Network security target field-based virtual simulation and security evaluation method and system

By constructing a network asset knowledge graph and combining Monte Carlo tree search and Bayesian attack graph techniques, the problems of insufficient realism and lack of comprehensiveness in simulated adversarial assessments in network test ranges are solved. This enables the simulation of complex attack chains and the identification of key risk nodes, and provides logically clear defense recommendations.

CN121125218BActive Publication Date: 2026-06-23BEIJING BO YI WANG XUN SCI & TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
BEIJING BO YI WANG XUN SCI & TECH CO LTD
Filing Date
2025-09-04
Publication Date
2026-06-23

AI Technical Summary

Technical Problem

Existing network ranges lack dynamic adaptability and intelligent decision-making capabilities in virtual simulation and security assessment, making it difficult to effectively simulate advanced persistent threats. Furthermore, traditional assessment methods cannot identify attack chains and key risk nodes in complex network topologies.

Method used

The Monte Carlo tree search algorithm and Bayesian attack graph technology are used to construct a network asset knowledge graph, simulate attack paths and quantify security risks. Attack simulations are performed on the knowledge graph using the Monte Carlo tree search algorithm, and risk assessments are conducted in conjunction with the Bayesian attack graph to generate a comprehensive assessment report.

Benefits of technology

It improves the strategic and realistic nature of simulation, enables the discovery of complex attack chains and the identification of key risk nodes, provides logically clear defense recommendations, and enhances the comprehensiveness and predictability of the assessment.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN121125218B_ABST
    Figure CN121125218B_ABST
Patent Text Reader

Abstract

The application discloses a network security target-based virtual simulation and security evaluation method and system. First, a network asset knowledge graph describing a virtual target environment is constructed through information collection. Second, intelligent attack simulation is performed on the knowledge graph based on an attack strategy syntax rule library using a Monte Carlo tree search (MCTS) algorithm to discover nonlinear and multi-stage attack paths. Third, a Bayesian attack graph (BAG) is constructed based on the knowledge graph to probabilistically and systematically quantitatively evaluate the security risks of asset nodes in the network through Bayesian inference. Finally, the attack paths and quantitative risk values are integrated to generate a comprehensive evaluation report containing visualized paths, risk rankings and reinforcement suggestions. The application solves the problems of insufficient realism of existing target simulation, one-sided security evaluation and lack of predictability by combining strategic simulation of MCTS and global quantitative analysis of BAG.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of cybersecurity technology, specifically to a virtual simulation and security assessment method and system based on a cybersecurity test range. Background Technology

[0002] Cybersecurity test ranges and virtual simulation platforms are cybersecurity experimental platforms developed to address the rapid development of information technology and informationized weaponry, to respond to revolutionary changes in the military field, to adapt to the development needs of informationized weaponry, and to provide a near-real combat information warfare environment. They can provide quantitative and qualitative assessments of the security of various network technologies, attack and defense methods, and conceptual security, enabling tactical performance testing and operational effectiveness evaluation of informationized weaponry. They also provide information security authorities with a credible, controllable, and operable experimental environment for assessing the security level of network information systems.

[0003] Countries worldwide regard the construction of cybersecurity test ranges and virtual simulation platforms as crucial venues for demonstrating and verifying cybersecurity technologies, developing and testing cyber weapons and equipment, conducting offensive and defensive training exercises, and performing cyber risk assessments and analyses. Cybersecurity test ranges and virtual simulation platforms are vital infrastructure for cyber offensive and defensive exercises and the evaluation of new cyber technologies, and are important means of supporting cybersecurity, cyber weapon testing, offensive and defensive exercises, and cyber risk assessments.

[0004] Current network range technologies typically suffer from the following technical problems when conducting virtual simulations and security assessments: Firstly, most mainstream network ranges rely on pre-written static attack scripts or manual penetration testing for attack and defense drills. This approach generates relatively fixed attack paths, lacking dynamic adaptability and intelligent decision-making capabilities. It struggles to effectively simulate the highly intelligent decision-making processes exhibited by complex attackers such as Advanced Persistent Threats (APTs) when facing different network environments and defense strategies, leading to significant discrepancies between simulation assessment results and complex real-world adversarial scenarios. Secondly, traditional security assessment methods, such as vulnerability scanning and configuration verification, usually focus on isolated, static security flaws in the network—"point" risks—while neglecting the interconnectedness of these flaws within complex network topologies and the potential for attackers to exploit them in chain attacks—"surface" risks. This assessment method lacks a macro-level understanding of the overall system security posture and the ability to predict potential attack paths, making it difficult to accurately quantify the overall security level of the system and identify key risk nodes that play a crucial role in the attack's evolution.

[0005] Therefore, how to improve the dynamic adversarial realism of virtual simulation in network ranges and achieve comprehensive, dynamic and predictive security assessment of the tested system is a technical problem that urgently needs to be solved in the field of cybersecurity. Summary of the Invention

[0006] This application aims to provide a virtual simulation and security assessment method and system based on a cybersecurity test range, in order to solve the technical problems in the background technology of insufficient realism in cybersecurity test range simulation and lack of comprehensiveness and predictability in security assessment.

[0007] To achieve the above objectives, this application provides a virtual simulation and security assessment method based on a cybersecurity test range, characterized by the following steps:

[0008] S1: Collect asset information, network connection relationships, and security configuration information within a preset virtualized test range environment, and construct a network asset knowledge graph containing asset nodes, relationship edges, and attribute tags;

[0009] S2: Based on the predefined attack strategy syntax rule base and the network asset knowledge graph, the Monte Carlo tree search algorithm is used to simulate the attack in order to explore and find at least one effective multi-step attack path from the initial attack node to the preset target node.

[0010] S3: Based on the vulnerability information and inter-node dependencies in the network asset knowledge graph, construct a Bayesian attack graph, and calculate the posterior probability of each secure state node in the graph being achieved by performing Bayesian inference on the Bayesian attack graph, which serves as the quantitative security risk value of the corresponding asset.

[0011] S4: Integrate the multi-step attack paths and the quantitative security risk values ​​of each asset to generate a comprehensive assessment report, and generate defense hardening recommendations based on the report.

