Attack path prediction method and device based on asset analysis and graph convolutional neural network

By constructing an attack path prediction model based on asset analysis and graph convolutional neural networks, the problem of difficulty in capturing high-order interaction features between assets in existing technologies is solved, and more accurate attack path prediction and network security defense are achieved.

CN121690656BActive Publication Date: 2026-07-10CHINA NUCLEAR POWER OPERATION TECH CORP

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CHINA NUCLEAR POWER OPERATION TECH CORP
Filing Date
2025-11-17
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

Existing attack path prediction methods struggle to effectively capture potential dependencies and high-level interaction characteristics between assets when dealing with complex asset relationships, heterogeneous vulnerability information, and dynamic attack behaviors, resulting in insufficient accuracy in network system security posture assessment.

Method used

We employ an asset analysis and graph convolutional neural network-based approach. This approach involves constructing an asset graph, embedding and preprocessing features, analyzing asset vulnerabilities, building an attack graph, and iteratively aggregating features using a graph convolutional neural network to predict attack paths. By comprehensively considering factors such as vulnerability exploitability and business impact, we utilize a graph convolutional neural network for feature aggregation and path prediction.

Benefits of technology

It improves the accuracy of attack path prediction and the foresight of network security defense, reduces false positive and false negative rates, and can effectively capture high-order adjacency relationships and non-linear dependency characteristics between assets.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN121690656B_ABST
    Figure CN121690656B_ABST
Patent Text Reader

Abstract

The present disclosure belongs to the technical field of nuclear power and specifically relates to an attack path prediction method and device based on asset analysis and graph convolutional neural network. The present disclosure realizes rapid positioning and prediction of attack paths and improves the foresight of network security defense by modeling asset vulnerability, constructing an attack graph and utilizing a graph convolutional neural network for reasoning. Through vectorization modeling of asset vulnerability, the present disclosure converts traditional discrete vulnerability evaluation into continuous feature representation, realizing accurate quantification from coarse-grained CVSS score to multi-dimensional vulnerability features. The graph convolutional neural network is introduced for attack path prediction, which can effectively capture high-order adjacency relationships and nonlinear dependence features between assets.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of nuclear power technology, specifically relating to an attack path prediction method and apparatus based on asset analysis and graph convolutional neural networks. Background Technology

[0002] With the accelerated advancement of information technology development, the scale of assets in enterprises and critical infrastructure is constantly expanding, and the dependencies between assets are becoming increasingly complex. Attackers often exploit vulnerabilities and configuration flaws in network systems to gradually penetrate and move laterally, forming multi-step attack chains.

[0003] Existing attack path prediction methods mostly rely on traditional graph theory algorithms (such as shortest path and probability propagation), which are insufficient when dealing with complex asset relationships, heterogeneous vulnerability information and dynamic attack behaviors, and are difficult to effectively capture the potential dependencies and high-order interaction features between assets.

[0004] Therefore, it is urgent to improve the accuracy of network system security posture assessment. Summary of the Invention

[0005] To overcome the problems existing in related technologies, an attack path prediction method and device based on asset analysis and graph convolutional neural networks are provided.

[0006] According to one aspect of the embodiments of this disclosure, an attack path prediction method based on asset analysis and graph convolutional neural networks is provided, the method comprising:

[0007] Step 1: Construct an asset graph based on the collected data. In the asset graph, each node represents an asset. The attributes of the corresponding node are determined based on the asset information and security data. The edge between two nodes is used to represent the connection relationship between the assets corresponding to the two nodes. The asset information is used to reflect the asset's attributes and operating status, and the security data is used to reflect the asset's vulnerability information and security status.

[0008] Step 2, Feature Embedding and Preprocessing: Based on the asset graph, the attributes of each asset are mapped to a low-dimensional vector space using a vectorization method to obtain the embedding vector of the asset.

