 2, 6 candidate reference visual office information nodes and corresponding key description contents are obtained.

And respectively selecting the candidate standard visualized office information node with the maximum description value corresponding to the key description content by each convolution kernel as the standard visualized office information node mined by the convolution kernel. The cloud office server guides key description contents corresponding to the reference visual office information nodes mined by the convolution kernels into a correlation analysis unit of the abnormal office record identification network, obtains correlation coefficients of the reference visual office information nodes and abnormal office record types through the correlation analysis unit based on the key description contents of the reference visual office information nodes and the importance coefficient characteristics of the corresponding abnormal office record types, splices the correlation coefficients of the visual office information nodes and the corresponding abnormal office record types to obtain the correlation coefficient characteristics of the abnormal office record types, determines the possibility that the reference visual office information corresponds to the abnormal office record types based on the correlation coefficient characteristics of the abnormal office record types, and determines the possibility that the reference visual office information corresponds to the abnormal office record types based on the possibility that the reference visual office information corresponds to the abnormal office record types, and determining the abnormal office record type corresponding to the standard visualized office information, and taking the determined abnormal office record type as the associated abnormal office type.

The above illustrated abnormal office record identification network is a two-class network, and includes a first abnormal office record type and a second abnormal office record type, and in an exemplary embodiment, the abnormal office record identification network may be further configured as an abnormal office record identification.

In the actual application process, after the cloud office server obtains the associated abnormal office type of the reference visual office information, the cloud office server adjusts the network configuration parameters of the abnormal office record recognition network based on the comparison result between the associated abnormal office type and the recognition identifier marked on the reference visual office information. In the embodiment of the application, the cloud office server determines a comparison result between the associated abnormal office type and the identification mark by calculating the network evaluation data of the abnormal office record identification network. And when the value of the network evaluation data reaches the comparison result threshold value, the cloud office server determines corresponding deviation information based on the network evaluation data, feeds the deviation information back in the abnormal office record identification network from the output layer of the abnormal office record identification network, and adjusts the network configuration parameters of the abnormal office record identification network in the feedback process.

Explaining feedback in the embodiment of the application, a training sample is transmitted to an input layer of a neural network, passes through a hidden layer, finally reaches an output layer and outputs a result, which is a forward feedback process of the neural network, because the output result of the neural network has an error with an actual result, an error between the output result and the actual value is calculated, the error is fed back from the output layer to the hidden layer until the error is fed back to the input layer, and in the feedback process, the value of a network configuration parameter is adjusted according to the error; and continuously iterating the process until the convergence state is achieved.

Taking the above network evaluation data as an example, the cloud office server determines deviation information based on the network evaluation data, the deviation information is fed back from the output layer of the abnormal office record identification network, the deviation information is fed back layer by layer, when the deviation information reaches each layer, the gradient (which can also be understood as a partial derivative of the network evaluation data to the configuration parameters of the layer) is solved by combining the conducted deviation information, and the configuration parameters of the layer are adjusted to the corresponding gradient values.

In an exemplary embodiment, the correlation analysis is performed on the abnormal office record type of the reference visualized office information based on the correlation coefficient between each reference visualized office information node and each abnormal office record type to obtain the associated abnormal office type, and the method may be further implemented as follows.

The cloud office server respectively determines the possibility that the benchmark visual office information corresponds to each abnormal office record type based on the correlation coefficient of each benchmark visual office information node and each abnormal office record type; and determining an abnormal office record type corresponding to the reference visual office information based on the possibility that the reference visual office information corresponds to each abnormal office record type, and taking the determined abnormal office record type as the associated abnormal office type.

In the practical application process, the cloud office server determines the possibility that the reference visual office information corresponds to the corresponding abnormal office record type based on the correlation coefficient between each reference visual office information node and the corresponding abnormal office record type, determines the abnormal office record type corresponding to the reference visual office information based on the possibility that the reference visual office information corresponds to each abnormal office record type, and identifies the associated abnormal office type of the network correlation analysis by taking the determined abnormal office record type as the abnormal office record.

In the embodiment of the present application, only the reference visual office information needs to be actively marked, and the abnormal visual office information in the embodiment of the present application is one or more visual office information nodes in the reference visual office information, and in the embodiment of the present application, the reference visual office information is defined as the persistent visual office information, and the abnormal visual office information is defined as the intermittent visual office information, it can be understood that the embodiment of the present application is to perform supervised training on the abnormal office record recognition network based on the persistent visual office information actively marked, and then perform mining on the intermittent visual office information based on the abnormal office record recognition network obtained by the supervised training on the persistent visual office information, because the quantity of items for marking the persistent visual office information is less compared with the marking of the intermittent visual office information, therefore, the active marking project load is reduced, the defect that the work load of intermittent visual office information identification is large when the intermittent visual office information needs to be actively marked is avoided, and meanwhile, the accuracy of an abnormal office record identification network is also guaranteed.

Next, description is continued on the information processing method applied to the big data cloud office provided in the embodiment of the present application, and for some optional embodiments, the information processing method applied to the big data cloud office provided in the embodiment of the present application is cooperatively implemented by an online office device and a cloud office server.

In step 301, the online office device generates a participation request for the target collaborative office event in response to the processing operation for the target collaborative office event.

Step 302, the online office equipment sends a participation request to a cloud office server.

Step 303, the cloud office server responds to the participation request, acquires the item information of the target collaborative office item, performs mining on the item information of the visual office information, and uses the visual office information obtained by mining as the visual office information to be processed.

It can be understood that, after receiving the participation request, the cloud office server may access the target cooperative office event and return the accessed event information to the online office device for transmission, and simultaneously activate the abnormal office record analysis of the target cooperative office event, and execute the operation of acquiring the event information of the target cooperative office event. In an exemplary embodiment, after receiving the participation request, the cloud office server may also first interrupt an access process to the target cooperative office item, activate an abnormal office record analysis of the target cooperative office item, continue to access the target cooperative office item and return item information to the online office device after the abnormal office record analysis passes, and return abnormal office warning information when the abnormal office record analysis fails.

And 304, the cloud office server performs key description mining on the to-be-processed visual office information comprising a plurality of visual office information nodes through a key description mining unit of the abnormal office record identification network to obtain key description contents corresponding to each visual office information node.

Step 305, the cloud office server determines a correlation coefficient between each corresponding visual office information node and each abnormal office record type respectively based on the key description content corresponding to each visual office information node through a correlation analysis unit of the abnormal office record identification network.

Step 306, the cloud office server selects, from the plurality of visual office information nodes, visual office information nodes whose correlation coefficients of the abnormal office record types meet the correlation analysis conditions, respectively, and uses the selected visual office information nodes as the abnormal office visual information mined from the to-be-processed visual office information.