[0012] Preferably, the step of simulating the attack using the Monte Carlo tree search algorithm specifically includes iteratively executing the following steps:

[0013] Based on the preset node selection strategy, starting from the node in the current attack state, select an optimal subsequent node for expansion;

[0014] Based on the attack strategy syntax rule base, create one or more child nodes representing new attack actions for the selected node;

[0015] Starting from the newly created child node, attack actions are randomly executed according to the default strategy until the end state is reached;

[0016] The results of the simulation phase are used to update the statistical values ​​of all nodes on the selected path in reverse order.

[0017] Preferably, the node selection strategy is an upper confidence bound (UCB) strategy, which is used to balance the utilization of known effective attack paths and the exploration of unknown attack paths.

[0018] Preferably, the step of constructing the Bayesian attack graph includes:

[0019] Define the security state in the network as a node in a Bayesian attack graph;

[0020] The causal attack dependencies between the security states are defined as directed edges connecting the nodes;

[0021] Configure a conditional probability table for each directed edge to quantify the probability of the occurrence of the causal attack dependency.

[0022] Preferably, the Bayesian inference is performed to calculate the posterior probability of the occurrence of all other secure state nodes, given a known vulnerability in the network as initial evidence.

[0023] Preferably, the comprehensive assessment report includes at least one of the following: a visualized attack path diagram, a ranking list of key risk nodes, and a heat map of network security risk situation.

[0024] Accordingly, this application also provides a virtual simulation and security assessment system based on a cybersecurity test range, including:

[0025] The knowledge graph construction module is used to collect information about the virtualized test range environment and construct a network asset knowledge graph.

[0026] The attack path simulation module is used to simulate attacks based on a predefined attack strategy syntax rule base and the network asset knowledge graph PEG, employing a Monte Carlo tree search algorithm to find at least one valid multi-step attack path. This module internally includes an attack strategy syntax rule base that stores formalized rules governing the preconditions and effects of attack behaviors.

[0027] The security risk assessment module is used to construct a Bayesian attack graph based on the network asset knowledge graph, and calculate the quantitative security risk value of each asset by performing Bayesian inference. This module includes a Bayesian inference engine for performing probabilistic inference algorithms.

[0028] The report generation module integrates the multi-step attack path and the quantified security risk value to generate a comprehensive assessment report and defense hardening recommendations. This module includes a visualization engine to display the analysis results in graphical or chart form.

[0029] In summary, this application provides a virtual simulation and security assessment method and system based on a cybersecurity testbed. First, the complex network environment is abstracted into a machine-readable network asset knowledge graph. Then, using the Monte Carlo Tree Search (MCTS) algorithm, exploratory attack path deduction simulating the strategic thinking of human attackers is performed on this knowledge graph to discover highly concealed, multi-stage attack chains. Simultaneously, a Bayesian Attack Graph (BAG) is constructed in parallel, placing vulnerabilities in the network within a global causal probability network. Bayesian inference is then used to accurately quantify the systemic security risks of individual assets and even the entire system. By combining the path discovery capabilities of MCTS with the risk quantification capabilities of BAG, this application achieves a complete and intelligent security assessment process, from discovering attack paths to assessing path threats and locating key risk nodes.

[0030] Compared with the prior art, this application has the following beneficial effects:

[0031] 1. This application employs the Monte Carlo tree search algorithm, combined with an attack strategy syntax rule base, to simulate the attacker's balance between exploration and exploitation during the decision-making process, rather than simply executing a fixed script. This method can discover non-linear, counterintuitive, and complex attack chains, and its simulation results are closer to those of real-world human attackers with strategic planning capabilities, significantly improving the strategic depth and realism of attack simulation.

[0032] 2. By constructing a Bayesian attack graph, this application places isolated vulnerabilities and configuration information into a global causal network for analysis. It can accurately quantify the security risks of each asset and even the entire system in a probabilistic manner, and reveal the propagation and amplification effects of risks in the network. This achieves a shift from "point" risk assessment to a "surface" systematic risk measurement, realizing the quantification and systematic assessment of security risks, resulting in a more comprehensive and objective evaluation.

[0033] 3. The evaluation results of this application (the optimal attack path generated by MCTS and the high-risk nodes calculated by BAG) are highly interpretable. It not only tells users where the risks are, but also clearly demonstrates how these risks are exploited and which risks are most critical. The generated defense recommendations directly target the key links in the attack chain, providing logically clear and focused decision support for security hardening, and offering accurate and interpretable decision-making basis. Attached Figure Description

[0034] Figure 1 A flowchart of a virtual simulation and security assessment method based on a cybersecurity test range provided for this application.

[0035] Figure 2 This is a schematic diagram illustrating the principle of Monte Carlo Tree Search (MCTS) attack simulation in the embodiments of this application.

[0036] Figure 3 This is a schematic diagram illustrating the construction of the Bayesian Attack Graph (BAG) in an embodiment of this application.

[0037] Figure 4 This application provides a structural block diagram of a virtual simulation and security assessment system based on a cybersecurity test range.

[0038] Figure 5 This is a heatmap of network security risk situation generated in the embodiments of this application.

[0039] Figure 6 This is a comparison chart showing the simulation performance capabilities of the embodiments of this application and traditional methods.

[0040] Figure 7 A schematic diagram of the interface of a virtual simulation and security assessment system based on a cybersecurity test range provided in this application embodiment.

[0041] Figure 8 This is another schematic diagram of the interface of the virtual simulation and security assessment system based on the network security test range provided in the embodiments of this application.

[0042] Figure 9 This is a schematic diagram of the evaluation result report provided in an embodiment of this application. Detailed Implementation

[0043] To enable those skilled in the art to better understand the technical solutions in this specification, the technical solutions in the embodiments of this specification will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this specification, and not all embodiments. Based on the embodiments in this specification, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of this specification.

[0044] Example 1

[0045] This embodiment provides a specific implementation of a virtual simulation and security assessment method based on a cybersecurity test range. (Refer to...) Figure 1 The method includes the following detailed steps:

[0046] Step S1: Construct a network asset knowledge graph. Collect asset information, network connectivity relationships, and security configuration information within a pre-defined virtualized test environment to build a network asset knowledge graph containing asset nodes, relationship edges, and attribute labels. This step aims to transform the physical and virtual network environment into a machine-understandable, structured data model. The system first collects information using various probes deployed in the virtualized test environment. These probes include:

[0047] Active scanning probes, such as Nmap and Nessus, are used to discover live hosts, open ports, running services, and known CVE vulnerabilities.

