CN-122027326-A - Network security operation method of self-adaptive evolution
Abstract
The invention relates to the technical field of network security and discloses a network security operation method with self-adaptive evolution. The method comprises: constructing a virtual verification environment linked with physical security equipment; inputting the collected raw network data into a detection analysis component and the virtual verification environment at the same time to obtain, respectively, a detection result and response data; inputting both into a large model component for fusion analysis to judge whether an abnormal threat exists; generating an abnormal behavior model; generating simulated attack traffic in the virtual verification environment based on that model and running attack deduction to identify failure points of the defense strategy; generating a blocking strategy according to the failure points and iteratively verifying it in the virtual environment; issuing the verified strategy to the physical equipment for execution; and feeding the handling data back to the large model to realize self-evolution. The invention solves the problems of high false alarm rate, delayed response and inability to cope with unknown threats in the prior art, and remarkably improves operation efficiency and active defense capability.
Inventors
- Chen Lexi
- Cao Gaohui
- Liu Bailing
- Liu Chao
- Liang Zhonghui
Assignees
- 武汉紫瑞东创科技有限公司
Dates
- Publication Date: 2026-05-12
- Application Date: 2026-03-14
Claims (10)
- 1. A network security operation method with self-adaptive evolution, characterized by comprising the following steps: S1, constructing a virtual verification environment linked with physical security equipment, wherein the virtual verification environment is a digital twin that simulates and maps the strategy behaviors and response logic of the physical security equipment; S2, inputting the collected raw network data into a detection analysis component and the virtual verification environment at the same time, and respectively obtaining a first detection result and second response data; S3, inputting the first detection result and the second response data into a large model component for fusion analysis, and judging whether an abnormal threat exists based on semantic understanding and causal reasoning; S4, if an abnormal threat exists, dynamically adjusting the raw data acquisition frequency of the abnormal region, analyzing the behavior characteristics of the abnormal threat, and generating an abnormal behavior model representing the nature of the threat; S5, based on the abnormal behavior model and the latest threat intelligence, generating targeted simulated attack traffic in the virtual verification environment, carrying out attack deduction on the virtual verification environment, and identifying failure points of the existing defense strategy; S6, generating a blocking strategy for the abnormal behavior model according to the identified failure points; S7, verifying the effectiveness of the blocking strategy in the virtual verification environment, and iteratively optimizing the blocking strategy according to the verification result; and S8, issuing the verified blocking strategy to the physical security equipment for execution, and feeding the data of the handling process back to the large model component to update the threat identification model.
- 2. The network security operation method with self-adaptive evolution according to claim 1, wherein constructing the virtual verification environment in S1 comprises: S11, synchronizing the access control list, intrusion detection rules and address mapping configuration information of the physical security equipment through its control channel; S12, generating, in the virtualized environment, a virtual device instance with the same strategy logic based on the synchronized configuration information; S13, replaying the historical traffic log of the physical equipment to the virtual device instance, comparing the response behaviors, and adjusting the simulation parameters of the virtual device until the deviation between the behavior of the virtual device and that of the physical equipment is smaller than a preset threshold.
- 3. The network security operation method with self-adaptive evolution according to claim 1, wherein S3 specifically comprises: S31, the large model component performs semantic analysis on the first detection result and converts it into a structured security event; S32, correlating the structured security event with the second response data on a time axis, and constructing a knowledge graph of the abnormal event; S33, based on the knowledge graph, using the large model to infer the attack chain path and final intention of the abnormal event; S34, if the reasoning result matches a known threat pattern, judging the threat to be a known threat, and if the reasoning result matches no known pattern, judging it to be an unknown threat and marking it as a high-risk abnormal region.
- 4. The network security operation method with self-adaptive evolution according to claim 1, wherein generating the abnormal behavior model in S4 comprises: S41, carrying out deep packet inspection and session reconstruction on the traffic and logs of the high-risk abnormal region, and extracting protocol features, payload features and behavioral time-sequence features of the abnormal traffic; S42, normalizing the extracted features to form a machine-readable abnormal behavior feature vector set, which is composed of a plurality of atomic behaviors and serves as the abnormal behavior model.
- 5. The network security operation method with self-adaptive evolution according to claim 1, wherein S5 comprises: S51, analyzing the abnormal behavior model with an attack simulation component, and extracting the atomic behavior sequence of the abnormal behavior model; S52, determining the tactical intent and the available attack techniques corresponding to the atomic behavior sequence based on the MITRE ATT&CK framework; S53, combining the latest vulnerability information and an attack payload library, and using a generative adversarial network to generate adversarial attack traffic that reproduces the atomic behavior sequence and can evade conventional detection; S54, injecting the adversarial attack traffic into the virtual verification environment, monitoring the response logs of the virtual devices, and identifying any attack behavior that is neither intercepted nor alarmed as a failure point of the defense strategy.
- 6. The network security operation method with self-adaptive evolution according to claim 5, wherein generating the blocking strategy in S6 comprises: S61, analyzing, for each identified failure point, the corresponding attack stage and the vulnerability or protocol defect exploited; S62, generating targeted blocking rules according to the analysis results, wherein the blocking rules include but are not limited to IP reputation blacklists, domain name filtering strategies, protocol anomaly detection signatures and behavior pattern recognition models; S63, performing conflict detection and redundancy elimination between the generated blocking rules and the existing strategy to form a combined strategy set.
- 7. The network security operation method with self-adaptive evolution according to claim 1, wherein the iterative verification in S7 specifically comprises: S71, loading the blocking strategy into the virtual verification environment, and re-injecting the adversarial attack traffic generated according to the abnormal behavior model; S72, judging whether the adversarial attack traffic is completely blocked and whether no false alarm is raised on the simulated normal traffic; S73, if an unblocked attack variant exists or a false alarm is raised, adjusting the parameters or rules of the blocking strategy, repeating S71 to S72 until verification passes, and recording the strategy version that passed verification.
- 8. The network security operation method with self-adaptive evolution according to claim 1, further comprising a model update step S9 after S8: S9, the whole-process data of this round, from threat discovery to strategy verification, including the original abnormal data, the abnormal behavior model, the generated blocking strategy and the verification log, are fed back to the large model component as training samples for incremental training and for updating the threat cognition parameters of the large model, so that the system gains the capability of self-evolution against novel threats.
- 9. A storage medium is characterized in that the storage medium stores instructions and data for implementing the network security operation method of adaptive evolution according to any one of claims 1-8.
- 10. Network security operation equipment with self-adaptive evolution, characterized by comprising a processor and a storage medium, wherein the processor loads and executes the instructions and data in the storage medium to realize the network security operation method with self-adaptive evolution according to any one of claims 1-8.
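Step S13 of claim 2 calibrates the virtual device instance by replaying the physical device's historical log and tuning simulation parameters until the two behave alike. The following is an added example, not code from the patent or its assignee: the physical device is stood in for by a constructed per-source connection-rate limiter whose limit the calibration routine cannot read, and the log, the initial guess and the deviation threshold are all constructed assumptions.

```python
"""Added example (not the patent's code) for claim 2, step S13: replay a
historical traffic log to the virtual device instance, compare its verdicts
with those the physical device recorded, and adjust a simulation parameter
until the deviation falls below a preset threshold."""
from collections import defaultdict
from typing import List, Tuple

# Hidden parameter of the stand-in physical device; calibrate() never reads it.
_PHYSICAL_CONN_LIMIT = 3


def rate_limiter_verdicts(srcs: List[str], conn_limit: int) -> List[str]:
    """Per-source connection counter: once a source has opened more than
    conn_limit connections within the replay window, later ones are blocked."""
    seen = defaultdict(int)
    verdicts = []
    for src in srcs:
        seen[src] += 1
        verdicts.append("block" if seen[src] > conn_limit else "allow")
    return verdicts


# Constructed historical log: (source, verdict recorded by the physical device).
_SRCS = ["10.0.0.1", "10.0.0.2", "10.0.0.1", "10.0.0.3", "10.0.0.1", "10.0.0.3",
         "10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.1", "10.0.0.3", "10.0.0.1"]
HISTORICAL_LOG = list(zip(_SRCS, rate_limiter_verdicts(_SRCS, _PHYSICAL_CONN_LIMIT)))


def deviation(log, conn_limit: int) -> Tuple[float, int, int]:
    """Replay the log through the virtual instance and return the fraction of
    verdicts that differ, plus the under-blocked and over-blocked counts."""
    virtual = rate_limiter_verdicts([src for src, _ in log], conn_limit)
    under = sum(1 for (_, phys), virt in zip(log, virtual)
                if phys == "block" and virt == "allow")
    over = sum(1 for (_, phys), virt in zip(log, virtual)
               if phys == "allow" and virt == "block")
    return (under + over) / len(log), under, over


def calibrate(log, initial_limit: int = 10, threshold: float = 0.05,
              max_rounds: int = 50) -> Tuple[int, float, int]:
    """S13: adjust the virtual device's parameter until deviation < threshold.
    Under-blocking means the simulated limit is too high, so it is lowered;
    over-blocking means it is too low. Returns (limit, deviation, rounds)."""
    limit = initial_limit
    for rounds in range(1, max_rounds + 1):
        dev, under, over = deviation(log, limit)
        if dev < threshold:
            return limit, dev, rounds
        limit = limit - 1 if under > over else limit + 1
        if limit < 1:
            raise RuntimeError("no parameter value reproduces the physical device")
    raise RuntimeError(f"deviation still above {threshold} after {max_rounds} rounds")


if __name__ == "__main__":
    limit, dev, rounds = calibrate(HISTORICAL_LOG)
    print(f"calibrated conn_limit={limit} deviation={dev:.3f} after {rounds} rounds")
```

The search direction is derived from the sign of the mismatch (under-blocking versus over-blocking) rather than from any knowledge of the hidden parameter, and the routine fails loudly when no value of the parameter reproduces the physical behavior, which is the case a digital twin must not silently paper over.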
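Claim 6 (step S63) merges new blocking rules into the existing strategy only after conflict detection and redundancy elimination, and claim 7 (steps S71 to S73) then verifies the merged strategy against simulated attack and normal traffic, adjusting and re-verifying until it passes and recording the passing version. The block below is an added example, not code from the patent or its assignee, serving both claims with one toy policy engine; the rule shape (action, source CIDR, destination port), first-match evaluation, default-allow, and every address and flow are constructed assumptions.

```python
"""Added example (not the patent's code) for S63 (conflict detection and
redundancy elimination when merging blocking rules) and S71-S73 (iterative
verification of the blocking strategy with version recording)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str             # "block" or "allow"
    src: str                # source CIDR
    dport: Optional[int]    # destination port, None = any port

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and (self.dport is None or self.dport == flow.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every flow matched by `other` is also matched by self."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and (self.dport is None or self.dport == other.dport))


def decide(policy: List[Rule], flow: Flow) -> str:
    """First-match evaluation; a flow no rule matches is allowed (assumption)."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "allow"


def merge_rules(existing: List[Rule], candidates: List[Rule]):
    """S63: a candidate covered by a same-action rule changes no decision
    (redundant); one covered by an opposite-action rule can never fire under
    first-match and contradicts the existing strategy (conflict). Only the
    remaining candidates are appended to form the combined strategy set."""
    combined, redundant, conflicts = list(existing), [], []
    for cand in candidates:
        same = [r for r in combined if r.action == cand.action and r.covers(cand)]
        opposite = [r for r in combined if r.action != cand.action and r.covers(cand)]
        if same:
            redundant.append(cand)
        elif opposite:
            conflicts.append((cand, opposite[0]))
        else:
            combined.append(cand)
    return combined, redundant, conflicts


def verify(policy, attack_flows, normal_flows) -> Tuple[List[Flow], List[Flow]]:
    """S72: the strategy passes only if every attack flow is blocked and no
    normal flow raises a false alarm; both failure lists are returned."""
    unblocked = [f for f in attack_flows if decide(policy, f) != "block"]
    false_alarms = [f for f in normal_flows if decide(policy, f) == "block"]
    return unblocked, false_alarms


def iterate_strategy(existing, candidates, attack_flows, normal_flows, max_rounds=10):
    """S71-S73: load the merged strategy, replay the samples, adjust the rules
    on failure, repeat until verification passes, and record every version."""
    policy, _, _ = merge_rules(existing, candidates)
    history = []  # (version, policy snapshot, unblocked count, false-alarm count)
    for version in range(1, max_rounds + 1):
        unblocked, false_alarms = verify(policy, attack_flows, normal_flows)
        history.append((version, tuple(policy), len(unblocked), len(false_alarms)))
        if not unblocked and not false_alarms:
            return policy, version, history
        # Adjustment: a host-specific allow exception is placed in front of the
        # blocking rules (first-match) for each false alarm, and a host-specific
        # block is merged in for each attack flow that got through.
        for f in false_alarms:
            policy.insert(0, Rule("allow", f"{f.src}/32", f.dport))
        policy, _, _ = merge_rules(
            policy, [Rule("block", f"{f.src}/32", f.dport) for f in unblocked])
    raise RuntimeError(f"strategy did not pass within {max_rounds} rounds")


# Constructed sample: one existing rule, two candidates (one redundant),
# three simulated attack flows and two simulated normal flows.
EXISTING = [Rule("block", "198.51.100.0/24", None)]
CANDIDATES = [Rule("block", "198.51.100.7/32", 443),   # covered by EXISTING[0]
              Rule("block", "203.0.113.0/24", 22)]
ATTACK_FLOWS = [Flow("203.0.113.9", 22), Flow("203.0.113.9", 2222),
                Flow("198.51.100.7", 443)]
NORMAL_FLOWS = [Flow("203.0.113.50", 22), Flow("192.0.2.10", 443)]

if __name__ == "__main__":
    final, version, history = iterate_strategy(EXISTING, CANDIDATES, ATTACK_FLOWS, NORMAL_FLOWS)
    for v, snapshot, n_unblocked, n_false in history:
        print(f"version {v}: {len(snapshot)} rules, {n_unblocked} unblocked, {n_false} false alarms")
    print("passed at version", version)
```

With the sample data the first version blocks the normal SSH client in 203.0.113.0/24 and misses the attack on port 2222, so the loop adds an allow exception and a host-specific block and passes at version 2; if an attack flow and a normal flow were identical, no rule set could satisfy S72 and the loop reports non-convergence after `max_rounds` instead of looping forever.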
Description
Network security operation method of self-adaptive evolution
Technical Field
The invention relates to the technical field of network security, in particular to a network security operation method with self-adaptive evolution.
Background
With the rapid development of cloud computing, big data and Internet of Things technology, the network environment is increasingly complex, the attack surface has grown explosively, and network security threats are more concealed and intelligent. Traditional security models based on perimeter protection and signature detection have difficulty coping with continuously evolving network attacks, particularly novel attacks such as Advanced Persistent Threats (APT), zero-day exploits and ransomware variants. Against this background, network security situation awareness systems have emerged and become the mainstream technical scheme of current network security protection. A network security situation awareness system is based on big data analysis and artificial intelligence technology, and realizes global monitoring, threat prediction and decision support for the overall security state of the network through multi-source data acquisition (including firewalls, intrusion detection systems, server logs, network traffic and the like), real-time correlation analysis, visual display and response handling, thereby helping security operation teams identify real threats among mass alarms.
However, existing network security situation awareness schemes still have a number of defects in practical application. Firstly, false alarms and missed detections are prominent problems: existing systems rely excessively on collecting threat logs from security equipment and matching them against rules, but attack characteristics may be incompletely described, algorithms may have defects, or the data may contain attack characteristics without posing an actual threat, so that alarm noise is serious.
Statistics show that up to 30% of SOC analysts' working time is wasted on tracking false alarms, while genuinely new threats (such as zero-day vulnerabilities and APT attacks) are missed due to insufficient recognition capability. Secondly, data quality and integrity problems are obvious: data acquisition may be incomplete, the index system may be incomplete, the accuracy of situation assessment is affected, and key information may be lost or errors introduced during data cleaning and normalization. Moreover, the integration of sensing and response is insufficiently built: existing schemes lack an automatic response mechanism, adjustment of the security policy often depends on manual research, judgment and handling, response delay is serious, and the minute-level or even second-level timeliness requirements of attack and defense are difficult to meet. In addition, traditional SASE and SIEM schemes suffer from core problems such as cross-level data silos, difficulties in edge-cloud collaboration and dependence on static rule bases, so that the defense system cannot construct a complete attack-chain view and active interception capability is greatly reduced.
Disclosure of Invention
The invention aims to provide a network security operation method with self-adaptive evolution, which solves the technical problems of high false alarm rate, difficulty in guaranteeing data quality, low response efficiency, disconnection between sensing and response, and the like in the prior art.
Specifically, the invention provides a network security operation method with self-adaptive evolution, which comprises the following steps: S1, constructing a virtual verification environment linked with physical security equipment, wherein the virtual verification environment is a digital twin that simulates and maps the strategy behaviors and response logic of the physical security equipment; S2, inputting the collected raw network data into a detection analysis component and the virtual verification environment at the same time, and respectively obtaining a first detection result and second response data; S3, inputting the first detection result and the second response data into a large model component for fusion analysis, and judging whether an abnormal threat exists based on semantic understanding and causal reasoning; S4, if an abnormal threat exists, dynamically adjusting the raw data acquisition frequency of the abnormal region, analyzing the behavior characteristics of the abnormal threat, and generating an abnormal behavior model representing the nature of the threat; S5, based on the abnormal behavior model and the latest threat intelligence, generating targeted simulated attack traffic in the virtual verification environment, carrying out attack deduction on the virtual verification environment, and identifying failure points of the existing defense strategy; S6, generating a blocking strategy for the abnormal behavior model according to the