An industrial internet multi-vulnerability correlation analysis method

By acquiring and integrating node topology, vulnerability permissions, and dynamic defense features in the Industrial Internet, a ternary weighted heterogeneous graph and a dynamic iterative rule knowledge base are constructed. This addresses the shortcomings of cross-node attack path analysis in existing technologies and enables accurate identification and protection guidance for high-threat attack chains.

CN122069111BActive Publication Date: 2026-06-26北京中关村实验室

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
北京中关村实验室
Filing Date
2026-04-20
Publication Date
2026-06-26

AI Technical Summary

Technical Problem

Existing technologies in the Industrial Internet cannot accurately characterize and predict cross-node, multi-step combined privilege escalation attack paths. They also suffer from limited feature extraction methods, static design of vulnerability elements and association rules, and a lack of consideration for the timeliness of defense strategies, resulting in insufficient accuracy and guidance in the analysis results.

Method used

By acquiring a standardized structured dataset, node topological centrality, vulnerability permissions, and defense dynamic features are extracted, weighted and fused to construct a ternary weighted heterogeneous graph. Combined with a dynamic iterative rule knowledge base and an attack cost model, the attack path with the minimum total cost is mined, and vulnerability correlation analysis is performed.

Benefits of technology

It enables comprehensive, dynamic, and precise analysis of high-threat attack chains in the Industrial Internet, improving the comprehensiveness and accuracy of the analysis, providing reliable protection guidance, and reducing the false positive rate.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122069111B_ABST
    Figure CN122069111B_ABST
Patent Text Reader

Abstract

The application belongs to the technical field of industrial internet security, and relates to an industrial internet multi-vulnerability correlation analysis method, aiming to solve the problems of insufficient feature fusion, static analysis and inaccurate path mining in the prior art. The method comprises the following steps: obtaining a standardized data set; extracting node topology, vulnerability permission and defense dynamic features to generate a fusion feature matrix; predicting vulnerability elements based on the fusion feature matrix, combining defense effect completion and filtering to generate a vulnerability element set; constructing a rule knowledge base; constructing a three-element weighted heterogeneous graph based on the quantified features, the vulnerability element set and the rule knowledge base, and weighting the directed edges; dividing the node levels of the three-element weighted heterogeneous graph, searching for a path with the minimum total cost based on an attack cost model and by introducing vulnerability power-up logic constraints, mining the attack path with the minimum total cost, performing correlation analysis, and outputting a list of high-threat attack paths. The application improves the comprehensiveness, dynamics and accuracy of vulnerability correlation analysis, and can effectively identify high-threat attack paths.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application belongs to the field of industrial internet security technology and relates to a method for multi-vulnerability correlation analysis in the industrial internet. Background Technology

[0002] The Industrial Internet, with its ubiquitous connectivity and extensive coverage, has transformed the relatively closed and isolated operation of traditional industrial control systems, enabling comprehensive and in-depth data exchange and efficient collaborative operation among numerous devices, terminals, and systems. However, this open and interconnected environment has also significantly increased system security vulnerabilities, with attack patterns exhibiting new characteristics: attackers often first exploit low-privilege vulnerabilities in edge devices to achieve initial intrusion, then, through lateral movement, combine and exploit multiple vulnerabilities in different nodes within the network to escalate privileges, ultimately reaching and disrupting core production and control nodes. This type of cross-node, multi-step privilege escalation attack poses a serious threat to the security and continuity of industrial production.

[0003] To address such threats, various multi-vulnerability correlation analysis methods have been proposed in the industry. In developing this invention, the inventors discovered that existing technologies still have significant limitations in practical applications, failing to accurately characterize and predict the complex attack paths described above. Specifically, these limitations are mainly reflected in the following aspects:

[0004] First, the feature extraction methods are simplistic and lack deep integration, focusing only on single device vulnerabilities or simply piecing together topology and vulnerability features, making it difficult to capture the dual logic in cross-node combined attacks. Second, vulnerability elements and association rules are mostly statically designed, failing to consider the timeliness changes in industrial field defense strategies and patch status, making it difficult to adapt to new vulnerabilities and attack patterns. Third, the attack path discovery process often lacks hard constraints on privilege escalation logic, and the cost assessment dimension is one-sided, leading to discrepancies between the results and the attacker's actual behavioral logic. Fourth, the criteria for determining vulnerability correlation are too simplistic, ignoring the reverse filtering effect of defense effectiveness, affecting the accuracy of the analysis results and the practicality of protection guidance.

[0005] Therefore, there is an urgent need for a method that can comprehensively, dynamically, and accurately analyze the correlation between multiple vulnerabilities in the Industrial Internet, so as to effectively identify high-threat attack chains and provide a reliable basis for proactive defense. Summary of the Invention

[0006] To address the aforementioned problems in the prior art, namely insufficient feature fusion, static analysis, and inaccurate path mining, the first aspect of this application proposes a multi-vulnerability correlation analysis method for the Industrial Internet, the method comprising the following steps:

[0007] Obtain a standardized, structured dataset that includes basic node attributes, network topology, vulnerability data, and dynamic defense data.

[0008] Node topology centrality features, vulnerability access features, and defense dynamic features are extracted from a standardized dataset and quantified separately. The quantified features are then weighted and fused to generate a fused feature matrix.

[0009] Based on the fusion feature matrix, the vulnerability elements on each physical node are predicted, and the potential vulnerabilities are supplemented and filtered in combination with the defense effect to generate a vulnerability element set.

[0010] Based on vulnerability element sets, vulnerability association rules are mined to build a rule knowledge base, and a lifecycle is set for each rule. The rule knowledge base is dynamically iterated through periodic and triggered corrections.

[0011] Based on the quantified features, vulnerability element set and rule knowledge base, a ternary weighted heterogeneous graph is constructed, and numerical weights are assigned to directed edges.

[0012] The ternary weighted heterogeneous graph is divided into node levels to determine the attack starting point and target. Based on the attack cost model and by introducing vulnerability privilege escalation logic constraints, path search is performed to find the attack path with the minimum total cost from the attack starting point to the target. Vulnerability correlation analysis is then performed to output a list of high-threat attack paths.

[0013] In some preferred embodiments, node topological centrality features, vulnerability access control features, and defense dynamic features are extracted and quantified respectively, specifically including:

[0014] User permissions are divided into multiple levels and assigned corresponding weights. The privilege escalation before and after vulnerability exploitation is calculated. Vulnerabilities with privilege escalation of no more than zero are eliminated and have no privilege escalation value. The vulnerability exploitation difficulty coefficient is quantified by combining the complexity of CVSS attacks and identity authentication requirements, and a privilege feature vector is generated.

[0015] Based on the inter-node connectivity, degree centrality, betweenness centrality, and proximity centrality are calculated, and node topological centrality feature vectors are generated. Furthermore, the cross-node communication cost coefficient between any connected node pairs is independently calculated based on the inter-node communication bandwidth and transmission delay.

[0016] The timeliness coefficient is calculated based on the effective duration of the defense mechanism, the interception success rate is calculated based on historical interception data, and a dynamic feature vector of defense is generated.

[0017] The node topology centrality feature vector, permission feature vector, and defense dynamic feature vector are weighted and fused according to preset weights to generate a fused feature matrix, in which the vulnerability permission feature is assigned the highest weight.

[0018] In some preferred embodiments, the ternary weighted heterogeneous graph includes three types of nodes: physical nodes, vulnerability nodes, and defense mechanism nodes, as well as five types of directed edges. Different types of directed edges are assigned numerical weights related to the attack cost. Specifically, the directed edges are:

[0019] The weight of a directed edge between physical nodes is determined based on the cross-node communication cost coefficient.

[0020] The weight of a directed edge from a physical node to a vulnerable node is determined based on the vulnerability exploitation difficulty coefficient and the privilege escalation level.

[0021] The weight of a directed edge from a physical node to a defense mechanism node is determined based on the defense timeliness coefficient.

[0022] The weights of directed edges between vulnerable nodes are determined based on the confidence level of the association rules.

[0023] The weight of the directed edge from the defense mechanism node to the vulnerability node is determined based on the defense interception success rate.

[0024] When the confidence level of the quantization feature or the association rule changes, the corresponding numerical edge weights are automatically refreshed within a preset period.

[0025] In some preferred embodiments, the attack cost model defines the total cost of the attack path as the sum of the cost weights of all edges in the path; the cost weights are distributed to different types of directed edges according to four-dimensional attack cost factors, specifically including:

[0026] Distribute the cost of cross-node communication to the edge weights between physical nodes;

[0027] The combined cost of the difficulty of privilege escalation and the difficulty of exploitation is allocated to the edge weights of physical nodes pointing to vulnerable nodes.

[0028] In some preferred embodiments, the cost of defense evasion is allocated to the edge weights of the defense mechanism nodes pointing to the vulnerability nodes.

