CN-122020312-A - Asset fingerprint dynamic evolution and intelligent classification prediction method based on large model
Abstract
The invention provides a large model-based asset fingerprint dynamic evolution and intelligent classification prediction method, which relates to the field of network security. The method comprises: obtaining observation data of a target asset over a continuous time period; extracting a state evolution sequence; constructing an evolution reachability knowledge base using a large model; executing reverse state matching and deviation analysis; identifying external intervention events; and finally determining the asset origin category and generating an isolation strategy. The invention can improve asset classification precision, identify abnormal state transitions in a timely manner, and effectively cope with asset disguise attacks.
Inventors
- SHI LEI
- LEI XUE
- LI RUI
- LI DONG
Assignees
- 北京禹宏信安科技有限公司
Dates
- Publication Date: 20260512
- Application Date: 20260203
Claims (9)
- 1. The asset fingerprint dynamic evolution and intelligent classification prediction method based on the large model is characterized by comprising the following steps of: acquiring observation data of a target asset in a continuous time period, extracting asset characteristic states at different time points, and organizing the asset characteristic states into an asset fingerprint evolution sequence according to time sequence; Inputting historical evolution data of known category assets into a large model, extracting state conversion rules and conversion pre-conditions of each asset category, and constructing an evolution reachability knowledge base; Starting from the terminal characteristic state of the asset fingerprint evolution sequence, performing reverse state matching according to a state conversion rule, and backtracking layer by layer to generate a candidate origin path set; Extracting characteristic change of each state transition in the asset fingerprint evolution sequence, checking the characteristic change with a transition precondition at a corresponding position in the candidate origin path set, calculating the deviation degree of the characteristic change and the transition precondition, and generating a deviation distribution diagram; Identifying state transition nodes corresponding to deviation peaks from the deviation distribution diagram, calculating semantic transition vectors among the state transition nodes, and inputting the semantic transition vectors into a large model to identify external intervention event types; Calculating a deviation accumulation value for each path in the candidate origin path set, selecting a path with the smallest accumulation value, extracting an asset class corresponding to the initial state of the path as an origin class judgment result, generating an isolation strategy according to the origin class judgment result and the external intervention event type, and transmitting the isolation strategy to an asset management system.
- 2. The method of claim 1, wherein obtaining observed data of the target asset over a continuous period of time, extracting asset signature states at different points in time, and chronologically organizing the asset fingerprint evolution sequence comprises: Collecting target asset operation data, performing recursive traversal to extract a calling link point identifier and a time stamp, generating an asset initial observation sequence, calculating a calling depth value based on the asset initial observation sequence, and constructing an asset feature matrix; counting node calling intervals according to timestamp information in the asset feature matrix, calculating node weight coefficients, and combining calling depth values and the node weight coefficients to generate an asset behavior feature map; Performing matrix decomposition operation on the asset behavior feature graph to obtain feature vectors, calculating node connectivity values based on the feature vectors, and setting a segmentation threshold to divide asset feature graphs according to the node connectivity values; mapping node features in the asset feature subgraph to a vector space to obtain asset state vectors, calculating Euclidean distances between the asset state vectors at adjacent moments, constructing a state transition probability matrix, and calculating a state evolution direction vector by using the state transition probability matrix; Determining state transition time according to the state evolution direction vector judgment direction change point position, dividing a steady state interval based on the state transition time, and generating an asset fingerprint evolution sequence by organizing asset states in the steady state interval according to time sequence.
- 3. The method of claim 1, wherein inputting historical evolution data of assets of known categories into a large model, extracting state transition rules and transition preconditions for each asset category, and constructing an evolution reachability knowledge base comprises: Collecting historical evolution data of known category assets, extracting asset state characteristic values from the historical evolution data, calculating adjacent state characteristic value difference values to generate a state difference sequence, and grouping asset states according to categories based on the state difference sequence to construct a category evolution sequence; calculating the length of a division window according to the state difference sequence, dividing the observation window of the category evolution sequence by using the length of the division window, calculating the state change quantity in the observation window, determining a state transition point, and extracting the state data before and after the transition based on the state transition point to form a state transition sequence; Inputting the state conversion sequence into a large model to extract a call chain structure, calculating node call relation weight from the call chain structure, and generating a conversion pre-condition according to the node weight; clustering the feature similarity calculated by the state transition sequence, identifying a state transition path from the clustering result, calculating the probability of the transition path, and combining the transition path and the probability to form a state transition rule; Identifying continuous conversion links in the state conversion rules, calculating the node association degree of the links, generating conversion execution sequences according to the association degree, and combining the conversion links, the conversion preconditions and the conversion execution sequences to construct evolution rules; and storing the evolution rules in groups according to asset categories, constructing an evolution rule mapping relation based on the grouping result, and constructing an asset evolution reachability knowledge base by utilizing the evolution rule mapping relation.
- 4. The method of claim 1, wherein starting from an end feature state of the asset fingerprint evolution sequence, performing reverse state matching according to a state transition rule, generating a set of candidate origin paths by layer backtracking comprises: Extracting an end feature vector from the end feature state of the asset fingerprint evolution sequence, comparing the end feature vector with a target state in a state conversion rule to calculate similarity, screening the state conversion rule that the similarity meets a preset similarity threshold, and extracting a conversion constraint condition from the state conversion rule; constructing a state query condition based on the conversion constraint condition, retrieving a history state conforming to the constraint condition in the asset fingerprint evolution sequence, calculating the distance between the history state and the terminal feature vector, and selecting the history state closest to the history state as a current layer backtracking state; Performing feature decomposition on the current layer backtracking state, extracting state feature components, calculating a state feature component change rule, determining a state change direction, and constructing a current layer transition sequence; Performing rule verification on the current layer state transition sequence and the state transition rule, calculating rule matching degree, selecting a sequence with the rule matching degree exceeding a preset matching threshold as a current layer effective transition path, calculating transition probability for the current layer effective transition path, and repeatedly executing a backtracking step until a preset backtracking layer number is reached by taking the current layer backtracking state as a new terminal characteristic state; Detecting branch positions in all hierarchical transfer paths, calculating the association strength among the branch paths, identifying path convergence positions, grouping the multi-layer transfer paths based on the path convergence positions, and generating a candidate origin path set.
- 5. The method of claim 1, wherein extracting the feature variation for each state transition in the asset fingerprint evolution sequence, verifying with a transition precondition for a corresponding location in the candidate set of origin paths, calculating a degree of deviation of the feature variation from the transition precondition, and generating the deviation profile comprises: extracting feature variation between adjacent states from the asset fingerprint evolution sequence, constructing a state transition feature matrix, performing time sequence decomposition on the state transition feature matrix, and separating to obtain a periodic component and a variation component; extracting periodic conversion characteristics from periodic components, extracting conversion change characteristics from change components, and combining the periodic conversion characteristics and the conversion change characteristics to construct a state conversion sequence; extracting a state conversion position from the candidate origin path set, acquiring a conversion pre-condition corresponding to the conversion position, and executing normalization processing to acquire a normalization condition value; constructing a precondition matrix according to the conversion position by the normalized condition values, executing feature decomposition on the precondition matrix, extracting precondition features, and constructing a precondition sequence based on the precondition features; Performing feature mapping on the state conversion sequence and the pre-condition sequence, obtaining feature mapping vectors, calculating deviation values among the feature mapping vectors, constructing a feature deviation matrix, extracting main deviation features from the feature deviation matrix, and constructing deviation distribution data; and performing density calculation on the deviation distribution data, obtaining a density distribution value, constructing a distribution curve according to the density distribution value, mapping the distribution curve to a coordinate plane, and generating a deviation distribution map.
- 6. The method of claim 1, wherein identifying state transition nodes from the deviation profile corresponding to the deviation peaks, calculating semantic transition vectors between the state transition nodes, and inputting the semantic transition vectors into the large model to identify external intervention event types comprises: Performing region segmentation on the deviation distribution map to obtain segmented regions, extracting deviation peak point positions in the segmented regions, and mapping the peak point positions to a state transition sequence to obtain state transition nodes; Calculating characteristic differences between adjacent nodes according to the state conversion nodes, constructing a node difference matrix, and extracting a change path between the nodes based on the node difference matrix; Carrying out semantic decomposition on the inter-node change paths to extract semantic basic units, and calculating the inter-node semantic association strength according to the semantic basic units to generate semantic transition vectors; Inputting the semantic transition vector into a large model coding layer to obtain semantic structure features, inputting the semantic structure features into an attention layer to calculate feature weight vectors, and combining the feature weight vectors with the semantic structure features to generate event semantic representation; and calculating an event similarity matrix based on the event semantic representation, performing cluster analysis on the event similarity matrix to obtain an event clustering result, and identifying the external intervention event type according to the event clustering result.
- 7. The method of claim 1, wherein calculating an accumulated value of deviation for each path in the set of candidate originating paths, selecting a path with a smallest accumulated value, extracting an asset class corresponding to an initial state of the path as an originating class determination result, generating an isolation policy according to the originating class determination result and an external intervention event type, and issuing the isolation policy to the asset management system comprises: Acquiring a state transition sequence from a candidate origin path set, constructing a deviation propagation network for the state transition sequence, calculating node deviation values in the deviation propagation network, extracting propagation characteristics among nodes, constructing a node weight sequence, and generating a candidate path set according to the node weight sequence; calculating a deviation accumulation value for paths in the candidate path set, generating an accumulated deviation sequence, generating a path propagation matrix based on the accumulated deviation sequence, screening paths with minimum deviation accumulation values from the path propagation matrix, and extracting corresponding initial nodes; Acquiring an asset identifier from a starting node, inquiring an asset attribute library through the asset identifier to acquire an asset category as an origin category judging result, generating an asset control sequence according to the origin category judging result, marking an asset affected by an external intervention event in the asset control sequence, determining an isolation boundary based on the affected asset, and dividing an isolation region; and extracting asset identification from the isolation region to construct an isolation group, generating an isolation strategy according to the isolation group, converting the isolation strategy into a management instruction, and issuing the management instruction to an asset management system through a system interface.
- 8. An electronic device, comprising: A processor; A memory for storing processor-executable instructions; Wherein the processor is configured to invoke the instructions stored in the memory to perform the method of any of claims 1 to 7.
- 9. A computer readable storage medium having stored thereon computer program instructions, which when executed by a processor, implement the method of any of claims 1 to 7.
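The core of claim 1 (reverse state matching from the terminal state, per-transition deviation, and selection of the minimum cumulative deviation path) can be sketched as follows. This is an added illustration, not code from the patent: the rule table, state names, feature vector and Euclidean deviation metric are all assumptions, and a hand-written rule table stands in for the rules the claims have a large model extract.

```python
import math

# Constructed knowledge base (assumption): per asset category, each rule maps
# (previous_state, next_state) to the feature delta a legitimate transition is
# expected to produce. Feature vector: (open_ports, firmware_major, tls_enabled).
RULES = {
    "ip_camera": {
        ("cam_factory", "cam_patched"): (0, 1, 0),
        ("cam_patched", "https_endpoint"): (1, 0, 1),
    },
    "web_server": {
        ("srv_base", "srv_hardened"): (-2, 0, 0),
        ("srv_hardened", "https_endpoint"): (1, 0, 1),
    },
}

# Constructed observations of one asset at three points in time.
OBSERVED = [(3, 1, 0), (3, 2, 0), (9, 2, 1)]

def candidate_origin_paths(terminal_state, depth):
    """Reverse state matching: walk the rules backwards from the terminal state."""
    paths = []

    def backtrack(category, state, chain):
        if len(chain) == depth:
            paths.append((category, chain))
            return
        for (prev, nxt), expected in RULES[category].items():
            if nxt == state:
                backtrack(category, prev, [((prev, nxt), expected)] + chain)

    for category in RULES:
        backtrack(category, terminal_state, [])
    return paths

def classify_origin(sequence, terminal_state):
    """Pick the candidate path with the smallest cumulative deviation."""
    if len(sequence) < 2:
        return None  # no transition observed, nothing to check
    deltas = [tuple(b - a for a, b in zip(s, t))
              for s, t in zip(sequence, sequence[1:])]
    scored = []
    for category, chain in candidate_origin_paths(terminal_state, len(deltas)):
        # Deviation per transition: distance between observed and expected delta.
        profile = [math.dist(obs, exp) for obs, (_, exp) in zip(deltas, chain)]
        scored.append((sum(profile), category, chain, profile))
    if not scored:
        return None  # terminal state is not reachable under any known category
    total, category, chain, profile = min(scored, key=lambda s: s[0])
    peak = max(range(len(profile)), key=profile.__getitem__)
    return {
        "origin_category": category,
        "origin_state": chain[0][0][0],
        "cumulative_deviation": total,
        "peak_transition": chain[peak][0],  # candidate external intervention
        "peak_deviation": profile[peak],
    }

if __name__ == "__main__":
    print(classify_origin(OBSERVED, "https_endpoint"))
```

In the constructed data the asset ends in a state both categories can reach, but its first transition fits only the camera lineage, and the deviation peak falls on the final transition, where six ports opened instead of the expected one.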
Description
Asset fingerprint dynamic evolution and intelligent classification prediction method based on large model
Technical Field
The invention relates to network security technology, and in particular to an asset fingerprint dynamic evolution and intelligent classification prediction method based on a large model.
Background
As digital transformation advances, enterprises and organizations hold assets of increasingly large scale and variety, and managing and protecting these assets effectively has become an important challenge in the field of network security. An asset fingerprint is a digital representation of an asset's characteristics, containing key data such as the asset's configuration information, behavioral characteristics, and operational status. Traditional asset management methods rely mainly on static scanning and fixed rules to classify and manage assets, and are difficult to adapt to the dynamic changes of asset states in modern network environments. With the wide application of Internet of Things devices, cloud services and virtualization technologies, the life cycle and state transitions of assets have become more complex, and asset fingerprints also exhibit dynamic evolution characteristics.
Traditional asset classification methods are mainly based on static feature analysis and ignore how the asset state evolves over time. They cannot capture the state transition rules and evolution trends of an asset at different points in time, so classification accuracy drops markedly in a dynamically changing network environment. In particular, after an asset undergoes operations such as a configuration change, a function upgrade or a security patch update, its fingerprint characteristics can change significantly, which invalidates classification methods based on static features.
Existing asset classification technology lacks the capability to identify and analyze external intervention events, and cannot distinguish state changes caused by the natural evolution of an asset from those caused by human intervention. In a real network environment, asset state changes may come from normal software updates, but may also originate from malicious attacks or illegal tampering; the prior art has difficulty accurately identifying these different types of external intervention and cannot provide effective decision support for security management. The prior art also generally lacks the capability to backtrack and predict an evolution trajectory, and cannot infer the original category of an asset or predict its possible future evolution direction based on historical data. This limitation makes it difficult for a security management system to effectively monitor and manage the complete life cycle of an asset, and to protect against abnormal changes in asset status in a timely and effective manner, which increases the complexity and risk of network security management.
Disclosure of Invention
The embodiment of the invention provides an asset fingerprint dynamic evolution and intelligent classification prediction method based on a large model, which can solve the problems in the prior art.
In a first aspect of the embodiment of the present invention, an asset fingerprint dynamic evolution and intelligent classification prediction method based on a large model is provided, including:
- Acquiring observation data of a target asset in a continuous time period, extracting asset characteristic states at different time points, and organizing the asset characteristic states into an asset fingerprint evolution sequence according to time sequence;
- Inputting historical evolution data of known category assets into a large model, extracting state conversion rules and conversion pre-conditions of each asset category, and constructing an evolution reachability knowledge base;
- Starting from the terminal characteristic state of the asset fingerprint evolution sequence, performing reverse state matching according to a state conversion rule, and backtracking layer by layer to generate a candidate origin path set;
- Extracting characteristic change of each state transition in the asset fingerprint evolution sequence, checking the characteristic change with a transition precondition at a corresponding position in the candidate origin path set, calculating the deviation degree of the characteristic change and the transition precondition, and generating a deviation distribution diagram;
- Identifying state transition nodes corresponding to deviation peaks from the deviation distribution diagram, calculating semantic transition vectors among the state transition nodes, and inputting the semantic transition vectors into a large model to identify external intervention event types;
- Calculating a deviation accumulation value for each path in the candidate origin path set, selecting a path with the smallest accum