CN-122021854-A - Industrial Internet vulnerability library establishment method
Abstract
The invention belongs to the technical field of industrial Internet security and relates to a method for building an industrial Internet vulnerability database. It addresses the shortcomings of existing vulnerability databases: low construction quality, weak traceability, insufficient capacity for continuous evolution and poor support for deep security applications. The method comprises: acquiring industrial Internet multi-source vulnerability data and external feedback data; extracting entities and relations from the multi-source data with a combination of rule-based extraction and a distantly supervised deep learning model to obtain an initial extraction result and an initial confidence score; refining the confidence scores by propagation over a graph convolutional network and partitioning the results by a dual threshold into a deterministic knowledge base and a review queue; parsing the external feedback on samples in the review queue into an immediate reward signal, with which a deep reinforcement learning agent optimizes the sampling strategy and the models are updated; and periodically extracting triples from the deterministic knowledge base to construct a knowledge graph and generating a version hash chain, which yields a structured vulnerability knowledge base with a version hash chain and confidence evaluation. The method achieves high-precision construction and dynamic optimization of the vulnerability database.
Inventors
- Men Jiaping
- ZHOU XIAOJUN
Assignees
- 北京中关村实验室
Dates
- Publication Date
- 20260512
- Application Date
- 20260414
Claims (10)
- 1. A method for building an industrial Internet vulnerability database, characterized by comprising the following steps: acquiring industrial Internet multi-source vulnerability data and external feedback data; extracting entities and relations from the multi-source vulnerability data with rule-based extraction and a distantly supervised deep learning model to obtain an initial extraction result and a corresponding initial confidence score; constructing the initial extraction result as a heterogeneous graph whose nodes comprise entity nodes and relation nodes and whose edges represent co-occurrence or semantic association, and propagating the confidence score of each node over the heterogeneous graph with a graph convolutional network to obtain an optimized confidence score; setting a dual threshold on the optimized confidence score, the dual threshold comprising a high threshold and a low threshold, such that extraction results above the high threshold are stored directly in a deterministic knowledge base and results between the two thresholds are sent to a review queue; acquiring external feedback data on the samples in the review queue, parsing the external feedback data into an immediate reward signal for reinforcement learning, learning a sampling strategy with a deep reinforcement learning network that dynamically outputs a sampling threshold, and selecting samples for review from newly acquired data according to the sampling threshold and adding them to the review queue; storing the samples that the external feedback data marks as passed in the deterministic knowledge base, periodically updating the distantly supervised deep learning model with the accumulated external feedback data, and periodically updating the deep reinforcement learning network from an experience replay buffer; and, at a set period, extracting newly added or updated triples from the deterministic knowledge base, constructing the knowledge graph of the current version, computing the Merkle root hash of the current version and linking it with the hash of the previous version to form a version hash chain, thereby obtaining a vulnerability knowledge base containing the version hash chain.
- 2. The method for building an industrial Internet vulnerability database according to claim 1, wherein propagating the confidence score of each node over the heterogeneous graph with the graph convolutional network to obtain the optimized confidence score comprises the following steps: taking the initial confidence score of each node as the node's input feature; stacking two graph convolution layers for iterative propagation, wherein each layer updates a node by aggregating the confidence scores of its neighbor nodes, weighting the aggregate with the inverse square root of the product of the two node degrees as the normalization factor, multiplying the weighted aggregate by a trainable parameter, adding a trainable bias and passing the result through a ReLU activation function to obtain the layer's output confidence score; and taking the confidence score output by the second layer as the optimized confidence score.
- 3. The method for building an industrial Internet vulnerability database according to claim 1 or 2, wherein the graph convolutional network is trained in an unsupervised manner; the loss function of the graph convolutional network comprises a graph smoothness term and a fidelity term, wherein the graph smoothness term is the sum of the squared differences between the optimized confidence scores of every pair of connected nodes, and the fidelity term is the sum over all nodes of the squared difference between the optimized and the initial confidence score, multiplied by a balance coefficient.
- 4. The method for building an industrial Internet vulnerability database according to claim 1, wherein the state space used by the deep reinforcement learning network when learning the sampling strategy comprises the average prediction entropy of the last batch of unlabeled samples, the F1 score of the model on the validation set, the normalized total number of labeled samples, the normalized length of the external feedback data, the normalized amount of data awaiting processing, and sine and cosine encodings of time features.
- 5. The method for building an industrial Internet vulnerability database according to claim 1, wherein the immediate reward signal is computed as follows: for each sample selected for review in the current round, if the external feedback marks it as passed, the reduction in model uncertainty obtained by adding the sample to the training set is added to the reward; if the external feedback marks it as failed, a preset erroneous-sample cost constant is subtracted from the reward; in either case the time taken to obtain the external feedback for the sample, multiplied by a time cost coefficient, is subtracted; and these three components over all selected samples are summed to obtain the immediate reward for the current round.
- 6. The method for building an industrial Internet vulnerability database according to claim 1, wherein extracting newly added or updated triples from the deterministic knowledge base at the set period and constructing the knowledge graph of the current version comprises the following steps: when each version build period arrives, querying the deterministic knowledge base for the records whose last-updated time field has changed since the previous version build, as incremental data; if a previous version exists, merging the incremental data with the full data of the previous version, with the incremental data overwriting the previous version's data for the same entity or relation; converting the merged data into node files and relationship files of a graph database; loading the files with the graph database's bulk import tool to generate a version named after the date of the build period; and storing the version number, build time and data-volume statistics as metadata in a metadata store.
- 7. The method for building an industrial Internet vulnerability database according to claim 1, wherein computing the Merkle root hash of the current version and linking it with the hash of the previous version to form the version hash chain specifically comprises the following steps: sorting all triples built in the current version period lexicographically by head entity ID string, then relation type string, then tail entity ID string; for each sorted triple, concatenating the head entity ID, relation type and tail entity ID into a string and computing its SHA-256 hash as the leaf node hash; if the number of leaf nodes is odd, duplicating the last leaf node to make it even, then concatenating the hashes of each pair of adjacent nodes and computing the SHA-256 hash of the concatenated string as the parent node hash, repeating level by level until a single root hash remains; obtaining the chain hash of the previous version, where for the first version the chain hash equals its root hash, and otherwise concatenating the previous version's chain hash with the current version's root hash and computing the SHA-256 hash of the concatenated string as the chain hash of the current version; and storing the root hash and chain hash of the current version in the version metadata of the vulnerability knowledge base.
- 8. The method of claim 1, wherein periodically updating the distantly supervised deep learning model with the accumulated external feedback data and periodically updating the deep reinforcement learning network from the experience replay buffer comprises the following steps: in each version build period, adding the newly acquired external feedback data to the labeled sample library and recording the accumulated number of new samples; triggering retraining of the distantly supervised deep learning model when the accumulated number of newly added labeled samples reaches a preset threshold; after retraining, evaluating the model on the validation set and, if its performance improves over the old model by more than a preset improvement threshold, deploying the new model in place of the old one; in each reinforcement learning update period, randomly sampling a batch of historical transitions from the experience replay buffer and updating the parameters of the deep reinforcement learning network according to the deep reinforcement learning algorithm; and updating the target network parameters once every preset number of steps.
- 9. The method for building an industrial Internet vulnerability database according to claim 1, further comprising an attack path analysis step after the vulnerability knowledge base containing the version hash chain has been obtained, specifically comprising the following steps: on the knowledge graph of the latest version, acquiring a user-designated set of start nodes and a set of end nodes; using breadth-first search, expanding outward from each start node layer by layer along relation edges and recording the path from the start node to the current node, until any end node is reached or the path length exceeds a preset maximum length threshold; for each complete path found, computing a risk score by multiplying together the Common Vulnerability Scoring System (CVSS) scores of all vulnerability nodes on the path to obtain a cumulative score and multiplying that cumulative score by the product of the weight coefficients of all relation edges on the path; and ranking all paths from highest to lowest risk score, returning the top N paths and displaying them visually.
- 10. The method for building an industrial Internet vulnerability database according to claim 1, further comprising, before entities and relations are extracted with rule-based extraction and the distantly supervised deep learning model, a step of building an industrial term lexicon, specifically comprising the following steps: deriving initial base entries from published industry standard dictionaries and existing knowledge bases, the initial base entries comprising vendor names, product series, model patterns and vulnerability types; tokenizing the collected vendor security advisories and vulnerability description texts, computing term frequencies and extracting frequently occurring proper nouns as candidate entries; matching the candidate entries against the base entries by similarity and screening out the new entries that are not yet recorded; after review and confirmation, adding the new entries to the industrial term lexicon and establishing synonym mappings; generating, from the model patterns in the industrial term lexicon, corresponding regular expression templates for subsequent rule-based extraction; and updating the industrial term lexicon synchronously in each version build period.
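The propagation of claims 2 and 3 and the dual-threshold split of claim 1, as an added example that is not code from the patent: a two-layer graph convolutional network with one scalar feature (the confidence) per node, symmetric degree normalization, ReLU, and unsupervised training on the smoothness-plus-fidelity loss. The toy graph, its node names, the self-loops in the adjacency, the finite-difference gradient descent and the handling of results below the low threshold (dropped) are all assumptions of this example, not statements from the claims.

```python
import math
from typing import List, Sequence, Tuple

Edge = Tuple[int, int]


def normalized_adjacency(n: int, edges: Sequence[Edge]) -> List[List[float]]:
    """Entry (i, j) is 1/sqrt(deg(i)*deg(j)) for every edge (claim 2's normalization).
    Self-loops are added so a node's own score stays in the aggregate (assumption)."""
    adj = [[0.0] * n for _ in range(n)]
    for i, j in edges:
        adj[i][j] = adj[j][i] = 1.0
    for i in range(n):
        adj[i][i] = 1.0
    deg = [sum(row) for row in adj]
    return [[adj[i][j] / math.sqrt(deg[i] * deg[j]) if adj[i][j] else 0.0
             for j in range(n)] for i in range(n)]


def gcn_forward(a_norm, c0: Sequence[float], params: Sequence[float]) -> List[float]:
    """Two stacked layers: h <- ReLU(w * (A_norm @ h) + b); the second layer's output
    is the optimized confidence."""
    w1, b1, w2, b2 = params
    h = list(c0)
    for w, b in ((w1, b1), (w2, b2)):
        agg = [sum(a_norm[i][j] * h[j] for j in range(len(h))) for i in range(len(h))]
        h = [max(0.0, w * x + b) for x in agg]
    return h


def unsupervised_loss(c, c0, edges, lam: float) -> float:
    """Claim 3: graph smoothness term plus lam times the fidelity term."""
    smooth = sum((c[i] - c[j]) ** 2 for i, j in edges)
    fidelity = sum((ci - c0i) ** 2 for ci, c0i in zip(c, c0))
    return smooth + lam * fidelity


def train(a_norm, c0, edges, lam=1.0, lr=0.005, steps=400) -> List[float]:
    """Gradient descent on the four scalar parameters; central finite differences
    stand in for backpropagation at this toy size (assumption)."""
    params = [1.0, 0.0, 1.0, 0.0]  # start as plain normalized averaging
    eps = 1e-6
    for _ in range(steps):
        grads = []
        for k in range(4):
            up, down = list(params), list(params)
            up[k] += eps
            down[k] -= eps
            grads.append((unsupervised_loss(gcn_forward(a_norm, c0, up), c0, edges, lam)
                          - unsupervised_loss(gcn_forward(a_norm, c0, down), c0, edges, lam))
                         / (2 * eps))
        params = [p - lr * g for p, g in zip(params, grads)]
    return params


def dual_threshold_split(names, conf, high, low):
    """Claim 1: above high -> deterministic KB; between the thresholds -> review queue.
    Results below the low threshold are not covered by the claim; dropped here (assumption)."""
    kb, review, dropped = [], [], []
    for name, c in zip(names, conf):
        (kb if c > high else review if c >= low else dropped).append(name)
    return kb, review, dropped


# Constructed toy heterogeneous graph: entity nodes and relation nodes, edges are
# co-occurrence within one source record. Names are placeholders, not real products.
NODES = ["vuln:V-1", "rel:affects(V-1,PLC-X)", "product:PLC-X",
         "rel:made_by(PLC-X,VendorA)", "vendor:VendorA",
         "vuln:V-2", "rel:affects(V-2,PLC-X)"]
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (5, 6), (6, 2)]
C0 = [0.90, 0.55, 0.85, 0.60, 0.95, 0.35, 0.20]  # initial extraction confidences


def run_example(high=0.8, low=0.4):
    a_norm = normalized_adjacency(len(NODES), EDGES)
    before = unsupervised_loss(gcn_forward(a_norm, C0, [1.0, 0.0, 1.0, 0.0]), C0, EDGES, 1.0)
    params = train(a_norm, C0, EDGES)
    optimized = gcn_forward(a_norm, C0, params)
    after = unsupervised_loss(optimized, C0, EDGES, 1.0)
    kb, review, dropped = dual_threshold_split(NODES, optimized, high, low)
    return {"loss_before": before, "loss_after": after, "optimized": optimized,
            "kb": kb, "review": review, "dropped": dropped}


if __name__ == "__main__":
    print(run_example())
```

The point of the fidelity term is visible in the loss: without it the minimum is a constant confidence for every node (smoothness zero), which would push every extraction into the same bucket; with it the propagated scores stay anchored to what the extractors reported while connected nodes are pulled together.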
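The version hash chain of claim 7, with the version metadata of claim 6, as an added example that is not the patent's code: sorted triples, SHA-256 leaves, odd levels padded by duplicating the last node, chain hash equal to the root for the first version and SHA-256(previous chain || current root) afterwards, plus a verifier that recomputes every version. The tab separator inside a leaf, the hash of the empty string for an empty version and the sample triples are assumptions of this example; the claim only says the three fields are concatenated.

```python
import hashlib
from typing import Dict, Iterable, List, Optional, Tuple

Triple = Tuple[str, str, str]  # (head entity ID, relation type, tail entity ID)


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def leaf_hashes(triples: Iterable[Triple]) -> List[str]:
    """Lexicographic sort on (head, relation, tail), one SHA-256 leaf per triple.
    The "\t" separator is an assumption: with bare concatenation ("ab","c","d") and
    ("a","bc","d") would hash to the same leaf."""
    return [sha256_hex("\t".join(t)) for t in sorted(set(triples))]


def merkle_root(leaves: List[str]) -> str:
    """Pairwise SHA-256 of concatenated hex digests, duplicating the last node on odd levels."""
    if not leaves:
        return sha256_hex("")  # assumption: an empty version hashes the empty string
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        level = [sha256_hex(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def chain_hash(prev_chain: Optional[str], root: str) -> str:
    """First version: chain hash equals root hash; afterwards SHA-256(prev_chain || root)."""
    return root if prev_chain is None else sha256_hex(prev_chain + root)


def build_version(version: str, triples: Iterable[Triple], prev: Optional[Dict]) -> Dict:
    """Metadata record as claims 6 and 7 store it: name, triple count, root hash, chain hash."""
    leaves = leaf_hashes(triples)
    root = merkle_root(leaves)
    return {"version": version, "triple_count": len(leaves), "root": root,
            "chain": chain_hash(prev["chain"] if prev else None, root)}


def verify_chain(records: List[Dict], snapshots: List[List[Triple]]) -> bool:
    """Recompute every version from its stored triples and compare with the metadata.
    Editing, inserting or removing a triple in any past version changes that version's
    root and therefore every later chain hash."""
    prev_chain = None
    for rec, triples in zip(records, snapshots):
        leaves = leaf_hashes(triples)
        root = merkle_root(leaves)
        if (len(leaves) != rec["triple_count"] or root != rec["root"]
                or chain_hash(prev_chain, root) != rec["chain"]):
            return False
        prev_chain = rec["chain"]
    return len(records) == len(snapshots)


# Constructed sample versions; identifiers are placeholders, not real vulnerability records.
V1 = [("vuln:V-1", "affects", "product:PLC-X"),
      ("product:PLC-X", "made_by", "vendor:VendorA"),
      ("vuln:V-1", "has_type", "weakness:buffer_overflow")]
V2 = V1 + [("vuln:V-2", "affects", "product:PLC-X")]


def demo():
    r1 = build_version("20260414", V1, None)
    r2 = build_version("20260512", V2, r1)
    ok = verify_chain([r1, r2], [V1, V2])
    tampered = list(V1)
    tampered[0] = ("vuln:V-1", "affects", "product:PLC-Y")  # rewrite history in version 1
    ok_tampered = verify_chain([r1, r2], [tampered, V2])
    return r1, r2, ok, ok_tampered


if __name__ == "__main__":
    print(demo())
```

Two checks a practitioner would add around this construction. First, because an odd level duplicates its last node, the leaf lists [a, b, c] and [a, b, c, c] share a root, so the verifier compares the stored triple count as well as the hashes. Second, the chain is tamper-evident, not tamper-proof: anyone who can rewrite both the triples and the metadata store can recompute the whole chain, so the latest chain hash should be signed or anchored outside the store that holds it; the claims do not specify this.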
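The attack path analysis of claim 9, as an added example that is not the patent's code: breadth-first expansion from the start nodes along directed relation edges, a branch stopping at an end node or at the maximum path length, and the risk score as the product of the CVSS scores of the vulnerability nodes on the path times the product of the edge weights. The toy graph, its node names, scores and edge weights, and the rule that a path never revisits a node are assumptions of this example.

```python
from collections import deque
from typing import Dict, List, Tuple

# Constructed toy graph; names, CVSS values and weights are placeholders.
NODES = {
    "internet": {"type": "zone"},
    "hmi-web": {"type": "product"},
    "vuln-A": {"type": "vulnerability", "cvss": 9.8},
    "vuln-C": {"type": "vulnerability", "cvss": 6.5},
    "eng-ws": {"type": "asset"},
    "plc-1": {"type": "product"},
    "vuln-B": {"type": "vulnerability", "cvss": 7.5},
    "safety-ctrl": {"type": "asset"},
}
# Directed relation edges: source -> list of (target, relation type, weight coefficient).
EDGES = {
    "internet": [("hmi-web", "exposes", 1.0)],
    "hmi-web": [("vuln-A", "has_vulnerability", 0.9), ("vuln-C", "has_vulnerability", 0.9)],
    "vuln-A": [("eng-ws", "grants_access", 0.8)],
    "vuln-C": [("plc-1", "grants_access", 0.5)],
    "eng-ws": [("plc-1", "connects_to", 0.7)],
    "plc-1": [("vuln-B", "has_vulnerability", 0.9)],
    "vuln-B": [("safety-ctrl", "grants_access", 0.8)],
}

Step = Tuple[str, str, float]  # (node, relation used to reach it, edge weight)


def bfs_attack_paths(nodes, edges, starts, ends, max_len) -> List[List[Step]]:
    """Expand layer by layer from every start node, carrying the path to each node.
    A branch ends at an end node, or is dropped once it has max_len edges.
    A node is never revisited within one path, so cycles terminate (assumption)."""
    complete = []
    queue = deque([[(s, "", 1.0)] for s in starts])
    while queue:
        path = queue.popleft()
        node = path[-1][0]
        if node in ends and len(path) > 1:
            complete.append(path)
            continue
        if len(path) - 1 >= max_len:
            continue
        for nxt, rel, w in edges.get(node, []):
            if all(nxt != step[0] for step in path):
                queue.append(path + [(nxt, rel, w)])
    return complete


def risk_score(nodes, path: List[Step]) -> float:
    """Claim 9's formula: product of CVSS scores of vulnerability nodes on the path,
    multiplied by the product of the weight coefficients of the edges traversed."""
    score = 1.0
    for _node, _rel, w in path[1:]:
        score *= w
    for node, _rel, _w in path:
        if nodes[node]["type"] == "vulnerability":
            score *= nodes[node]["cvss"]
    return score


def top_paths(nodes, edges, starts, ends, max_len, n) -> List[Tuple[float, List[str]]]:
    """Rank complete paths from highest to lowest risk score and keep the top n."""
    scored = [(risk_score(nodes, p), p) for p in bfs_attack_paths(nodes, edges, starts, ends, max_len)]
    scored.sort(key=lambda sp: sp[0], reverse=True)
    return [(s, [step[0] for step in p]) for s, p in scored[:n]]


if __name__ == "__main__":
    for score, route in top_paths(NODES, EDGES, {"internet"}, {"safety-ctrl"}, 6, 5):
        print(round(score, 3), " -> ".join(route))
```

One property of the formula as claimed is worth knowing before trusting the ranking: CVSS base scores are greater than 1, so a path that passes through more vulnerabilities can outscore a shorter one even when its edge weights are lower. In the toy graph the six-edge route through vuln-A and vuln-B scores about 26.7 while the five-edge route through vuln-C and vuln-B scores about 15.8. Capping the path length, as the claim does, bounds this effect; normalizing the scores to [0, 1] would remove it, but that is a change to the claimed formula.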
Description
Industrial Internet vulnerability library establishment method
Technical Field
The invention belongs to the technical field of industrial Internet security and in particular relates to a method for building an industrial Internet vulnerability database.
Background
The industrial Internet, the product of deep integration between industrial systems and the Internet, covers a large number of industrial control devices, industrial communication protocols and industrial control systems of all kinds, and its secure and stable operation bears directly on industrial production safety and the security of national critical infrastructure. Industrial Internet vulnerability information, however, is scattered across many sources and complexly interrelated: it is spread over official vulnerability databases such as CVE/NVD and CNVD, security advisories from industrial control equipment vendors, technical blogs of security vendors, industrial security incident reports and the like, which poses great challenges for centralized management, accurate analysis and deep application of vulnerabilities. Traditional vulnerability databases use relational storage and record only the basic attributes of a vulnerability and the list of affected products; they lack the expressive power for complex relationships (such as vulnerability trigger conditions, dependencies between vulnerabilities and associations between vulnerabilities and incidents) and therefore struggle to support deep applications such as attack path prediction and risk assessment.
In recent years knowledge graph technology has been introduced into vulnerability management: Tao Yaodong et al. (2020) proposed a knowledge-graph-based research method for industrial Internet security vulnerabilities built on a 'vulnerability-incident-product' association network, and a team at Hai University (2024) further studied the prediction of industrial control vulnerability exploitation relations by knowledge graph reasoning. The prior art nevertheless still has the following shortcomings:
- 1. Confidence evaluation is simplistic: multi-source confidences are mostly fused by weighted averaging without considering the global structure of the knowledge graph, so confidence estimates are inaccurate and the accuracy of the extracted vulnerability data is hard to guarantee.
- 2. Knowledge version management is absent, so historical states cannot be traced back and compliance audits cannot be supported, which fails to meet the requirements of industrial scenarios.
- 3. The active learning sampling strategy is fixed, typically plain uncertainty sampling, and does not account for review resources (such as the throughput of an automated review pipeline or the daily review capacity of industrial security reviewers) or for changes in model state, so human-machine collaboration is inefficient.
- 4. Industrial terminology is unsupported: no dedicated industrial term lexicon is constructed, so entity and relation extraction is insufficiently accurate.
- 5. There is no closed-loop evolution mechanism: models and knowledge are not updated cooperatively, and the extraction model and sampling strategy cannot be continuously optimized from external feedback.
To address these shortcomings, the invention provides an industrial Internet vulnerability database construction method that combines confidence propagation, incremental hash chain verification and reinforcement learning sampling, in order to build an industrial Internet vulnerability knowledge engine that is high in quality, traceable and continuously evolving, effectively solves the problems of the prior art and meets the practical needs of industrial Internet security protection.
Disclosure of the Invention
To solve the problems of the prior art, namely the low construction quality, weak traceability, insufficient continuous evolution capability and poor support for deep security applications of vulnerability databases, caused by insufficient extraction precision, incomplete knowledge representation, missing version tracing, inefficient human-machine collaboration and poor adaptation to heterogeneous multi-source data, the invention provides an industrial Internet vulnerability database construction method comprising the following steps: acquiring industrial Internet multi-source vulnerability data and external feedback data; extracting entities and relations from the multi-source vulnerability data with rule-based extraction and a distantly supervised deep learning model to obtain an initial extraction result and a corresponding initial confidence coefficien