[0029] The path search using the attack cost model and by introducing vulnerability privilege escalation logic constraints specifically includes:

[0030] Add privilege escalation logic constraints to perform pruning judgment during node traversal: the resulting privileges obtained after exploiting a previous vulnerability must not be lower than the prerequisite privileges required for exploiting a subsequent vulnerability; otherwise, prune the path.

[0031] Based on the numerical weights assigned to directed edges, a graph shortest path search algorithm is used to find the attack path from the attack origin to the target with the minimum cumulative weight.

[0032] Compared with the prior art, the technical solutions in the embodiments provided in this application have at least the following beneficial effects:

[0033] 1) By deeply integrating the multi-dimensional features of node topology, vulnerability permissions, and defense dynamics, and combining dynamically updated elements and rules to construct a heterogeneous graph model, the attack path with the lowest total cost is mined for vulnerability correlation analysis, forming a complete closed loop from data collection to attack path output. This effectively identifies high-threat attack chains extending from the edge to the core in the industrial internet, significantly improving the comprehensiveness, dynamism, and accuracy of multi-vulnerability correlation analysis in the industrial internet, and providing reliable support for implementing precise proactive protection measures.

[0034] 2) By using weighted fusion, the node topology centrality feature reflects the possibility of cross-node attacks, the vulnerability privilege feature reflects the nature of vulnerability privilege escalation, and the defense dynamic feature reflects the difficulty of attack avoidance. The three features work together to characterize the complete logic of multi-vulnerability combination attacks in the industrial Internet, more accurately capture the dual attack logic of topology association and vulnerability privilege escalation, improve the prediction accuracy of vulnerability elements, and improve the overall accuracy of association analysis.

[0035] 3) Dynamic iteration throughout the entire process is achieved through dynamically updated vulnerability element sets, a lifecycle-based association rule knowledge base, and a real-time refreshed ternary weighted heterogeneous graph. Furthermore, a defense interception success rate filtering mechanism is introduced during the potential vulnerability patching process to effectively avoid misjudgments caused by invalid patching; a dual mechanism of periodic and triggered correction is employed to ensure that the rule knowledge base always matches the operational status of the Industrial Internet and the characteristics of new vulnerabilities, reducing the misjudgment rate of potential vulnerability patching.

[0036] 4) A four-dimensional attack cost model is constructed to comprehensively cover the core cost factors in the attacker's actual attack behavior; at the same time, vulnerability privilege escalation logic constraints are introduced as hard conditions for path search to ensure that the discovered paths conform to the attacker's actual attack logic. Only when the multi-condition quantitative judgment passes and the defense mechanism does not reach the interception threshold is the vulnerability determined to have actual relevance value, which greatly reduces the false positive rate and makes the analysis results more practically instructive. Attached Figure Description

[0037] Other features, objects, and advantages of this application will become more apparent from the following detailed description of non-limiting embodiments with reference to the accompanying drawings:

[0038] Figure 1 This is a flowchart illustrating an embodiment of the industrial internet multi-vulnerability correlation analysis method provided in this application;

[0039] Figure 2 This is a schematic diagram of the structure of a computer system used to implement the methods, apparatus, and electronic devices of this application. Detailed Implementation

[0040] The present application will now be described in further detail with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are for illustrative purposes only and are not intended to limit the invention. Furthermore, it should be noted that, for ease of description, only the parts relevant to the invention are shown in the accompanying drawings.

[0041] It should be noted that, unless otherwise specified, the embodiments and features described in this application can be combined with each other. This application will now be described in detail with reference to the accompanying drawings and embodiments.

[0042] To address the shortcomings of existing technologies, such as insufficient feature fusion, static analysis, and inaccurate path mining, this application provides a method for multi-vulnerability correlation analysis in the industrial internet. This method involves multi-source data collection and standardized preprocessing, deep fusion and quantification of node-vulnerability-defense three-layer features, construction of a dynamic vulnerability element set for the fusion model, generation of a lifecycle-based association rule knowledge base, ternary weighted heterogeneous graph modeling, and attack path mining with multi-dimensional cost constraints. A closed-loop feedback mechanism is also established to achieve comprehensiveness, dynamism, and accuracy in multi-vulnerability correlation analysis of the industrial internet. This ensures that the mined attack paths closely match the attacker's actual attack logic, providing precise and practical guidance for industrial internet security protection.

[0043] To more clearly explain the industrial internet multi-vulnerability correlation analysis method of this application, the following will combine... Figure 1 The steps in the embodiments of this application are described in detail.

[0044] The first embodiment of this application provides a method for multi-vulnerability correlation analysis in the industrial internet, including steps S1 to S5, such as... Figure 1 As shown, each step is described in detail below:

[0045] A method for multi-vulnerability correlation analysis in the industrial internet includes the following steps:

[0046] S1. Obtain a standardized structured dataset that includes basic node attributes, network topology, vulnerability data, and dynamic defense data.

[0047] Preferably, the basic node attributes, network topology, vulnerability information, and defense dynamics data of physical nodes in the industrial internet are collected and uploaded, and then preprocessed to obtain a standardized structured dataset.

[0048] More preferably, the preprocessing includes cleaning, structure transformation, and normalization, specifically including the following:

[0049] The collected raw data is cleaned and standardized to remove invalid, missing, and duplicate data. Unstructured data (such as vulnerability hazard descriptions) is segmented using the Natural Language Toolkit (NLTK) and transformed into a structured vocabulary. Numerical data with different dimensions (such as bandwidth, latency, and CVSS (Common Vulnerability Scoring System) scores) are normalized and preprocessed to map the values ​​to the [0,1] interval, avoiding the impact of dimension differences on subsequent feature fusion and model training. Finally, the preprocessed data is stored in a structured database according to three categories: nodes, vulnerabilities, and defenses, providing standardized input data for the next step of feature fusion and quantification.

[0050] Specifically, as a feasible example, the basic attributes of the nodes are collected and uploaded from the industrial internet management platform, including node name, number, device type (sensor / PLC / gateway / server, etc.), communication protocol (Modbus TCP / Profinet / Ethernet / IP, etc., supporting standard or proprietary communication protocols in the field of industrial control), software version, etc., to provide basic identification information for node feature extraction.

[0051] Specifically, the network topology data is collected and uploaded through network sniffing tools and topology discovery protocols, including the physical connection relationships between nodes and bidirectional communication bandwidth. End-to-end transmission delay Access control policies (whitelist / blacklist).

[0052] Specifically, the basic vulnerability data is obtained through public vulnerability databases and proactive fuzzing techniques. Specifically, the CVE numbers, CVSS scores, attack vectors, authentication requirements, confidentiality / integrity / availability impacts, and vulnerability hazard descriptions of publicly disclosed vulnerabilities are obtained from the National Information Security Vulnerability Sharing Platform, the Industrial Internet Security Emergency Response Center, and the official CVE database. Proactive fuzzing techniques are used to conduct on-site probing of devices for which no CVE information was found, acquiring characteristics of unknown vulnerabilities and vulnerabilities with private attributes, providing data for vulnerability feature quantification and access control analysis.

[0053] Specifically, the defense dynamic data is collected and uploaded from industrial internet security protection devices (firewalls / IDS / IPS / patch management systems), including the type of defense mechanism deployed on each node, deployment time, patch update time, number of historical blocked attacks, number of attack attempts, validity period of defense rules, etc., providing raw data for the quantification of defense dynamic characteristics.

[0054] By deeply weighting and fusing node topology centrality features, vulnerability privilege features, and defense dynamic features, we can more accurately capture the dual attack logic of "topology association + vulnerability privilege escalation", significantly improve the accuracy of vulnerability element prediction, and greatly enhance the overall accuracy of association analysis.

[0055] S2. Extract node topology centrality features, vulnerability permission features, and defense dynamic features from the standardized dataset and quantify them respectively. Then, perform weighted fusion of the quantified features to generate a fused feature matrix.

[0056] Preferably, node topological centrality features, vulnerability permission features, and defense dynamic features are extracted and quantified respectively, specifically including:

[0057] User permissions are divided into multiple levels and assigned corresponding weights. The privilege escalation before and after vulnerability exploitation is calculated. Vulnerabilities with privilege escalation of no more than zero are eliminated and have no privilege escalation value. The vulnerability exploitation difficulty coefficient is quantified by combining the complexity of CVSS attacks and identity authentication requirements, and a privilege feature vector is generated.

[0058] Based on the inter-node connectivity, degree centrality, betweenness centrality, and proximity centrality are calculated, and node topological centrality feature vectors are generated. Furthermore, the cross-node communication cost coefficient between any connected node pairs is independently calculated based on the inter-node communication bandwidth and transmission delay.

