CN-122001673-A - Self-adaptive firewall rule generation method and device based on real-time threat information
Abstract
The invention relates to a method and a device for generating self-adaptive firewall rules from real-time threat intelligence. The method performs semantic analysis on threat intelligence text, extracts attack indicators and attack technique/tactic labels, and produces an intelligence triplet set and a technique/tactic label set; on the basis of the parsed intelligence it calls a language model to generate candidate rules and scores their trust, intercepting low-scoring rules as high-risk hallucinated rules and passing the remaining rules into a set to be verified; it constructs a digital-twin subdomain in which the set to be verified is checked against real-time traffic, and divides that set into a valid rule set and an invalid rule set according to the verification result; it constructs a rule dependency graph from the invalid rule set to trace the source of the contamination, adding nodes whose pollution coefficient is excessive to an isolation list; and it cleans the historical training samples on the basis of the isolation list and the intercepted-rule log, then incrementally trains the language model to produce an updated model.
Inventors
- WU YAOJIAN
- LI JINGPING
- CHEN WEIFENG
Assignees
- 泉州延陵信息技术有限公司
Dates
- Publication Date: 2026-05-08
- Application Date: 2026-03-19
Claims (10)
- 1. A method for generating self-adaptive firewall rules based on real-time threat intelligence, characterised by comprising the following steps: S1, performing semantic analysis on intelligence text from a plurality of threat intelligence sources accessed in real time, extracting the attack indicators, attack patterns and attack technique/tactic labels in the text, and generating an intelligence triplet set and an attack technique/tactic label set; S2, on the basis of the intelligence triplet set and the technique/tactic label set, calling a preset second language model to generate candidate rules targeting the attack indicators, scoring the trust of each candidate rule, splitting the candidate rules into high-risk hallucinated rules and a rule set to be verified, and storing the high-risk hallucinated rules in an intercepted-rule log, wherein the second language model is a dedicated language model for scoring the reliability of large-language-model output; S3, constructing a digital-twin shadow subdomain from the existing rule set obtained from the current network environment configuration, deploying the rule set to be verified into the shadow subdomain, superimposing it on the existing rule set, running the superimposed rule set on real-time mirrored traffic, and dividing the rule set to be verified into a valid rule set and an invalid rule set according to the blocking accuracy and idle time of each rule during the run; S4, constructing a rule dependency graph from the invalid rule set, tracing back along the graph the intelligence source nodes, model instance nodes and training sample nodes that took part in generating the invalid rules, updating the pollution coefficients of the traced nodes, and adding nodes whose pollution coefficient exceeds a preset pollution threshold to a pollution isolation list; and S5, screening the historical training samples of the second language model on the basis of the pollution isolation list and the intercepted-rule log, computing a signal-to-noise ratio over the screened contaminated samples to identify the layer to be perturbed, superimposing a mixed loss constraint, performing incremental training, and generating an updated second language model.
- 2. The method according to claim 1, wherein S1 comprises: S11, performing sentence segmentation and lexical analysis on the intelligence text from the plurality of threat intelligence sources accessed in real time, extracting candidate attack indicators from every sentence with regular expressions, normalising the format of all candidate indicators, and generating a normalised indicator set; S12, inputting the normalised indicator set into a preset first language model for contextual semantic encoding, computing from the embedding vectors output by the first language model the semantic similarity between each indicator and the predefined threat types, marking indicators whose similarity exceeds a preset matching threshold as attack indicators, and generating a structured indicator set containing the attack indicators and their type marks, wherein the first language model is an encoder model for the network security domain; S13, extracting from the context window of each attack indicator in the intelligence text the verb phrases and object phrases associated with it, combining them into attack pattern fragments, matching the fragments by phrase similarity against technique nodes of the MITRE ATT&CK framework, taking the successfully matched technique nodes as attack technique/tactic labels, and combining them with the structured indicator set to generate the intelligence triplet set and the attack technique/tactic label set.
- 3. The method according to claim 1, wherein S2 comprises: S21, inputting the intelligence triplet set and the technique/tactic label set into the second language model and generating, token by token with its decoder, a textual representation of each candidate rule, the candidate rules comprising a source IP condition, a destination IP condition, a protocol type condition and a blocking action; S22, computing for each candidate rule a context relevance score from the contextual semantic information in the intelligence triplets, running rule conflict detection against the existing rule set in the current network environment configuration to obtain a logical consistency score, dynamically deducting from the intelligence source reliability on the basis of the pollution isolation list to obtain a source reliability score, and aggregating the context relevance, logical consistency and source reliability scores by weighted sum into a trust score; S23, comparing the trust score with a preset low-trust acceptance threshold and a preset high-trust rejection threshold, marking candidate rules whose trust score is below the low-trust acceptance threshold as high-risk hallucinated rules and storing them in the intercepted-rule log, marking candidate rules whose trust score is above the high-trust rejection threshold as high-trust rules, marking candidate rules whose trust score lies between the two thresholds as low-trust rules to be verified, and combining the high-trust rules and the low-trust rules to be verified into the rule set to be verified.
- 4. The method according to claim 1, wherein S3 comprises: S31, constructing a virtualised network environment from the network topology, service configuration and business logic parameters in the current network environment configuration to serve as the digital-twin shadow subdomain, deploying the rule set to be verified into the shadow subdomain and superimposing it on the existing rule set of the current network environment configuration to generate the shadow-subdomain rule set; S32, mirroring network traffic from the production network in real time and splitting it to two parallel processing channels, the first channel loading only the existing rule set to process the mirrored traffic and the second channel loading the shadow-subdomain rule set, running both continuously for a preset verification period and recording the processing logs of both channels; and S33, counting from the processing logs the correct blocks and erroneous blocks of each candidate rule during the verification period to compute its blocking accuracy, computing the idle-time ratio of each candidate rule over the periods in which it was not triggered, multiplying the blocking accuracy by the idle-time ratio to obtain a verification score, adding candidate rules whose verification score exceeds a preset verification threshold to the valid rule set, adding candidate rules whose verification score does not exceed the threshold to the invalid rule set, and recording the associated verification log.
- 5. The method according to claim 1, wherein S4 comprises: S41, extracting for each invalid rule the intelligence source identifier, second-language-model instance identifier and historical training sample batch identifier on the basis of which it was generated, taking the source, model instance and sample batch identifiers as nodes and the generation dependency between each node and the invalid rule as an edge, and constructing a directed rule dependency graph; S42, tracing each invalid rule backwards through the directed rule dependency graph, computing a pollution coefficient increment for each node from the number of invalid rules it took part in generating and how long those invalid rules have existed, adding the increment to the node's current pollution coefficient, and generating the node's updated pollution coefficient; and S43, selecting from the updated coefficients the nodes whose pollution coefficient exceeds a preset pollution threshold, sorting them into isolation sub-lists by node type (intelligence source, model instance, training sample), and merging the sub-lists into the pollution isolation list.
- 6. The method of claim 5, wherein the update formula for each node's pollution coefficient is expressed in terms of: the pollution coefficient of the node at time t; the set of invalid rules generated via the node; the size of that invalid rule set; the existence time of the node, in days; a step-size coefficient; a time-attenuation coefficient controlling how fast the contribution of historical samples to the current pollution coefficient decays; and the total number of invalid rules generated by all nodes, used to impose an additional penalty on nodes that generate invalid rules at high frequency.
- 7. The method according to any one of claims 1 to 6, wherein S5 comprises: S51, selecting from the historical training sample pool the sample batches marked by the pollution isolation list, selecting a preset number of high-risk hallucinated rules from the intercepted-rule log as negative samples, and combining the marked batches and the negative samples into a sample set to be cleaned; S52, applying synonym replacement and sentence-pattern transformation to each contaminated sample in that set to produce an adversarial version with the same meaning but different wording, feeding the adversarial version and the original sample separately into the current second language model and comparing their outputs for consistency, removing from the training set the samples whose outputs are inconsistent, reducing the sampling weight of the samples whose outputs are consistent in proportion to their pollution coefficient, and generating the cleaned training set; and S53, constructing a mixed loss function over the cleaned training set, incrementally training the second language model with the mixed loss function as the optimisation target, updating the model parameters batch by batch until convergence, and generating the updated second language model, wherein the mixed loss function comprises a prediction cross-entropy term and a hallucination-suppression regularisation term computed from the variance of the trust scores on a validation set.
- 8. A self-adaptive firewall rule generation apparatus based on real-time threat intelligence, the apparatus comprising: a threat intelligence semantic analysis module for performing semantic analysis on intelligence text from a plurality of threat intelligence sources accessed in real time, extracting the attack indicators, attack patterns and attack technique/tactic labels in the text, and generating an intelligence triplet set and an attack technique/tactic label set; a candidate rule trust division module for calling a preset second language model to generate candidate rules targeting the attack indicators on the basis of the intelligence triplet set and the technique/tactic label set, scoring the trust of each candidate rule, dividing the candidate rules into high-risk hallucinated rules and a rule set to be verified, and storing the high-risk hallucinated rules in an intercepted-rule log, wherein the second language model is a dedicated language model for scoring the reliability of large-language-model output; a twin-domain rule verification module for constructing a digital-twin subdomain from the existing rule set obtained from the current network environment configuration, deploying the rule set to be verified into the subdomain, superimposing it on the existing rule set, running the superimposed rule set on real-time mirrored traffic, and dividing the rule set to be verified into a valid rule set and an invalid rule set according to the blocking accuracy and idle time of each rule during the run; a pollution node tracing and updating module for constructing a rule dependency graph from the invalid rule set, tracing back along the graph the intelligence source nodes, model instance nodes and training sample nodes that took part in generating the invalid rules, updating the pollution coefficients of the traced nodes, and adding nodes whose pollution coefficient exceeds a preset pollution threshold to a pollution isolation list; and a model incremental training optimisation module for screening the historical training samples of the second language model on the basis of the pollution isolation list and the intercepted-rule log, computing a signal-to-noise ratio over the screened contaminated samples to identify the layer to be perturbed, superimposing a mixed loss constraint, performing incremental training, and generating an updated second language model.
- 9. A computer device comprising a memory and a processor, the memory storing a computer program, characterised in that the processor implements the method of any one of claims 1 to 7 when executing the computer program.
- 10. A computer-readable storage medium on which a computer program is stored, characterised in that the computer program, when executed by a processor, implements the method of any one of claims 1 to 7.
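As an added worked example (written for this page, not code from the patent or its assignee), the following Python sketches the S1 pipeline of claim 2 on a constructed threat report: regex extraction of candidate indicators (S11), refanging-style normalisation, and a context-window match of the surrounding verb and object words against a small hand-built ATT&CK keyword table that stands in for the claimed phrase-similarity match (S13). The encoder-model similarity scoring of S12 is replaced by the regex type as the type mark. The report text, the keyword table, the window size, the sentence splitter and all function names are our assumptions.

```python
import ipaddress
import re

# Constructed sample report (not from any real feed); 203.0.113.0/24 is RFC 5737 test space.
REPORT = (
    "Operators phished staff with lure documents. The implant then beaconed to "
    "hxxp://update-check[.]example[.]net:8443/ and 203[.]0[.]113[.]45 every hour. "
    "Stolen data was exfiltrated over DNS to badguy.example. The dropper hashes to "
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855."
)

# Hypothetical phrase table: the technique IDs are real ATT&CK IDs, the keyword sets are ours.
# It stands in for the claimed phrase-similarity match against ATT&CK technique nodes (S13).
ATTACK_TABLE = {
    "T1566": {"phish", "phished", "phishing", "lure"},
    "T1071": {"beacon", "beaconed", "beacons", "c2", "callback"},
    "T1048": {"exfiltrate", "exfiltrated", "exfiltration"},
}

# S11 candidate-indicator patterns; the domain pattern also matches the host inside a URL,
# so a URL indicator and its host both appear in the output (the usual IoC practice).
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}(?:\[\.\]|\.)){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "url": re.compile(r"\b(?:hxxps?|https?)://\S+", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z]{2,}\b", re.I),
}
WINDOW = 4  # tokens on each side of the indicator (our choice for the S13 context window)


def refang(value):
    """S11 format normalisation: undo common defanging and drop trailing punctuation."""
    v = value.replace("[.]", ".").replace("(.)", ".")
    v = re.sub(r"^hxxp", "http", v, flags=re.I)
    return v.rstrip(".,;:")


def _valid(kind, value):
    """Reject regex hits that are not real indicators (e.g. 999.1.1.1 is not an address)."""
    if kind == "ipv4":
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            return False
    return True


def _labels(tokens, i):
    """S13: match the words around token i against the technique keyword table."""
    window = tokens[max(0, i - WINDOW):i] + tokens[i + 1:i + 1 + WINDOW]
    words = {t.group(0).lower().strip(".,;:()\"'") for t in window}
    return tuple(tid for tid, kws in ATTACK_TABLE.items() if kws & words)


def build_triplets(text):
    """S1 output: sorted, de-duplicated (indicator, type, technique_ids) triplets."""
    triplets = {}
    for sent in re.split(r"(?<=[.!?])\s+(?=[A-Z])", text):
        tokens = list(re.finditer(r"\S+", sent))
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(sent):
                value = refang(m.group(0))
                if not _valid(kind, value):
                    continue
                # token that contains the match, so the window never crosses a sentence
                i = next(k for k, t in enumerate(tokens) if t.start() <= m.start() < t.end())
                key = (value, kind)
                triplets[key] = tuple(sorted(set(triplets.get(key, ())) | set(_labels(tokens, i))))
    return sorted((v, k, labels) for (v, k), labels in triplets.items())


if __name__ == "__main__":
    for value, kind, labels in build_triplets(REPORT):
        print(f"{kind:7} {value:45} {','.join(labels) or '-'}")
```

Two things the sketch makes visible that the claim only implies: the hash in the last sentence has no verb phrase nearby, so it enters the triplet set without a technique label and must be carried as an indicator only, and the window is bounded by the sentence so that the "exfiltrated" in one sentence cannot label the C2 address in the previous one.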
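As an added example of the S22/S23 trust scoring in claim 3 (our code, not the patent's), the block below scores three constructed candidate rules: the context relevance score is taken as whether the blocked destination occurs in the intelligence triplets, the logical consistency score comes from overlap-based conflict detection against an existing rule set, and the source reliability score is deducted for feeds on the pollution isolation list. The weights, the two thresholds, the isolation penalty, the rule format and all sample data are assumptions; the candidate rules are written out by hand in place of the decoder output of S21.

```python
import ipaddress

# Assumed parameters, not values from the patent.
LOW_ACCEPT, HIGH_REJECT = 0.4, 0.8            # S23 thresholds
WEIGHTS = {"context": 0.4, "logic": 0.3, "source": 0.3}
ISOLATION_PENALTY = 0.5                       # deducted from a feed on the isolation list

# Constructed data (RFC 5737 test ranges). INDICATORS is the destination set from S1.
INDICATORS = {"203.0.113.45", "198.51.100.7", "update-check.example.net"}
EXISTING = [   # current firewall policy
    {"src": "10.0.0.0/8", "dst": "198.51.100.0/24", "proto": "tcp", "action": "allow"},  # partner link
    {"src": "0.0.0.0/0", "dst": "192.0.2.0/24", "proto": "any", "action": "block"},
]
CANDIDATES = [  # stand-ins for S21 decoder output; r3 blocks an address no intel mentions
    {"id": "r1", "src": "0.0.0.0/0", "dst": "203.0.113.45/32", "proto": "tcp", "action": "block", "source": "feedA"},
    {"id": "r2", "src": "0.0.0.0/0", "dst": "198.51.100.7/32", "proto": "tcp", "action": "block", "source": "feedA"},
    {"id": "r3", "src": "0.0.0.0/0", "dst": "192.0.2.99/32", "proto": "udp", "action": "block", "source": "feedB"},
]
BASE_RELIABILITY = {"feedA": 0.9, "feedB": 0.8}
ISOLATION_LIST = {"feedB"}


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def _overlaps(existing, cand):
    """True when the existing rule's (src, dst, proto) space intersects the candidate's."""
    protos = {existing["proto"], cand["proto"]}
    proto_ok = len(protos) == 1 or "any" in protos
    return (proto_ok
            and _net(existing["src"]).overlaps(_net(cand["src"]))
            and _net(existing["dst"]).overlaps(_net(cand["dst"])))


def context_score(cand, indicators):
    """S22 context relevance (assumed form): is the blocked destination in the intelligence?"""
    return 1.0 if cand["dst"].split("/")[0] in indicators else 0.0


def logic_score(cand, existing_rules):
    """S22 conflict detection: opposite action on overlapping traffic is a conflict (0.0),
    same action on overlapping traffic is redundant (0.5), otherwise consistent (1.0)."""
    score = 1.0
    for ex in existing_rules:
        if _overlaps(ex, cand):
            score = min(score, 0.0 if ex["action"] != cand["action"] else 0.5)
    return score


def source_score(cand, base_reliability, isolation_list):
    """S22 source reliability with the isolation-list deduction."""
    base = base_reliability.get(cand["source"], 0.5)
    if cand["source"] in isolation_list:
        base -= ISOLATION_PENALTY
    return max(0.0, base)


def trust_score(cand, indicators, existing_rules, base_reliability, isolation_list):
    parts = {"context": context_score(cand, indicators),
             "logic": logic_score(cand, existing_rules),
             "source": source_score(cand, base_reliability, isolation_list)}
    return round(sum(WEIGHTS[k] * v for k, v in parts.items()), 4)


def triage(candidates, indicators, existing_rules, base_reliability, isolation_list):
    """S23: intercepted phantom rules vs. the set handed to shadow-domain verification."""
    phantom, to_verify = [], []
    for c in candidates:
        s = trust_score(c, indicators, existing_rules, base_reliability, isolation_list)
        tier = "phantom" if s < LOW_ACCEPT else ("high" if s > HIGH_REJECT else "low")
        (phantom if tier == "phantom" else to_verify).append({**c, "trust": s, "tier": tier})
    return phantom, to_verify


if __name__ == "__main__":
    for bucket, rules in zip(("intercepted", "to verify"), triage(CANDIDATES, INDICATORS, EXISTING, BASE_RELIABILITY, ISOLATION_LIST)):
        for r in rules:
            print(f"{bucket:12} {r['id']} trust={r['trust']} tier={r['tier']}")
```

The three candidates exercise the three outcomes of S23: r1 is grounded in the intelligence, conflicts with nothing and comes from a trusted feed, so it is a high-trust rule; r2 is grounded but contradicts an existing allow for the partner range, so it is kept only as a low-trust rule that must survive the shadow domain; r3 blocks an address that no triplet mentions and comes from a quarantined feed, so it falls below the acceptance threshold and goes to the intercepted-rule log without ever touching traffic.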
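As an added example covering claims 4 to 6 (our code, not the patent's; the page does not reproduce the claim 6 formula, so the coefficient update below is an illustrative instantiation built only from the quantities claim 6 lists), the block scores candidate rules from a constructed shadow-channel log (S33), splits them into valid and invalid sets, builds the node-to-rule dependency graph from provenance recorded at generation time (S41), updates the pollution coefficients (S42) and derives the isolation list by node type (S43). The ground-truth label on each mirrored flow, the hourly-slot idle-time ratio, the node ages and every threshold and constant are assumptions. One caveat a deployer should note: taken literally, multiplying accuracy by the idle-time ratio favours rules that fire rarely, and a rule that never fires has undefined accuracy; the example treats that case as accuracy 0 so the rule lands in the invalid set rather than passing by default.

```python
import math
from collections import defaultdict

# Assumed parameters (not from the patent).
VERIFY_THRESHOLD = 0.5
POLLUTION_THRESHOLD = 1.0
ETA, LAMBDA = 0.5, 0.05      # step-size and time-attenuation coefficients of claim 6
PERIOD_SLOTS = 24            # verification period bucketed into hourly slots

# Constructed shadow-channel log: one entry per mirrored flow that a candidate rule blocked
# and the production channel did not. 'malicious' is an assumed ground-truth label
# (e.g. from the matched indicator or later incident review); 'slot' is the hour.
SHADOW_LOG = [
    {"rule": "r1", "slot": 3, "malicious": True},
    {"rule": "r1", "slot": 9, "malicious": True},
    {"rule": "r1", "slot": 17, "malicious": True},
    {"rule": "r2", "slot": 1, "malicious": False},   # blocked legitimate partner traffic
    {"rule": "r2", "slot": 2, "malicious": False},
    {"rule": "r2", "slot": 5, "malicious": True},
    {"rule": "r4", "slot": 8, "malicious": False},
]
CANDIDATE_IDS = ["r1", "r2", "r4", "r5"]         # r5 never fired during the period

# S41 provenance recorded when each rule was generated: feed, model instance, training batch.
PROVENANCE = {
    "r1": {"source": "feedA", "model": "m-2", "batch": "b-07"},
    "r2": {"source": "feedA", "model": "m-2", "batch": "b-09"},
    "r4": {"source": "feedC", "model": "m-2", "batch": "b-09"},
    "r5": {"source": "feedC", "model": "m-1", "batch": "b-09"},
}
NODE_AGE_DAYS = {"feedA": 120, "feedC": 3, "m-1": 60, "m-2": 10, "b-07": 40, "b-09": 2}


def verification_scores(log, rule_ids, slots=PERIOD_SLOTS):
    """S33: blocking accuracy multiplied by idle-time ratio, per candidate rule."""
    hits = defaultdict(lambda: {"ok": 0, "bad": 0, "slots": set()})
    for e in log:
        h = hits[e["rule"]]
        h["ok" if e["malicious"] else "bad"] += 1
        h["slots"].add(e["slot"])
    scores = {}
    for r in rule_ids:
        h = hits[r]
        total = h["ok"] + h["bad"]
        accuracy = h["ok"] / total if total else 0.0   # never fired: undefined, treated as 0
        idle = 1 - len(h["slots"]) / slots
        scores[r] = round(accuracy * idle, 4)
    return scores


def split_rules(scores, threshold=VERIFY_THRESHOLD):
    """S33: valid rules exceed the threshold; everything else is invalid."""
    valid = sorted(r for r, s in scores.items() if s > threshold)
    invalid = sorted(r for r, s in scores.items() if s <= threshold)
    return valid, invalid


def dependency_graph(invalid, provenance):
    """S41: directed edges node -> invalid rule, keyed by (node type, node id)."""
    graph = defaultdict(list)
    for r in invalid:
        for kind, node in provenance[r].items():
            graph[(kind, node)].append(r)
    return graph


def update_pollution(graph, current, ages, eta=ETA, lam=LAMBDA):
    """S42 with an illustrative update of our own (not the patent's formula):
    increment = eta * |R_v| * exp(-lam * age_days) * (1 + |R_v| / N_total),
    where R_v are the invalid rules reached through node v and N_total is the
    number of distinct invalid rules, so frequent generators are penalised extra."""
    n_total = max(1, len({r for rs in graph.values() for r in rs}))
    updated = dict(current)
    for (kind, node), rules in graph.items():
        k = len(rules)
        inc = eta * k * math.exp(-lam * ages.get(node, 0)) * (1 + k / n_total)
        updated[node] = round(updated.get(node, 0.0) + inc, 4)
    return updated


def isolation_list(graph, pollution, threshold=POLLUTION_THRESHOLD):
    """S43: nodes over the threshold, bucketed by node type and merged into one list."""
    out = {"source": [], "model": [], "batch": []}
    for kind, node in graph:
        if pollution.get(node, 0.0) > threshold:
            out[kind].append(node)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    scores = verification_scores(SHADOW_LOG, CANDIDATE_IDS)
    valid, invalid = split_rules(scores)
    graph = dependency_graph(invalid, PROVENANCE)
    pollution = update_pollution(graph, {}, NODE_AGE_DAYS)
    print("scores:", scores, "\nvalid:", valid, "invalid:", invalid)
    print("pollution:", pollution, "\nisolation:", isolation_list(graph, pollution))
```

On this data feedA is not isolated even though it contributed to r2: it is an old, otherwise reliable feed and the decay term keeps its increment small, whereas the two-day-old training batch b-09 that fed all three invalid rules crosses the threshold at once. That is the behaviour the claim is after: the quarantine lands on the upstream node that actually explains the cluster of bad rules, and the isolation list then feeds back into both the S22 source-reliability deduction and the S5 sample cleaning.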
Description
Self-adaptive firewall rule generation method and device based on real-time threat information
Technical Field
The invention relates to the technical field of digital information transmission security, and in particular to a method and a device for generating self-adaptive firewall rules based on real-time threat intelligence.
Background
As attack techniques keep evolving and threat forms iterate rapidly, traditional firewalls built on a static rule base struggle to cope with complex and changing network environments. To improve the timeliness and accuracy of the defensive response, the network security field has begun to apply artificial intelligence to the dynamic generation of firewall rules. Using a large language model to analyse threat intelligence text semantically and automatically generate the corresponding blocking rules has become an important direction for self-adaptive firewall technology. Such methods parse the attack indicators and attack technique descriptions in the intelligence text in order to translate unstructured threat intelligence into machine-executable firewall policy, shortening the time from threat discovery to rule activation. However, the existing large-language-model-based firewall rule generation methods have significant defects in practice. Because a large language model generates its output by probabilistic prediction, that output is inherently uncertain, and when generating complex firewall rules the model may 'hallucinate', that is, produce rule content that looks logically complete but does not match the facts or deviates semantically.
More seriously, if such erroneous, hallucinated rules are not identified and intercepted, not only may the firewall policy be rendered ineffective or legitimate services blocked by mistake, but the rules also become erroneous samples in the system's subsequent learning. As the adaptive system keeps running, the erroneous rules enter the model optimisation loop, the model reinforces itself along a wrong optimisation path, hallucinations propagate and accumulate, and the reliability of the whole rule generation system deteriorates continuously.
Disclosure of Invention
In view of the above, the invention aims to provide a self-adaptive firewall rule generation method based on real-time threat intelligence that effectively breaks the hallucination propagation chain and keeps the rule generation process stable and reliable in the long term. The invention adopts the following scheme. In a first aspect, the invention provides a method for generating firewall rules based on real-time threat intelligence, comprising the steps of: S1, performing semantic analysis on intelligence text from a plurality of threat intelligence sources accessed in real time, extracting the attack indicators, attack patterns and attack technique/tactic labels in the text, and generating an intelligence triplet set and an attack technique/tactic label set; S2, on the basis of the intelligence triplet set and the technique/tactic label set, calling a preset second language model to generate candidate rules targeting the attack indicators, scoring the trust of each candidate rule, dividing the candidate rules into high-risk hallucinated rules and a rule set to be verified, and storing the high-risk hallucinated rules in an intercepted-rule log, the second language model being a dedicated language model for scoring the reliability of large-language-model output; S3, constructing a digital-twin shadow subdomain from the existing rule set obtained from the current network environment configuration, deploying the rule set to be verified into the shadow subdomain, superimposing it on the existing rule set, running the superimposed rule set on real-time mirrored traffic, and dividing the rule set to be verified into a valid rule set and an invalid rule set according to the blocking accuracy and idle time of each rule during the run; S4, constructing a rule dependency graph from the invalid rule set, tracing back along the graph the intelligence source nodes, model instance nodes and training sample nodes that took part in generating the invalid rules, updating the pollution coefficients of the traced nodes, and adding nodes whose pollution coefficient exceeds a preset pollution threshold to a pollution isolation list; and S5, screening the historical training samples of the second language model on the basis of the pollution isolation list and the intercepted-rule log, calculating and identifying a