Search

CN-122021838-A - Novel multi-stage network threat detection and response method

CN122021838ACN 122021838 ACN122021838 ACN 122021838ACN-122021838-A

Abstract

The invention relates to a novel multi-stage network threat detection and response method, and belongs to the technical field of network security. The method comprises the steps of constructing a dynamic vector knowledge base, performing preliminary screening diagnosis, performing deep screening, performing double-track shunt on events based on screening results, performing automatic response treatment on the events by a large model and an intelligent body on one hand, performing cognition generation in a cognition generation path on the other hand, performing analysis and reasoning on the large model according to the events to generate a structured defense scheme, performing cognition closed-loop learning on the scheme, and integrating successful treatment cases into the knowledge base. The invention solves the problems of inflexibility of static semantics of the system and insufficient adaptability to new threat solutions when facing unknown threats, realizes novel network threat detection and response with high adaptability and robustness, and improves the detection capability and generalization of the novel threats.

Inventors

  • PU YANHONG
  • QU RUI
  • HAN LU
  • LIANG HAOYUAN
  • WANG SHILEI
  • MENG XIANGYAN
  • YANG CHUNPING
  • LI YABING
  • TAO TAO
  • SUN XIAOSHU
  • ZHU LIEHUANG
  • ZHOU YONGBIN
  • ZHANG YING
  • HU WENFEI

Assignees

  • 云南省大数据有限公司

Dates

Publication Date
20260512
Application Date
20260410

Claims (10)

  1. 1. A novel multi-stage cyber threat detection and response method, the method comprising the steps of: S1, constructing a dynamic vector knowledge base, namely continuously taking security data from a plurality of data sources, preprocessing the security data to generate a structured knowledge block, adopting an embedded model based on a Transformer architecture, converting the structured knowledge block into vectorization representation, and constructing a dynamic vector knowledge base; S2, performing preliminary screening diagnosis, namely preprocessing and vectorizing the security event to generate an event vector when a new security event is received, and calculating at least one similarity index to obtain a similarity score by comparing the event vector with vectorized representations in the vector knowledge base; S3, performing double-track shunting, namely routing the safety event to one of two preset paths according to the similarity score, namely routing the safety event to an automatic response path if the similarity score is higher than a first preset threshold value, and routing the safety event to a cognition generation path if the similarity score is lower than a second preset threshold value, wherein the first preset threshold value is not lower than the second preset threshold value; S4, performing cognition generation in the cognition generation path, namely analyzing and reasoning by utilizing a large language model and combining the security event and related context information retrieved from the vector knowledge base so as to generate a structured defense scheme; S5, realizing cognitive closed-loop learning, namely integrating knowledge representing a novel security event and a corresponding defense scheme after the defense scheme is successfully executed, and updating vectorized representation of the novel security event into the dynamic vector knowledge base for enabling a system to learn from the response and expanding cognitive ability of the system.
  2. 2. The multi-stage novel cyber threat detection and response method of claim 1, wherein the preliminary screening diagnosis in S2 comprises: Comparing the similarity score to a high confidence threshold for identifying known threats that directly match entries in the vector knowledge base; And comparing the similarity score with a semantic similarity threshold for identifying threat variants related to items in a vector knowledge base on an attack intent or technology core, wherein the high confidence threshold is the first preset threshold, the semantic similarity threshold is the second preset threshold, and the high confidence threshold is greater than the semantic similarity threshold.
  3. 3. The multi-stage novel cyber threat detection and response method of claim 1, wherein the cognitive generation in S4 comprises: The method comprises the steps of adopting a retrieval enhancement generation RAG technology, taking the event vector as a query, and carrying out semantic search in the vector knowledge base for retrieving a group of context knowledge blocks most relevant to the security event; And combining the original data of the security event with the retrieved context knowledge block into an enhanced hint, and submitting the hint to the large language model for processing.
  4. 4. A multi-stage novel cyber threat detection and response method according to claim 3 wherein the analysis and reasoning performed by the large language model simulates at least one of the following analysis methods: Behavior sequence analysis for understanding and reasoning the temporal and logical relationships between behaviors described in the event log to determine whether they conform to the tactics, techniques, and procedures TTPs of known attack organizations; The semantic-based statistical anomaly detection is used for judging whether the current event deviates from a normal behavior baseline or not by analyzing the retrieved context information; Heuristic association for applying logical rules condensed by security expert experience.
  5. 5. The multi-stage novel cyber threat detection and response method of claim 1, wherein the automated response path is performed by a multi-agent system comprising: An orchestration agent configured to receive the diversion decisions and decompose the macroscopic response objective into an ordered sequence of tasks; And at least one mobile agent configured to receive the task instructions from the orchestration agent and perform specific containment, eradication, or restoration operations through an interface with an external security tool.
  6. 6. The multi-stage novel cyber threat detection and response method of claim 5, wherein the orchestration agent determines the task sequence by modeling the response flow as a markov decision process MDP and solves an optimal strategy for minimizing expected losses and response costs, wherein the optimal strategy is obtained by solving bellman's optimal equation.
  7. 7. The multi-stage novel cyber threat detection and response method of claim 1, wherein the structured defense scheme generated in S4 is submitted to an audit by a human security expert before being executed and is authorized for execution only after approval by the human security expert is obtained; the triggering condition of the cognitive closed-loop learning in S5 is that the defending scheme is approved by the human security specialist, and the system confirms that the defending scheme is successfully executed in the actual environment and effectively suppresses the threat.
  8. 8. The multi-stage novel cyber threat detection and response method of claim 1, wherein the structured defense scheme generated in S5 is contained in a package further comprising natural language interpretations of the large language model reasoning process and a structured threat object defining the novel threat.
  9. 9. A multi-stage novel cyber threat detection and response system, comprising: one or more processors; and a memory having stored thereon computer executable instructions that, when executed by the one or more processors, cause the system to perform the multi-stage novel cyber threat detection and response method of any of claims 1 to 8.
  10. 10. The system of claim 9, wherein the instructions stored in the memory are organized into a plurality of functional modules, comprising: a knowledge base construction module configured to perform construction of the dynamic vector knowledge base; A split diagnostic module configured to perform the preliminary screening diagnosis and dual rail split; a cognition generation module configured to perform cognition generation in the cognition generation path; An automated response module configured to perform a response in the automated response path; and the cognitive learning module is configured to realize the cognitive closed-loop learning.