[0059] The timeliness coefficient is calculated based on the effective duration of the defense mechanism, the interception success rate is calculated based on historical interception data, and a dynamic feature vector of defense is generated.

[0060] The node topology centrality feature vector, permission feature vector, and defense dynamic feature vector are weighted and fused according to preset weights to generate a fused feature matrix, in which the vulnerability permission feature is assigned the highest weight.

[0061] While generating permission feature vectors and obtaining permission escalation magnitudes, vulnerabilities with no privilege escalation value whose permission escalation magnitude is not greater than zero are simultaneously eliminated to reduce the redundant quantification of other features of invalid vulnerabilities.

[0062] More preferably, the node topological centrality feature vector is used to characterize the structural position (centrality) of a node in the Industrial Internet, and the quantification of each feature is as follows:

[0063] Degree centrality characterizes the tightness of network connections between nodes and reflects the likelihood that a node will be used as a springboard for attacks. It is calculated by the proportion of the number of nodes directly connected to the total number of nodes.

[0064] Betweenness centrality characterizes the degree of control a node has over communication between other nodes, reflecting the centrality of a node in an attack path. It is calculated by normalizing the ratio of the frequency of a node appearing in the shortest path between any two nodes to the total number of all shortest paths.

[0065] Proximity centrality, which characterizes the average distance from a node to all other nodes, reflects the likelihood of a node being rapidly penetrated. It is calculated as the ratio of the total number of nodes minus one to the sum of the shortest path hops from the node to all other nodes.

[0066] More preferably, the cross-node communication cost coefficient is a node pair feature, representing the difficulty of communication from one node to another. It is one of the core costs of cross-node attacks. It is calculated by normalization in combination with communication bandwidth and transmission delay, and by normalized weighted calculation using communication bandwidth and transmission delay.

[0067] In one specific embodiment, the node The quantization process of the node topological centrality eigenvectors is as follows:

[0068] Calculate degree centrality: ;

[0069] Calculate betweenness centrality: ;

[0070] Calculate proximity centrality: ;

[0071] Calculate the cross-node communication cost coefficient : ;

[0072] By concatenating the topological centrality features obtained above, we obtain the nodes. Topological feature vectors Simultaneously, computing nodes To all its adjacent nodes j The cross-node communication cost coefficient is used for subsequent edge weight calculation.

[0073] in, For nodes The number of directly connected nodes, The total number of physical nodes in the Industrial Internet; degree centrality The value range is [0,1]. The larger the value, the more tightly connected the nodes are, and the easier it is for them to become attack springboards. For nodes To the node The number of shortest paths, For nodes To the node Passing through the node Shortest path number, betweenness centrality The value range is [0,1], and the larger the value, the higher the degree of control the node has over network communication; For nodes To the node Shortest path hop count, close to centrality The value range is [0,1]. The larger the value, the closer the node is to other nodes, and the easier it is to be quickly penetrated. This represents the maximum communication bandwidth in the Industrial Internet. Maximum transmission delay; For the weighting coefficients, satisfying Cross-node communication cost coefficient The value range is [0,1], and a larger value indicates that it originates from the node. To the node The higher the communication cost, the more difficult it is to launch a cross-node attack.

[0074] More preferably, in this embodiment, the permission level division divides the user permissions of the Industrial Internet into 5 mutually exclusive permission sets according to roles, and the definition and quantification weight of each set are as follows:

[0075] Industrial Control System Administrator (ICS-ROOT, weight V=1.0), Advanced User (ICS-ADUSER, weight V=0.8), Ordinary User (ICS-USER, weight V=0.5), Trusted Remote User (ICS-ACCESS, weight V=0.2), Untrusted Remote User (ICS-UNACCESS, weight V=0.0).

[0076] The privilege escalation level is the result privilege weight minus the prerequisite privilege weight; the vulnerability exploitation difficulty coefficient is obtained by weighting the CVSS attack complexity and authentication requirements.

[0077] In one specific embodiment, generating a permission feature vector includes:

[0078] exploiting vulnerabilities The required initial permissions are extracted from the vulnerability hazard description and authentication requirements and mapped to the above 5 permission sets, and corresponding weights are assigned to obtain the prerequisite permission set. ;

[0079] Successfully exploiting the vulnerability The target permissions that can be obtained are extracted from the vulnerability hazard description and the impact on confidentiality / integrity / availability, and mapped to the above 5 permission sets, and corresponding weights are assigned to obtain the resulting permission set. ;

[0080] Computational vulnerabilities The ability to escalate privileges and the extent to which privileges are increased. :

[0081] ; The value range is [0,1]. A larger value indicates a stronger privilege escalation capability and higher value to attackers; if... If so, the vulnerability has no privilege escalation value and should be directly removed from subsequent analysis;

[0082] Complexity of CVSS attacks and identity verification requirements Quantify and calculate the difficulty coefficient of vulnerability exploitation. :

[0083] ;in, For the weighting coefficients, satisfying , The value range is [0,1], and the larger the value, the more difficult it is to exploit the vulnerability.

[0084] By combining the four features mentioned above, the vulnerability is obtained. Corresponding permission feature vector .

[0085] As an example, this embodiment preferably... Bandwidth has a greater impact on communication costs; AC is quantized using "None=0.1, Low=0.3, Medium=0.5, High=0.8", while AU is quantized using "None=0.1, Single=0.4, Multiple=0.7". .

[0086] In a specific embodiment, the defense dynamic feature vector is generated as follows:

[0087] Calculate the defense timeliness coefficient: ;

[0088] Calculate the success rate of defense interception: ;

[0089] By combining the two features mentioned above, we obtain the defense mechanism. Dynamic feature vectors ;

[0090] in, For defense mechanism The remaining valid duration, For defense mechanism Total effective duration; The value range is [0,1], and the larger the value, the stronger the timeliness of the defense mechanism; if If this happens, the defense mechanism has failed and has no interception capability. For defense mechanism The number of times the target vulnerability has been successfully intercepted in the past. The number of attack attempts targeting the vulnerability; The value range is [0,1]. The larger the value, the better the interception effect of the defense mechanism and the more difficult it is for attackers to circumvent it.

[0091] The node topological centrality feature, vulnerability access control feature, and defense dynamic feature are weighted and fused according to preset weights to generate a fused feature matrix, wherein the vulnerability access control feature is assigned the highest weight, specifically as follows:

[0092] First, eliminate invalid vulnerabilities with no privilege escalation value (≤0). Then, analyze the node's basic attribute features and topological feature vectors. Defense dynamic feature vector Standardized concatenation is performed to obtain the node fusion feature vector. ; The vulnerability's basic characteristics and privilege signature vectors Standardized splicing is performed to obtain the vulnerability fusion feature vector. Based on the relationship between nodes and vulnerabilities (vulnerability nodes) Existing in nodes ),Will and After weighting and concatenation, the final product forms an industrial internet integration feature matrix. The rows of the matrix correspond to node-vulnerability pairs in the Industrial Internet, and the columns correspond to all quantitative features.

[0093] Preferably, and During the splicing process, features are weighted according to their importance. The feature weights are used to quantify the contribution of each dimension of features to the vulnerability correlation analysis. For example, in a specific implementation, the weights are allocated as follows: vulnerability permission features account for 40%, node topology centrality features account for 20%, defense dynamic features account for 20%, and basic attribute features account for 20%.

[0094] More preferably, this provides a basis for subsequent node level classification and attack cost calculation, combining the number of vulnerabilities in a node and the average CVSS score to calculate the node's level. Security risk level :

[0095] ;

[0096] in, For nodes The total number of existing vulnerabilities (including known vulnerabilities and potential vulnerabilities). For nodes Average CVSS score for all vulnerabilities For calibration parameters (e.g.) =1.2); The value range is [0, 10]. The larger the value, the higher the security risk of the node, and the more likely it is to become a target for attackers. The node risk level quantification feature is pre-stored in the feature library for direct use in subsequent steps.

[0097] By employing dynamically updated vulnerability element sets, a lifecycle-based association rule knowledge base, and a real-time refreshed ternary weighted heterogeneous graph, dynamic iteration across the entire process is achieved. This significantly reduces the false positive rate for potential vulnerability patching, maintains a high level of rule effectiveness, and addresses the core shortcomings of existing technologies, such as static elements and rigid rules.

[0098] S3. Based on the fusion feature matrix, predict the vulnerability elements on each physical node, and combine the defense effect to complete and filter potential vulnerabilities, generating a vulnerability element set; each element in the vulnerability element set includes a node identifier, a vulnerability identifier, and quantitative features related to the vulnerability.

[0099] Preferably, the vulnerability elements on each physical node are predicted based on the fused feature matrix, specifically as follows:

[0100] The fused feature matrix is ​​input into a pre-trained fusion model to predict vulnerability elements on each physical node. The pre-trained fusion model is a fusion model of graph attention network and deep neural network. The graph attention network layer extracts the topological association features between nodes, and the deep neural network layer extracts the nonlinear mapping relationship between vulnerability permission features and defense dynamic features. The two types of features are fused and the vulnerability existence probability is output. The existence probability is used to determine whether the vulnerability exists on the corresponding physical node.