[0009] Step 3, Asset Vulnerability Analysis: Based on the asset map, the attributes of each asset are matched with the known vulnerability database to obtain the vulnerability features corresponding to the asset. Vulnerability features are represented as the set of features that lead to the attack on the asset. Based on the vulnerability features of each asset, the vulnerability score of the asset is determined.

[0010] Step 4: Construct an attack graph. Treat the assets in the network system as nodes and the reachability between assets as edges to form a directed attack graph. The node attributes in the attack graph are asset vulnerability scores and embedding vectors, and the edge weights are the potential exploitation relationships between nodes. The potential exploitation relationship represents the probability that an attacker can penetrate from one node to another.

[0011] Step 5: Based on the attack graph, the vulnerability score and embedding vector corresponding to each node are used as initial inputs, and a graph convolutional neural network is used to aggregate features. After a preset number of iterations, the aggregated embedding vector of each node is obtained.

[0012] Step 6, Attack Path Prediction: Based on the attack graph, extract the final embedding vector of the target path according to the aggregated embedding vector of each node in the target path.

[0013] The final embedding vector is input into the path normalization function P(path). i The attack probability of the target path is obtained from the following formula:

[0014]

[0015] risk score (path) = g(path) representation )

[0016]

[0017] in, The path scoring function is g(path). representation ) is a path aggregation function.

[0018] In one possible implementation, in step 1, asset information of assets in the network environment to be evaluated is collected, and security data of each asset is obtained using vulnerability scanning tools.

[0019] In one possible implementation, in step 3, the vulnerability score for each asset is determined using the following formula:

[0020] V(x i )=αCVSS(x i )+βE(x i )+γC(x i )

[0021] Where V(x) i Let be the vulnerability score of the i-th asset, and CVSS(x) be the vulnerability score of the i-th asset. i E(x) represents the vulnerability score of the i-th asset; i C(x) represents the exploitability of the vulnerability in the i-th asset; i) represents the impact of the vulnerability in the i-th asset on the business; α, β and γ are weight parameters.

[0022] In one possible implementation, vulnerability features include asset vulnerability score, exploit sub-score, vulnerability exploitation library, impact score, and asset importance. The exploitability of an asset is determined by the exploit sub-score and vulnerability exploitation library included in the vulnerability features, and the impact of asset vulnerabilities on business is determined by combining the impact score of vulnerability features and asset importance.

[0023] In one possible implementation, the method further includes: ranking the target paths according to their attack probabilities, and selecting target paths with attack probabilities greater than a preset threshold as high-risk paths for visual display.

[0024] According to another aspect of the embodiments of this disclosure, an attack path prediction apparatus based on asset analysis and graph convolutional neural networks is provided, the apparatus comprising:

[0025] The data acquisition and construction module is used to build an asset graph based on the collected data. In the asset graph, each node represents an asset. The attributes of the corresponding node are determined based on the asset information and security data of the asset. The edge between two nodes is used to represent the connection relationship between the assets corresponding to the two nodes. The asset information is used to reflect the asset's attributes and operating status, and the security data is used to reflect the asset's vulnerability information and security status.

[0026] The feature embedding and preprocessing module is used to map the attributes of each asset to a low-dimensional vector space based on the asset graph using a vectorization method, so as to obtain the embedding vector of the asset.

[0027] The asset vulnerability analysis module is used to match the attributes of each asset with a known vulnerability database based on the asset map to obtain the vulnerability features corresponding to the asset. The vulnerability features are represented as a set of features that lead to the attack on the asset. Based on the vulnerability features of each asset, the vulnerability score of the asset is determined.

[0028] The attack graph construction module is used to form a directed attack graph by treating assets in the network system as nodes and the reachability between assets as edges. The node attributes in the attack graph are asset vulnerability scores and embedding vectors, and the edge weights are the potential exploitation relationships between nodes. The potential exploitation relationship represents the probability that an attacker can penetrate from one node to another.

[0029] The aggregation module is used to aggregate features based on the attack graph, taking the vulnerability score and embedding vector corresponding to each node as initial input, and using a graph convolutional neural network to perform feature aggregation, and obtaining the aggregated embedding vector of each node after a preset number of iterations.