And 307, the cloud office server generates abnormal office warning information according to the abnormal office visual information.

And 308, the cloud office server sends abnormal office warning information to the online office equipment.

Step 309, the online office equipment sends the abnormal office warning information.

It can be understood that, when the visual office information nodes meeting the correlation analysis condition exist in the plurality of visual office information nodes, the cloud office server takes all the visual office information nodes meeting the correlation analysis condition as the abnormal office visual information, and generates corresponding abnormal office warning information according to the abnormal office visual information. In this embodiment of the application, the cloud office server may generate the abnormal office warning information of the corresponding content according to the number of the abnormal office visual information and the abnormal office record level corresponding to each abnormal office visual information, or execute a corresponding abnormal office record blocking operation, for example, block participation in the target collaborative office event. When the visual office information nodes which meet the correlation analysis condition do not exist in all the visual office information nodes, the cloud office server generates warning information which is analyzed through abnormal office records to the cloud office server, or the cloud office server directly participates in target cooperative office matters to obtain the item information, and returns the item information to the online office equipment, so that the online office equipment directly displays the item information.

After the online office equipment receives the abnormal office warning information, the user can perform corresponding protection operation on the target cooperative office item based on the abnormal office warning information.

In the embodiment of the application, the online office equipment responds to the processing operation of the target cooperative office item, generates the participation request and sends the participation request to the cloud office server, the cloud office server responds to the participation request to activate the abnormal office record analysis of the target cooperative office item, performs key description mining on the visual office information to be processed through an abnormal office record identification network for identifying the type of the abnormal office record to obtain key description contents corresponding to a plurality of visual office information nodes of the visual office information to be processed, then determines the correlation coefficient of each visual office information node and each abnormal office record type based on the key description contents, and selects the abnormal office visual information from the plurality of visual office information nodes based on the correlation coefficient, and the method can be automated without setting an abnormal office record reference information set, The abnormal office visual information is intelligently identified and mined, so that the timeliness of the abnormal office visual information mining is improved, and the safety of the online office equipment when accessing the target cooperative office items is also guaranteed.

In conclusion, by implementing the above scheme, the abnormal office record identification network for identifying the abnormal office record type is used for performing key description mining on the visual office information to be processed to obtain key description contents corresponding to a plurality of visual office information nodes of the visual office information to be processed, then the correlation coefficient between each visual office information node and each abnormal office record type is determined based on the key description contents, the abnormal office visual information is selected from the plurality of visual office information nodes based on the correlation coefficient, the abnormal office visual information can be automatically and intelligently identified and mined without setting the abnormal office record reference information set, and therefore the defect of information analysis delay caused by actively setting and adjusting the abnormal office record reference information set during the abnormal office visual information mining in the correlation scheme is overcome, the timeliness of the abnormal office visual information mining is improved.

In some optional and independently implementable embodiments, after the step of selecting the selected visual office information node as the abnormal office visual information mined from the to-be-processed visual office information, the method may further include the following steps: and when detecting that the abnormal office visual information has the abnormal risk identification, analyzing the acquired operation behavior data to detect the behavior risk.

In some alternative and independently implementable embodiments, analyzing the obtained operational behavior data for behavior risk detection may include the following: and determining the operation path change degree for generating the behavior risk detection information according to the activity degrees of the operation behaviors of different operation behavior data.

In some alternative and independently implementable embodiments, determining the operation path variation degree for generating the behavior risk detection information according to the operation behavior liveness of different operation behavior data may include the following: acquiring the operation behavior activity of each operation behavior data in the operation behavior data track; summarizing an authentication operation behavior data set from the operation behavior data track according to the operation behavior activity of each operation behavior data; determining safe operation behavior data in the operation behavior data track and operation path variation degree of the safe operation behavior data based on the authentication operation behavior data set; obtaining an operation behavior data set to be verified in the operation behavior data track according to operation behavior data in the operation behavior data track except the safe operation behavior data and a path transfer relationship between the operation behavior data; determining the operation path variation degree of each operation behavior data in the operation behavior data set to be verified based on the operation behavior data set to be verified and the safety operation behavior data; and the determined operation path change degree is used for generating behavior risk detection information corresponding to corresponding operation behavior data.

With respect to the above-described embodiments, which can be implemented independently, the following description is relevant.

S301, obtaining the operation behavior liveness of each operation behavior data in the operation behavior data track.

For example, a data trace is a content that integrates behavioral relationships between operational behavior data, which may also be referred to as data trace nodes, including a series of operational behavior data and path transitive relationships for connecting the operational behavior data. A path transfer relationship exists between the two operation behavior data, which indicates that an association exists between the two operation behavior data. The path passing relationship between two operational behavior data may have a weight.

In this embodiment of the application, the operation behavior data may be cloud office behavior data, such as file uploading, file downloading, file storage, conference video access, and the like. Accordingly, the subsequent business operations and business behaviors can be understood as cloud office operations or cloud office behaviors, and are not limited herein.

The operation behavior liveness of the operation behavior data refers to an operation behavior association degree of associated operation behavior data associated with the operation behavior data, and the associated operation behavior data refers to operation behavior data having a path transfer relationship with the operation behavior data.

In addition, the operational behavior data track is a data track generated from internet-based business operational behavior data. The service operation behavior data may be, for example, service execution trigger flow data and the like, and the corresponding operation behavior data trace may be, for example, a service execution data trace and the like.

It can be understood that, in order to implement analysis of valuable information in a complex network environment, the cloud office server may generate an operation behavior data track based on a large amount of service interaction data in the network environment, and obtain operation behavior liveness of each operation behavior data in the operation behavior data track, thereby implementing data track analysis on the operation behavior data track according to the operation behavior data track and the operation behavior liveness of each operation behavior data therein. The data track analysis refers to a process of analyzing potentially valuable information from the data track by using some algorithm, and the data track analysis may include behavior risk identification of the operation behavior data, operation behavior data set analysis and the like.

In the embodiment of the application, the operation path change degree of each operation behavior data in the operation behavior data track is mainly analyzed, and after the operation path change degree of each operation behavior data is obtained, not only can a set of operation behavior data meeting the specified operation path change degree be found out from the operation behavior data track, but also corresponding behavior risk detection information can be generated according to the operation path change degree of each operation behavior data and used as the input of other machine learning algorithms.

In one embodiment, the operation behavior data trace may be a service execution data trace, and the generating of the service execution data trace includes: acquiring a service execution record corresponding to the cloud service object information; acquiring service execution triggering process data among the cloud service object information according to the service execution record; generating a service execution data track according to the service execution triggering flow data; the operation behavior data of the service execution data track represents cloud service object information, and the path transfer relationship between two operation behavior data in the service execution data track represents that service execution triggering process content exists between two corresponding cloud service object information.