Description

Novel multi-stage network threat detection and response method Technical Field The invention relates to a novel multi-stage network threat detection and response method, and belongs to the technical field of network security. Background In the current increasingly complex network threat environment, existing computer network security defense systems are facing a serious crisis in the technical architecture level. The evolution of these systems, while undergoing three stages from first generation static signature matching-based, second generation association rule-based analysis to third generation machine learning anomaly detection, has its core technology logic trapped in a common, fundamental technological dilemma, namely the "passive recognition" paradigm. Specifically, the first generation of signature-based defense systems, which are technically essential to character string or pattern matching, are computationally inefficient and very vulnerable to failure in the face of polymorphic malware whose code structure can be easily changed. The second generation of systems represented by Security Information and Event Management (SIEM) platforms attempts to promote intelligence through association rule engines, but their knowledge bases rely on manual updates, with inherent knowledge hysteresis and logic stiffness problems. This not only slows down its reaction in front of new attack tactics, techniques and procedures (TTPs), but also, due to its broad rule design, creates massive alarm data, directly leading to huge waste of computing resources and catastrophic "alarm fatigue" problems for the Secure Operation Center (SOC). Industry reports show that 77% of organizations face a surge in alert quantity and 73% of security analysts feel professional burnout. The third generation machine learning-based system introduces the capability of automatic anomaly discovery, but has two core defects in technical implementation, namely firstly, the system cannot effectively distinguish 'statistics anomaly' from 'real malicious behavior' due to lack of deep semantic understanding of business and security context, so that the false alarm rate is high, and secondly, the 'black box' decision process lacks of interpretability, so that a security team is difficult to trust and effectively utilize analysis results of the security team. In summary, the fundamental shortcoming common to the prior art is that they all attempt to define and identify future, evolving cyber threats using a static or semi-static, past experience-based computational model. This architectural "semantic rigidity" results in the defenses being permanently at strategic disadvantage in technical betting with the continuously innovating aggressors. Therefore, a brand new technical solution is urgently needed in the industry to realize a revolutionary paradigm transition from 'passive recognition' to 'active recognition', so that the efficiency, accuracy and adaptability of the computer system in the aspect of network security defense are fundamentally improved. Disclosure of Invention Aiming at the technical problems existing in the prior art, namely the specific technical bottlenecks of insufficient adaptability, low calculation efficiency, saturated alarm processing capacity and the like of the traditional network security system when facing unknown threats due to the semantic rigidity and the passive identification technical paradigm, the invention provides a novel multi-stage network threat detection and response method, and aims to radically improve the functions of a computer security system by constructing a cognitive security architecture capable of autonomous learning and evolution. The technical scheme of the invention is that in a first aspect, the invention provides a novel multi-stage network threat detection and response method, which comprises the following steps: S1, constructing a dynamic vector knowledge base, namely continuously taking security data from a plurality of data sources, preprocessing the security data to generate a structured knowledge block, adopting an embedded model based on a Transformer architecture, converting the structured knowledge block into vectorization representation, and constructing a dynamic vector knowledge base; S2, performing preliminary screening diagnosis, namely preprocessing and vectorizing the security event to generate an event vector when a new security event is received, and calculating at least one similarity index to obtain a similarity score by comparing the event vector with vectorized representations in the vector knowledge base; S3, performing double-track shunting, namely routing the safety event to one of two preset paths according to the similarity score, namely routing the safety event to an automatic response path if the similarity score is higher than a first preset threshold value, and routing the safety event to a cognition generation path if the similarity score is lower than a second