[0030] The attack path prediction module is used to extract the final embedding vector of the target path based on the attack graph and the aggregated embedding vectors of each node in the target path.

[0031] The final embedding vector is input into the path normalization function P(path). i The attack probability of the target path is obtained from the following formula:

[0032]

[0033] risk score (path) = g(path) representation )

[0034]

[0035] in, The path scoring function is g(path). representation ) is a path aggregation function.

[0036] According to another aspect of the embodiments of this disclosure, an attack path prediction apparatus based on asset analysis and graph convolutional neural networks is provided, the apparatus comprising:

[0037] processor;

[0038] Memory used to store processor-executable instructions;

[0039] The processor is configured to execute the above-described method.

[0040] According to another aspect of the present disclosure, a non-volatile computer-readable storage medium is provided, on which computer program instructions are stored, which, when executed by a processor, implement the above-described method.

[0041] The beneficial effects of this disclosure are as follows: by modeling asset vulnerabilities, constructing attack graphs, and using graph convolutional neural networks for inference, this disclosure enables rapid location and prediction of attack paths, thereby improving the foresight of network security defense.

[0042] Enhanced Vulnerability Analysis: By vectorizing asset vulnerabilities, this invention transforms traditional discrete vulnerability assessments into continuous feature representations, achieving a shift from coarse-grained CVSS scoring to precise quantification of multi-dimensional vulnerability features. Compared to traditional methods that only consider a single vulnerability score, this invention comprehensively considers multiple factors such as vulnerability exploitability, business impact, and attack complexity, effectively reducing false positive and false negative rates.

[0043] Attack path prediction accuracy is significantly improved: By introducing a graph convolutional neural network for attack path prediction, the high-order adjacency relationships and non-linear dependencies between assets can be effectively captured. Compared with traditional shortest path algorithms and probability propagation methods, the prediction accuracy of this invention is significantly improved. Attached Figure Description

[0044] Figure 1 This is a flowchart illustrating an attack path prediction method based on asset analysis and graph convolutional neural networks, as shown in an embodiment of this disclosure.

[0045] Figure 2 This is a block diagram of an attack path prediction device based on asset analysis and graph convolutional neural networks, as shown in an embodiment of this disclosure. Detailed Implementation

[0046] The present disclosure will now be described in further detail with reference to the accompanying drawings and specific embodiments.

[0047] Unless otherwise defined, the technical and scientific terms used in this disclosure have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure pertains; the terminology used in this disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of this disclosure; the term "comprising" and any variations thereof in this disclosure are intended to cover non-exclusive inclusion. Clearly, the embodiments described in this disclosure are only a part of the embodiments of this disclosure, and not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of this disclosure without inventive effort are within the scope of protection of this disclosure.

[0048] In this disclosure, the reference to "embodiment" means that a particular feature, structure, or characteristic described in connection with an embodiment may be included in at least one embodiment of this disclosure. The appearance of this phrase in various places throughout the specification does not necessarily refer to the same embodiment, nor is it a separate or alternative embodiment mutually exclusive with other embodiments. It will be explicitly and implicitly understood by those skilled in the art that the embodiments described herein can be combined with other embodiments.

[0049] Figure 1 ...This method can be executed by a terminal device, which can be a server, desktop computer, laptop computer, etc. This disclosure does not limit the type of terminal device. For example... Figure 1 As shown, the method includes:

[0050] Step 1: Collect data to construct an asset map. Collect asset information of assets in the network environment to be evaluated. Assets can be, for example, hosts, servers, switches, firewalls, terminals, etc. Use vulnerability scanning tools to obtain security data for each asset. Security data is used to reflect the vulnerability information and security status of the asset. Asset information is used to reflect the attributes and operating status of the asset. Security data can be, for example, the vulnerability information, configuration weaknesses, security event logs, etc.