[0048] Configure data collection agent: A lightweight agent program installed inside a virtual machine or container to obtain detailed information such as operating system type, version, list of installed software, user accounts, and security configurations (such as firewall rules and password policies).

[0049] Traffic analysis probes: Capture network traffic through network routing (such as SPAN ports) and analyze it to determine the actual communication relationships and protocols between devices.

[0050] The collected information is integrated and stored as a Cyber ​​Asset Knowledge Graph. This is an attribute graph, where:

[0051] Asset nodes: Represent entities in the network, such as Host, Service, Vulnerability, and UserAccount. Each node has detailed attributes. For example, a Host node might have {ip:'192.168.1.10',os:'WindowsServer 2019',hostname:'WEB-SVR-01'}.

[0052] Relationship edges: represent the relationships between nodes, such as connectsTo(host_A, host_B), runs(host, service), has(host, vulnerability).

[0053] Attribute tags: These are the specific attributes of a node and form the basis for subsequent analysis.

[0054] This knowledge graph is the cornerstone of the entire assessment process, providing comprehensive and accurate data support for subsequent attack simulations and risk calculations.

[0055] Step S2: Generate a multi-step attack path. Based on a predefined attack strategy syntax rule base and the network asset knowledge graph, a Monte Carlo Tree Search (MCTS) algorithm is used to simulate an attack, exploring and finding at least one effective multi-step attack path from the initial attack node to the preset target node. This step aims to simulate how a strategic and targeted attacker exploits weaknesses in the network to achieve their objectives. This embodiment does not use a preset script but instead employs the Monte Carlo Tree Search (MCTS) algorithm for dynamic and intelligent path discovery, the principle of which is as follows: Figure 2 As shown.

[0056] First, an attack strategy syntax rule base needs to be defined. This is a formalized set of rules describing the actions an attacker can take and their preconditions. For example, a rule can be represented as: Exploit(Attacker,TargetHost,CVE_ID):-HasPrivi lege(Attacker,SourceHost),ConnectsTo(SourceHost,TargetHost,Port),HasVulnerability(TargetHost,CVE_ID,Port). This rule indicates that for an attacker to exploit a vulnerability on a target host, the prerequisites are that they have control of the source host, the source host and the target host have a connection on the corresponding port, and the target host actually has the vulnerability. The MCTS algorithm uses this rule base to search the knowledge graph, and the process is as follows:

[0057] 1. Initialization: Create a root node that represents the attacker's initial state (e.g., having taken control of a jump server in the DMZ).

[0058] 2. Iterative Search: Repeat the following four steps a certain number of times, which can be thousands or tens of thousands of times:

[0059] (1) Selection: Based on a preset node selection strategy, starting from the node in the current attack state, the system selects the optimal subsequent node for expansion. In a specific implementation, child nodes are recursively selected from the root node until an incompletely expanded node is reached. In each selection step, the system determines which child node to select based on the node's Upper Confidence Bound 1 (UCB1) value. The UCB1 formula is (Q(v) / N(v)) + C*sqrt(ln(N(p)) / N(v)), balancing the exploitation of known optimal paths and the exploration of unknown paths. Here, the meaning and usage of each symbol in the formula are explained in detail:

[0060] v: Represents a child node currently being evaluated, i.e., a potential attack action.

[0061] p: represents the parent node of node v.

[0062] Q(v): Represents the total value or reward of node v. In the context of this application, it specifically refers to the number of times the attack objective is successfully achieved through all simulations using node v, i.e., the "number of wins".

[0063] N(v): Represents the total number of times node v is visited, that is, the total number of simulated visits through this node.

[0064] N(p): Represents the total number of times the parent node p is visited.

[0065] C: Represents the exploration parameter, a positive constant used to adjust the weight between the exploit and exploration terms. Theoretically, it is usually taken as sqrt(2), but it can also be adjusted empirically according to the specific scenario. A higher C value will encourage the algorithm to conduct a wider exploration.

[0066] The specific usage of the formula is described below. The formula consists of two core parts:

[0067] Exploitation Term: Q(v) / N(v). This term calculates the historical average return or win rate of node v. The higher this value for a node, the greater the probability of success after choosing this attack action based on historical experience. The algorithm tends to choose nodes with high values, i.e., those that utilize known effective paths.

[0068] The Exploration Term is defined as C*sqrt(ln(N(p)) / N(v)). This term is a reward or curiosity bonus given to nodes that are visited less frequently. The denominator N(v) is crucial; when a node v is visited very few times N(v), this term will have a large value, thus increasing the node's total UCB1 score and making it more likely to be selected. This encourages the algorithm to explore attack paths that have not yet been fully tried, avoiding missing the global optimum due to premature convergence.

[0069] The specific execution flow in the selection phase can be as follows: For a parent node p, the algorithm traverses all its child nodes v and calculates the UCB1 score for each child node. Then, the algorithm selects the child node with the highest score as the next path, and repeats this process from the selected node until a child node is reached or a node with unexpanded child nodes exists.

[0070] (2) Expansion: Based on the attack strategy syntax rule base, create one or more child nodes representing new attack actions for the selected node. In a specific implementation, for the selected node, generate one or more new child nodes based on the attack strategy syntax rule base and the current knowledge graph state, with each child node representing a feasible attack action.

[0071] (3) Simulation / Rollout: Starting from the newly created child node, attack actions are randomly executed according to the default policy until a final state is reached. In a specific implementation, starting from the newly expanded node, subsequent attack actions are randomly selected or based on a lightweight default policy until a final state is reached, such as successfully controlling the target node or reaching the maximum simulation depth.

[0072] (4) Backpropagation: The results of the simulation phase are used to update the statistical values ​​of all nodes on the selected path in reverse. In a specific implementation, the simulation results are set as follows: success is 1 and failure is 0. The simulation is then propagated back along the path of the selection phase to update the number of wins Q(v) and the number of visits N(v) of all nodes on the path.

[0073] 3. Output Results: After the above iterative execution is completed, starting from the root node, select the child node that is visited most frequently in each step. The path formed by this selection is the optimal or most likely successful multi-step attack path found by the algorithm. Through MCTS, this application can discover attack chains that require multiple steps and seem logically unlikely during virtual simulation, greatly improving the depth and realism of the simulation.