The content of the business execution triggering process is at least one of business testing, business training, business starting, business consultation and other business starting processes. In this embodiment, one piece of cloud service object information is one piece of operation behavior data, and if there is a service execution triggering process content between two pieces of cloud service object information, a path transfer relationship may be formed between the two pieces of cloud service object information. For example, when the cloud service object T1 performs a service test on the cloud service object T2, a path transfer relationship is formed between the cloud service object T1 and the cloud service object T2. It can be understood that when the operation behavior association degree corresponding to the cloud service object group is large, the operation behavior association degree of the path transfer relationship formed between the cloud service object information is large, and thus, the generated service execution network topological graph is large. For example, in a related business execution scenario, the operation behavior association degree of the operation behavior data may reach tens of millions, and the number of path transfer relationships formed among the tens of millions of operation behavior data may reach a large scale of billions.

In one embodiment, the operation behavior data track may be an operation behavior data track formed by the cloud service object in the process of executing the service, and the generating step of the operation behavior data track formed by the cloud service object in the process of executing the service includes: acquiring historical subscription data of cloud service object information; generating an operation behavior data track formed by the cloud service object in the service execution process according to the historical subscription data; the operation behavior data of the operation behavior data track formed by the cloud service object in the service execution process represents cloud service object information, and the path transfer relationship between two operation behavior data in the operation behavior data track formed by the cloud service object in the service execution process represents that historical subscription behavior exists between two corresponding pieces of cloud service object information.

In this embodiment, one piece of cloud service object information corresponds to one piece of operation behavior data. If a historical subscription behavior exists between the two pieces of cloud service object information, a path transfer relationship can be formed between the two pieces of cloud service object information. In another embodiment, if two pieces of cloud service object information form a matching relationship with each other, a path transfer relationship is formed between the two pieces of cloud service object information. Similarly, when the operation behavior association metric corresponding to the cloud service object information is large, the operation behavior data track formed by the cloud service object in the service execution process is also very complex.

In one embodiment, obtaining the operation behavior liveness of each operation behavior data in the operation behavior data track includes: acquiring an operation behavior data track; determining the operation behavior association degree of the associated operation behavior data of each operation behavior data in the operation behavior data track; and taking the operation behavior association degree of the associated operation behavior data as the operation behavior activity degree of the corresponding operation behavior data.

Data tracks may be represented by graph data or a track list. The cloud office server can obtain track lists or graph data corresponding to the operation behavior data tracks, and traverse operation behavior association degrees of adjacent operation behavior data of each operation behavior data in the operation behavior data tracks from the track lists or the graph data, wherein the operation behavior association degrees of the associated operation behavior data can be used as operation behavior liveness of the corresponding operation behavior data.

In a service execution scenario, the operation behavior liveness of certain operation behavior data in a service execution data track may be understood as an operation behavior association degree of the operation behavior data having an execution behavior with the operation behavior data. In a related scenario, the operation behavior liveness of certain operation behavior data in an operation behavior data track formed by a cloud service object in the process of executing a service may be understood as an operation behavior association degree of operation behavior data having a historical subscription behavior with the operation behavior data.

And S302, summarizing an authentication operation behavior data set from the operation behavior data track according to the operation behavior activity of each operation behavior data.

In this embodiment, the operation path change degree of each operation behavior data in the operation behavior data track is mainly analyzed. The Degree of change of the operation path (Degree of variation) is one of the indexes used to determine the importance of the operation behavior data in the whole operation behavior data trajectory. The K groups of operation behavior data sets of a data track refer to candidate operation behavior data sets after operation behavior data with operation behavior liveness smaller than or equal to K are repeatedly removed from the data track, in other words, all data track nodes with operation behavior liveness smaller than K in the data track L are deleted to obtain an operation behavior data set M; and deleting all the data track nodes with the operation behavior liveness smaller than K in the data track M to obtain a new operation behavior data set Mt, …, and so on until the operation behavior liveness of each operation behavior data in the candidate operation behavior data set is larger than K, and obtaining K groups of operation behavior data sets of the data track L. The operation path variation degree of the operation behavior data is defined as the maximum group operation behavior data set corresponding to the operation behavior data, that is, if one operation behavior data exists in the y group operation behavior data set and is deleted in the (y + 1) group operation behavior data set, the operation path variation degree of the operation behavior data is y.

For example, 2 groups of operation behavior data sets are obtained by removing all operation behavior data with an operation behavior liveness smaller than 2 from the data tracks, then removing operation behavior data with an operation behavior liveness smaller than 2 from the remaining data tracks, and so on until the operation behavior data cannot be removed; the 3 groups are that all operation behavior data with the operation behavior liveness smaller than 3 are removed from the data track, then the operation behavior data with the operation behavior liveness smaller than 3 are removed from the rest data track, and the rest is repeated until the operation behavior data can not be removed, so that 3 groups of operation behavior data sets of the data track are obtained. If an operation behavior data is in 5 groups of operation behavior data sets at most and not in 6 groups of operation behavior data sets, the operation path change degree of the operation behavior data is 5.

According to the above analysis, the operation behavior data with the operation path variation degree greater than K inevitably has the operation behavior activity degree greater than K. Therefore, in the embodiment of the application, the cloud office server summarizes the original operation behavior data trajectory into two parts, namely an authentication operation behavior data set and an operation behavior data set to be verified according to the operation behavior activity of each operation behavior data and the relevant threshold value by setting a relevant threshold value, and then sequentially analyzes the operation path change degree of each operation behavior data. The authentication operation behavior data set is summarized from the operation behavior data track through the relevant threshold, the authentication operation behavior data set can be directly analyzed, and the situation that more cycle time and service processing computing resources are spent on operation behavior data which are not focused on and have the operation path change degree smaller than the relevant threshold is avoided, which is very important for the operation path change degree analysis of a large-scale network. It is to be understood that the operation behavior activity of each operation behavior data in the authentication operation behavior data set is necessarily greater than the associated threshold, but the operation behavior data in the operation behavior data trace whose operation behavior activity is greater than the associated threshold does not necessarily exist in the authentication operation behavior data set.

The preset correlation threshold value can be set according to actual needs. Optionally, the preset relevant threshold may be determined according to the needs of a specific service scenario, for example, according to past experience, the operation behavior data with the operation path change degree greater than 300 plays a relatively large role in the operation behavior data trajectory, and then the cloud office server may set the preset relevant threshold to 300.