[0101] Specifically, the existence of a vulnerability on a corresponding physical node is determined based on the probability of its existence.

[0102] The system filters out pairs of vulnerabilities with a probability of existence no less than a preset vulnerability screening threshold (e.g., 0.8), integrates basic vulnerability features, quantitative features, and node association features to form an initial vulnerability element set. For example, in this embodiment, each element in the element set is a "physical node". Vulnerable nodes Defense nodes The four-dimensional combination of "feature quantization value".

[0103] More preferably, potential vulnerabilities are supplemented and filtered in conjunction with the defense effect, specifically as follows:

[0104] Calculate the conditional probability between vulnerabilities based on their co-occurrence frequency:

[0105] ;

[0106] in, This indicates that the physical node has a vulnerability. Vulnerabilities exist. The probability, For the existence of vulnerabilities and The number of physical nodes, For the existence of vulnerabilities The number of physical nodes;

[0107] When the conditional probability meets the preset strong correlation judgment condition, it is determined that the two vulnerabilities are strongly correlated. If a physical node has a known vulnerability but no strongly correlated vulnerability is detected, then the physical node is predicted to have the associated vulnerability as a potential vulnerability.

[0108] If the interception success rate of the defense mechanism corresponding to the potential vulnerability reaches or exceeds the preset filtering threshold, the potential vulnerability is filtered; otherwise, it is added to the vulnerability element set.

[0109] Specifically, the preset strong correlation determination condition is preferably... Vulnerability and When strong correlation exists, if physical nodes Vulnerability exists However, no vulnerability was detected. Then predict the physical nodes Potential vulnerabilities exist The preset filtering threshold is preferably 90%, if the physical node Targeting potential vulnerabilities Deployed defense mechanisms d Interception success rate This indicates that the defense mechanism can effectively block vulnerabilities. Attackers cannot exploit this vulnerability, therefore they ignore it. The completion; if This will expose potential vulnerabilities. Complete the vulnerability element set.

[0110] S4. Based on the vulnerability element set, mine vulnerability association rules to build a rule knowledge base, and set a life cycle for each rule. The rule knowledge base is dynamically iterated through periodic and triggered corrections.

[0111] Preferably, the vulnerability association rules mined based on vulnerability element sets specifically include:

[0112] Candidate association rules are generated through frequent itemset mining. The support, confidence, and lift of each candidate rule are calculated. Rules whose confidence reaches the screening threshold are directly included in the rule knowledge base. Rules whose confidence does not reach the screening threshold but whose lift reaches the preset lift threshold are also included.

[0113] More preferably, the specific steps for constructing a rule knowledge base by mining vulnerability association rules based on vulnerability element sets are as follows:

[0114] Extract vulnerability elements from dynamic vulnerability feature sets and perform frequent itemset mining;

[0115] Candidate association rules are constructed from frequent itemsets, and each frequent itemset is split into a premise set X and a conclusion set Y. ), construct candidate association rules This indicates that if there is a vulnerability in the premise set X, there is a high probability that there is a vulnerability in the conclusion set Y.

[0116] The support for representing the generality of a rule, the confidence for representing the reliability of a rule, and the boost for representing the association strength of a rule are calculated for each candidate rule, specifically as follows:

[0117] Support ;

[0118] Confidence ;

[0119] Improvement ;

[0120] Among them, if If X and Y are positively correlated, then X and Y are positively correlated; if If X and Y are uncorrelated, then X and Y are not related; if If X and Y are negatively correlated, then X and Y are negatively correlated.

[0121] A screening strategy is adopted that prioritizes high confidence and supplements it with high lift. Rules whose confidence reaches the screening threshold are directly included in the rule knowledge base. Rules whose confidence does not reach the screening threshold but whose lift reaches the preset lift threshold are also included. Rules whose lift is not higher than the invalid lift threshold are removed, as such rules have no relevance value.

[0122] In one specific implementation, the screening threshold is 75%, the preset lift threshold is 1.2, and the failure lift threshold is 1.

[0123] More preferably, vulnerability elements are extracted from the dynamic vulnerability element set, and frequent itemset mining is performed, specifically as follows:

[0124] 1) Generate a candidate item set: Based on the physical node-vulnerability-defense triplet in the dynamic vulnerability element set, filter out invalid vulnerabilities with a defense interception success rate of ≥90%, treat the remaining vulnerabilities as independent items, and generate a candidate item set, with each item set element being a single vulnerability.

[0125] 2) Filter a frequent itemset: Calculate the support of each candidate itemset. , representing the proportion of nodes containing vulnerability X out of the total number of nodes, is expressed by the formula:

[0126] ;

[0127] in, The number of nodes containing vulnerability X. The total number of nodes in the industrial internet; select a candidate itemset with a support of ≥40% to form a frequent itemset;

[0128] 3) Generate N+1 candidate itemsets: Perform a Cartesian product operation on one frequent itemset and the generated N frequent itemsets to generate N+1 candidate itemsets. The elements of each itemset are combinations of N+1 vulnerabilities.

[0129] 4) Filter N+1 frequent itemsets: Calculate the support of each N+1 candidate itemset. This indicates that it contains vulnerabilities. The proportion of nodes to the total number of nodes; filter N+1 candidate itemsets with support ≥30% to form N+1 frequent itemsets;

[0130] Iteration termination: Repeat steps 3) and 4) until no new N+1 frequent itemsets can be generated, then terminate the iteration and obtain frequent itemsets for all dimensions.

[0131] It should be noted that the occurrence frequency of a single vulnerability is relatively stable, so a higher threshold of 40% is set to filter out single vulnerabilities that have no general value; the occurrence frequency of high-order vulnerability combinations decreases as the order increases, so a lower threshold of 30% is set to avoid overlooking potential combination risks; both thresholds have been verified through industrial internet scenario testing and can be fine-tuned according to the actual vulnerability distribution.

[0132] Preferably, the dynamic iteration of the rule knowledge base includes: setting an expiration period (e.g., 90 days) for each rule; recalculating the rule indicators and removing rules with confidence levels lower than the failure confidence threshold and lift levels lower than the failure lift threshold when the update ratio of the vulnerability element set reaches a preset update threshold; and triggering rule recalculation and correction when the update ratio of the vulnerability element set reaches a preset update threshold.

[0133] In one specific implementation, the failure confidence threshold is 60% and the failure lift threshold is 1. After recalculating the rule indicators, if the rule's confidence is <60% and the lift is <1.0, it indicates that the rule has failed and is removed from the knowledge base. If the rule's indicators still meet the screening conditions, its validity period is extended by 90 days.

[0134] More preferably, when the vulnerability element set undergoes a significant update (update ratio ≥ 20%) due to the addition of new vulnerabilities or updates to defense mechanisms, rule recalculation is immediately triggered to correct the knowledge base in real time. Simultaneously, when a new combination of vulnerabilities is discovered, new association rules are generated based on the new vulnerability elements and added to the knowledge base. After the rule knowledge base is updated, feedback is sent back to the vulnerability element set. When a new rule indicates a strong correlation between two vulnerabilities, the potential vulnerability elements are re-completed.

[0135] Association rules are generated through frequent itemset mining and three-dimensional indicator screening. The rules are then set with validity periods, periodic corrections, and trigger-based corrections to ensure that the rule knowledge base always matches the operational status of the industrial internet and the characteristics of new vulnerabilities.

[0136] S5. Based on the quantized features, vulnerability element set and rule knowledge base, construct a ternary weighted heterogeneous graph and assign numerical weights to the directed edges.

[0137] Preferably, a ternary weighted heterogeneous graph is constructed. Where A is the node set, E is the edge set, and W is the edge weight set, the construction details and weight assignments of each part are as follows:

[0138] All nodes in node set A are equipped with corresponding quantized feature attributes, providing a basis for subsequent edge weight calculation and path mining, specifically including:

[0139] Physical node set This corresponds to all physical nodes in the Industrial Internet. Each node has the following attributes: node number, device type, and security risk level. Topological feature vectors The highest achievable permission level;

[0140] Vulnerable Node Set : For all vulnerabilities in the corresponding vulnerability element set, each node has the following attributes: vulnerability number, CVE number, and permission feature vector. Utilizing the difficulty level ;

[0141] Defense mechanism node set : Corresponding to all defense mechanisms in the vulnerability element set, each node has the following attributes: defense number, defense type, and dynamic feature vector. Interception success rate .