[0074] Step S3: Quantify node security risk. Based on the vulnerability information and inter-node dependencies in the network asset knowledge graph, construct a Bayesian attack graph. Then, perform Bayesian inference on the Bayesian attack graph to calculate the posterior probability of each secure state node being achieved, which serves as the quantified security risk value for the corresponding asset. This step aims to assess the correlation and propagation of risks in the network from a global perspective. This embodiment uses Bayesian Attack Graph (BAG) technology, such as... Figure 3 As shown.

[0075] 1. Construct BAG: The system traverses the network asset knowledge graph and transforms it into a directed acyclic probabilistic graph.

[0076] The security state in the network is defined as a node in the Bayesian attack graph. A node in the BAG represents a security-related state or event, such as has_user_privilege(Host_A), vulnerability_exploited(CVE_ID), and goal_achieved(Data_Exfiltration).

[0077] The causal attack dependencies between the security states are defined as directed edges connecting the nodes, where each edge in the BAG represents a causal or conditional dependency between nodes. For example, an edge from vulnerability_exploited(CVE_ID) to has_root_privilege(Host_A) indicates that the latter depends on the former.

[0078] A conditional probability table (CPT) is configured for each directed edge to quantify the probability of the causal attack dependency occurring. Each edge in the CPT is associated with a conditional probability. For example, P(has_root_privilege|vulnerability_exploited) = 0.8, and this probability value can be set based on prior knowledge such as CVSS score and the difficulty of exploiting the vulnerability. The prior probability of leaf nodes (usually known vulnerabilities) is set to 1 (indicating confirmed existence).

[0079] 2. Bayesian inference, used to calculate the posterior probability of all other secure nodes occurring given a known vulnerability in a network as initial evidence. In a specific implementation: after constructing...

[0080] After BAG (Blocking Aggregate), the system employs a probabilistic reasoning algorithm (such as variable elimination or belief propagation) to calculate the posterior probability of each node in the graph. This posterior probability represents the probability that the secure state will be achieved given all known evidence (i.e., the existence of vulnerabilities in the child nodes).

[0081] 3. Risk Value Output: The posterior probability of each asset's associated critical security status (such as being controlled by administrators) is defined as the asset's quantified security risk value. For example, calculating...

[0082] If P(has_admin_privilege(DB_Server)) = 0.92, it means that the database server faces an extremely high risk of being completely controlled.

[0083] One specific method for setting conditional probabilities is to map the vulnerability's CVSSv3 base score to an interval using a non-linear function (such as the sigmoid function). For example, the conditional probability P can be calculated using the following formula: P = 1 / (1 + exp(-k*(BaseScore-5))). Here, BaseScore is the vulnerability's CVSS base score, k is a kurtosis coefficient (e.g., k = 1), and 5 is the base score for medium risk. For a critical vulnerability with a CVSS score of 9.8, the conditional probability of successful exploitation can be calculated as 1 / (1 + exp(-1*(9.8-5))) ≈ 0.992. For non-exploitation actions, such as cracking weak passwords, the success probability can be empirically set based on the strength of the password strategy. For example, for a weak password, P(successful cracking) can be set to 0.8.

[0084] The advantage of using BAG in this application is that it can clearly model the propagation path of risk. If a low-risk vulnerability is in a critical position in the attack chain, its impact on downstream core assets will be amplified probabilistically, thus obtaining a risk score that matches its true threat.

[0085] Reference Figure 3 This diagram illustrates a simplified process of constructing a Bayesian attack graph. In this graph, rectangles represent evidence nodes, typically known and certain facts such as "Web server has vulnerability A" and "Database has weak password B." The prior probability of these nodes is set to 1.0. Ellipses represent state nodes, indicating a security state in the network whose occurrence is uncertain, such as "Gaining user privileges on the web server."

[0086] Directed edges between nodes represent causal attack dependencies. For example, an edge from "Web server has vulnerability A" to "gaining user privileges on the web server" indicates that the latter is a result of the former being exploited. The label P(access_web|vuln_web) on this edge is the conditional probability, quantifying this causal relationship.

[0087] More complexly, the state node "Gained Database Administrator Privileges" has two parent nodes: "Gained Web Server User Privileges" and "Weak Password B Exists in the Database." This indicates that an attacker must simultaneously meet both preconditions to successfully gain database privileges. By constructing such a graph, the system can model fragmented vulnerability information and complex attack logic, laying the foundation for subsequent global risk probability calculations.

[0088] Step S4: Generate a comprehensive assessment and hardening recommendations. Integrate the multi-step attack paths and the quantitative security risk values ​​of each asset to generate a comprehensive assessment report, and generate defense hardening recommendations based on the report. This step presents the analysis results in a user-friendly manner and provides actionable guidance.

[0089] In one specific implementation, the comprehensive evaluation report may include:

[0090] Visualized attack path: The best attack path found by MCTS in S2 is displayed in the form of a flowchart or topology overlay diagram, clearly marking the attack techniques at each step.

[0091] Key risk node ranking: Sort all assets calculated in S3 from high to low according to their quantitative security risk values ​​to form a Top-N risk asset list.

[0092] Risk situation heat map: such as Figure 5 As shown, the risk values ​​of different network regions and assets are rendered on the topology map using varying shades of color, forming an intuitive risk distribution heatmap. (Refer to...) Figure 5 It shows a network security risk situation heat map generated by an embodiment of this application.

[0093] This heatmap is a two-dimensional matrix, with the vertical axis representing different network areas (such as DMZ, core business area, and office area) and the horizontal axis representing different types of asset clusters (such as web server clusters, application server clusters, and database servers).

[0094] The value of each cell in the figure (such as 0.85, 0.92) represents the comprehensive quantitative security risk value of the corresponding asset cluster in the corresponding region. This value is calculated by Bayesian inference in step S3 (it can be the average or maximum value of the asset risk value in the region).

[0095] The cell color is positively correlated with the risk value, rendered using a color gradient from light to dark red. As shown in the figure, the database server in the core business area (risk value 0.92) and the application server cluster in the DMZ area (risk value 0.85) are the darkest, intuitively revealing that these two areas are the weakest and most urgent links in current network security protection, helping managers quickly identify the focus of risk.

[0096] Defense hardening recommendations: Based on the principles of blocking attack chains and reducing risks to critical nodes, the system can automatically generate recommendations:

[0097] For attack paths: Analyze the key steps in the MCTS path and provide blocking suggestions. For example:

[0098] "MCTS discovered that the main attack path relies on communication between the web server and the application server via port 3389. It is recommended to deploy a firewall policy between the two to block access to this port."