Optionally, the preset correlation threshold may be determined according to the limit of the business processing computing resource, because the smaller the correlation threshold is set, the greater the operation behavior association degree of the operation behavior data included in the authentication operation behavior data set summarized from the operation behavior data track is, the larger the authentication operation behavior data set is, the more the needed business processing computing resource is, and otherwise, the larger the correlation threshold is set, the smaller the authentication operation behavior data set summarized from the operation behavior data track is, the less the needed business processing computing resource is.

Optionally, the magnitude of the correlation threshold may also be set according to the distribution of the operation activity of each operation activity data in the operation activity data track, for example, if the operation activity of most operation activity data in the operation activity data track is less than a certain value, the correlation threshold may be set to the value.

In one embodiment, summarizing an authenticated operation behavior data set from operation behavior data tracks according to operation behavior activity of each operation behavior data and a preset relevant threshold, the method includes: acquiring a preset correlation threshold; and deleting the operation behavior data with the operation behavior liveness smaller than or equal to the relevant threshold value and the path transfer relationship corresponding to the operation behavior data from the operation behavior data track, and obtaining an authentication operation behavior data set according to the candidate operation behavior data in the operation behavior data track and the path transfer relationship between the candidate operation behavior data.

In some examples, according to a preset relevant threshold, the cloud office server filters out operation behavior data with an operation behavior activity degree smaller than the relevant threshold and equal to the relevant threshold from the historical operation behavior data track, that is, an authentication operation behavior data set is obtained, and the obtained operation behavior activity degrees of all the operation behavior data in the authentication operation behavior data set are larger than the relevant threshold. It can be seen that the larger the relevant threshold is set, the smaller the obtained authentication operation behavior data set is, and the less the required business processing computing resources are.

For example, the embodiments of the operation behavior data track decomposed by data mining and summarized by correlation threshold respectively may be as follows: analyzing the operation path change degree of each operation behavior data in the operation behavior data track according to a data mining algorithm and a set sequence according to K =1, K =2 and K =3 …, starting from K =1, repeatedly removing the operation behavior data with the operation behavior liveness less than or equal to K, for K =1, the cloud office server needs to cycle 2 times, for K =2, the cloud office server needs to cycle 2 times, for K =3, the cloud office server needs to cycle 2 times, K =4, and the cloud office server needs to cycle 2 times, since there is no operation behavior data with an operation behavior liveness greater than 5, therefore, for K =5, the cloud office server needs to cycle 1 time, in other words, the cloud office server needs to cycle 9 times in total, so as to determine the operation path variation degree of each operation behavior data in the data track, and obtain the operation behavior data set composed of the operation behavior data with the same operation path variation degree.

For another example, the operation behavior data with the operation behavior liveness smaller than the preset relevant threshold value can be directly removed from the historical operation behavior data track in a circulating manner, the historical operation behavior data track is summarized into the authentication operation behavior data set and the operation behavior data set to be verified with the relevant threshold value being 2, for example, the cloud office server circularly filters out the operation behavior data with the operation behavior liveness smaller than 2 and the operation behavior data equal to 2, the operation is performed for 2 times in total, the authentication operation behavior data set and the operation behavior data set to be verified can be determined from the historical operation behavior data track, and due to the circularly determined performance to be verified, the operation path change degree of a large number of operation behavior data in the subsequent circulating process is no longer optimized after being determined.

And S303, determining the safe operation behavior data in the operation behavior data track and the operation path change degree of the safe operation behavior data based on the authentication operation behavior data set.

The safety operation behavior data is operation behavior data, wherein the operation path change degree analyzed from the authentication operation behavior data set is greater than a preset relevant threshold value. After summarizing the authentication operation behavior data set from the operation behavior data track, the cloud office server firstly analyzes the authentication operation behavior data set, and determines the safety operation behavior data and the operation path change degree of the safety operation behavior data so as to realize the first step of splitting processing and distributed processing analysis.

In some examples, since the operation behavior activity of each operation behavior data in the operation behavior data set to be verified is less than the preset relevant threshold, each operation behavior data in the operation behavior data set to be verified does not affect the operation path change degree of each operation behavior data in the authentication operation behavior data set, and then the cloud office server may directly focus on the authentication operation behavior data set, analyze the authentication operation behavior data set, determine the operation path change degree of each operation behavior data according to the operation behavior activity of each operation behavior data in the authentication operation behavior data set, and use the operation behavior data with the operation path change degree greater than the preset relevant threshold as the safe operation behavior data in the operation behavior data track.

In one embodiment, the cloud office server may directly perform data mining analysis on the authentication operation behavior data set by using a data mining algorithm, and analyze the security operation behavior data with the operation path change degree greater than a preset relevant threshold from the authentication operation behavior data set. In some examples, according to the condition that the operation behavior data with the operation behavior activity degree smaller than or equal to K is equal to the preset relevant threshold at K =1, K =2, …, K is repeatedly removed from the authentication operation behavior data set to obtain K groups of operation behavior data sets, so as to determine the operation behavior data set with the maximum operation path change degree of each operation behavior data in the authentication operation behavior data set, so as to determine the operation path change degree of each operation behavior data, and the operation behavior data with the operation path change degree larger than the preset relevant threshold is taken as the safe operation behavior data.

In one embodiment, when the cloud office server circulates the authentication operation behavior data set, in the current circulation process, the operation path variation degree of the corresponding operation behavior data in the current circulation process is optimized by using the dominant feedback coefficient of each associated operation behavior data after the previous circulation of the operation behavior data. Moreover, since one operation behavior data does not affect the determination of the operation path change degree of other operation behavior data of which the operation path change degree is greater than that of the operation behavior data, after the operation path change degree of each operation behavior data is optimized in a secondary loop, the cloud office server can further continue to participate in the next loop in the operation behavior data of which the optimized operation path change degree is greater than the preset related threshold, and the operation behavior data of which the optimized operation path change degree is less than or equal to the preset related threshold no longer participate in the next loop, so that the operation behavior data of which the operation path change degree is greater than the preset related threshold in the authentication operation behavior data set can be analyzed.

In one embodiment, the explicit feedback coefficient of all associated operation behavior data of the operation behavior data may be an x coefficient, and if the x coefficient of one operation behavior data is x, it indicates that the operation behavior data has at least x associated operation behavior data, and the operation behavior liveness of the x associated operation behavior data is not less than x. In other words, if the operation behavior data satisfies that the current operation path variation degree of x associated operation behavior data in the associated operation behavior data is greater than or equal to x, and does not satisfy that the current operation path variation degree of x +1 associated operation behavior data is greater than or equal to x +1, determining that the dominant feedback coefficient corresponding to the operation behavior data is x, where x is a positive integer.