[0142] Edge set E consists of directed edges representing the actual relationships between the three types of nodes. The weight of an edge related to the total cost of the attack path is defined as the attack cost; a larger weight indicates a higher difficulty or cost for the attacker to traverse that path segment. All edge weights are designed to be non-negative. The specific edge types and weight assignment rules are as follows:

[0143] Physical node - physical node edge : Represents the physical connection relationship between nodes, directed edges from nodes Pointing to node j That is, the cost of lateral movement, the cost weight. , This represents the cost coefficient for cross-node communication. These are configurable weighting coefficients. The larger the value, the more likely it is to be from The higher the difficulty of cross-node attacks, the more complex the attack becomes.

[0144] Physical node - vulnerable node edge The vulnerability is represented by the fact that it exists in the corresponding physical node, and the directed edge originates from the physical node. Pointing to the vulnerable node The cost weighting combines the difficulty of privilege escalation and the difficulty of exploiting the vulnerability, that is, the overall cost of exploiting the vulnerability, specifically: ,in, The difficulty level of exploiting the vulnerability. For vulnerabilities The extent of privilege escalation, These are configurable weighting coefficients; A larger weight indicates that at a node exploiting vulnerabilities The higher the difficulty.

[0145] Physical Node - Defense Mechanism Node Edge : Represents that the physical node has deployed the corresponding defense mechanism, and the directed edge is from the physical node. Pointing to the defense mechanism node d , border rights (Defense Timeliness Coefficient), the larger the weight, the stronger the defense mechanism. d The more time-sensitive the information, the more difficult it is for attackers to evade it.

[0146] Vulnerable node - Vulnerable node edge : Represents the relationships between vulnerabilities, with directed edges connecting vulnerability nodes. Pointing to the vulnerable node , border rights The larger the weight, the more... and The more reliable the relationship, the better; among them, The confidence level of the association rule. These are configurable weighting coefficients.

[0147] Defense mechanism node - vulnerability node edge The defense mechanism represents the corresponding vulnerability, with directed edges connecting the defense mechanism nodes. Pointing to the vulnerable node That is, the cost of defense and avoidance, with the cost weight being... A higher weight indicates a stronger defense mechanism. d Vulnerability The better the interception effect, the more easily attackers can exploit vulnerabilities. The higher the difficulty; among them, (to improve the success rate of defense interception) These are configurable weighting coefficients.

[0148] When the quantization feature (such as or the confidence level of the association rule. When changes occur, the corresponding numerical edge weights are automatically refreshed within a preset period; when physical nodes, vulnerabilities, and defense mechanisms are added or deleted, the corresponding nodes and edges are also added or deleted synchronously to ensure that the heterogeneous graph is always consistent with the actual state of the industrial internet.

[0149] By constructing a ternary weighted heterogeneous graph containing physical nodes, vulnerability nodes, and defense mechanism nodes, and assigning numerical weights related to actual attack characteristics such as cross-node communication cost, vulnerability exploitation difficulty, defense timeliness, rule confidence, and interception success rate to different types of directed edges, the graph model is highly matched with real attack scenarios.

[0150] S6. Divide the node levels of the ternary weighted heterogeneous graph to determine the attack starting point and target. Based on the attack cost model and introduce vulnerability privilege escalation logic constraints, perform path search to find the attack path with the minimum total cost from the attack starting point to the target. Perform vulnerability correlation analysis and output a list of high-threat attack paths.

[0151] Preferably, the node levels are divided into ternary weighted heterogeneous graphs, specifically as follows:

[0152] The security risk level of the node , penetration , out-degree After normalization, construct the node feature vector. ;

[0153] As a clustering criterion, Euclidean distance is used as a similarity measure to divide the node feature vectors into three clusters:

[0154] The cluster closest to the origin is defined as the edge layer node (attack starting point). Such nodes have low security risk and small in-degree. They are usually edge acquisition devices such as sensors and cameras, and are the initial intrusion point for attackers.

[0155] The cluster furthest from the origin is defined as the core layer node (attack target). Such nodes have high security risks and large outgoing distances. They are usually core control devices such as servers and PLCs, and are the ultimate target of attackers.

[0156] The remaining clusters are defined as intermediate layer nodes (attack springboards). These nodes are intermediate nodes for attackers to conduct lateral penetration and escalate privileges.

[0157] Preferably, the attack cost model quantifies the total implementation difficulty of the attack path by comprehensively evaluating four dimensions: difficulty of privilege escalation, cost of cross-node communication, difficulty of vulnerability exploitation, and cost of defense and evasion.

[0158] The difficulty of privilege escalation is determined based on the privilege escalation range of the vulnerability; the cost of cross-node communication is determined based on the communication cost coefficient between nodes; the difficulty of vulnerability exploitation is determined based on the vulnerability exploitation difficulty coefficient; and the cost of defense and evasion is determined based on the interception success rate of the defense mechanism.

[0159] More preferably, the attack cost model is implemented by allocating the cost to the edge weights of the heterogeneous graph. This definition integrates four dimensions—priority escalation difficulty, cross-node communication cost, vulnerability exploitation difficulty, and defense evasion cost—into the weights of each edge. The total cost of the attack path is defined as the sum of the costs of all edges traversed by the path.

[0160] ;

[0161] in, It is an edge in the path. This is the cost weight of that edge; the specific calculation method is defined in S5. The costs for each dimension (privilege escalation, lateral movement, exploitation, and defense evasion) are weighted by coefficients. By incorporating the corresponding type of edge weight calculation, the comprehensiveness of the total cost is ensured.

[0162] In a typical example, the weight coefficient takes the value of The weighting coefficients can be flexibly adjusted according to the security requirements of different industrial scenarios. For example, in the power sector, where priority should be given to privilege escalation, the weighting coefficients can be adjusted accordingly. Increase to 0.5; in chemical scenarios, special attention should be paid to defense and evasion, which can be... Increased to 0.3.

[0163] Preferably, the path search algorithm is an improved shortest path search algorithm, with the goal of minimizing the total cost, and adds vulnerability privilege escalation logic constraints. More preferably, the step of using an attack cost model and introducing vulnerability privilege escalation logic constraints for path search specifically includes:

[0164] With the goal of minimizing the total cost, add vulnerability privilege escalation logic constraints and perform pruning judgment during node traversal: the resulting privileges obtained after exploiting a previous vulnerability must not be lower than the prerequisite privileges required for exploiting a subsequent vulnerability; otherwise, prune the path.

[0165] The path length of the classic shortest path algorithm is replaced with the total cost calculated by the attack cost model to find the attack path with the minimum total cost.

[0166] All edge weights are non-negative, preventing attackers from exploiting low-privilege vulnerabilities to trigger high-privilege vulnerabilities. This constraint is the core logic of attack path discovery, solving the problem of disconnect between existing technical path discovery and privilege escalation logic.

[0167] More preferably, the path search method is as follows:

[0168] 1) The cost of all physical nodes Initialize to Initialize the cost of the edge layer nodes to 0 and set the predecessor node to null;

[0169] 2) Add all edge layer nodes to the set of nodes to be visited;

[0170] 3) Select the node with the lowest cost from the set of nodes to be visited. traverse all its adjacent nodes Each corresponding edge ( ,v );

[0171] 4) Check from the path start point to Then The permission flow, if the edge ( , ) Involves vulnerability exploitation (such as It is a physical node. If it is a vulnerable node, then check the permissions obtained from the starting point to u to see if it satisfies "permissions resulting from the preceding vulnerability ≥ permissions required for the subsequent vulnerability". If not, skip that edge.

[0172] 5) If the constraints are satisfied, calculate the temporary cost. .if Then update and record The predecessor node is ,Will Marked as visited;

[0173] 6) Repeat steps 3)-5) until the set of nodes to be visited is empty, or all core layer nodes have been added to the set of visited nodes;

[0174] 7) Starting from the core layer node, trace back to the predecessor node and then to the edge layer node to extract the effective attack path from the edge layer node to the core layer node. This represents the total cost C of the path, where t is the target node.

[0175] Suppose a total path is: the vulnerability occurs on N1, exploiting the vulnerable node v1, then moving laterally to physical node N2, and then exploiting the vulnerable node v2 (N2→V2); the corresponding graph traversal path is: node N1→vulnerable node v1→node N2→vulnerable node v2; its total cost is calculated as follows:

[0176] ;

[0177] in, This includes the costs associated with privilege escalation and increased difficulty in exploitation. This reflects the cost of lateral movement. (N2→V2) Similarly. In the search process, the algorithm finds the optimal path by continuously comparing and accumulating the costs of these edges.

[0178] Preferably, the vulnerability correlation analysis includes:

[0179] Multi-condition quantification is performed on adjacent vulnerabilities in the attack path, and the determination includes verifying whether the following conditions are met simultaneously:

[0180] Privilege escalation conditions: the resulting privilege level of a preceding vulnerability must not be lower than the prerequisite privilege level of a subsequent vulnerability.