[0051] An asset graph is constructed based on the collected asset information and security data. In the asset graph, each node represents an asset, and the attributes of each node include: asset type, criticality, service type, communication protocol, number of vulnerabilities, and vulnerability CVSS score. The edges between two nodes represent the connection relationship between the assets corresponding to those two nodes (such as communication, dependency, and access control). Thus, this disclosure uses an attributed graph format, assigning vulnerability features and interaction features to nodes and edges, respectively.

[0052] Step 2, Feature Embedding and Preprocessing: Based on the asset graph, the attributes of each asset are mapped to a low-dimensional vector space using a vectorization method to obtain the embedding vector of the asset. For example, the embedding vector of an asset can be obtained using the following formula.

[0053]

[0054] Where, x i h represents the original characteristics of the i-th asset in the network system. i Let be the embedding vector of the i-th asset.

[0055] Step 3, Asset Vulnerability Analysis: Based on the asset map, the operational status of each asset is matched with a known vulnerability database (such as a CVE database) to obtain the corresponding vulnerability features of the asset. Vulnerability features represent the set of features that lead to the asset being attacked. Based on the vulnerability features of each asset, the vulnerability score of the asset is determined, as shown in the following formula:

[0056] V(x i )=αCVSS(x i )+βE(x i )+γC(x i )

[0057] Where V(x) i Let be the vulnerability score of the i-th asset, and CVSS(x) be the vulnerability score of the i-th asset. i E(x) represents the vulnerability score of the i-th asset; i C(x) represents the exploitability of the vulnerability in the i-th asset; iThe denoted ) represents the impact of the vulnerability of the i-th asset on the business; α, β, and γ are weighting parameters that can be set based on empirical values. The vulnerability score of an asset is obtained based on authoritative databases such as CVSS. The exploitability of an asset is determined by the CVSS exploit sub-score and the vulnerability exploitation library. The impact of the asset's vulnerability on the business is determined by combining the CVSS impact score and the asset's importance level. Finally, the vulnerability index is formed by merging the weighting parameters.

[0058] Step 4: Construct the attack graph. Treat the assets in the network system as nodes and the reachability between assets (such as port communication, dependencies, and access permissions) as edges to form a directed attack graph G = (N, E). The node attributes in the attack graph are asset vulnerability scores and embedding vectors, and the edge weights are the potential exploitation relationships between nodes. The potential exploitation relationship represents the probability that an attacker can penetrate from one node to another. The edge weights can be determined by communication protocols, port exposure levels, access control policies, etc.

[0059] Step 5: Based on the attack graph, the vulnerability score and embedding vector corresponding to each node are used as initial inputs. Combined with the normalized adjacency matrix, a graph convolutional neural network (GCN) is used for feature aggregation, as shown in the following formula. After multiple iterations, the aggregated embedding vector H of each node is obtained. L As shown in the following formula:

[0060]

[0061] in, H is the normalized adjacency matrix. (l) W is the embedding vector of the l-th layer node in the graph convolutional neural network. (l) σ represents the learnable weights, and σ is the non-linear activation function.

[0062] Step 6, Attack path prediction: Based on the attack graph, for the target path path = [v1, v2, ..., v k The path risk scoring methods include:

[0063] Based on the aggregated embedding vectors of each node in the target path, extract the final embedding vector of the target path.

[0064] The final embedding vector is input into the path normalization function P(path). i The attack probability of the target path is obtained from the following formula:

[0065]

[0066] risk score (path) = g(path) representation )

[0067]

[0068] in, The path scoring function is g(path). representation ) is a path aggregation function.

[0069] In one possible implementation, the target paths are ranked according to their attack probability (as shown in Table 1), and target paths with an attack probability greater than a preset threshold are selected as high-risk paths for visualization to assist security personnel in strengthening them in advance.