In one embodiment, determining the safe operation behavior data in the operation behavior data track and the operation path variation degree of the safe operation behavior data based on the authentication operation behavior data set may include the following.

S401, according to the operation behavior association degree of the operation behavior data in the authentication operation behavior data set, obtaining the operation behavior activity degree of the operation behavior data in the authentication operation behavior data set, and taking the operation behavior activity degree in the authentication operation behavior data set as the initial current operation path change degree of the corresponding operation behavior data.

In some examples, when analyzing the authentication operation behavior data set, the cloud office server may reset the operation path change degree of each operation behavior data in the authentication operation behavior data set by using the operation behavior activity degree of each operation behavior data in the authentication operation behavior data set as the initial current operation path change degree.

It is to be understood that the "current operation path change degree" in the present embodiment is dynamically changed, and refers to an operation path change degree at which each operation behavior data is optimized after the previous cycle, and the "previous cycle process" and the "current cycle process" are also dynamically changed, and at the next cycle, the "current cycle process" becomes the "previous cycle process", and the "current cycle process" becomes the "current cycle process".

S402, circularly executing each operation behavior data in the authentication operation behavior data set, and determining an explicit feedback coefficient corresponding to the operation behavior data according to the current operation path variation degree of the operation behavior data in the authentication operation behavior data set; deleting the operation behavior data from the authentication operation behavior data set when the dominant feedback coefficient is less than or equal to a preset correlation threshold; and when the dominant feedback coefficient is larger than the correlation threshold and smaller than the current operation path change degree of the operation behavior data, optimizing the current operation path change degree of the operation behavior data according to the dominant feedback coefficient of the operation behavior data, and terminating the cycle until the current operation path change degree of each operation behavior data in the authentication operation behavior data set is not optimized in the secondary cycle process.

In some examples, the cloud office server needs to process each operational behavior data in the authentication operational behavior data set during each cycle. Determining an explicit feedback coefficient corresponding to each operation behavior data in the authentication operation behavior data set according to the current operation path variation degree of the associated operation behavior data, namely the operation path variation degree of all associated operation behavior data after the previous round of circulation process, wherein if the explicit feedback coefficient of the operation behavior data is less than or equal to a preset related threshold, the operation behavior data does not influence the determination that the operation path variation degree is greater than the operation path variation degree of other operation behavior data of the operation behavior data, the operation behavior data does not need to participate in the subsequent circulation process, and the operation behavior data can be deleted from the authentication operation behavior data set; if the dominant feedback coefficient of the operation behavior data is larger than the preset relevant threshold and smaller than the current operation path variation degree of the operation behavior data, the dominant feedback coefficient is utilized to optimize the current operation path variation degree of the operation behavior data, and the operation behavior data also needs to continuously participate in the subsequent cycle process.

Because the operation path change degree of each operation behavior data in the current cycle process is determined according to the operation path change degrees of the operation behavior data in the previous cycle process, the method has local expansibility, and can be easily expanded into distributed parallel computing logic, thereby accelerating the whole data analysis process.

And the loop termination condition is that the current operation path change degrees of all the operation behavior data left in the authentication operation behavior data set are not changed in the process of secondary loop. In other words, when the explicit feedback coefficient determined according to the operation path variation degree of the operation behavior data associated with the operation behavior data in the previous cycle is consistent with the current operation path variation degree of the operation behavior data, the operation path variation degree of the operation behavior data is not optimized, and if the current operation path variation degrees of all the remaining operation behavior data in the authentication operation behavior data set are not optimized in the current cycle process, the cycle is terminated.

It can be understood that, since the operation behavior data with the explicit feedback coefficient less than or equal to the preset correlation threshold value in the authentication operation behavior data set is deleted in each loop process, the authentication operation behavior data set is also dynamically changed in the loop process, such that the associated operational behavior data for each operational behavior data in the authentication operational behavior data set is also constantly changing, when determining its dominant feedback coefficient based on the degree of change of the current operation path of the associated operation behavior data of each operation behavior data, should be determined according to the current operation path variation degree of the operation behavior data in the associated operation behavior data in the current authentication operation behavior data set, instead of determining the operation behavior data according to the current operation path change degree of the associated operation behavior data in the initial authentication operation behavior data set, the calculation load can be further reduced.

In one embodiment, after the secondary cycle, if the dominant feedback coefficient of the operation behavior data obtained by calculation is smaller than or equal to the preset related threshold, the cloud office server may summarize the operation behavior data into a security abnormal state, and then the operation behavior data summarized into the security abnormal state will not participate in the next cycle process.

In one embodiment, the method further comprises: after the current cycle is finished, recording operation behavior data with the optimized current operation path change degree in the current cycle process; the recorded operation behavior data is used for indicating that the recorded associated operation behavior data of the operation behavior data in the authentication operation behavior data set is used as target operation behavior data needing to determine the dominant feedback coefficient again in the next circulation process when the next circulation starts; for each operation behavior data in the authentication operation behavior data set, determining an explicit feedback coefficient corresponding to the operation behavior data according to the current operation path variation degree of the operation behavior data in the authentication operation behavior data set, including: and determining an explicit feedback coefficient corresponding to the target operation behavior data according to the current operation path variation degree of the target operation behavior data in the associated operation behavior data in the authentication operation behavior data set.

In this embodiment, by recording the operation behavior data with the optimized current operation path variation degree in the current cycle process, the operation behavior data with the operation path variation degree that needs to be determined again in the next cycle process can be directly determined. When the operation path change degree of a certain operation behavior data is optimized, the operation behavior data will influence the determination of the operation path change degree of the operation behavior data associated with the operation behavior data, therefore, after the secondary cycle process is finished, the operation behavior data with the optimized operation path change degree are recorded, when the next cycle starts, the operation behavior data associated with the operation behavior data are traversed from the candidate operation behavior data in the authentication operation behavior data set and serve as the operation behavior data needing to determine the operation path change degree again in the next cycle process, the operation path change degree can be prevented from being determined again for all the operation behavior data in the authentication operation behavior data set, and the analysis efficiency is improved. It is to be understood that the associated operation behavior data of the operation behavior data for which the degree of change of the current operation path is optimized does not include operation behavior data that has been deleted from the authenticated operation behavior data set.

In one embodiment, the method further comprises: when the secondary loop process starts, resetting the optimization times of the operation behavior data to be zero, wherein the optimization times of the operation behavior data are used for recording the operation behavior association degree of the operation behavior data with the optimized current operation path change degree in the secondary loop process; counting the operation behavior association degree of the operation behavior data with the optimized current operation path variation degree in the current circulation process; optimizing the optimization times of the operation behavior data according to the operation behavior association degree; on the premise that the secondary circulation process is finished, if the optimization times of the operation behavior data are nonzero, continuing the next circulation process; and on the premise that the secondary loop process is finished, if the optimization times of the operation behavior data are zero, the loop is terminated.