[0099] For high-risk nodes: For high-risk nodes identified by BAG calculations, reinforcement recommendations are provided. For example:

[0100] "The database server has a risk probability of 0.92, mainly because it can be accessed from compromised application servers using weak passwords. It is recommended to immediately change the database password to a strong one and restrict access from IP addresses using a whitelist."

[0101] Example 2

[0102] This embodiment provides the structure of a virtual simulation and security assessment system based on a cybersecurity test range, and elaborates on the functions and implementation methods of each module. (Refer to...) Figure 4 The system includes:

[0103] I. Knowledge Graph Construction Module (1) is used to collect information on the virtualized test range environment and construct a network asset knowledge graph. This module is the data foundation of the system and is responsible for comprehensively and automatically collecting test range environment information and integrating these heterogeneous and scattered data into a unified and structured network asset knowledge graph to provide a global and real-time view for subsequent attack simulation and risk assessment.

[0104] The specific implementation method can be:

[0105] 1. Data Acquisition Layer: Deploy a distributed probe cluster. This cluster includes:

[0106] Active Network Scanner: Integrates the open-source tool Nmap, using technologies such as TCP / UDP port scanning, service version detection, and operating system fingerprinting to discover live assets and their open services on the network.

[0107] Vulnerability evaluator: Integrates with open-source tools like OpenVAS or commercial scanner APIs to perform vulnerability scans on discovered assets and services, obtaining information such as CVE IDs and CVSS scores.

[0108] Configuration information collector: For Windows environments, it remotely queries via WMI (Windows Management Instrumentation) or WinRM; for Linux environments, it executes preset scripts (such as lshw, netstat, rpm-qa, etc.) via SSH to obtain detailed configuration information such as hostname, hardware configuration, software list, user accounts, routing table, and firewall rules.

[0109] Passive traffic listeners: Deploy traffic probes (such as Zeek or Suricata) on the mirrored port (SPAN port) of a virtual switch to analyze network traffic to identify the real communication relationships between devices, the protocols used, and the applications, thus compensating for connection information that may be missed by active scanning.

[0110] 2. The data fusion and storage layer includes:

[0111] ETL pipeline: Design a data extraction, transformation, and loading (ETL) process to clean, deduplicatize, and standardize data from different sources and in different formats.

[0112] Graph Database: A graph database using Neo4j as the backend. Data processed by ETL is converted into Cypher query statements such as CREATE and MERGE, and written to Neo4j. For example, MERGE(h:Host{ip:'10.0.1.5'}) SET h.os='Ubuntu 20.04'. Here, the Cypher query statement used to create relationships between assets is explained in detail; this statement is one of the core operations of the data fusion and storage layer: MATCH(h1:Host{ip:'10.0.1.5'}),(h2:Host{ip:'10.0.2.10'})MERGE(h1)-[:CONNECTS_TO{protocol:'tcp',port:80}]->(h2). This statement transforms an observed network connection event (e.g., a web access captured by a passive traffic listener) into a persistent, attribute-rich relationship edge in the knowledge graph. Its specific execution logic is broken down as follows:

[0113] MATCH(h1:Host{ip:'10.0.1.5'}),(h2:Host{ip:'10.0.2.10'}): This is a node matching clause. It instructs the graph database to first perform a lookup operation. Where:

[0114] The expression `(h1:Host{ip:'10.0.1.5'})` searches for all nodes in the graph labeled "Host" (host type), and the `ip` attribute value of these nodes must be '10.0.1.5'. The first matching node found will be bound to the temporary variable `h1`.

[0115] (h2:Host{ip:'10.0.2.10'}) means finding the Host node with the IP address '10.0.2.10' and binding it to the variable h2.

[0116] The comma in the statement acts as a logical AND, indicating that both nodes h1 and h2 must be successfully found for the MATCH clause to succeed. This step ensures that the relationship is established between two known and correct asset nodes.

[0117] MERGE(h1)-[:CONNECTS_TO{protocol:'tcp',port:80}]->(h2): This is the relation creation and merging clause, which is crucial for ensuring the accuracy and consistency of the graph data.

[0118] The MERGE operation attempts to match the complete pattern within the parentheses, which is a specific relationship from h1 to h2.

[0119] If the complete schema already exists in the database (i.e., there is already a relationship between h1 and h2 of type CONNECTS_TO with protocol tcp and port 80), the MERGE operation will not perform any operation. This feature avoids creating a large number of redundant relationship edges in the graph due to repeatedly collecting the same connection information.

[0120] If the complete schema does not exist, the MERGE operation will create the new relationship.

[0121] (h1)-[...]->(h2): Defines a directed relation from node h1 to node h2.

[0122] [:CONNECTS_TO...]: Defines the type of this relationship as CONNECTS_TO, giving it a clear business semantic, namely, connecting to.

[0123] {protocol:'tcp',port:80}: This is an attribute defined on the relation edge. It records detailed context information about this connection, namely, the connection protocol is TCP and the target port is 80. These attributes are crucial for subsequent attack path simulation because many attack actions depend on the connectivity of specific ports and protocols.

[0124] In summary, this Cypher statement fully implements the following atomic operation: confirming the existence of two host entities with specific IPs in the network, and then ensuring that there is a specific type of connection relationship (TCP protocol, port 80) between them, and that this relationship is recorded only once in the knowledge graph.

[0125] Update mechanism: The module supports two update mechanisms: timed polling scan and event-triggered (such as the creation of a new virtual machine) to ensure the near real-time performance of the knowledge graph.

[0126] II. Attack Path Simulation Module (2) is used to simulate attacks based on a predefined attack strategy syntax rule base and the network asset knowledge graph, using the Monte Carlo tree search algorithm to find at least one effective multi-step attack path. This module is responsible for simulating the attacker's decision-making thinking and performing strategic deduction on the knowledge graph to discover multi-step attack paths that may be used to achieve the attack target.

[0127] The specific implementation method can be:

[0128] 1. Attack Strategy Syntax Rule Base: Attack primitives are defined using a domain-specific language (DSL) or XML format. Each primitive includes an action name, preconditions, and postconditions. For example:

[0129] XML code

[0130] <Primitive name="RemoteCodeExecution_CVE-2017-0144">

[0131] <preconditions>

[0132] <Fact type="connectivity"from="attacker"to="target"port="445" / >

[0133] <Fact type="vulnerability"on="target"cve="CVE-2017-0144" / >

[0134] <Fact type="privilege"on="attacker"level="user" / >

[0135] < / preconditions>

[0136] <postconditions>

[0137] <Fact type="privilege"on="target"level="system" / >

[0138] < / postconditions>

[0139]

[0140] These rules are managed and parsed by a rule engine (such as Drools).

