
CN-122001654-A - Threat information analysis and response system and method based on model context protocol


Abstract

The invention discloses a threat information analysis and response system and method based on a model context protocol, comprising a front-end interaction module, a core scheduler module, a back-end processing module, a vector retrieval module, a large language model interface module, a report generation module and a scheduling protection module. The front-end interaction module is used for receiving threat information input. The core scheduler module is used for scheduling tasks to the corresponding back-end processing module. The back-end processing module is used for structuring the input raw threat information data. The vector retrieval module is used for establishing a vector index so as to realize quick retrieval based on semantic similarity. The large language model interface module is used for interfacing with and calling a large language model to carry out deep semantic analysis, attack chain reasoning and security knowledge mapping. The report generation module is used for receiving the structured analysis result output by the large language model interface module, and the scheduling protection module is used for executing automatic detection and response operations.

Inventors

  • GAO TIANHAO
  • Qiao Mengyu

Assignees

  • North China University of Technology (北方工业大学)

Dates

Publication Date
20260508
Application Date
20260209

Claims (10)

  1. The threat information analysis and response system based on the model context protocol is characterized by comprising a server and a client, wherein the server comprises: the front-end interaction module, which is used for providing a user operation interface and receiving threat information input, natural language queries and system configuration instructions; the core scheduler module, which is used for receiving and parsing instructions from the front-end interaction module and scheduling tasks to the corresponding back-end processing module according to predefined business logic; the back-end processing module, which is used for automatic cleaning, format standardization and structuring of the input raw threat information data; the vector retrieval module, which is used for converting the structured threat information data and the preset authoritative security knowledge base text into high-dimensional semantic vectors and establishing a vector index so as to realize quick retrieval based on semantic similarity; the large language model interface module, which is used for interfacing with and calling a large language model, and carrying out deep semantic analysis, attack chain reasoning and security knowledge mapping based on the retrieval result of the vector retrieval module and the original information context; the report generation module, which is used for receiving the structured analysis result output by the large language model interface module and automatically generating a threat information report and a visual analysis map that conform to the STIX standard; and the scheduling protection module, which is deployed at the client and used for parsing the structured report issued by the report generation module, calling a local security tool through the model context protocol according to the report content, and executing automatic detection and response operations.
  2. The threat intelligence analysis and response system based on a model context protocol of claim 1, wherein the front-end interaction module specifically comprises: the threat information uploading unit, which supports a user uploading original threat information files in text, log and PDF formats; the MITRE ATT&CK mapping interaction unit, which is used for providing an interface for a user to trigger and check the mapping process and result of threat behaviors to MITRE ATT&CK framework tactics, techniques and procedures; the MITRE CWE matching interaction unit, which is used for providing an interface for a user to trigger and check the matching process and result from vulnerability descriptions to CWE vulnerability library entries; the system comprises an STIX visualization unit, a data processing unit and a data processing unit, wherein the STIX visualization unit is used for importing STIX format data and displaying threat entities and their association relations in graphical form; the natural language AI interaction unit, which provides a chat interface so that a user can query threat information or issue a local security detection instruction in natural language; and the CTI information distribution management unit, which is used by an administrator for uploading and packaging the structured threat information and selecting target clients for batch distribution.
  3. The model context protocol based threat intelligence analysis and response system of claim 1, wherein the core scheduler module is implemented based on the lightweight Web framework Flask, internally encapsulates unified task routing and load balancing logic, and, according to the type of user request, directs data processing requests to the back-end processing module, directs knowledge query requests to the vector retrieval module, and directs complex analysis requests to the large language model interface module.
  4. The threat intelligence analysis and response system based on a model context protocol of claim 1, wherein the back-end processing module specifically comprises: the data loading sub-module, which is used for reading original input files in different formats; the data cleaning sub-module, which is used for carrying out encoding detection, abnormal character filtering and removal of non-key information on the loaded data; the structured storage sub-module, which is used for writing the cleaned data into the database according to a predefined schema and establishing an optimized index to support efficient access; and quality check points, arranged among the data loading sub-module, the data cleaning sub-module and the structured storage sub-module, for ensuring the reliability and consistency of the whole process from the original data to the retrieval result.
  5. The threat intelligence analysis and response system based on a model context protocol of claim 1, wherein the vector retrieval module specifically comprises: a vectorization model, which adopts a pre-trained Sentence-Transformer model for encoding text input into dense vectors of fixed dimension; the index construction unit, which uses the FAISS library to vectorize all entries of the MITRE ATT&CK technique description library and the CWE vulnerability description library and constructs indexes, the indexes being optimized by adopting product quantization and inverted file structures; and the semantic retrieval unit, which is used for vectorizing the user query or the processed information text, executing approximate nearest neighbor search in the constructed index, and returning a candidate list ordered by similarity together with the original data of each candidate.
  6. The threat intelligence analysis and response system based on model context protocol of claim 1, wherein the large language model interface module adopts a dual-mode self-adaptive architecture, and its working method is as follows: if the candidate list returned by the vector retrieval module is empty, a first mode is started, and the large language model is guided to conduct generalized reasoning and information extraction by using enhanced prompts containing broad knowledge of the threat information field; if the vector retrieval module returns a valid candidate list, a second mode is started, and the large language model is guided to carry out refined analysis and confirmation based on the candidates by using prompts focused on accurate matching and association analysis; and finally, the structured JSON data output by the large language model, which contains attack techniques, vulnerabilities, confidence and inference chains, is packaged into standard STIX Bundle objects through a STIX 2.1 standardization engine.
  7. The threat intelligence analysis and response system based on a model context protocol of claim 1, wherein the report generation module specifically comprises: the input parsing unit, which is used for receiving the STIX Bundle or other structured data output by the large language model interface module; the report synthesis unit, which fills the input data, according to a predefined template, into a complete text report containing an attack summary, mapped ATT&CK techniques, associated CWE vulnerabilities, risk assessment and defense suggestions; the visualization generation unit, which is used for automatically generating an attack chain map or a threat association relation map based on the entities and relations in the input data; and a format output unit, which supports outputting the generated report in JSON, in the STIX 2.x standard format, or in a document format combined with graphics.
  8. The model context protocol based threat intelligence analysis and response system of claim 1, wherein the scheduling protection module comprises: the report parsing sub-module, which is used for parsing the STIX format threat report received from the server or generated locally, and extracting the key action items in the threat report, including the vulnerability numbers to be detected and the attack technique characteristics to be monitored; the strategy matching sub-module, which has a built-in predefined "threat type to MCP tool" mapping rule base, and matches the local MCP tools that need to be called according to the parsed action items; the protocol calling sub-module, which initiates a call request to the matched local security tool through a standardized model context protocol interface and passes the necessary parameters; and the result feedback sub-module, which receives the execution result of the local security tool, formats it, and feeds it back to the user or uploads it to the server for knowledge updating.
  9. The model context protocol based threat intelligence analysis and response system of claim 1, wherein the client further comprises: the local MCP server, which is used for registering and managing the local security tools and exposing the capabilities of the tools through a standard MCP protocol interface; the local security tool at least comprises a vulnerability scanning tool, a process monitoring tool, a scheduling protection module and a local security tool, wherein the vulnerability scanning tool is used for performing vulnerability investigation on a local host; the communication between the server and the client adopts a hybrid encryption mechanism to ensure security, specifically, the SM4 symmetric encryption algorithm is used for encrypting service data, and an asymmetric encryption algorithm is used for encrypting the SM4 session key to form a digital envelope for transmission.
  10. A threat intelligence analysis and response method based on a model context protocol, applied to the threat intelligence analysis and response system based on a model context protocol as claimed in any one of claims 1 to 9, comprising the steps of:
      S1, receiving original threat information data input by a user through the front-end interaction module;
      S2, the core scheduler module dispatches the data to the back-end processing module for automatic cleaning and structuring, wherein the structuring specifically comprises unifying the encoding of the input text, filtering irrelevant symbols, identifying key paragraphs, and extracting structured fields containing the attack description, vulnerability information and affected components;
      S3, the vector retrieval module converts the structured data into a query vector and performs semantic retrieval in the pre-constructed ATT&CK and CWE vector indexes to obtain preliminary associated security knowledge items, wherein the semantic retrieval is specifically that a Sentence-Transformer model is used for encoding the query text and the knowledge base items into the same vector space, the cosine similarity between the query vector and the knowledge base vectors is calculated through the FAISS library, and the Top-K knowledge items with similarity exceeding a preset threshold are returned;
      S4, the large language model interface module calls a large language model, takes the retrieval result as context enhancement, carries out deep analysis on the original threat information, completes attack chain deduction, ATT&CK technique mapping and CWE vulnerability matching, and outputs a structured result, wherein the deep analysis specifically comprises the following substeps:
      S41, based on the retrieved ATT&CK technique candidates, guiding the large language model to accurately map attack behavior descriptions to specific tactic, technique and sub-technique numbers;
      S42, based on the retrieved CWE vulnerability candidates, guiding the large language model to confirm or infer the CWE numbers and descriptions corresponding to the vulnerabilities described in the report;
      S43, generating an inference chain that describes the logical basis from the original text to the final mapping result, and outputting a confidence score for the overall analysis;
      S5, the report generation module receives the structured result and automatically generates a standardized STIX threat information report and a visual map;
      S6, the scheduling protection module parses the report at the client and invokes a matched local security tool through the Model Context Protocol (MCP) to execute automatic detection or protection response, specifically: when the report indicates that a specific vulnerability risk exists, a local vulnerability scanning tool is automatically called and a targeted scan for that vulnerability is performed; when the report indicates that a specific process attack technique exists, a local process monitoring tool is automatically called, and corresponding rules are created to monitor and alert on suspicious process behaviors in real time;
      S7, distributing the generated standardized report to one or more designated clients in the network through the CTI information distribution management unit in the front-end interaction module, so as to realize rapid synchronization of threat information and collaborative defense.
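
The client-side flow of claim 8 and step S6 (parse the STIX report, match action items against a rule base, issue MCP calls) can be sketched as follows. This is an added example, not code from the patent: the tool names `vuln_scan` and `process_monitor`, their argument names and the sample bundle are assumptions, and the strict identifier check reflects that the report content originates from a large language model and should be treated as untrusted input before it reaches a local tool.

```python
import json
import re

# Constructed sample report: a STIX 2.1 bundle trimmed to the fields used here.
# The CVE identifiers are placeholders, not real advisories.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "vulnerability", "id": "vulnerability--00000000-0000-4000-8000-000000000002",
         "external_references": [{"source_name": "cve", "external_id": "CVE-2099-0001"}]},
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000003",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1055"}]},
        {"type": "vulnerability", "id": "vulnerability--00000000-0000-4000-8000-000000000004",
         "external_references": [{"source_name": "cve", "external_id": "CVE-2099-0002 --extra-flag"}]},
    ],
}

# Hypothetical "threat type -> MCP tool" rule base; tool and argument names are assumptions.
RULES = {
    "vulnerability": {"source": "cve", "id_format": re.compile(r"CVE-\d{4}-\d{4,}"),
                      "tool": "vuln_scan", "arg": "cve_id"},
    "attack-pattern": {"source": "mitre-attack", "id_format": re.compile(r"T\d{4}(\.\d{3})?"),
                       "tool": "process_monitor", "arg": "technique_id"},
}


def extract_action_items(bundle):
    """Return (accepted, rejected) action items parsed from a STIX bundle."""
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    accepted, rejected = [], []
    for obj in bundle.get("objects", []):
        rule = RULES.get(obj.get("type"))
        if rule is None:
            continue  # no local tool is mapped to this object type
        for ref in obj.get("external_references", []):
            if ref.get("source_name") != rule["source"]:
                continue
            ext_id = str(ref.get("external_id", ""))
            # The identifier was produced by an LLM, so only a well-formed ID
            # (fullmatch, not search) is allowed to become a tool argument.
            if rule["id_format"].fullmatch(ext_id):
                accepted.append((rule["tool"], rule["arg"], ext_id))
            else:
                rejected.append((obj.get("id"), ext_id))
    return accepted, rejected


def build_mcp_calls(items):
    """Wrap each accepted item in an MCP tools/call JSON-RPC 2.0 request."""
    return [{"jsonrpc": "2.0", "id": n, "method": "tools/call",
             "params": {"name": tool, "arguments": {arg: value}}}
            for n, (tool, arg, value) in enumerate(items, start=1)]


if __name__ == "__main__":
    items, bad = extract_action_items(SAMPLE_BUNDLE)
    for call in build_mcp_calls(items):
        print(json.dumps(call))
    print("rejected:", bad)
```

Rejected items are returned rather than silently dropped so that the result feedback sub-module can report them alongside tool results.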

Description

Threat information analysis and response system and method based on model context protocol

Technical Field

The invention relates to the technical field of network security protection, in particular to a threat information analysis and response system and method based on a model context protocol.

Background

With the acceleration of digitization, the network security threat environment is increasingly complex and intelligent. Advanced Persistent Threats (APT), zero-day exploits, AI-driven social engineering attacks, supply chain attacks and other novel attack modes keep emerging, and pose a serious challenge to the traditional network security defense system. Threat Intelligence (CTI) is a core part of modern security defense, and provides decision support for active defense by analyzing information such as attacker behaviors and vulnerability risks. However, current CTI processing and application face a number of bottlenecks:

1. Traditional defense means have inherent defects. Traditional detection methods based on signature and rule matching (such as firewalls and IDS/IPS) have difficulty coping with unknown zero-day attacks and complex multi-stage APT attacks. The static boundary protection model is gradually failing as cloud adoption and mobile working spread, and effective management and control of internal threats and encrypted traffic are lacking.

2. Threat information processing efficiency is low. CTI data sources are wide-ranging and mostly unstructured text (such as vulnerability reports and dark web forum information), and the traditional processing mode that relies on manual rules and feature matching is inefficient. Data heterogeneity and semantic gaps exist between multi-source intelligence (such as from MISP, MITRE ATT&CK and the CVE/CWE databases), so integration is difficult and a unified attack chain view is hard to form. In addition, the lack of an effective dynamic confidence assessment mechanism results in uneven information quality, affecting the reliability of automated decisions.

3. System coordination and automation are insufficient. Standardized interfaces and coordination mechanisms are lacking between existing security systems (such as SIEM, EDR and SOAR), so data islands form and the threat response period is long. Although machine learning and large language models have been introduced for auxiliary analysis, the analysis result often remains at the text level and can hardly drive subsequent detection and response actions directly; the analysis, decision and response links are disjointed, the degree of automation is limited, and a large amount of manual intervention is still needed.

In recent years, Large Language Models (LLMs) have exhibited great capabilities in natural language understanding and generation, bringing new opportunities for automated processing of unstructured threat intelligence. However, existing LLM-based CTI analysis schemes mostly use the LLM as an independent analysis module and lack a unified context management mechanism, so analysis continuity is hard to maintain in complex, cross-stage attack scenarios. Meanwhile, an efficient and standardized linking protocol between the analysis capability of the LLM and local security tools and response actions is lacking, so an intelligent closed loop of perception-analysis-decision-response cannot be formed. Therefore, a new threat information analysis and response system that deeply fuses LLM semantic understanding capability, standardized protocol coordination capability and localized security tools is needed to systematically solve the above problems and improve the intelligence, automation level and overall efficiency of network security defense.

Disclosure of Invention

Aiming at the defects of the prior art, the invention provides a threat information analysis and response system and method based on a model context protocol, which solve the problems of the inherent defects of traditional defense means, low threat information processing efficiency, and insufficient system coordination and automation in the traditional network security defense system.

In order to achieve the above purpose, the technical scheme adopted by the invention is as follows: The system comprises a server and a client, wherein the server comprises a front-end interaction module, a core scheduler module, a back-end processing module and a client, wherein the front-end interaction module is used for providing a user operation interface and receiving threat information input, natural language queries and system configuration instructions; the back-end processing module is used for automatic cleaning, format standardization and structuring of the input raw threat information data; the system comprises a vector retrieval module, a large language model interface module, a report generation module, a scheduling protection module and a local security tool, wherein