In this embodiment, in the process of analyzing the authentication operation behavior data set, a flag may be used to record the operation behavior association degree of the operation behavior data with the current operation path variation degree being optimized in the current cycle process. The cloud office server may set an operation behavior association degree for recording operation behavior data of which the current operation path change degree is optimized in each round of loop process, and set the flag to 0 when the secondary loop process starts, and for the operation behavior data participating in the secondary loop, the flag is +1 whenever the operation path change degree of one operation behavior data is optimized, and then after the secondary loop ends, if the flag is not 0, it indicates that the operation behavior data of which the operation path change degree is optimized exists in the secondary loop process, it is necessary to continue the loop, and if the flag is 0, it indicates that the operation behavior data of which the operation path change degree is optimized does not exist in the whole secondary loop process, and the whole loop process ends.

And S403, taking the operation behavior data in the authentication operation behavior data set obtained when the cycle is terminated as safe operation behavior data, and taking the current operation path change degree of the safe operation behavior data when the cycle is terminated as the operation path change degree corresponding to the safe operation behavior data.

After the cycle is finished, the operation path change degrees of the candidate operation behavior data in the authentication operation behavior data set are all larger than the preset relevant threshold, so that the operation behavior data can be called as safe operation behavior data. The operation path variation degree of the safety operation behavior data is the operation path variation degree of the operation behavior data in the whole historical operation behavior data track.

In one possible embodiment, the process of determining the operation path variation degree of each operation behavior data in the authentication operation behavior data set is as follows:

1) determining the operation behavior activity degree of each operation behavior data in the authentication operation behavior data set according to the operation behavior association degree of each operation behavior data in the authentication operation behavior data set in association with the operation behavior data, and resetting the current operation path change degree of each operation behavior data by using the operation behavior activity degree;

2) resetting numRelationDegrid with zero, wherein the numRelationDegrid represents the operation behavior association degree of the operation behavior data with optimized operation path change degree in each cycle;

3) and determining an explicit feedback coefficient for each operation behavior data in the authentication operation behavior data set according to the current operation path variation degree of the associated operation behavior data, wherein the associated operation behavior data of the operation behavior data is the operation behavior data of the operation behavior data in the authentication operation behavior data set and the non-active state of the operation behavior data is filtered out. When the dominant feedback coefficient is smaller than or equal to a preset related threshold value, summarizing the operation behavior data into an inactive state; when the dominant feedback coefficient is larger than a preset related threshold and smaller than the change degree of the current operation path of the operation behavior data, optimizing the change degree of the current operation path of the operation behavior data according to the dominant feedback coefficient, and numrelative Degrid + 1;

4) when numrelatedDegreee is not 0, repeating the steps 2) to 3); otherwise, ending the circulation, wherein the current operation path change degree of the operation behavior data in the authentication operation behavior data set state which is not summarized as the inactive operation behavior data is the operation path change degree of the operation behavior data in the whole historical operation behavior data track, and the operation behavior data which is not summarized as the inactive operation behavior data is the safe operation behavior data in the operation behavior data track.

In this embodiment, the operation path variation degree of each operation behavior data in the authentication operation behavior data set is determined based on the dominant feedback coefficient, the operation path variation degree determined in each cycle is compared with the preset relevant threshold, only when the operation path variation degree determined in each cycle is greater than the relevant threshold, the operation behavior data continues to be cycled, otherwise, the operation behavior data does not participate in the subsequent cycle, and the analysis efficiency of the authentication operation behavior data set can be improved.

S304, obtaining an operation behavior data set to be verified in the operation behavior data track according to the operation behavior data except the safe operation behavior data in the operation behavior data track and the path transmission relationship between the operation behavior data.

In some examples, after the cloud office server determines the safe operation behavior data in the operation behavior data track, the operation path variation degree of the candidate operation behavior data in the operation behavior data track except the safe operation behavior data is smaller than or equal to a preset relevant threshold, and these operation behavior data and the path transmission relationship formed between them are referred to as an operation behavior data set to be verified.

In one embodiment, obtaining an operation behavior data set to be verified in an operation behavior data track according to operation behavior data in the operation behavior data track except for safe operation behavior data and a path transfer relationship between the operation behavior data, includes: deleting the safe operation behavior data from the operation behavior data track; and obtaining an operation behavior data set to be verified according to the candidate operation behavior data after the safe operation behavior data is deleted and the path transmission relation between the candidate operation behavior data.

Based on the above description, the data track may be stored in the form of graph data or a track list, after the cloud office server determines the safe operation behavior data in the operation behavior data track, the cloud office server may traverse from the graph data or the track list, and after deleting the safe operation behavior data, obtain candidate operation behavior data and a transfer relationship between the candidate operation behavior data, and obtain an operation behavior data set to be verified.

S305, determining the operation path change degree of each operation behavior data in the operation behavior data set to be verified based on the operation behavior data set to be verified and the safety operation behavior data.

The determination of the operation path change degree corresponding to each operation behavior data in the operation behavior data set to be verified also follows the above-mentioned dominant feedback coefficient cycle method, but since the secure operation behavior data may affect the determination of the operation path change degree of each operation behavior data in the operation behavior data set to be verified, the change value of the operation path change degree of the operation behavior data in the operation behavior data set to be verified by the secure operation behavior data also needs to be considered in the cycle process. After obtaining the operation behavior data set to be verified and the safe operation behavior data in the operation behavior data track, the cloud office server may determine the operation path variation degree of each operation behavior data in the operation behavior data set to be verified based on the operation behavior data set to be verified and the safe operation behavior data, so as to implement the second step of splitting processing and distributed processing analysis.

In one embodiment, the cloud office server may perform data mining analysis on the operation behavior data set to be verified by using a data mining algorithm, and analyze the operation path change degree of each operation behavior data from the operation behavior data set to be verified. In some examples, according to K =1, K =2, …, where K is equal to a preset correlation threshold, repeatedly removing operation behavior data whose operation behavior liveness is less than or equal to K from the operation behavior data set to be verified to obtain K groups of operation behavior data sets, thereby determining an operation behavior data set in which a maximum operation path variation degree of each operation behavior data in the operation behavior data set to be verified is located, and thus determining an operation path variation degree of each operation behavior data.

In one embodiment, when the operation behavior data set to be verified is circulated, in the current circulation process, after the operation behavior data is circulated for the previous time, the dominant feedback coefficient of the operation behavior data in the operation behavior data track associated with the operation behavior data is used to optimize the operation path variation degree of the corresponding operation behavior data in the current circulation process.

