CN-122027330-A - Threat decision-making auxiliary system based on network security

Abstract

The invention discloses a threat decision-making auxiliary system based on network security, comprising an advanced malicious code analysis module, a secondary alarm aggregation module, a multi-source alarm reduction fusion module and a multi-source alarm fusion module. The advanced malicious code analysis module analyzes and synthesizes original features based on deep learning, is continuously trained through security artificial intelligence, and extracts stable and reliable high-level features through an AI and artificial intelligence virus detection algorithm. The secondary alarm aggregation module identifies the attack result and qualifies threat alarms through reduction and fusion. The multi-source alarm reduction fusion module introduces a fine-granularity alarm fusion strategy in combination with user information and seamlessly fuses the alarms according to security semantics. According to the scheme, the event handling workload is greatly reduced, handling efficiency is improved, and security threat decision command capability is strengthened.

Inventors

  • HAN HUI
  • ZHANG ZHAO
  • GAO DALEI
  • ZHANG MINTAO
  • XING SHENGCHAO
  • Lai Zhide

Assignees

  • 唐山市盾石信息技术有限公司

Dates

Publication Date
20260512
Application Date
20260318

Claims (7)

  1. A threat decision-making auxiliary system based on network security, applied to a security operation platform system, comprising: an advanced malicious code analysis module, used for analyzing and synthesizing original features based on deep learning, continuously training through security artificial intelligence, and extracting stable and reliable high-level features using an AI and artificial intelligence virus detection algorithm; a secondary alarm aggregation module, used for identifying an attack result and qualifying threat alarms by reduction and merging; and a multi-source alarm reduction fusion module, used for introducing a fine-granularity alarm fusion strategy in combination with user information and carrying out seamless fusion of the alarms according to security semantics.
  2. The threat decision assistance system based on network security of claim 1, wherein the continuous training of security artificial intelligence in the advanced malicious code analysis module comprises: constructing a network security pre-training large model based on massive security knowledge extraction combined with a network security countermeasure mechanism, and reading and pre-training the massive knowledge through a Transformer model (the artificial-intelligence frontier network framework) and the masked language modeling (MLM) self-supervised learning mode; and, based on massive security data accumulated over a long period by an enterprise-level distributed security platform, matching a general knowledge corpus and combining the four-in-one data analysis and judgment experience of scenario analysis by security experts, mathematical training by algorithm experts, engineering support by computing power experts, and operation and deployment by product experts, to construct large model pre-training based on massive knowledge extraction.
  3. A cyber-security-based threat decision assistance system as defined in claim 2, wherein the data set in the large model pre-training includes generic data and specialized data, the large model training step further comprising: data preprocessing, namely cleaning, word segmentation and coding of the original data to produce model input and model output; selecting a suitable deep neural network structure for information transmission and representation learning; and selecting a training mode, namely adopting a suitable self-supervised learning mode and training the model with unlabeled or weakly labeled data.
  4. The threat decision assistance system of claim 1, wherein the malicious code analysis module using AI to extract high-level features specifically comprises: task instruction fine-tuning, namely instruction fine-tuning the model with tens of millions of data samples, expert labels, HTTP attack message question-answer pairs with chains of thought, and data pairs fusing various obfuscated attack techniques; reinforcement learning training, namely, after instruction fine-tuning, continuing to raise the temperature of the model through reinforcement learning training, setting a reward mechanism according to the detection target, gradually increasing the difficulty following a curriculum learning approach and increasing the score of format rewards; and model performance optimization, namely setting up knowledge distillation, model quantization, model pruning and attention optimization mechanisms to optimize model performance.
  5. The threat decision assistance system of claim 4, wherein said model performance optimization mechanisms comprise: knowledge distillation, namely constructing a lightweight small model and training it using the supervision information of a larger, better-performing model; model quantization, namely quantizing the network parameters from FLOAT32 to lower bit widths; model pruning, namely removing redundant connections or parameters in the network by structured pruning, cutting neurons or channels with little influence on detection capability; and attention optimization mechanisms, including multi-head attention, position coding and Page Attention cache-key optimization.
  6. The threat decision assistance system based on network security of claim 1, wherein the artificial intelligence virus detection algorithm in the malicious code analysis module automatically extracts high-level features through a neural network and a plurality of machine learning algorithms, and further comprises anomaly detection using an endpoint graph neural network based on a provenance (traceability) graph.
  7. The threat decision assistance system based on network security of claim 1, wherein the secondary alarm aggregation module constructs a secondary alarm aggregation engine and, together with the multi-source alarm reduction fusion module, performs deep aggregation and merging of alarms along the dimensions of payload similarity, similar attacks initiated by a single attack source against a plurality of targets, and similar attacks initiated by a plurality of attack sources against a single target; the merging of alarms first refines and compresses the effective information and then provides richer context evidence through multidimensional data, wherein: for the same attack behavior, the plurality of security alarms generated by different security devices are associated and fused into one alarm, and the plurality of third-party sub-alarms can be viewed by clicking that alarm; and alarms scattered across endpoint and network at different stages of the same security event are aggregated into one event, the fused security alarm evidence page displaying the evidence fields of the different data sources.
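
As an added illustration of the alarm merging described in claim 7 (this is example code written here, not the patent's or the assignee's implementation), the Python below fuses constructed alarms from three hypothetical devices: first alarms from different devices for the same attack behavior become one alarm with sub-alarms, then similar attacks from one source against several targets become one event. The similarity metric (difflib ratio), the time window and the thresholds are assumptions, since the patent does not specify them.

```python
"""Two-stage alarm fusion in the spirit of claim 7 (added example, not from the patent)."""
from difflib import SequenceMatcher

# Constructed sample alarms from three hypothetical devices; IPs are documentation ranges.
RAW_ALARMS = [
    {"id": "waf-1", "device": "WAF", "src": "203.0.113.5", "dst": "10.0.0.10",
     "ts": 100, "payload": "GET /login.php?id=1' OR '1'='1"},
    {"id": "ids-7", "device": "IDS", "src": "203.0.113.5", "dst": "10.0.0.10",
     "ts": 103, "payload": "GET /login.php?id=1' OR '1'='1 --"},
    {"id": "waf-2", "device": "WAF", "src": "203.0.113.5", "dst": "10.0.0.11",
     "ts": 110, "payload": "GET /login.php?id=2' OR '1'='1"},
    {"id": "edr-3", "device": "EDR", "src": "198.51.100.9", "dst": "10.0.0.10",
     "ts": 400, "payload": "cmd.exe /c whoami"},
]

def payload_similarity(a, b):
    """Similarity in [0, 1]; difflib is an assumed stand-in for the patent's unspecified metric."""
    return SequenceMatcher(None, a, b).ratio()

def fuse_same_behaviour(alarms, window=30, threshold=0.8):
    """Stage 1: alarms from different devices with the same src/dst, close in time and
    with similar payloads are fused into one alarm that keeps its sub-alarm ids."""
    fused = []
    for alarm in sorted(alarms, key=lambda a: a["ts"]):
        for f in fused:
            if (f["src"], f["dst"]) == (alarm["src"], alarm["dst"]) \
                    and alarm["ts"] - f["last_ts"] <= window \
                    and payload_similarity(f["payload"], alarm["payload"]) >= threshold:
                f["sub_alarms"].append(alarm["id"])   # evidence from another device
                f["devices"].add(alarm["device"])
                f["last_ts"] = alarm["ts"]
                break
        else:  # no existing fused alarm matched: start a new one
            fused.append({"src": alarm["src"], "dst": alarm["dst"], "payload": alarm["payload"],
                          "last_ts": alarm["ts"], "sub_alarms": [alarm["id"]],
                          "devices": {alarm["device"]}})
    return fused

def aggregate_by_source(fused, threshold=0.8):
    """Stage 2 (one attack source, many targets): fused alarms from the same source with
    similar payloads are merged into one event listing every target and all sub-alarms."""
    events = []
    for f in fused:
        for e in events:
            if e["src"] == f["src"] and payload_similarity(e["payload"], f["payload"]) >= threshold:
                e["targets"].add(f["dst"])
                e["sub_alarms"] += f["sub_alarms"]
                break
        else:
            events.append({"src": f["src"], "payload": f["payload"],
                           "targets": {f["dst"]}, "sub_alarms": list(f["sub_alarms"])})
    return events
```

With the sample above, four raw alarms collapse to three fused alarms and then to two events, one per attack source.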

Description

Threat decision-making auxiliary system based on network security

Technical Field

The invention relates to the technical field of network security for operation management systems, in particular to a threat decision-making auxiliary system based on network security.

Background

In a security operation system, when massive alarms are faced, operation and maintenance personnel cannot judge the alarms one by one, so key alarms can be missed; even when extra personnel are assigned to monitoring in a high-assurance scenario, important alarms can still be ignored. Threat detection has the following problems:

(1) The prior art is mainly based on rule recognition: it usually finds only known threats through a rule matching mechanism and has no effective detection means for unknown attacks. More and more attack countermeasure techniques and APT attacks present many manipulation methods that bypass a single security device, and device manufacturers are often in a "passive hit" position with respect to awareness of such bypasses. Even where the architecture or basic capability offers some way to handle a bypass, the period from perceiving it, through improvement and repair, to issuing policies is long, which greatly challenges the protection capabilities of the prior art.

(2) The security devices are deployed as isolated islands and cannot truly work together. A security event leaves traces at several points at the same time, but the devices are independent of each other; although each independent device can provide logs and alarms for its own area of responsibility, the devices do not connect the points across the whole attack surface. The security operation capability of the prior art relies on manual correlation by security analysts, but alarms come from multi-source heterogeneous data, most of them are fragmented and very difficult to integrate, repeated and inefficient secondary evidence collection occurs during alarm analysis and judgment, analysts must switch repeatedly among different security devices, an incomplete asset entity library further blocks the analysis, and the summarizing, integrating and judging work is ultimately completed by the analysts themselves, whose energy and capability often become the bottleneck.

(3) On the security operator response side, security event disposal is fragmented and hard to extend beyond product boundaries. Traditional security event response focuses only on the response capability of a single product, and coordinated network-endpoint response is not achieved; it is further hindered by excessive and inaccurate alarm data, so the final disposal is often to cut off the network or reinstall the dangerous asset entity directly. This rough approach is hard to replace without support for accurate threat localization, and when the number of security events exceeds the manual handling capability of the personnel, or the dangerous asset is related to the enterprise's core assets, its disadvantages are exposed and these situations become very tricky.

(4) Security operation efficiency is low. Operators are exhausted by repetitive, single-purpose work, and the large number of heterogeneous security devices scattered everywhere generate a large number of logs, making log analysis and event processing difficult. Operation and maintenance personnel are submerged by a large amount of scattered information, cannot make macroscopic judgments and effective decisions, and switch repeatedly among several devices, so efficiency is low and the optimal capability of each device cannot be fully exploited.

In summary, given the above obstacles in the conventional security construction process, security threat decision command places higher demands on the following aspects: simpler and more efficient correlation analysis; detection of high-level threat behaviors; fast lookup, tracing and evidence acquisition; more efficient full-flow event handling; more complete attack chain visualization; and a shift of the security operation experience toward automation.

Disclosure of Invention

Aiming at the above technical problems, the invention provides a threat decision-making auxiliary system based on network security, applied to decision-making assistance in a security operation platform system. The invention is realized by adopting the following technical scheme: a network security based threat decision assistance system, comprising: the advanced malicious code analysis module, used for analyzing and synthesizing original features based on deep learning, continuously training through security artificial intelligence and extracting stable and reliable high-level feat