[0070] Table 1. Ranking of attack path predictions

[0071] starting point end Possible paths Rating and sorting a b adrceb 0.95 a b ab 0.86 a b aceb 0.77

[0072] In one possible implementation, an attack path prediction device based on asset analysis and graph convolutional neural networks is provided, the device comprising:

[0073] The data acquisition and construction module is used to build an asset graph based on the collected data. In the asset graph, each node represents an asset. The attributes of the corresponding node are determined based on the asset information and security data of the asset. The edge between two nodes is used to represent the connection relationship between the assets corresponding to the two nodes. The asset information is used to reflect the asset's attributes and operating status, and the security data is used to reflect the asset's vulnerability information and security status.

[0074] The feature embedding and preprocessing module is used to map the attributes of each asset to a low-dimensional vector space based on the asset graph using a vectorization method, so as to obtain the embedding vector of the asset.

[0075] The asset vulnerability analysis module is used to match the attributes of each asset with a known vulnerability database based on the asset map to obtain the vulnerability features corresponding to the asset. The vulnerability features are represented as a set of features that lead to the attack on the asset. Based on the vulnerability features of each asset, the vulnerability score of the asset is determined.

[0076] The attack graph construction module is used to form a directed attack graph by treating assets in the network system as nodes and the reachability between assets as edges. The node attributes in the attack graph are asset vulnerability scores and embedding vectors, and the edge weights are the potential exploitation relationships between nodes. The potential exploitation relationship represents the probability that an attacker can penetrate from one node to another.

[0077] The aggregation module is used to aggregate features based on the attack graph, taking the vulnerability score and embedding vector corresponding to each node as initial input, and using a graph convolutional neural network to perform feature aggregation, and obtaining the aggregated embedding vector of each node after a preset number of iterations.

[0078] The attack path prediction module is used to extract the final embedding vector of the target path based on the attack graph and the aggregated embedding vectors of each node in the target path.

[0079] The final embedding vector is input into the path normalization function P(path). i The attack probability of the target path is obtained from the following formula:

[0080]

[0081] risk score (path) = g(path) representation )

[0082]

[0083] in, The path scoring function is g(path). representation ) is a path aggregation function.

[0084] The description of the above-mentioned apparatus has been elaborated in detail in the description of the above-mentioned method, and will not be repeated here.

[0085] Figure… For example, device 19 can be provided as a server. Referring to…, device 19 includes a processing component 1922, which further includes one or more processors, and memory resources represented by memory 1932 for storing instructions, such as application programs, that can be executed by the processing component 1922. The application programs stored in memory 1932 may include one or more modules, each corresponding to a set of instructions. Furthermore, the processing component 1922 is configured to execute instructions to perform the methods described above.

[0086] Device 19 may also include a power supply component 1926 configured to perform power management of device 19, a wired or wireless network interface 1950 configured to connect device 19 to a network, and an input / output (I / O) interface 1958. Device 19 may operate on an operating system stored in memory 1932, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, or similar.

[0087] In an exemplary embodiment, a non-volatile computer-readable storage medium is also provided, such as a memory 1932 including computer program instructions that can be executed by a processing component 1922 of the device 19 to perform the above-described method.

[0088] This disclosure can be a system, method, and / or computer program product. A computer program product may include a computer-readable storage medium having computer-readable program instructions loaded thereon for causing a processor to implement various aspects of this disclosure.

[0089] Computer-readable storage media can be tangible devices capable of holding and storing instructions for use by an instruction execution device. Computer-readable storage media can be, for example—but not limited to—electrical storage devices, magnetic storage devices, optical storage devices, electromagnetic storage devices, semiconductor storage devices, or any suitable combination thereof. More specific examples (a non-exhaustive list) of computer-readable storage media include: portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), static random access memory (SRAM), portable compact disc read-only memory (CD-ROM), digital multifunction disc (DVD), memory sticks, floppy disks, mechanical encoding devices, such as punch cards or recessed protrusions storing instructions thereon, and any suitable combination thereof. The computer-readable storage media used herein are not to be construed as transient signals themselves, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through waveguides or other transmission media (e.g., light pulses through fiber optic cables), or electrical signals transmitted through wires.