[0181] Association rule conditions, that is, the confidence level of the association rule between two vulnerabilities reaches a preset association threshold;

[0182] Cross-node communication conditions, namely, the communication cost coefficient between the two physical nodes where the vulnerability is located does not exceed the preset cost threshold;

[0183] When all the above conditions are met, reverse defense filtering is performed: if the interception success rate of the defense mechanism corresponding to the subsequent vulnerability does not reach the preset interception threshold, the two vulnerabilities are determined to have actual correlation value; if the interception success rate of the defense mechanism corresponding to the subsequent vulnerability reaches the preset interception threshold, even if all the above conditions are met, the two vulnerabilities are still determined to have no actual correlation value and are marked separately in the results, because attackers cannot effectively circumvent the defense, and the correlation has no actual attack significance.

[0184] The path mining method based on the improved shortest path search algorithm described above is only an example. Other graph theory search algorithms that can handle weighted directed graphs and consider specific constraints (such as weight-raising logic), such as other variants of Dijkstra's algorithm, can also be used to mine the attack path with the minimum total cost after appropriate adaptation.

[0185] In one specific embodiment, the preset association threshold is preferably 70%, the cost threshold is preferably 0.8, and the preset interception threshold is preferably 90%, and each threshold is a configurable parameter.

[0186] This approach employs a parallel determination of three quantitative conditions: privilege escalation conditions, association rule conditions, and cross-node communication conditions, combined with a defensive reverse filtering mechanism, to achieve precise correlation analysis of vulnerabilities. A vulnerability is deemed to have practical correlation value only when all three conditions are met simultaneously and the defense mechanism has not reached its interception threshold. Compared to existing technologies that rely solely on single conditions such as privilege level or probability indicators, this multi-condition determination mechanism significantly reduces the false positive rate, making the analysis results more practically instructive.

[0187] Preferably, a threat value index is introduced, which combines the total cost C of the path with the security risk level of the core layer nodes. All valid attack paths are prioritized, and the threat value formula is:

[0188] ;

[0189] in, The security risk level of the core layer node at the end of the attack path is given by C, and the total cost of the path is given by C. When C is less than a preset minimum cost threshold, the threshold is used for calculation to avoid calculation errors. The range of values ​​is The larger the value, the higher the threat level of the path, the easier it is for attackers to exploit, and the more priority should be given to protection.

[0190] The attack paths are sorted from highest to lowest threat level, and a list of high-threat attack paths is output. The list includes path components, associated vulnerabilities, total cost (C), and threat level. Information such as key defense points directly provides practical guidance for the security protection of the industrial internet.

[0191] More preferably, the method further includes:

[0192] The output list of high-threat attack paths is fed back to the data collection, feature quantification, vulnerability element construction, rule generation, and heterogeneous graph construction stages to guide the optimization of data collection, adjustment of feature weights, updating of vulnerability elements, correction of association rules, and refresh of heterogeneous graph weights, forming a closed-loop iteration throughout the entire process.

[0193] The list of high-threat attack paths is fed back to the aforementioned stages to guide data collection optimization, feature weight adjustment, vulnerability element updates, association rule corrections, and heterogeneous graph weight refreshes. Specifically: the high-threat path list is fed back to step 1 (guiding targeted data collection of high-threat nodes) and step 2 (optimizing feature weights); the vulnerability association determination results are fed back to step 3 (updating the vulnerability element set) and step 4 (correcting association rules); the path cost analysis results are fed back to step 5 (refreshing heterogeneous graph edge weights), achieving closed-loop optimization throughout the entire process. This forms a complete closed loop of "collection-analysis-output-optimization-re-collection," ensuring that the analysis results always align with the actual state of the industrial site and achieving continuous self-optimization of the analysis system.

[0194] To illustrate the analysis process in this embodiment more specifically, a specific application scenario example is given below:

[0195] This embodiment uses a power industry internet system as an application scenario. The system comprises 20 physical nodes (6 sensors, 6 PLCs, 4 gateways, and 4 servers), employs industrial fieldbus or industrial Ethernet communication protocols (such as Modbus TCP and Profinet), and deploys security protection devices such as firewalls, IDS, and patch management systems. The specific steps are as follows:

[0196] 1) Collect basic node attributes, network topology, vulnerability information and defense dynamic data of the system, clean and remove invalid data, normalize numerical data, and perform lexical segmentation on text descriptions to obtain a standardized dataset of 20 physical nodes, 35 vulnerabilities and 12 defense mechanisms.

[0197] 2) Feature extraction, quantization, and fusion;

[0198] Topological centrality characteristics of compute nodes: Betweenness centrality of core servers =0.75, based on the topology of the 20 nodes of the power system, calculated using the Brandes algorithm, the node... The total number of times the shortest path lies on the 150 pairs of s≠t≠i is 256, and the total number of shortest paths is 342. Therefore... Similarly, the core server has a degree centrality of 0.8, betweenness centrality of 0.75, and proximity centrality of 0.82, while the edge sensor has a degree centrality of 0.2, betweenness centrality of 0.15, and proximity centrality of 0.3; the communication cost coefficient between core nodes... Between edge and core nodes .

[0199] Calculate the privilege characteristics of the vulnerability: such as the vulnerability CVE-2023-28432. (ICS-ACCESS) (ICS-ROOT) 、 Two vulnerabilities with privilege escalation levels not exceeding zero were removed.

[0200] Calculate the dynamic characteristics of defense: the defense timeliness coefficient of the core server. Interception success rate Edge sensor , .

[0201] Security risk level of compute node: core control server Edge sensor .

[0202] The feature matrix is ​​generated by weighting the vulnerability permission features (40%), node topology centrality features (20%), defense dynamic features (20%), and basic attribute features (20%).

[0203] 3) Using historical data from the past year, 500 training samples were constructed to train the GAT-DNN fusion model. After 120 iterations, the model converged, and the accuracy was achieved. The fusion feature matrix was input to predict 12 known vulnerabilities at 20 nodes. The conditional probabilities between vulnerabilities were calculated, and 3 potential vulnerabilities were added. One of these vulnerabilities was filtered out due to a defense interception success rate of ≥90%, ultimately forming a dynamic vulnerability element set containing 14 vulnerabilities.

[0204] 4) Frequent itemset mining generates 18 single-item, 12 double-item, and 5 triple-item frequent itemsets. 28 candidate rules are constructed, 15 rules with a confidence level ≥75% are selected, and 2 additional rules with a lift ≥1.2 are added, resulting in 17 initial rules with a 90-day validity period. Regular and triggered correction mechanisms ensure that the rule base and vulnerability elements are updated synchronously.

[0205] 5) Construct a heterogeneous graph containing 20 physical nodes, 14 vulnerability nodes, and 12 defense mechanism nodes, generating 186 directed edges. Assign weights according to the following rules: the edge weight between physical nodes is the communication cost coefficient; the edge weight between a physical node and a vulnerability node is the vulnerability exploitation difficulty coefficient; the edge weight between a physical node and a defense node is the defense timeliness coefficient; the edge weight between vulnerability nodes is the confidence of the association rule; and the edge weight between a defense node and a vulnerability node is the interception success rate. (The weights between core nodes are also considered.) The exploitation difficulty of vulnerability CVE-2023-28432 is related to edge weight. Enable dynamic refresh mechanism.

[0206] 6) Attack path discovery and vulnerability correlation determination;

[0207] Hierarchical clustering was used to divide the six sensors into an edge layer, the six PLCs and four gateways into a middle layer, and the four servers into a core layer. A four-dimensional attack cost model was constructed, with weights of α=0.4, β=0.2, γ=0.2, and δ=0.2. An improved shortest path algorithm was used to discover three effective attack paths under privilege escalation constraints, satisfying the condition that the privilege level of the preceding vulnerability is no lower than the prerequisite privilege level of the subsequent vulnerability.

[0208] Through multi-condition quantitative analysis, 5 pairs of validly related vulnerabilities were identified, while 2 pairs were deemed unrelated due to excessively high defense interception success rates. The threat values ​​for the three paths were calculated to be 4.7, 3.8, and 3.5, respectively. A list of high-threat attack paths was output in descending order:

[0209] Path 1: Edge sensor (vulnerable node v1) → Gateway (vulnerable node v5) → Control server (vulnerable node v12), C=1.8 4.7;

[0210] Path 2: Edge camera (vulnerable node v3) → PLC (vulnerable node v8) → Database server (vulnerable node v15), C=2.1 3.8;

[0211] Path 3: Edge sensor (vulnerable node v2) → Intermediate server (vulnerable node v7) → Control server (vulnerable node v12), C=2.3 3.5.

