CN-122027225-A - Causal path complement method, device, equipment and storage medium
Abstract
The embodiments of the application provide a causal path completion method, device, equipment and storage medium, relating to the technical field of network security. The method comprises: responding to a path completion instruction, obtaining a path breaking point from a causal path and determining a context data packet according to the path breaking point; performing large language model reasoning on the context data packet based on a vector database to obtain verification plan data of candidate paths, and arranging the verification plan data according to verification platform information to obtain an instruction sequence containing at least one atomic action instruction; verifying the instruction sequence to obtain a verification result corresponding to each atomic action instruction; and performing decision judgment on the candidate paths according to the verification plan data and the verification result to obtain a judgment result, and completing the causal path based on the judgment result. The full flow from breaking point positioning through candidate path reasoning to verification and completion is automated, which effectively improves processing efficiency and ensures the accuracy and credibility of the completion result.
Inventors
- LIU CHAO
- QIAO YANCHEN
- ZHANG WEIZHE
- ZHANG YU
Assignees
- 鹏城实验室 (Peng Cheng Laboratory)
Dates
- Publication Date: 2026-05-12
- Application Date: 2026-01-13
Claims (10)
- 1. A causal path completion method, comprising: responding to a path completion instruction, acquiring a path breaking point from a causal path, and determining a context data packet according to the path breaking point; performing large language model reasoning on the context data packet based on a vector database to obtain verification plan data of candidate paths, and arranging the verification plan data according to verification platform information to obtain an instruction sequence containing at least one atomic action instruction; performing verification on the instruction sequence to obtain a verification result corresponding to each atomic action instruction; and performing decision judgment on the candidate paths according to the verification plan data and the verification result to obtain a judgment result, and completing the causal path based on the judgment result.
- 2. The causal path completion method according to claim 1, characterized in that determining the context data packet according to the path breaking point comprises: taking the path breaking point as a center, querying a preset range in a graph database, acquiring at least the one-hop nodes related to the path breaking point and their corresponding node attributes, and acquiring an original record pointer into the log data; and structuring the original record pointer, the nodes and the node attributes to obtain the context data packet.
- 3. The causal path completion method according to claim 2, wherein performing large language model reasoning on the context data packet based on the vector database to obtain verification plan data of candidate paths comprises: querying the vector database, according to the context data packet, for candidate intermediate nodes missing from the causal path; taking an edge associated with a candidate intermediate node as a candidate causal edge, and calculating a causal edge confidence score for the candidate causal edge; generating an atomic verification action according to the context data packet, the candidate intermediate node and the candidate causal edge; and outputting the candidate intermediate nodes, the candidate causal edges, the causal edge confidence scores and the atomic verification actions in a preset JSON format to obtain the verification plan data.
- 4. The causal path completion method according to claim 3, characterized in that arranging the verification plan data according to the verification platform information to obtain an instruction sequence containing at least one atomic action instruction comprises: selecting the atomic action corresponding to the atomic action instruction from a preset capability registry, wherein the atomic action comprises a corresponding back-end execution function; converting the corresponding back-end execution function into a platform atomic instruction according to the verification platform information, and obtaining trigger flow information corresponding to the platform atomic instruction; and obtaining the instruction sequence from the platform atomic instruction and the trigger flow information.
- 5. The causal path completion method according to claim 4, wherein verifying the instruction sequence to obtain a verification result corresponding to each atomic action instruction comprises: calling a system interface of the corresponding verification platform based on the instruction sequence, executing the platform atomic instruction on the verification platform, and performing multi-step verification according to the trigger flow information to obtain an execution result for the corresponding platform atomic instruction; and determining the verification result of the verification plan data from all execution results, wherein the verification result comprises a corresponding quantitative verification score.
- 6. The causal path completion method according to claim 5, wherein performing decision judgment on the candidate path according to the verification plan data and the verification result comprises: obtaining a model generation confidence corresponding to the verification plan data; and when the model generation confidence is greater than or equal to a first preset threshold and the quantitative verification score is greater than or equal to a second preset threshold, generating a judgment result that determines the candidate path to be a confirmed path, otherwise generating a judgment result that determines the candidate path to be a path to be examined.
- 7. The causal path completion method according to claim 6, characterized in that the method further comprises: if the judgment result determines the candidate path to be a path to be examined, taking the path to be examined, the context data packet, the verification plan data, the verification result and the judgment result as negative samples, and updating the vector database with the negative samples.
- 8. A causal path completion device, comprising: a context acquisition module for responding to a path completion instruction, acquiring a path breaking point from a causal path and determining a context data packet according to the path breaking point; an instruction arrangement module for performing large language model reasoning on the context data packet based on a vector database to obtain verification plan data of candidate paths, and arranging the verification plan data according to verification platform information to obtain an instruction sequence containing at least one atomic action instruction; an instruction verification module for performing verification on the instruction sequence to obtain a verification result corresponding to each atomic action instruction; and a decision judgment module for performing decision judgment on the candidate paths according to the verification plan data and the verification result to obtain a judgment result, and completing the causal path based on the judgment result.
- 9. An electronic device comprising a memory storing a computer program and a processor implementing the causal path completion method of any of claims 1 to 7 when executing the computer program.
- 10. A storage medium storing a computer program, which when executed by a processor implements the causal path completion method of any of claims 1 to 7.
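As an added worked example (not the patent's own code), the following Python sketches the verification and decision loop of claims 3 to 7: a verification plan in the JSON shape of claim 3 is arranged through a capability registry of back-end functions, each atomic action is executed against constructed log records to yield a quantitative verification score, and the two-threshold rule of claim 6 either splices the candidate nodes into the causal path or records the case as a negative sample. The field names, threshold values, registry entries and log records are all assumptions.

```python
import json

# Constructed sample log records the atomic actions are checked against (not real telemetry).
LOGS = [
    {"type": "process", "pid": 4242, "image": "powershell.exe", "ppid": 1701},
    {"type": "network", "pid": 4242, "dst": "203.0.113.9"},
]

# Capability registry (claim 4): atomic action name -> back-end execution function.
def process_exists(log, pid, **_):
    return any(r["type"] == "process" and r["pid"] == pid for r in log)

def flow_exists(log, pid, dst, **_):
    return any(r["type"] == "network" and r["pid"] == pid and r["dst"] == dst for r in log)

REGISTRY = {"process_exists": process_exists, "flow_exists": flow_exists}

# Constructed verification plan in the JSON shape of claim 3 (field names are assumed).
PLAN = json.dumps({
    "break_point": "proc:1701", "model_confidence": 0.9,
    "candidate_nodes": [{"id": "proc:4242"}],
    "candidate_edges": [{"src": "proc:1701", "dst": "proc:4242", "confidence": 0.85},
                        {"src": "proc:4242", "dst": "net:203.0.113.9", "confidence": 0.80}],
    "atomic_actions": [{"action": "process_exists", "args": {"pid": 4242}},
                       {"action": "flow_exists", "args": {"pid": 4242, "dst": "203.0.113.9"}}],
})

def verify(plan, log=LOGS):
    """Run every atomic verification action (claim 5); the quantitative
    verification score is the fraction of actions whose evidence was found."""
    results = [REGISTRY[a["action"]](log, **a["args"]) for a in plan["atomic_actions"]]
    return results, sum(results) / len(results)

def decide(model_confidence, score, t_model=0.7, t_verify=0.8):
    """Two-threshold rule of claim 6 (the threshold values are assumed)."""
    confirmed = model_confidence >= t_model and score >= t_verify
    return "confirmed" if confirmed else "to_be_examined"

def complete_path(path, plan_json, negatives):
    """Splice confirmed candidate nodes into the path right after the break
    point; otherwise keep the whole case as a negative sample (claim 7)."""
    plan = json.loads(plan_json)
    results, score = verify(plan)
    verdict = decide(plan["model_confidence"], score)
    if verdict == "confirmed":
        i = path.index(plan["break_point"]) + 1
        path = path[:i] + [n["id"] for n in plan["candidate_nodes"]] + path[i:]
    else:
        negatives.append({"plan": plan, "results": results, "score": score})
    return verdict, path
```

A plan whose network action names a destination absent from the logs scores 0.5 and is routed to the negative-sample list instead of being spliced in.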
Description
Causal path complement method, device, equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular to a causal path completion method, apparatus, device and storage medium.
Background
The analysis and investigation of network security events generally relies on a technology stack built from products such as security information and event management (SIEM) systems, intrusion detection systems, intrusion prevention systems, and endpoint detection and response. The related technology processes a security event through the layered architecture of this stack: a data acquisition and standardization layer collects heterogeneous logs from multiple devices, processes them into structured events through ETL (extraction, transformation, loading) and stores them; a correlation analysis and graph layer generates alarms through a rule engine and imports part of the data into a graph database for relationship modeling; and an automated detection and response layer combines signature detection with machine-learning anomaly scoring and, in linkage with a security orchestration, automation and response (SOAR) platform, completes the security response. If the causal path is broken because of data heterogeneity, manual investigation is required: the analyst must switch frequently between the interfaces of different systems, splice event timelines by hand, and screen and mine causal evidence from massive data. This processing mode is not only inefficient but also highly dependent on the analyst's personal experience, which ultimately leads to excessively long response times for security events and makes the related security risks difficult to manage effectively.
Disclosure of Invention
The embodiments of the application mainly aim to provide a causal path completion method, device, equipment and storage medium that improve the efficiency and accuracy of causal path completion during security event processing.
To achieve the above object, a first aspect of the embodiments of the present application provides a causal path completion method, comprising: responding to a path completion instruction, acquiring a path breaking point from a causal path, and determining a context data packet according to the path breaking point; performing large language model reasoning on the context data packet based on a vector database to obtain verification plan data of candidate paths, and arranging the verification plan data according to verification platform information to obtain an instruction sequence containing at least one atomic action instruction; performing verification on the instruction sequence to obtain a verification result corresponding to each atomic action instruction; and performing decision judgment on the candidate paths according to the verification plan data and the verification result to obtain a judgment result, and completing the causal path based on the judgment result.
In some embodiments, determining the context data packet according to the path breaking point comprises: taking the path breaking point as a center, querying a preset range in a graph database, acquiring at least the one-hop nodes related to the path breaking point and their corresponding node attributes, and acquiring an original record pointer into the log data; and structuring the original record pointer, the nodes and the node attributes to obtain the context data packet.
In some embodiments, performing large language model reasoning on the context data packet based on the vector database to obtain verification plan data of the candidate path comprises: querying the vector database, according to the context data packet, for candidate intermediate nodes missing from the causal path; taking an edge associated with a candidate intermediate node as a candidate causal edge, and calculating a causal edge confidence score for the candidate causal edge; generating an atomic verification action according to the context data packet, the candidate intermediate node and the candidate causal edge; and outputting the candidate intermediate nodes, the candidate causal edges, the causal edge confidence scores and the atomic verification actions in a preset JSON format to obtain the verification plan data.
In some embodiments, arranging the verification plan data according to the verification platform information to obtain an instruction sequence containing at least one atomic action instruction comprises: selecting the atomic action corresponding to the atomic action instruction from a preset capability registry, wherein the atomic action comprises a corresponding back-end execution function; converting the corresponding back-end execution function into a platform atomic instruction according to the verification platform information, and obtaining triggering flow