In one embodiment, the explicit feedback coefficient of all associated operation behavior data of the operation behavior data may be an x coefficient, and if the x coefficient of one operation behavior data is x, it indicates that the operation behavior data has at least x associated operation behavior data, and the operation behavior liveness of the x associated operation behavior data is not less than x. In other words, if the operation behavior data satisfies that the current operation path variation degree of x associated operation behavior data in the associated operation behavior data is greater than or equal to x, and does not satisfy that the current operation path variation degree of x +1 associated operation behavior data is greater than or equal to x +1, determining that the dominant feedback coefficient corresponding to the operation behavior data is x, where x is a positive integer.

In an embodiment, the determining of the operation path variation degree of each operation behavior data in the operation behavior data set to be verified based on the operation behavior data set to be verified and the safe operation behavior data may include the following.

S501, resetting the current operation path change degree of each operation behavior data in the operation behavior data set to be verified according to the operation behavior association degree of each operation behavior data in the operation behavior data set to be verified in the historical operation behavior data track.

In some examples, when analyzing the operation behavior data set to be verified, the cloud office server may reset the operation path variation degree of each operation behavior data in the operation behavior data set to be verified by using the operation behavior activity degree of each operation behavior data in the historical operation behavior data track as the initial current operation path variation degree.

In other words, when determining the operation path change degree of each operation behavior data in the operation behavior data set to be verified, in each loop process, not only the influence of the operation behavior data in the operation behavior data set to be verified on the operation behavior data set to be verified, but also the influence of the safe operation behavior data on the operation behavior data set to be verified needs to be considered, so that the change value of the safe operation behavior data on the operation behavior activity degree thereof needs to be considered, in other words, the sum of the operation behavior activity degree of the operation behavior data in the operation behavior data set to be verified and the operation behavior association degree of the operation behavior data connected with the safe operation behavior data is used for resetting the current operation path change degree of the operation behavior data, in other words, the operation behavior activity degree of the operation behavior data in the historical operation behavior data track.

In one embodiment, according to the foregoing steps, the operation path change degrees of the safe operation behavior data are determined, the operation path change degrees of the safe operation behavior data are all greater than the preset relevant threshold, and the operation path change degrees of the operation behavior data in the operation behavior data set to be verified are all less than or equal to the preset relevant threshold, so when determining the operation path change degrees of the operation behavior data in the operation behavior data set to be verified, if the operation path change degrees of the safe operation behavior data are required, in order to reduce resource occupation, the operation path change degrees of the safe operation behavior data may all be set to the preset relevant threshold, may also be set to any value greater than the preset relevant threshold, and may also directly use the operation path change degrees of the safe operation behavior data determined according to the foregoing steps, the setting in different modes does not influence the determination result of the operation path change degree of each operation behavior data in the operation behavior data set to be verified.

S502, circularly executing each operation behavior data in the operation behavior data set to be verified, and determining an explicit feedback coefficient corresponding to the operation behavior data according to the current operation path variation degree of the operation behavior data in the operation behavior data track; and when the dominant feedback coefficient is smaller than the current operation path change degree of the operation behavior data, optimizing the current operation path change degree of the operation behavior data according to the dominant feedback coefficient of the operation behavior data, and ending the circulation when the current operation path change degree of each operation behavior data in the operation behavior data set to be verified is not optimized in the secondary circulation process.

In some examples, during each cycle, the cloud office server needs to process each operational behavior data in the operational behavior data set to be verified. And determining an explicit feedback coefficient corresponding to the operation behavior data according to the current operation path variation degree of the associated operation behavior data in the operation behavior data track, namely the operation path variation degree of all the associated operation behavior data after the previous round of circulation process, of each operation behavior data in the operation behavior data set to be verified. It can be understood that, if the associated operation behavior data includes the safety operation behavior data, the operation path variation degree of the safety operation behavior data is determined in the foregoing steps, so that in the cyclic process of the operation behavior data set to be verified, the operation path variation degree of the safety operation behavior data does not participate in the optimization. And if the dominant feedback coefficient of the operation behavior data is smaller than the current operation path change degree of the operation behavior data, optimizing the current operation path change degree of the operation behavior data by using the dominant feedback coefficient. Because the operation path change degree of each operation behavior data in the current cycle process is determined according to the operation path change degree of all the associated operation behavior data of the operation behavior data in the previous cycle process, the method has local expansibility, and can be easily expanded into distributed parallel computing logic, thereby accelerating the whole analysis process.

And the cycle termination condition is that the change degrees of the current operation paths of all the operation behavior data in the operation behavior data set to be verified are not changed in the process of secondary cycle. In other words, when the dominant feedback coefficient determined according to the operation path variation degree of the operation behavior data associated with the operation behavior data in the previous cycle is consistent with the current operation path variation degree of the operation behavior data, the operation path variation degree of the operation behavior data is not optimized, and if the current operation path variation degrees of all the operation behavior data in the operation behavior data set to be verified are not optimized in the current cycle process, the cycle is terminated.

In one embodiment, the method further comprises: after the current cycle is finished, recording operation behavior data with the optimized current operation path change degree in the current cycle process; the recorded operation behavior data is used for indicating that when the next cycle starts, the recorded associated operation behavior data of the operation behavior data in the operation behavior data set to be verified is used as target operation behavior data of which the dominant feedback coefficient needs to be determined again in the next cycle process; for each operation behavior data in the operation behavior data set to be verified, determining an explicit feedback coefficient corresponding to the operation behavior data according to the current operation path variation degree of the operation behavior data in the operation behavior data track, wherein the determining comprises: and determining an explicit feedback coefficient corresponding to the target operation behavior data according to the current operation path variation degree of the associated operation behavior data of the target operation behavior data in the operation behavior data track for the target operation behavior data in the operation behavior data set to be verified.

In this embodiment, by recording the operation behavior data with the optimized current operation path variation degree in the current cycle process, the operation behavior data with the operation path variation degree that needs to be determined again in the next cycle process can be directly determined. When the operation path change degree of a certain operation behavior data is optimized, the operation behavior data will influence the determination of the operation path change degree of the operation behavior data associated with the operation behavior data, therefore, after the secondary cycle process is finished, the operation behavior data with the optimized operation path change degree is recorded, when the next cycle starts, the operation behavior data associated with the operation behavior data is traversed from the operation behavior data to be verified in a centralized manner and is used as the operation behavior data needing to determine the operation path change degree again in the next cycle process, the operation path change degree can be prevented from being determined again for all the operation behavior data in the operation behavior data to be verified, and the analysis efficiency is improved. It can be understood that, after determining the associated operation behavior data of the operation behavior data with the optimized current operation path change degree, if the associated operation behavior data includes the safety operation behavior data, the safety operation behavior data does not need to determine the operation path change degree again.

