
CN-121984702-A - Data processing method, system and related equipment for intelligent network security operation


Abstract

The application discloses a data processing method, system and related equipment for intelligent network security operation, in the technical field of network security processing. A multi-agent collaborative work platform built on a mixture-of-experts (MoE) model architecture, together with the MoE routing mechanism, dynamically routes each task to be analysed to a target agent. The dynamic task allocation of the MoE architecture addresses the narrow coverage, inconsistent handling standards and delayed response of manual security operation: repetitive work is automated, labour cost and time are saved, and security operation coverage is expanded. An LLM performs chain-of-thought analysis and clustering on the web page interaction data, so that security alarms are de-noised, clustered and prioritised, and handling suggestions are generated through the multi-agent collaborative work platform. This reduces false and duplicate alarms, lessens the dependence on traditional manual analysis, and improves the efficiency of security alarm assessment (triage) in the network security operation process.

Inventors

  • ZHANG XIAOYUE
  • CUI YINGXIA

Assignees

  • China Construction Bank Corporation Anhui Branch (中国建设银行股份有限公司安徽省分行)

Dates

Publication Date
2026-05-05
Application Date
2025-12-15

Claims (10)

  1. A data processing method for intelligent network security operation, the method comprising: when suspected attack alarm information is detected, capturing and processing, through a multi-agent collaborative work platform, the web page interaction data corresponding to the suspected attack alarm information, wherein the multi-agent collaborative work platform is built on a mixture-of-experts (MoE) model architecture; performing chain-of-thought analysis and clustering on the web page interaction data through an LLM, and abstracting the tasks to be analysed; dynamically routing, through the multi-agent collaborative work platform and the MoE routing mechanism, each task to be analysed to a corresponding target agent; performing intelligent assessment (triage) analysis and automatic handling of the task to be analysed according to the multi-agent collaborative work platform and the target agent; and iteratively updating and storing the intelligent assessment result and the automatic handling result through retrieval-augmented generation (RAG) knowledge base enhancement, so as to form a closed loop.
  2. The method of claim 1, wherein the web page interaction data at least includes the operation path of the system, alarm data and alarm context, and capturing and processing, through the multi-agent collaborative work platform, the web page interaction data corresponding to the suspected attack alarm information when it is detected includes: when suspected attack alarm information is detected, capturing and processing, through the multi-agent collaborative work platform and a browser plug-in, the operation path of the system, the alarm data and the alarm context corresponding to the suspected attack alarm information, and taking the operation path, the alarm data and the alarm context as the data access layer of the MoE model architecture.
  3. The method of claim 1, wherein the task to be analysed at least includes standardised knowledge elements, operation flows, analysis approaches and handling targets, and performing chain-of-thought analysis and clustering on the web page interaction data through the LLM and abstracting the task to be analysed includes: in the convergence layer of the MoE model architecture, performing chain-of-thought analysis and clustering on the web page interaction data through the LLM to abstract the standardised knowledge elements, operation flows, analysis approaches and handling targets.
  4. The method of claim 1, wherein dynamically routing the task to be analysed to the corresponding target agent through the multi-agent collaborative work platform and the MoE routing mechanism comprises: determining the task type and the task characteristics of the task to be analysed; and dynamically routing the task to be analysed to the corresponding target agent through the multi-agent collaborative work platform and the MoE routing mechanism according to the task type and the task characteristics.
  5. The method of claim 1, wherein performing intelligent assessment analysis and automatic handling of the task to be analysed according to the multi-agent collaborative work platform and the target agent comprises: automatically fetching, from a preset interface, the fields in the task to be analysed that are strongly related to the current alarm, through the multi-agent collaborative work platform and a virtual operation agent; generating a preliminary assessment result by combining the multi-agent collaborative work platform and expert agents with a knowledge base reasoning chain, logs and historical cases, wherein the preliminary assessment result at least includes an event type, risk analysis, severity assessment, preliminary root cause, reasoning basis, time sequence, trend and a draft handling suggestion; cleaning the preliminary assessment result to obtain a target assessment result, the cleaning checking whether the key information in the preliminary assessment result is complete, whether noise exists and whether contradictory fields exist; determining, through the knowledge base, the handling template corresponding to the target assessment result; and generating a handling suggestion for the target assessment result according to the multi-agent collaborative work platform and the handling template, and generating and executing a handling action according to the handling suggestion.
  6. A data processing system for intelligent network security operation, the system comprising: a capture unit, configured to capture, through a multi-agent collaborative work platform, the web page interaction data corresponding to suspected attack alarm information when the suspected attack alarm information is detected, wherein the multi-agent collaborative work platform is built on a mixture-of-experts (MoE) model architecture; an analysis and clustering unit, configured to perform chain-of-thought analysis and clustering on the web page interaction data through an LLM and to abstract the tasks to be analysed; a dynamic routing unit, configured to dynamically route each task to be analysed to a corresponding target agent through the multi-agent collaborative work platform and the MoE routing mechanism; an analysis and handling unit, configured to perform intelligent assessment analysis and automatic handling of the task to be analysed according to the multi-agent collaborative work platform and the target agent; and an iterative updating unit, configured to iteratively update and store the intelligent assessment result and the automatic handling result through RAG knowledge base enhancement, so as to form a closed loop.
  7. The system of claim 6, wherein the web page interaction data at least includes the operation path of the system, alarm data and alarm context, and the capture unit is specifically configured to capture and process, through the multi-agent collaborative work platform and a browser plug-in, the operation path of the system, the alarm data and the alarm context corresponding to the suspected attack alarm information when that information is detected by monitoring each security alarm page, and to take the operation path, the alarm data and the alarm context as the data access layer of the MoE model architecture.
  8. The system of claim 6, wherein the task to be analysed at least includes standardised knowledge elements, operation flows, analysis approaches and handling targets, and the analysis and clustering unit is specifically configured to abstract the standardised knowledge elements, operation flows, analysis approaches and handling targets by performing chain-of-thought analysis and clustering on the web page interaction data through the LLM in the convergence layer of the MoE model architecture.
  9. A storage medium comprising stored instructions, wherein the instructions, when executed, control the device in which the storage medium is located to perform the data processing method for intelligent network security operation of any one of claims 1 to 5.
  10. An electronic device comprising a memory and one or more instructions, wherein the one or more instructions are stored in the memory and configured to be executed by one or more processors to perform the data processing method for intelligent network security operation of any one of claims 1 to 5.
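The pipeline of claims 1 to 5 (capture, cluster and de-noise, rank, route to a specialist agent, assess, clean, and store the result for the next round), as an added illustrative example in Python that is not part of the patent or of the assignee's code. It replaces the LLM chain-of-thought clustering and the mixture-of-experts gating with deterministic heuristics (clustering by rule, source and destination within a time window; routing by a per-agent skill table) so that it runs offline; the alarm records, the severity and asset weights, the noise threshold, the agent names and the playbook text are all constructed for the example and are not from the patent.

```python
"""Added illustrative alert-triage pipeline: cluster and de-noise alarms, rank them,
route each to a specialist agent, assess, validate ("clean") the result and write it
back to a case store. Not the patent's code: its LLM chain-of-thought clustering and
MoE gating are replaced by deterministic heuristics so that this runs offline."""

WINDOW = 600  # seconds; same (rule, src, dst) within the window = one cluster

# Constructed sample alarms, not real telemetry.
SAMPLE_ALARMS = [
    {"id": 1, "rule": "SQLi", "src": "10.0.0.5", "dst": "app-01", "ts": 100, "events": 1},
    {"id": 2, "rule": "SQLi", "src": "10.0.0.5", "dst": "app-01", "ts": 130, "events": 1},
    {"id": 3, "rule": "SQLi", "src": "10.0.0.5", "dst": "app-01", "ts": 160, "events": 1},
    {"id": 4, "rule": "BruteForce", "src": "10.0.0.9", "dst": "vpn-gw", "ts": 110, "events": 200},
    {"id": 5, "rule": "PortScan", "src": "10.0.0.9", "dst": "vpn-gw", "ts": 115, "events": 3},
    {"id": 6, "rule": "SQLi", "src": "10.0.0.7", "dst": "app-02", "ts": 4000, "events": 1},
]

# Assumed scoring tables; the patent specifies no such values.
RULE_SEVERITY = {"SQLi": 7, "BruteForce": 5, "PortScan": 2}
ASSET_WEIGHT = {"app-01": 2, "app-02": 2, "vpn-gw": 3}
NOISE_MIN_EVENTS = {"PortScan": 10}  # fewer events than this = noise, not routed

# Specialist agents and per-rule skill scores (assumed); the router picks the
# highest-scoring agent for a task, a stand-in for the patent's MoE gating.
EXPERT_SKILLS = {"web_attack_agent": {"SQLi": 1.0, "XSS": 0.8},
                 "identity_agent": {"BruteForce": 1.0, "PasswordSpray": 1.0},
                 "recon_agent": {"PortScan": 1.0}}
PLAYBOOK = {  # handling templates keyed by agent (assumed text)
    "web_attack_agent": "block source at WAF; verify parameterised queries on target",
    "identity_agent": "lock targeted accounts; rate-limit source at the gateway",
    "recon_agent": "monitor source; no active response",
    "generalist_agent": "escalate to on-call analyst"}
REQUIRED_FIELDS = ("event_type", "severity", "root_cause", "timeline", "suggestion")


def cluster_alarms(alarms):
    """Fold repeated alarms into clusters keyed by (rule, src, dst) and time window."""
    clusters = []
    for a in sorted(alarms, key=lambda x: x["ts"]):
        key = (a["rule"], a["src"], a["dst"])
        for c in clusters:
            if c["key"] == key and a["ts"] - c["last_ts"] <= WINDOW:
                c["ids"].append(a["id"])
                c["last_ts"], c["events"] = a["ts"], c["events"] + a["events"]
                break
        else:  # no open cluster matched: start a new one
            clusters.append({"key": key, "ids": [a["id"]], "first_ts": a["ts"],
                             "last_ts": a["ts"], "events": a["events"]})
    return clusters


def is_noise(c):
    return c["events"] < NOISE_MIN_EVENTS.get(c["key"][0], 0)


def priority(c):
    """Severity times asset weight, plus a capped bump for repetition."""
    rule, _, dst = c["key"]
    return RULE_SEVERITY.get(rule, 1) * ASSET_WEIGHT.get(dst, 1) + min(c["events"], 5)


def route(c):
    """Gating step: the agent with the best skill score for this rule type."""
    rule = c["key"][0]
    best = max(EXPERT_SKILLS, key=lambda e: EXPERT_SKILLS[e].get(rule, 0.0))
    return best if EXPERT_SKILLS[best].get(rule, 0.0) > 0 else "generalist_agent"


def assess(c, agent, knowledge_base):
    """Preliminary assessment; earlier cases of the same rule feed the reasoning basis."""
    rule, src, dst = c["key"]
    p = priority(c)
    prior = [k["case_id"] for k in knowledge_base if k["rule"] == rule]
    return {"event_type": rule, "agent": agent, "priority": p, "case_id": None,
            "severity": "high" if p >= 15 else "medium" if p >= 8 else "low",
            "root_cause": f"{c['events']} {rule} events from {src} against {dst}",
            "reasoning": f"{len(c['ids'])} alarms folded; prior cases: {prior or 'none'}",
            "timeline": (c["first_ts"], c["last_ts"]), "alarm_ids": c["ids"],
            "suggestion": PLAYBOOK[agent], "prior_cases": prior}


def validate(assessment):
    """The cleaning check: required fields present, no contradictory fields."""
    issues = [f"missing:{f}" for f in REQUIRED_FIELDS if not assessment.get(f)]
    if assessment.get("severity") == "low" and str(assessment.get("suggestion", "")).startswith("block"):
        issues.append("contradiction:low-severity-with-blocking-action")
    return issues


def triage(alarms, knowledge_base=None):
    """cluster -> drop noise -> rank -> route -> assess -> validate -> store (closed loop)."""
    kb = knowledge_base if knowledge_base is not None else []
    cases, suppressed = [], []
    for c in sorted(cluster_alarms(alarms), key=priority, reverse=True):
        if is_noise(c):
            suppressed.append(c["ids"])
            continue
        result = assess(c, route(c), kb)
        result["issues"] = validate(result)
        if not result["issues"]:  # only clean results are written back to the store
            result["case_id"] = f"CASE-{len(kb) + 1}"
            kb.append({"case_id": result["case_id"], "rule": c["key"][0],
                       "suggestion": result["suggestion"]})
        cases.append(result)
    return {"cases": cases, "suppressed": suppressed, "knowledge_base": kb}


if __name__ == "__main__":
    for case in triage(SAMPLE_ALARMS)["cases"]:
        print(case["case_id"], case["agent"], case["severity"], case["alarm_ids"], case["prior_cases"])
```

Three alarms from one source against one host collapse into a single case, the three-port scan falls below the noise threshold and is never routed, and the later SQLi case against a second host is assessed with the first SQLi case as its prior, which is the closed-loop write-back of claim 1. The block stops at the handling suggestion: in a real deployment the step that executes blocking or account-lock actions against production controls is where a review gate belongs, since the assessment upstream of it is model-generated.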

Description

Data processing method, system and related equipment for intelligent network security operation

Technical Field

The application relates to the technical field of network security processing, in particular to a data processing method, system and related equipment for intelligent network security operation.

Background

Network security operation refers to the dynamic management process that systematically safeguards the security of information assets by combining technical means with management processes. Most current network security operations use a situational awareness platform that deploys probes in each network zone to collect full network traffic, uploads it to a unified analysis platform for traffic cleaning and aggregation into suspected attack alarm information, and then has security operators manually analyse and assess the alarms. Under the existing operating model, manual assessment and handling of alarms remains the dominant mode. Because staff are limited, comprehensive, round-the-clock continuous monitoring of massive volumes of alarms and data cannot be achieved, so coverage is limited and security operation coverage shrinks. Operating habits and assessment criteria also differ widely between staff, producing false alarms, duplicate alarms and similar conditions and lowering security alarm assessment efficiency. How to improve security alarm assessment efficiency and expand security operation coverage in the network security operation process is therefore the problem this application addresses.

Disclosure of Invention

In view of the above, the application discloses a data processing method, system and related equipment for intelligent network security operation, aiming to improve security alarm assessment efficiency and expand security operation coverage in the network security operation process.
To achieve the above purpose, the technical solution disclosed by the application is as follows. The first aspect of the application discloses a data processing method for intelligent network security operation, which comprises the following steps: when suspected attack alarm information is detected, capturing and processing, through a multi-agent collaborative work platform, the web page interaction data corresponding to the suspected attack alarm information, wherein the multi-agent collaborative work platform is built on a mixture-of-experts (MoE) model architecture; performing chain-of-thought analysis and clustering on the web page interaction data through an LLM, and abstracting the tasks to be analysed; dynamically routing, through the multi-agent collaborative work platform and the MoE routing mechanism, each task to be analysed to a corresponding target agent; performing intelligent assessment (triage) analysis and automatic handling of the task to be analysed according to the multi-agent collaborative work platform and the target agent; and iteratively updating and storing the intelligent assessment result and the automatic handling result through RAG knowledge base enhancement, so as to form a closed loop.
Preferably, the web page interaction data at least includes the operation path of the system, alarm data and alarm context, and capturing and processing, through the multi-agent collaborative work platform, the web page interaction data corresponding to the suspected attack alarm information when it is detected includes: when suspected attack alarm information is detected, capturing and processing, through the multi-agent collaborative work platform and a browser plug-in, the operation path of the system, the alarm data and the alarm context corresponding to the suspected attack alarm information, and taking the operation path, the alarm data and the alarm context as the data access layer of the MoE model architecture. Preferably, the task to be analysed at least includes standardised knowledge elements, operation flows, analysis approaches and handling targets, and abstracting the task to be analysed by performing chain-of-thought analysis and clustering on the web page interaction data through the LLM includes: in the convergence layer of the MoE model architecture, performing chain-of-thought analysis and clustering on the web page interaction data through the LLM to abstract the standardised knowledge elements, operation flows, analysis approaches and handling targets. Preferably, dynamically routing the task to be analysed to the corresponding target agent through the multi-agent collaborative work platform and the MoE routing mechanism includes: determining the task type and the task characteristics of the task to be analysed; and dynamically routing the target