[0141] 2. MCTS Engine Unit:

[0142] Tree structure: Maintain an MCTS tree in memory. The Node data structure of the tree contains state (current attack state, such as the list of controlled nodes), parent, children (pointers to other Node objects), wins (number of wins), and visits (number of visits).

[0143] Selection / Expansion Logic: In the selection phase, the code recursively traverses child nodes, calculates the UCB1 value of each child node, and selects the largest one. In the expansion phase, the MCTS engine queries the rule engine for all attack primitives that meet the preconditions in the current state and creates a new child node for each primitive.

[0144] Simulation Logic: The Rollout phase employs a lightweight heuristic strategy, such as prioritizing attack actions that can gain higher privileges or access to more new hosts, to guide the random simulation and make it more likely to reach meaningful results.

[0145] Interaction Interface: The engine interacts with the knowledge graph building module via API, checking whether the required prerequisites exist in the knowledge graph at each step of the inference process.

[0146] III. Security Risk Assessment Module (3) is used to construct a Bayesian attack graph based on the network asset knowledge graph and calculate the quantitative security risk value of each asset by performing Bayesian inference. This module is responsible for transforming the complex dependency relationship between network assets and vulnerabilities into a computable probability model, thereby conducting a systematic and quantitative assessment of the security risks of each asset and even the entire system.

[0147] The specific implementation method can be:

[0148] 1. BAG Build Engine:

[0149] Template Transformer: This unit traverses the knowledge graph and applies a set of predefined transformation templates to map the graph information into a BAG structure. For example, a template could be: "For each..."

[0150] The Host-has -> Vulnerability relationship is created in BAG.

[0151] Create an Exploit (Vulnerability) evidence node and a Privilege (Host) state node, and connect them.

[0152] CPT Generator: Based on metadata such as vulnerability CVSS score, exploit code maturity, and report credibility, it queries a built-in risk knowledge base and generates CPTs.

[0153] Each edge of a BAG generates a conditional probability. For example, for a vulnerability with a CVSS score of 9.0-10.0, its P (privilege gain | exploit) might be set to 0.95.

[0154] 2. Bayesian Inference Engine:

[0155] Probabilistic network library: Integrates a mature probabilistic graphical model library, such as pgmpy (Python) or jBPT (Java).

[0156] Inference Executor: First, all known vulnerabilities (confirmed to exist in the knowledge graph) are treated as evidence, and their probabilities in the corresponding nodes of the BAG are set to 1.0. Then, precise inference algorithms (such as variable elimination, suitable for small to medium-sized graphs) or approximate inference algorithms (such as Markov Chain Monte Carlo MCMC, suitable for large graphs) from the probabilistic network library are called to calculate the posterior probabilities of all non-evidence nodes.

[0157] IV. Report generation module (4) is used to integrate the multi-step attack path and the quantified security risk value to generate a comprehensive assessment report and defense hardening suggestions. This module is the final exit for the interaction between the system and the user. It is responsible for transforming complex analysis results into intuitive, easy-to-understand reports and actionable suggestions to support security decisions.

[0158] The specific implementation method can be:

[0159] 1. Data Integration and Formatting Unit: Obtains the optimal attack path (a sequence of actions) from the attack path simulation module via API, and obtains the quantitative risk value of each asset from the security risk assessment module.

[0160] 2. Visualization engine, including attack path visualization: using JavaScript libraries (such as D3.js or...)

[0161] Vis.js renders the attack path sequence into a dynamic, interactive directed graph, allowing users to click on each step to view detailed explanations of the attack techniques.

[0162] Topology Risk Heatmap: This method obtains network topology layout information from a knowledge graph, and then assigns a color gradient from green to red to the nodes in the topology graph based on the risk value of each asset, generating a heatmap like this. Figure 5 The heatmap shown.

[0163] 3. Recommendation Generation Unit: This unit maintains a risk-countermeasure mapping knowledge base. It iterates through the analysis results; for example, for a critical step in the attack path (Exploit (CVE-XXXX)), it queries the knowledge base for the corresponding countermeasure: "Apply Patch Vendor-Patch-ID" or "Deploy Virtual Patch Rule IPS-Rule-ID". For high-risk nodes, it recommends general hardening measures such as "Strengthening Access Control", "Principle of Least Privilege", and "Network Micro-Segmentation".

[0164] 4. Report document generator: using template engines (such as Jinja2) and document conversion tools (such as...)

[0165] Pandoc populates all formatted text, charts, and visualizations into a preset template, ultimately generating a comprehensive evaluation report in PDF or HTML format.

[0166] Example 3

[0167] This embodiment combines a converged network security assessment scenario of a manufacturing enterprise headquarters (IT network) and a smart factory (OT / ICS network) to describe in detail the specific application of the method of this application.

[0168] 1. Detailed application scenario description

[0169] The network environment includes:

[0170] Headquarters IT Network (10.10.0.0 / 16): Includes a standard office network environment with employee PCs, an email server (Exchange), a file server (Windows Server), and an ERP system for managing factory production. The network connects to the internet via a firewall.

[0171] The smart factory OT network (192.168.0.0 / 24) includes Industrial Control System (ICS) devices such as SCADA servers, Human-Machine Interface (HMI) workstations, and Programmable Logic Controllers (PLCs). The OT network is wired to the IT network via a dual-NIC bastion host (acting as a jump server for remote maintenance by engineers).

[0172] Assessment Objective: To assess the risk that an attacker could penetrate the internet and ultimately tamper with the control logic of the production line's PLC, causing production to halt. The ultimate target node is defined as the control of PLC-01.

[0173] 2. In this application scenario, the specific implementation of each method step in this application is as follows:

[0174] Step S1, construct a knowledge graph for IT / OT convergence, such as Figure 7-8 As shown, upon logging into the network range management platform system, the system first conducts a comprehensive information collection of the headquarters IT network and the factory OT network. By abstracting and uniformly identifying heterogeneous resources, a resource catalog is formed. At the same time, a range resource management platform is established to realize the discovery and automatic push of range resources, real-time monitoring, dynamic scheduling, intelligent control, and rapid release.