In one embodiment, the method further comprises: when the secondary loop process starts, resetting the optimization times of the operation behavior data to be zero, wherein the optimization times of the operation behavior data are used for recording the operation behavior association degree of the operation behavior data with the optimized current operation path change degree in the secondary loop process; counting the operation behavior association degree of the operation behavior data with the optimized current operation path variation degree in the current circulation process; optimizing the optimization times of the operation behavior data according to the operation behavior association degree; on the premise that the secondary circulation process is finished, if the optimization times of the operation behavior data are nonzero, continuing the next circulation process; and on the premise that the secondary loop process is finished, if the optimization times of the operation behavior data are zero, the loop is terminated.

In this embodiment, in the process of analyzing the operation behavior data set to be verified, a flag may be used to record the operation behavior association degree of the operation behavior data with the optimized current operation path change degree in the current cycle process. The cloud office server may set an operation behavior association degree for recording operation behavior data of which the current operation path change degree is optimized in each round of loop process, and set the flag to 0 when the secondary loop process starts, and for the operation behavior data participating in the secondary loop, the flag is +1 whenever the operation path change degree of one operation behavior data is optimized, and then after the secondary loop ends, if the flag is not 0, it indicates that the operation behavior data of which the operation path change degree is optimized exists in the secondary loop process, it is necessary to continue the loop, and if the flag is 0, it indicates that the operation behavior data of which the operation path change degree is optimized does not exist in the whole secondary loop process, and the whole loop process ends.

And S503, taking the current operation path change degree of the operation behavior data at the time of ending the loop as the operation path change degree corresponding to the operation behavior data.

After the circulation is finished, the operation path change degree of each operation behavior data in the operation behavior data set to be verified is the operation path change degree of the operation behavior data in the whole historical operation behavior data track.

In a possible embodiment, the process of determining the operation path variation degree of each operation behavior data in the operation behavior data set to be verified is as follows:

a1, determining the operation behavior activity of each operation behavior data in the operation behavior data set to be verified;

a2, counting the number q of each operation behavior data in the operation behavior data set to be verified, connecting the operation behavior data with the safety operation behavior data, and resetting the current operation path change degree of the operation behavior data by the sum of the q value and the operation behavior activity degree;

a3, resetting numRelationDegrid with zero, wherein numRelationDegrid represents the operation behavior association degree of the operation behavior data with optimized operation path change degree in each cycle;

a4, determining an explicit feedback coefficient according to the current operation path change degree of the operation behavior data associated with each operation behavior data in the operation behavior data set to be verified. The association set herein refers to the associated operation behavior data of the operation behavior data in the historical operation behavior data track, in other words, the associated operation behavior data includes not only the operation behavior data in the operation behavior data set to be verified, but also the security operation behavior data. And when the dominant feedback coefficient is smaller than the current operation path change degree of the operation behavior data, optimizing the current operation path change degree of the operation behavior data according to the dominant feedback coefficient, and numrelationship Degrid + 1.

A5, repeating A3-A4 when numrelatildegreee is not 0; otherwise, ending the circulation, wherein the operation path change degree of each operation behavior data in the operation behavior data set to be verified is the operation path change degree of each operation behavior data in the whole historical operation behavior data track.

According to the information security processing method for the cloud computing environment, after the operation behavior activity of each operation behavior data in the operation behavior data track is obtained, the operation behavior data track is subjected to splitting processing and distributed processing analysis based on splitting processing and distributed processing ideas, and therefore operation behavior data set analysis of a large-scale network can be supported. In other words, the complete operation behavior data track is divided into the authentication operation behavior data set and the operation behavior data set to be verified according to the operation behavior activity of each operation behavior data, and then the authentication operation behavior data set and the operation behavior data set to be verified are divided into two parts for analysis, so that the resource utilization rate in the data analysis and processing process is greatly improved, the resource occupation of the whole layer is reduced, the authentication operation behavior data set can be directly concerned, the situation that much cycle time and business processing calculation resources are spent on the operation behavior data which is not concerned mainly is avoided, and the analysis efficiency, the analysis accuracy and other capabilities for the operation behavior data are improved.

Since each operation behavior data in the operation behavior data set to be verified does not affect the operation behavior data in the authentication operation behavior data set, therefore, the safety operation behavior data and the operation path change degree corresponding to the safety operation behavior data in the authentication operation behavior data set are directly determined, then, the candidate parts except the path transmission relation between the safe operation behavior data and the safe operation behavior data in the operation behavior data track form an operation behavior data set to be verified, considering that the safe operation behavior data in the authentication operation behavior data set can influence the operation behavior data in the authentication operation behavior data set, therefore, for the operation behavior data set to be verified, the operation path change degree of each operation behavior data in the operation behavior data set to be verified needs to be determined according to the operation behavior data set itself to be verified and the safety operation behavior data in the authentication operation behavior data set. After the operation path change degree of each operation behavior data in the operation behavior data track is analyzed, the operation path change degree can be used as the characteristic of the corresponding operation behavior data to generate corresponding behavior risk detection information for other business processing analysis.

In one embodiment, the operation path variation degree of the operation behavior data may be used to generate behavior risk detection information corresponding to the operation behavior data according to the operation path variation degree, and the behavior risk detection information is used to perform behavior risk identification on the operation behavior data according to the behavior risk detection information. In some examples, the operation path variation degree of the operation behavior data can be input into a machine learning algorithm as a feature, and behavior risk identification of the operation behavior data is achieved.

In one embodiment, the operation behavior data track is a service execution data track, the operation behavior data in the service execution data track represents cloud service object information, and a path transfer relationship between two operation behavior data in the service execution data track represents that service execution trigger flow content exists between two corresponding pieces of cloud service object information, where the method further includes: generating behavior risk detection information corresponding to cloud service object information represented by operation behavior data according to the operation path change degree of each operation behavior data in the service execution data track; and identifying the information security risk category corresponding to the cloud service object information based on the behavior risk detection information through a pre-trained behavior risk identification model.

In a specific application scene, the cloud office server can acquire a service execution record corresponding to the cloud service object information; acquiring service execution triggering process data among the cloud service object information according to the service execution record; generating a service execution data track according to service execution trigger flow data, processing the service execution data track by using the information security processing method for the cloud computing environment provided by the embodiment of the application to obtain the operation path variation degree of each operation behavior data, generating corresponding behavior risk detection information according to the operation path variation degree of each operation behavior data, and performing behavior risk identification on each operation behavior data by using a behavior risk identification algorithm based on machine learning to identify whether each operation behavior data has a data intrusion risk.

It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.