[0090] The computer-readable program instructions described herein can be downloaded from computer-readable storage media to various computing / processing devices, or downloaded via a network, such as the Internet, local area network, wide area network, and / or wireless network, to an external computer or external storage device. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers, and / or edge servers. A network adapter card or network interface in each computing / processing device receives the computer-readable program instructions from the network and forwards them to the computer-readable storage media in the respective computing / processing device.

[0091] Computer program instructions used to perform the operations of this disclosure may be assembly instructions, instruction set architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, status setting data, or source code or object code written in any combination of one or more programming languages, including object-oriented programming languages ​​such as Smalltalk, C++, etc., and conventional procedural programming languages ​​such as the "C" language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving a remote computer, the remote computer may be connected to the user's computer via any type of network—including a local area network (LAN) or a wide area network (WAN)—or may be connected to an external computer (e.g., via the Internet using an Internet service provider). In some embodiments, electronic circuitry, such as programmable logic circuitry, field-programmable gate arrays (FPGAs), or programmable logic arrays (PLAs), is personalized by utilizing the status information of the computer-readable program instructions to implement various aspects of this disclosure.

[0092] Various aspects of this disclosure are described herein with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this disclosure. It should be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer-readable program instructions.

[0093] These computer-readable program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer, or other programmable data processing apparatus to produce a machine such that, when executed by the processor of the computer or other programmable data processing apparatus, they create means for implementing the functions / actions specified in one or more blocks of the flowchart and / or block diagram. These computer-readable program instructions can also be stored in a computer-readable storage medium that causes a computer, programmable data processing apparatus, and / or other device to operate in a particular manner; thus, the computer-readable medium storing the instructions comprises an article of manufacture that includes instructions for implementing aspects of the functions / actions specified in one or more blocks of the flowchart and / or block diagram.

[0094] Computer-readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable data processing apparatus, or other device to produce a computer-implemented process, thereby causing the instructions executed on the computer, other programmable data processing apparatus, or other device to perform the functions / actions specified in one or more boxes of a flowchart and / or block diagram.

[0095] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present disclosure. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of an instruction containing one or more executable instructions for implementing a specified logical function. In some alternative implementations, the functions marked in the blocks may occur in a different order than those marked in the drawings. For example, two consecutive blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, may be implemented using a dedicated hardware-based system that performs the specified function or action, or using a combination of dedicated hardware and computer instructions.

[0096] The various embodiments of this disclosure have been described above. These descriptions are exemplary and not exhaustive, nor are they limited to the disclosed embodiments. Many modifications and variations will be apparent to those skilled in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen to best explain the principles, practical application, or improvement of the technology in the market, or to enable others skilled in the art to understand the embodiments disclosed herein.

Claims

1. An attack path prediction method based on asset analysis and graph convolutional neural networks, characterized in that, The method includes: Step 1: Construct an asset graph based on the collected data. In the asset graph, each node represents an asset. The attributes of the corresponding node are determined based on the asset information and security data. The edge between two nodes is used to represent the connection relationship between the assets corresponding to the two nodes. The asset information is used to reflect the asset's attributes and operating status, and the security data is used to reflect the asset's vulnerability information and security status. Step 2, Feature Embedding and Preprocessing: Based on the asset graph, the attributes of each asset are mapped to a low-dimensional vector space using a vectorization method to obtain the embedding vector of the asset. Step 3, Asset Vulnerability Analysis: Based on the asset map, the attributes of each asset are matched with the known vulnerability database to obtain the vulnerability features corresponding to the asset. Vulnerability features are represented as the set of features that lead to the attack on the asset. Based on the vulnerability features of each asset, the vulnerability score of the asset is determined. Step 4: Construct an attack graph. Treat the assets in the network system as nodes and the reachability between assets as edges to form a directed attack graph. The node attributes in the attack graph are asset vulnerability scores and embedding vectors, and the edge weights are the potential exploitation relationships between nodes. The potential exploitation relationship represents the probability that an attacker can penetrate from one node to another. Step 5: Based on the attack graph, the vulnerability score and embedding vector corresponding to each node are used as initial inputs, and a graph convolutional neural network is used to aggregate features. After a preset number of iterations, the aggregated embedding vector of each node is obtained. Step 6, Attack Path Prediction: Based on the attack graph, extract the final embedding vector of the target path according to the aggregated embedding vector of each node in the target path. The final embedding vector is input into the path normalization function P(path). i The attack probability of the target path is obtained from the following formula: risk score (path)=g(path representation ) in, For the path scoring function, g(path) representation ) is a path aggregation function.

