
CN-122027321-A - Network security defense strategy generation method, device, equipment, storage medium and product


Abstract

The application discloses a network security defense strategy generation method, a device, equipment, a storage medium and a product, and relates to the technical field of data processing. The network security defense strategy generation method comprises the steps of: matching attack information with each technology in a preset attack behavior map to obtain a candidate technology set; and determining a candidate defense strategy according to the attack vector and a preset defense technology map, and determining a network security defense strategy according to the candidate defense strategy. Compared with the existing approach of generating a defense strategy by analyzing attack information solely with the natural language understanding capability of a large language model, this approach strongly binds attack behaviors to the defense strategy, reduces the risk of mismatching, determines the network security defense strategy under the topological constraint of the preset defense technology map, and automatically generates a systematic defense scheme that covers multiple stages of the attack chain and has logical depth.

Inventors

  • MEI YANGYANG
  • JIA YAN
  • HAN WEIHONG
  • ZHANG JIAWEI
  • YU ZHUOCHENG
  • CHEN RUI
  • WU ZHILIANG
  • JI QINGLI
  • HUANG JUN

Assignees

  • 鹏城实验室

Dates

Publication Date
20260512
Application Date
20260306

Claims (10)

  1. A network security defense policy generation method, characterized in that the method comprises the steps of: matching attack information with each technology in a preset attack behavior map to obtain a candidate technology set; disambiguating the candidate technology set to obtain an attack vector; and determining a candidate defense strategy according to the attack vector and a preset defense technology map, and determining a network security defense strategy according to the candidate defense strategy.
  2. The method according to claim 1, wherein determining a candidate defense strategy according to the attack vector and the preset defense technology map, and determining a network security defense strategy according to the candidate defense strategy, comprises: determining a basic defense technology set according to the attack vector and the preset defense technology map; determining an enhanced intelligence set according to the attack vector; inputting the basic defense technology set and the enhanced intelligence set into a preset defense strategy generation model to obtain the candidate defense strategy output by that model; and determining a network security defense strategy according to the candidate defense strategy.
  3. The method according to claim 2, wherein determining a network security defense strategy according to the candidate defense strategy comprises: generating a simulated attack tree according to the attack vector; performing attack simulation against the candidate defense strategy based on the simulated attack tree to obtain a simulation result; and determining a network security defense strategy according to the simulation result and the candidate defense strategy.
  4. The method according to claim 3, wherein determining the network security defense strategy according to the simulation result and the candidate defense strategy comprises: determining a strategy effectiveness score of the candidate defense strategy according to the simulation result; determining a target defense strategy according to the strategy effectiveness score; strengthening the target defense strategy by means of a preset defense strategy strengthening model to obtain a strengthened target defense strategy; and determining a network security defense strategy according to the target defense strategy and the strengthened target defense strategy.
  5. The method according to any one of claims 1 to 4, further comprising, after determining a candidate defense strategy according to the attack vector and the preset defense technology map and determining a network security defense strategy according to the candidate defense strategy: generating security defense code and security defense instructions according to the network security defense strategy; and carrying out network security defense according to the security defense code and the security defense instructions.
  6. The method according to any one of claims 1 to 4, wherein disambiguating the candidate technology set to obtain an attack vector comprises: determining a standard association subgraph of each candidate technology in the candidate technology set according to the preset attack behavior map; determining an entity association subgraph corresponding to the attack information; determining the similarity between the entity association subgraph and the standard association subgraph; disambiguating the candidate technology set according to the similarity to obtain a disambiguation result; and determining an attack vector according to the disambiguation result.
  7. A network security defense policy generation apparatus, characterized in that the apparatus comprises: a dividing module for matching attack information with each technology in a preset attack behavior map to obtain a candidate technology set; a disambiguation module for disambiguating the candidate technology set to obtain an attack vector; and a network security defense strategy determining module for determining a candidate defense strategy according to the attack vector and a preset defense technology map and determining a network security defense strategy according to the candidate defense strategy.
  8. A network security defense strategy generation device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the computer program being configured to implement the steps of the network security defense strategy generation method according to any one of claims 1 to 6.
  9. A storage medium, characterized in that the storage medium is a computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the steps of the network security defense strategy generation method according to any one of claims 1 to 6.
  10. A computer program product, characterized in that the computer program product comprises a computer program which, when executed by a processor, implements the steps of the network security defense strategy generation method according to any one of claims 1 to 6.
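The pipeline of claims 1, 6 and 2 reduced to a runnable sketch: match an alert's entities against an attack behavior map, disambiguate the candidates by subgraph similarity, then look the winning attack vector up in a defense technology map. This is an added example, not code from the patent; the two maps, the entity sets, the alert and the use of Jaccard similarity as the subgraph measure are constructed assumptions, since the claims specify neither particular maps nor a similarity measure.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed "preset attack behavior map": technique -> its standard association
# subgraph, expressed here as the set of entities (tactic, channel, artefact,
# platform) the technique is normally linked to. Names are illustrative only.
ATTACK_MAP: Dict[str, Set[str]] = {
    "T_phishing_attachment": {"initial-access", "email", "macro", "office-doc"},
    "T_phishing_link": {"initial-access", "email", "url", "browser"},
    "T_spearphish_service": {"initial-access", "social-media", "url"},
    "T_cred_dumping": {"credential-access", "lsass", "windows"},
}

# Constructed "preset defense technology map": technique -> basic defense set.
DEFENSE_MAP: Dict[str, List[str]] = {
    "T_phishing_attachment": ["attachment sandboxing", "macro blocking"],
    "T_phishing_link": ["url rewriting", "dns filtering"],
    "T_spearphish_service": ["user awareness training", "url reputation check"],
    "T_cred_dumping": ["lsass access protection", "credential guard"],
}

def match_candidates(attack_info: Set[str]) -> List[str]:
    """Claim 1: every technique sharing at least one entity with the attack info."""
    return [t for t, graph in ATTACK_MAP.items() if attack_info & graph]

def jaccard(a: Set[str], b: Set[str]) -> float:
    """Assumed subgraph similarity measure (the claims name none)."""
    return len(a & b) / len(a | b) if a | b else 0.0

def disambiguate(attack_info: Set[str], candidates: List[str]) -> Optional[Tuple[str, float]]:
    """Claim 6: compare the alert's entity subgraph with each candidate's standard
    subgraph and keep the most similar candidate as the attack vector."""
    if not candidates:
        return None  # nothing matched: no vector, so no strategy can be derived
    scored = sorted(((jaccard(attack_info, ATTACK_MAP[t]), t) for t in candidates), reverse=True)
    score, vector = scored[0]
    return vector, score

def generate(attack_info: Set[str]) -> Dict[str, object]:
    """Claims 1, 6 and 2 chained: candidates -> attack vector -> basic defense set."""
    cands = match_candidates(attack_info)
    hit = disambiguate(attack_info, cands)
    if hit is None:
        return {"candidates": cands, "attack_vector": None, "similarity": 0.0, "defenses": []}
    vector, score = hit
    return {"candidates": cands, "attack_vector": vector, "similarity": round(score, 3),
            "defenses": DEFENSE_MAP[vector]}

# Constructed alert entities, as if extracted from a phishing report (not real data).
ALERT = {"initial-access", "email", "url", "browser", "windows"}
```

With the constructed alert, all four techniques become candidates because each shares at least one entity, and the subgraph similarity step is what separates them: the link-based phishing technique scores 0.8 while the others score 0.33 or less.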

Description

Network security defense strategy generation method, device, equipment, storage medium and product

Technical Field

The present application relates to the field of network security defense technologies, and in particular to a method, an apparatus, a device, a storage medium, and a product for generating a network security defense policy.

Background

Automated recommendation of network security defense policies is a central topic of Security Operation Automation (SOAR) and intelligent security analysis. As network attacks grow in complexity and scale, the traditional mode in which security experts manually analyze alarms and design response schemes can no longer keep up. Academia and industry continue to explore automated and intelligent solutions; the current research directions and technical applications fall into three categories: methods based on static rules and policy templates, methods based on traditional machine learning and data-driven analysis, and early intelligent applications based on large language models. Despite the advances these methods represent, practical deployment exposes a number of fundamental drawbacks. Methods based on static rules and policy templates are rigid and costly to maintain, lack environmental awareness and adaptability, and produce fragmented rather than systematic responses. Methods based on traditional machine learning and data-driven analysis suffer from data dependency and "cold start" problems, poor interpretability and a resulting lack of trust, and limited generalization under concept drift. Early intelligent applications based on large language models suffer from hallucination and risks to factual accuracy, fragmented policies that lack operability, and passive question answering with no forward-looking adversarial reasoning.

In summary, the related art shows an obvious "capability gap" when facing modern advanced threats: static rules and ML models provide a degree of automation but lack deep understanding of attack semantics and business environments and lack flexible reasoning, while large language models (Large Language Model, LLM), despite powerful semantic understanding, produce unreliable, non-systematic and impractical output because of hallucination, the absence of integrated structured domain knowledge, and the absence of adversarial evaluation.

Disclosure of Invention

The application mainly aims to provide a network security defense strategy generation method, device, equipment, storage medium and product, and aims to solve the technical problem that existing network security defense strategy generation is inefficient.

To achieve the above object, the present application provides a network security defense policy generation method, which includes: matching attack information with each technology in a preset attack behavior map to obtain a candidate technology set; disambiguating the candidate technology set to obtain an attack vector; and determining a candidate defense strategy according to the attack vector and a preset defense technology map, and determining a network security defense strategy according to the candidate defense strategy.

Optionally, determining a candidate defense strategy according to the attack vector and the preset defense technology map, and determining a network security defense strategy according to the candidate defense strategy, includes: determining a basic defense technology set according to the attack vector and the preset defense technology map; determining an enhanced intelligence set according to the attack vector; inputting the basic defense technology set and the enhanced intelligence set into a preset defense strategy generation model to obtain the candidate defense strategy output by that model; and determining a network security defense strategy according to the candidate defense strategy.

Optionally, determining a network security defense policy according to the candidate defense policy includes: generating a simulated attack tree according to the attack vector; performing attack simulation against the candidate defense strategy based on the simulated attack tree to obtain a simulation result; and determining a network security defense strategy according to the simulation result and the candidate defense strategy.

Optionally, determining a network security defense strategy according to the simulation result and the candidate defense strategy includes: determining a strategy effectiveness score of the candidate defense strategy according to the simulation result; determining a target defense strategy according to the strategy effectiveness score; strengthening the target defense strategy by means of a preset defense strategy strengthening model to obtain a strengthened target defense strategy; and determining a network security defense stra