[0212] Based on the output list of high-threat attack paths, targeted protection was implemented: patches were deployed for v1, v2, and v3 vulnerabilities on edge nodes, gateway / PLC access control was strengthened, and cross-node communication costs were increased. For core server vulnerabilities v12 and v15, defense-in-depth was enabled, increasing the interception success rate to 0.95. After implementation, the average total cost of the three attack paths increased to 3.2, and the average threat value decreased to 2.1, significantly improving the system's security level and verifying the feasibility and effectiveness of this application.

[0213] The second embodiment of this application further details the fusion model in the first embodiment. The fusion model is a fusion model of graph attention network and deep neural network, consisting of five parts: input layer, GAT layer, DNN layer, feature fusion layer, and output layer. The structure and function of each layer are as follows:

[0214] Input layer: Receives the fusion feature matrix M generated in step 2, and inputs each row of the matrix as a sample into the model;

[0215] GAT layer: Contains 2 attention heads, with a hidden layer dimension of 64. It uses a multi-head attention mechanism to learn the topological relationship features between nodes and outputs a node topological relationship feature vector. The activation function of the GAT layer is LeakyReLU to solve the gradient vanishing problem.

[0216] DNN layer: Contains 3 fully connected hidden layers with dimensions of 128, 64 and 32 respectively, used to learn the non-linear mapping relationship between vulnerability privilege features and defense dynamic features, and output vulnerability-defense feature vector; The activation function of the DNN layer is ReLU, which improves the non-linear fitting ability of the model;

[0217] Feature fusion layer: The topological correlation feature vector output by the GAT layer is concatenated with the vulnerability-defense feature vector output by the DNN layer. Batch normalization is used to eliminate feature distribution differences and output a fused prediction feature vector.

[0218] Output layer: The Sigmoid activation function is used to output the probability of existence of each node-vulnerability association pair (value range [0,1]). When the probability of existence is ≥0.8, the vulnerability is determined to exist in the corresponding node.

[0219] The method for pre-training the fusion model is as follows:

[0220] 1) Construction of training sample set: Collect historical topology maps, node attributes, vulnerability elements and corresponding attack link tags of industrial Internet, construct training sample set, and divide it into training sample set, verification sample set and test sample set in a ratio of 7:1.5:1.5.

[0221] 2) Setting the loss function and optimizer: The cross-entropy loss function is used to calculate the error between the model's predicted values ​​and the true values, specifically:

[0222]

[0223] in, The true label for sample i (e.g., preferably 1 if present, 0 if absent). For the sample i The model predicts the probability. N The total number of samples is used; the Adam optimizer is used to optimize the model parameters, setting the learning rate (e.g., 0.001) and weight decay (e.g., 0.0001) to avoid overfitting.

[0224] 3) Cross-validation: During training, 5x cross-validation is used. The training sample set is divided into 5 subsets. Four subsets are used for training and one subset is used for validation. The average accuracy of the 5 validations is taken as the validation accuracy of the model to ensure the stability and generalization ability of the model.

[0225] 4) Model convergence determination: When the model's validation accuracy improves by ≤0.1% for 10 consecutive iterations, or when the number of iterations reaches 200, the model is determined to have converged and training is stopped.

[0226] It should be noted that the above-described fusion model of graph attention network and deep neural network is merely a preferred example for implementing the vulnerability element prediction function. Those skilled in the art will understand that any machine learning model capable of processing graph-structured data and performing classification or probability prediction, such as graph convolutional networks (GCN) and recurrent neural networks (RNN), can also be used to implement the vulnerability element prediction function described in this application after appropriate training, and these alternative solutions should all fall within the protection scope of this application.

[0227] A third aspect of this application proposes an industrial internet multi-vulnerability correlation analysis system, comprising:

[0228] The data processing module is configured to acquire a standardized structured dataset that includes basic node attributes, network topology, vulnerability data, and dynamic defense data.

[0229] The feature quantization module is configured to extract node topological centrality features, vulnerability permission features, and defense dynamic features from a standardized dataset and quantify them respectively. The quantized features are then weighted and fused to generate a fused feature matrix.

[0230] The element construction module is configured to predict vulnerability elements on each physical node based on the fused feature matrix, and to supplement and filter potential vulnerabilities in combination with the defense effect, generating a vulnerability element set.

[0231] The rule generation module is configured to mine vulnerability association rules based on vulnerability element sets to build a rule knowledge base, and to set a lifecycle for each rule, dynamically iterating the rule knowledge base through periodic and triggered corrections.

[0232] The model building module is configured to construct a ternary weighted heterogeneous graph based on the quantized features, vulnerability element set and rule knowledge base, and assign numerical weights to the directed edges.

[0233] The path discovery module is configured to divide the node levels of the ternary weighted heterogeneous graph to determine the attack start point and target. Based on the attack cost model and by introducing vulnerability privilege escalation logic constraints, it performs path search to discover the attack path with the minimum total cost from the attack start point to the target, performs vulnerability correlation analysis, and outputs a list of high-threat attack paths.

[0234] Those skilled in the art will understand that, for the sake of convenience and brevity, the specific working process and related descriptions of the system described above can be found in the corresponding processes in the foregoing method embodiments, and will not be repeated here.

[0235] It should be noted that the industrial internet multi-vulnerability correlation analysis system provided in the above embodiments is only an example of the division of the above functional units. In practical applications, the above functions can be assigned to different functional modules as needed, that is, the modules or steps in the embodiments of this application can be further decomposed or combined. For example, the modules in the above embodiments can be merged into one module, or further divided into multiple sub-modules to complete all or part of the functions described above. The names of the modules and steps involved in the embodiments of this application are only for distinguishing the various modules or steps and are not considered as an improper limitation of this application.

[0236] A device according to the fourth embodiment of this application includes:

[0237] At least one processor;

[0238] and a memory communicatively connected to at least one of the processors;

[0239] The memory stores instructions that can be executed by the processor to implement the aforementioned industrial internet multi-vulnerability correlation analysis method.

[0240] A computer-readable storage medium according to the fifth embodiment of this application stores computer instructions, which are executed by a computer to implement the above-described industrial internet multi-vulnerability correlation analysis method.

[0241] Those skilled in the art will understand that, for the sake of convenience and brevity, the specific working process and related descriptions of the storage device and processing device described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.

[0242] The following is for reference. Figure 2 It shows a schematic diagram of the structure of a computer system for implementing the methods, apparatus, and electronic devices of this application. Figure 2 The server shown is merely an example and should not impose any limitations on the functionality and scope of use of the embodiments of this application.

[0243] like Figure 2As shown, the computer system includes a Central Processing Unit (CPU) 201, which can perform various appropriate actions and processes based on programs stored in Read Only Memory (ROM) 202 or programs loaded from storage section 208 into Random Access Memory (RAM) 203. The RAM 203 also stores various programs and data required for system operation. The CPU 201, ROM 202, and RAM 203 are interconnected via a bus 204. An Input / Output (I / O) interface 205 is also connected to the bus 204.

[0244] The following components are connected to I / O interface 205: an input section 206 including a keyboard, mouse, etc.; an output section 207 including a cathode ray tube (CRT), liquid crystal display (LCD), etc., and speakers, etc.; a storage section 208 including a hard disk, etc.; and a communication section 209 including a network interface card such as a LAN (Local Area Network) card, modem, etc. The communication section 209 performs communication processing via a network such as the Internet. A drive 210 is also connected to I / O interface 205 as needed. Removable media 211, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., are installed on drive 210 as needed so that computer programs read from them can be installed into storage section 208 as needed.

[0245] Specifically, according to embodiments of this disclosure, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments of this disclosure include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via communication section 209, and / or installed from removable medium 211. When the computer program is executed by central processing unit (CPU) 201, it performs the functions defined in the methods of this application. It should be noted that the computer-readable medium described above in this application can be a computer-readable signal medium or a computer-readable storage medium, or any combination of the two. A computer-readable storage medium can be, for example,—but not limited to—an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of computer-readable storage media may include, but are not limited to: electrical connections having one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this application, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in connection with an instruction execution system, apparatus, or device. In this application, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such propagated data signals can take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A computer-readable signal medium can also be any computer-readable medium other than a computer-readable storage medium, which can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device. The program code contained on a computer-readable medium can be transmitted using any suitable medium, including but not limited to: wireless, wire, optical fiber, RF, etc., or any suitable combination thereof.

[0246] Computer program code for performing the operations of this application can be written in one or more programming languages ​​or a combination thereof, including object-oriented programming languages ​​such as Java, Smalltalk, and C++, and conventional procedural programming languages ​​such as the "C" language or similar programming languages. The program code can be executed entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the user's computer via any type of network—including a local area network (LAN) or a wide area network (WAN)—or can be connected to an external computer (e.g., via the Internet using an Internet service provider).

[0247] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.

[0248] The terms “first”, “second”, etc., are used to distinguish similar objects, not to describe or indicate a specific order or sequence.