2. The method according to claim 1, characterized in that, In step 1, asset information of assets in the network environment to be evaluated is collected, and security data of each asset is obtained using vulnerability scanning tools.

3. The method according to claim 1, characterized in that, In step 3, the vulnerability score for each asset is determined using the following formula: V(x i )=αCVSS(x i )+βE(x i )+γC(x i ) Where V(x) i Let be the vulnerability score of the i-th asset, and CVSS(x) be the vulnerability score of the i-th asset. i E(x) represents the vulnerability score of the i-th asset; i C(x) represents the exploitability of the vulnerability in the i-th asset; i ) represents the impact of the vulnerability in the i-th asset on the business; α, β and γ are weight parameters.

4. The method according to claim 3, characterized in that, Vulnerability features include asset vulnerability score, exploit sub-score, vulnerability exploitation library, impact score, and asset importance. The exploitability of an asset is determined by the exploit sub-score and vulnerability exploitation library included in the vulnerability features. The impact of an asset's vulnerabilities on business is determined by combining the impact score of the vulnerability features with the asset importance.

5. The method according to claim 1, characterized in that, The method further includes: ranking the target paths according to their attack probabilities, and selecting target paths with attack probabilities greater than a preset threshold as high-risk paths for visualization.

6. An attack path prediction device based on asset analysis and graph convolutional neural networks, characterized in that, The device includes: The data acquisition and construction module is used to build an asset graph based on the collected data. In the asset graph, each node represents an asset. The attributes of the corresponding node are determined based on the asset information and security data of the asset. The edge between two nodes is used to represent the connection relationship between the assets corresponding to the two nodes. The asset information is used to reflect the asset's attributes and operating status, and the security data is used to reflect the asset's vulnerability information and security status. The feature embedding and preprocessing module is used to map the attributes of each asset to a low-dimensional vector space based on the asset graph using a vectorization method, so as to obtain the embedding vector of the asset. The asset vulnerability analysis module is used to match the attributes of each asset with a known vulnerability database based on the asset map to obtain the vulnerability features corresponding to the asset. The vulnerability features are represented as a set of features that lead to the attack on the asset. Based on the vulnerability features of each asset, the vulnerability score of the asset is determined. The attack graph construction module is used to form a directed attack graph by treating assets in the network system as nodes and the reachability between assets as edges. The node attributes in the attack graph are asset vulnerability scores and embedding vectors, and the edge weights are the potential exploitation relationships between nodes. The potential exploitation relationship represents the probability that an attacker can penetrate from one node to another. The aggregation module is used to aggregate features based on the attack graph, taking the vulnerability score and embedding vector corresponding to each node as initial input, and using a graph convolutional neural network to perform feature aggregation, and obtaining the aggregated embedding vector of each node after a preset number of iterations. The attack path prediction module is used to extract the final embedding vector of the target path based on the attack graph and the aggregated embedding vectors of each node in the target path. The final embedding vector is input into the path normalization function P(path). i The attack probability of the target path is obtained from the following formula: risk score (path)=g(path representation ) in, For the path scoring function, g(path) representation ) is a path aggregation function.

7. An attack path prediction device based on asset analysis and graph convolutional neural networks, characterized in that, The device includes: processor; Memory used to store processor-executable instructions; The processor is configured to perform the method according to any one of claims 1 to 5.

8. A non-volatile computer-readable storage medium storing computer program instructions thereon, characterized in that, When the computer program instructions are executed by the processor, they implement the method described in any one of claims 1 to 5.