[0175] In the IT network, the system discovered that the mail server had a CVE-2021-26855 (ProxyLogon) vulnerability, a file server had an EternalBlue vulnerability (MS17-010), and through traffic analysis, it was found that the ERP system server (10.10.20.5) would periodically access the bastion host (10.10.20.100, 192.168.0.100).

[0176] In the OT network, since active vulnerability scanning is not possible, the system passively monitors traffic and reads the configuration of the engineer station. It discovers that the configuration software running on the HMI (192.168.0.20) has a remote code execution vulnerability (CVE-2022-XXXX), and the HMI communicates with the target PLC-01 (192.168.0.50) via the Modbus protocol.

[0177] All this information is integrated into the network asset knowledge graph, forming a complex graph structure that spans IT and OT domains and includes hosts, vulnerabilities, and connectivity relationships (especially cross-domain connections via bastion hosts).

[0178] Step S2: MCTS simulates a cross-domain attack path. The attack simulation module takes "any host on the Internet" as the initial attack node and the control of PLC-01 as the target, and starts MCTS search.

[0179] 1. Selection and Expansion: The initial layers of the MCTS tree expanded to include various attack methods such as exploiting mail server vulnerabilities and phishing emails. After multiple iterations, the path of 'exploiting the ProxyLogon vulnerability' rapidly increased its UCB1 value due to its high success rate (multiple successes during the simulation phase), becoming the preferred direction for exploration.

[0180] 2. Discovery: Following this path, after gaining access to the mail server, the MCTS simulator discovered the ERP system administrator credentials stored on it. Subsequently, the simulator "decided" to log into the ERP system and discovered the connection between the ERP system and the bastion host.

[0181] 3. Cross-domain breach: The simulator then used the ERP server's privileges to remotely log into the bastion host and successfully entered the OT network. Inside the OT network, the MCTS simulator discovered a vulnerability in the HMI.

[0182] 4. Final Achievement: Ultimately, the simulator expanded to exploit the HMI vulnerability to gain control and send malicious Modbus commands from the HMI to the PLC-01, successfully achieving its goal.

[0183] Output path: After a certain number of iterations, MCTS finally outputs an optimal attack path:

[0184] "Internet -> [Exploit CVE-2021-26855] -> Mail Server -> [Obtain Credentials] -> ERP System -> [Remote Login] -> Bastion Host -> [Lateral Movement] -> HMI Engineer Station -> [Exploit CVE-2021-26855]"

[0185] "CVE-2022-XXXX]->PLC-01". This complex cross-domain attack chain is extremely difficult to detect using traditional security assessment methods.

[0186] Step S3: BAG quantifies the propagation of IT / OT risks. The security risk assessment module constructs a Bayesian attack graph based on the knowledge graph.

[0187] 1. BAG Construction: The graph contains a series of state nodes such as Exploited (ProxyLogon), Compromised (EmailServer), Compromised (ERP), Compromised (HMI), and Control (PLC-01), which are connected according to the attack dependency relationship.

[0188] 2. Probabilistic reasoning: P(Compromised(EmailServer)|Exploited(ProxyLogon)) is set to 0.9 (high success rate of exploitation).

[0189] P(Compromised(PLC-01)|Compromised(HMI))` is set to 0.98 (HMI directly controls PLC, and Modbus protocol is uncertified).

[0190] Set the prior probability of known vulnerabilities such as Exploited(ProxyLogon) to 1.0.

[0191] 3. Risk Calculation Results: The Bayesian inference engine calculated that although the initial risk to the mail server appeared to be limited to information leakage, its upstream position in the attack chain ultimately resulted in a posterior probability of 0.75 for Control (PLC-01). In contrast, the risk of the HMI itself in the isolated network might be underestimated if only the vulnerability itself is considered. BAG clearly reveals how risks from the IT domain are amplified and propagated to core OT assets through a series of seemingly unrelated nodes.

[0192] Step S4 generates reports and recommendations for IT / OT convergence scenarios, and the report generation module produces the final evaluation results.

[0193] 1. Comprehensive Report: The report uses animation to visualize the complete attack path from IT to OT. In the risk heatmap, the mail server, bastion host, HMI, and PLC-01 are all marked as dark red high-risk areas. The list of key risk nodes lists the bastion host and HMI as the Top 2, as they are the key hubs for cross-domain attacks and control of core devices.

[0194] 2. Reinforcement Recommendations:

[0195] Urgent recommendation (blocking the path): "Immediately implement strict access control policies on the bastion host between the IT and OT networks, allowing only specific source IPs (such as ERP) to access specific ports, and enforce multi-factor authentication (MFA) for login attempts."

[0196] High-priority recommendations (remediate critical nodes): "Immediately install the ProxyLogon patch for the mail server; seek vendor patches or deploy mitigation measures for the HMI configuration software vulnerability."

[0197] Long-term recommendation (to enhance system capabilities): "Plan an industrial DMZ zone between IT / OT networks and strengthen in-depth detection of cross-domain traffic."

[0198] Network tracing and attribution (enhancing prevention capabilities): such as Figure 9 As shown, research on network deception technologies such as honeypots and honeynets will be strengthened, the characteristics of various attack behaviors will be analyzed in depth, and the network attack methods, attack techniques and targets will be thoroughly understood to provide a basis for attack tracing and investigation, and to achieve rapid tracking and precise location of network attack behaviors.

[0199] Through this detailed description of a specific application scenario, it can be seen that the method of this application is adapted to the systemic security risks in modern complex network environments and provides corresponding decision support. In summary, this application does not rely on deep learning. By combining the strategic simulation of MCTS with the global quantitative analysis of BAG, it solves the problems of insufficient realism, one-sided security assessment, and lack of predictability in existing target range simulations, providing a more accurate and interpretable technical means for network security assessment.

[0200] Reference Figure 6 The chart visually compares the performance differences between the method disclosed in this application and traditional security assessment methods in terms of the accuracy of predicting key risk nodes using a bar chart. Traditional methods employ static scanning, expert penetration testing, and fixed-script attacks. A comparison with the method in this application reveals that the method in this application is significantly superior to all three traditional methods in both the number of attack paths discovered and the accuracy of risk assessment.