[0249] The term "comprising" or any other similar term is intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus / device that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent in such process, method, article, or apparatus / device.

[0250] The technical solutions of this application have been described above with reference to the preferred embodiments shown in the accompanying drawings. However, it will be readily understood by those skilled in the art that the scope of protection of this application is obviously not limited to these specific embodiments. Without departing from the principles of this application, those skilled in the art can make equivalent changes or substitutions to the relevant technical features, and the technical solutions after these changes or substitutions will all fall within the scope of protection of this application.

Claims

1. A method for multi-vulnerability correlation analysis in the industrial internet, characterized in that, Includes the following steps: Obtain a standardized, structured dataset that includes basic node attributes, network topology, vulnerability data, and dynamic defense data. Node topology centrality features, vulnerability access features, and defense dynamic features are extracted from a standardized dataset and quantified separately. The quantified features are then weighted and fused to generate a fused feature matrix. The process involves dividing user permissions into multiple levels and assigning corresponding weights, calculating the privilege escalation before and after vulnerability exploitation, eliminating vulnerabilities with privilege escalation values ​​that are not greater than zero, quantifying the vulnerability exploitation difficulty coefficient by combining CVSS attack complexity and authentication requirements, and generating a privilege feature vector. The timeliness coefficient is calculated based on the effective duration of the defense mechanism, and the interception success rate is calculated based on historical interception data to generate a dynamic defense feature vector. Based on the fusion feature matrix, the vulnerability elements on each physical node are predicted, and the potential vulnerabilities are supplemented and filtered in combination with the defense effect to generate a vulnerability element set. Based on vulnerability element sets, vulnerability association rules are mined to build a rule knowledge base, and a lifecycle is set for each rule. The rule knowledge base is dynamically iterated through periodic and triggered corrections. Based on the quantified features, vulnerability element set, and rule knowledge base, a ternary weighted heterogeneous graph is constructed, and numerical weights are assigned to directed edges. The ternary weighted heterogeneous graph includes three types of nodes: physical nodes, vulnerability nodes, and defense mechanism nodes, as well as five types of directed edges. Numerical weights related to the attack cost are assigned to different types of directed edges. Specifically, the directed edges are: The weight of a directed edge between physical nodes is determined based on the cross-node communication cost coefficient. The weight of a directed edge from a physical node to a vulnerable node is determined based on the vulnerability exploitation difficulty coefficient and the privilege escalation level. The weight of a directed edge from a physical node to a defense mechanism node is determined based on the defense timeliness coefficient. The weights of directed edges between vulnerable nodes are determined based on the confidence level of the association rules. The weight of the directed edge pointing from the defense mechanism node to the vulnerability node is determined based on the defense interception success rate. The ternary weighted heterogeneous graph is divided into node levels to determine the attack starting point and target. Based on the attack cost model and by introducing vulnerability privilege escalation logic constraints, path search is performed to find the attack path with the minimum total cost from the attack starting point to the target. Vulnerability correlation analysis is performed to output a list of high-threat attack paths. To classify nodes in a ternary weighted heterogeneous graph, the following steps are taken: after normalizing the security risk level, in-degree, and out-degree of each node, a node feature vector is constructed; using Euclidean distance as a similarity measure, the node feature vectors are divided into three clusters; among them, the cluster closest to the origin is defined as the attack starting point, and the cluster farthest from the origin is defined as the attack target. The path search includes: based on the numerical weights assigned to the directed edges, using a graph shortest path search algorithm to find the attack path from the attack origin to the target with the minimum sum of weights.

2. The method for multi-vulnerability correlation analysis in the industrial internet according to claim 1, characterized in that, Extracting and quantifying node topological centrality features, vulnerability access control features, and defense dynamic features, and further including: Based on the inter-node connectivity, the degree centrality, betweenness centrality, and proximity centrality are calculated, and the node topological centrality feature vector is generated. The cross-node communication cost coefficient between any connected node pairs is independently calculated based on the inter-node communication bandwidth and transmission delay. The node topological centrality feature vector, permission feature vector, and defense dynamic feature vector are weighted and fused according to preset weights to generate a fused feature matrix.

3. The method for multi-vulnerability correlation analysis in the industrial internet according to claim 1, characterized in that, Based on the fused feature matrix, vulnerability elements on each physical node are predicted, specifically: The fused feature matrix is ​​input into a pre-trained fusion model to predict vulnerability elements on each physical node. The pre-trained fusion model is a fusion model of graph attention network and deep neural network. The graph attention network layer extracts the topological association features between nodes, and the deep neural network layer extracts the nonlinear mapping relationship between vulnerability permission features and defense dynamic features. The two types of features are fused and the vulnerability existence probability is output. The existence probability is used to determine whether the vulnerability exists on the corresponding physical node.

4. The method for multi-vulnerability correlation analysis in the industrial internet according to claim 3, characterized in that, In conjunction with the defense's effectiveness, potential vulnerabilities are patched and filtered, specifically as follows: The conditional probability between vulnerabilities is calculated based on the co-occurrence frequency of vulnerabilities. When the conditional probability meets the preset strong correlation judgment condition, it is determined that the two vulnerabilities are strongly correlated. If a physical node has a known vulnerability but no strongly correlated vulnerability is detected, the physical node is predicted to have the associated vulnerability as a potential vulnerability. If the interception success rate of the defense mechanism corresponding to the potential vulnerability reaches or exceeds the preset filtering threshold, the potential vulnerability is filtered; otherwise, it is added to the vulnerability element set. Each element in the vulnerability element set includes a node identifier, a vulnerability identifier, and quantitative features related to the vulnerability.

5. The method for multi-vulnerability correlation analysis in the industrial internet according to claim 1, characterized in that, The vulnerability association rules based on vulnerability element sets specifically include: Candidate association rules are generated through frequent itemset mining. The support, confidence, and lift of each candidate rule are calculated. Rules whose confidence reaches the screening threshold are directly included in the rule knowledge base. Rules whose confidence does not reach the screening threshold but whose lift reaches the preset lift threshold are also included. The dynamic iteration of the rule knowledge base includes: setting an expiration period for each rule; recalculating rule indicators and removing rules with confidence levels lower than the failure confidence threshold and lift levels lower than the failure lift threshold when the update ratio of the vulnerability element set reaches a preset update threshold; and triggering rule recalculation and correction when the update ratio of the vulnerability element set reaches a preset update threshold.

6. The method for multi-vulnerability correlation analysis in the industrial internet according to claim 2, characterized in that, When the confidence level of the quantized features or the association rules changes, the corresponding numerical edge weights are automatically refreshed within a preset period.

7. The method for multi-vulnerability correlation analysis in the industrial internet according to claim 6, characterized in that, The attack cost model defines the total cost of an attack path as the sum of the cost weights of all edges in the path; The cost weights are allocated to different types of directed edges based on the four-dimensional attack cost factors, specifically including: Distribute the cost of cross-node communication to the edge weights between physical nodes; The combined cost of the difficulty of privilege escalation and the difficulty of exploitation is allocated to the edge weights of physical nodes pointing to vulnerable nodes. The cost of defense evasion is allocated to the edge weights of the defense mechanism nodes pointing to the vulnerability nodes.

8. The method for multi-vulnerability correlation analysis in the industrial internet according to claim 7, characterized in that, Introducing privilege escalation logic constraints, specifically including: Add privilege escalation logic constraints to perform pruning checks during node traversal: the privileges obtained after exploiting a preceding vulnerability must be no lower than the prerequisite privileges required for exploiting a subsequent vulnerability; otherwise, prune the path.

9. The method for multi-vulnerability correlation analysis in the industrial internet according to claim 2, characterized in that, The vulnerability correlation analysis includes: Multi-condition quantification is performed on adjacent vulnerabilities in the attack path, and the determination includes verifying whether the following conditions are met simultaneously: Privilege escalation conditions: the resulting privilege level of a preceding vulnerability must not be lower than the prerequisite privilege level of a subsequent vulnerability. Association rule conditions, that is, the confidence level of the association rule between two vulnerabilities reaches a preset association threshold; Cross-node communication conditions, namely, the communication cost coefficient between the two physical nodes where the vulnerability is located does not exceed the preset cost threshold; When all the above conditions are met, reverse defense filtering is performed: if the interception success rate of the defense mechanism corresponding to the subsequent vulnerability does not reach the preset interception threshold, the two vulnerabilities are determined to have actual related value.

10. The method for multi-vulnerability correlation analysis in the industrial internet according to claim 1, characterized in that, The method further includes: The output list of high-threat attack paths is fed back to the data collection, feature quantification, vulnerability element construction, rule generation, and heterogeneous graph construction stages to guide the optimization of data collection, adjustment of feature weights, updating of vulnerability elements, correction of association rules, and refresh of heterogeneous graph weights, forming a closed-loop iteration throughout the entire process.