[0201] In summary, Appendix Figure 6 This strongly demonstrates that the method of systematic risk quantification by constructing a Bayesian attack graph can more accurately identify the core risk nodes that truly play a key role in complex attack chains than traditional isolated, static scoring-based methods, thus verifying the significant technological progress and beneficial effects of this application compared to existing technologies.

[0202] In this invention, it should be understood that if the implemented module is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, all or part of the processes in the methods of the above embodiments of this invention can also be implemented by a computer program instructing related hardware. The computer program can be stored in a computer-readable storage medium, and when executed by a processor, it can implement the steps of the various method embodiments described above. The computer program includes computer program code, which can be in the form of source code, object code, executable file, or some intermediate form. The computer-readable medium can include: any entity or device capable of carrying the computer program code, recording media, USB flash drive, portable hard drive, magnetic disk, optical disk, computer memory, read-only memory (ROM), random access memory (RAM), electrical carrier signals, telecommunication signals, and software distribution media, etc. It should be noted that the content included in the computer-readable medium can be appropriately added or removed according to the requirements of legislation and patent practice in the jurisdiction. For example, in some jurisdictions, according to legislation and patent practice, the computer-readable medium does not include electrical carrier signals and telecommunication signals.

[0203] It should be noted that the device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to implement this embodiment according to actual needs. Furthermore, in the accompanying drawings of the device embodiments provided by this invention, the connection relationships between modules indicate that they have communication connections, which can be specifically implemented as one or more communication buses or signal lines. Those skilled in the art can understand and implement this without creative effort. The above are merely preferred embodiments of the present invention, and the scope of protection of the present invention is not limited to the above embodiments. All technical solutions falling within the scope of the present invention's concept are within the protection scope of the present invention.

Claims

1. A virtual simulation and security assessment method based on a cybersecurity test range, characterized in that, Includes the following steps: S1: Collect asset information, network connection relationships, and security configuration information within a preset virtualized test range environment, and construct a network asset knowledge graph containing asset nodes, relationship edges, and attribute tags; S2: Based on the predefined attack strategy syntax rule base and the network asset knowledge graph, the Monte Carlo tree search algorithm is used to simulate attacks in order to explore and find at least one effective multi-step attack path from the initial attack node to the preset target node. The attack strategy syntax rule base defines attack primitives using a domain-specific language (DSL) or XML format. Each attack primitive includes an action name, preconditions, and action effects. In the Monte Carlo tree search MCTS extension phase, the MCTS engine queries the rule engine for all attack primitives that can satisfy the preconditions under the current attack state, and creates a new child node for each attack primitive that satisfies the conditions. The simulation phase employs a heuristic strategy that prioritizes attack actions that can gain higher privileges or access more new hosts; and the MCTS engine interacts with the knowledge graph construction module through the API, checking whether the required prerequisites exist in the knowledge graph at each step of the simulation. S3: Based on the vulnerability information and inter-node dependencies in the network asset knowledge graph, construct a Bayesian attack graph, and calculate the posterior probability of each secure state node in the graph being achieved by performing Bayesian inference on the Bayesian attack graph, which serves as the quantitative security risk value of the corresponding asset. S4: Integrate the multi-step attack paths and the quantitative security risk values ​​of each asset to generate a comprehensive assessment report, and generate defense hardening recommendations based on the report.

2. The method according to claim 1, characterized in that, The steps for simulating the attack using the Monte Carlo tree search algorithm specifically include iteratively executing the following steps: Based on the preset node selection strategy, starting from the node in the current attack state, select an optimal subsequent node for expansion; Based on the attack strategy syntax rule base, create one or more child nodes representing new attack actions for the selected node; Starting from the newly created child node, attack actions are randomly executed according to the default strategy until the end state is reached; The results of the simulation phase are used to update the statistical values ​​of all nodes on the selected path in reverse order.

3. The method according to claim 2, characterized in that, The node selection strategy is the upper confidence bound (UCB) strategy, which is used to balance the utilization of known effective attack paths and the exploration of unknown attack paths.

4. The method according to claim 1, characterized in that, The steps for constructing the Bayesian attack graph include: Define the security state in the network as a node in a Bayesian attack graph; The causal attack dependencies between the security states are defined as directed edges connecting the nodes; Configure a conditional probability table for each directed edge to quantify the probability of the occurrence of the causal attack dependency.

5. The method according to claim 4, characterized in that, The Bayesian inference is performed to calculate the posterior probability of all other secure state nodes occurring, given a known vulnerability in the network as initial evidence.

6. The method according to claim 1, characterized in that, The comprehensive assessment report includes at least one of the following: a visualized attack path diagram, a ranking list of key risk nodes, and a heat map of the network security risk situation.

7. A virtual simulation and security assessment system based on a cybersecurity test range, characterized in that, include: The knowledge graph construction module is used to collect information about the virtualized test range environment and construct a network asset knowledge graph. The attack path simulation module is used to simulate attacks based on a predefined attack strategy syntax rule base and the network asset knowledge graph, using a Monte Carlo tree search algorithm to find at least one valid multi-step attack path. The attack strategy syntax rule base defines attack primitives using a domain-specific language (DSL) or XML format. Each attack primitive includes an action name, preconditions, and action effects. In the Monte Carlo Tree Search (MCTS) expansion phase, the MCTS engine queries the rule engine for all attack primitives that meet the preconditions under the current attack state and creates a new child node for each attack primitive that meets the conditions. The simulation phase employs a heuristic strategy that prioritizes attack actions that can gain higher privileges or access more new hosts; and the MCTS engine interacts with the knowledge graph construction module through the API, checking whether the required prerequisites exist in the knowledge graph at each step of the simulation. The security risk assessment module is used to construct a Bayesian attack graph based on the network asset knowledge graph, and to calculate the quantitative security risk value of each asset by performing Bayesian inference. The report generation module is used to integrate the multi-step attack path and the quantified security risk value to generate a comprehensive assessment report and defense hardening recommendations.

8. The system according to claim 7, characterized in that, The attack path simulation module includes an attack strategy syntax rule library, which stores formal rules for the premise and effect of attack behaviors.

9. The system according to claim 7, characterized in that, The security risk assessment module includes a Bayesian inference engine, which executes probabilistic inference algorithms to calculate the posterior probability in the Bayesian attack graph.

10. The system according to claim 7, characterized in that, The report generation module includes a visualization engine, which is used to display the multi-step attack path and the quantified security risk value in the form of graphs or charts.