Attack profiling system and method based on graph association
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SICHUAN YILAN SITUATION TECH CO LTD
- Filing Date
- 2026-04-28
- Publication Date
- 2026-07-14
Smart Images

Figure CN122120037B_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of network security technology, and more specifically, relates to an attack profiling system and method based on graph association. Background Technology
[0002] With the profound evolution of digital infrastructure and the continuous iteration of cyberattack methods, cybersecurity defense systems are facing unprecedented complexity challenges. Currently, new attack paradigms such as advanced persistent threats (APS), distributed collaborative attacks, and covert springboard links are becoming increasingly prevalent. Their core characteristics include multi-source IP collaborative operations, long-term latency of attack behavior, and highly dynamic attack paths. Against this backdrop, building a security analysis system capable of tracking the entire lifecycle of attackers, contextualizing, and intelligently assessing their actions has become a core requirement for ensuring the security of critical information infrastructure. Traditional security monitoring mechanisms mainly rely on event response models centered on single-point alerts, such as security information and event management platforms or intrusion detection systems. Their initial design purpose was to capture and initially filter isolated abnormal behaviors in real time. In the early stages of cyber threats, when they were relatively simple and attack chains were linearly identifiable, such systems did play a significant role in improving basic protection capabilities.
[0003] However, with the continuous development of related technologies and the increasingly stringent performance requirements of application scenarios, some inherent characteristics of the aforementioned technical solutions at the principle level have gradually revealed their limitations in addressing new challenges. Specifically, existing systems generally lack the ability to deeply integrate heterogeneous security data across time, devices, and protocols, resulting in severely fragmented information about threat targets. A typical attack often involves multiple jump hosts, proxy nodes, and masquerading identities. If judgment is based solely on a single alarm log, it is easy to misjudge different behaviors of the same attack group as several independent events, thereby losing insight into the overall attack intent. Furthermore, even if some platforms attempt to introduce visualization methods to enhance situational awareness, their underlying structure still lacks a unified semantic modeling framework. This makes it difficult for multidimensional data from logs, traffic, honeypots, and external intelligence repositories to form a consistent expression at the logical level, thus failing to support high-level correlation reasoning and collaborative identification. The reason for this is that existing methods mostly adopt static rule matching or single-dimensional feature extraction strategies, which neither establish the inherent coupling relationship between the attack surface, behavior surface and intelligence surface, nor map IP entities and their interactive behaviors to a knowledge graph with topological structure and semantic attributes. As a result, the system exhibits significant capability deficiencies when facing key tasks such as multi-IP collaborative attacks, complex attack chain reconstruction and context tracing.
[0004] Building upon this, the deep-seated contradictions exposed by existing technologies are becoming increasingly prominent: on the one hand, security operations urgently need to extract tactically significant attack profiles from massive amounts of fragmented alerts; on the other hand, traditional architectures, lacking dynamic modeling mechanisms oriented towards collaborative relationships, cannot effectively aggregate discrete behavioral clues and generate interpretable, traceable, and actionable analytical conclusions. This contradiction is not only reflected in the semantic gap at the data layer but also profoundly in the disconnect between analytical logic and handling processes—even when high-risk IPs are identified, the system struggles to automatically trigger precise, coordinated, and closed-loop response actions, resulting in an operational dilemma of "seeing but not being able to control." Correspondingly, due to the lack of visualization drill-down capabilities based on graph structures, security analysts often fall into inefficient manual correlation and experience-based speculation when facing large-scale attack networks, greatly weakening overall defense efficiency. Therefore, how to construct an attack profiling system that integrates multi-source heterogeneous data, possesses a unified semantic model, supports graph-based collaborative relationship mining, and can achieve a closed-loop process from threat discovery and profile construction to intelligent decision-making and automated handling has become a key challenge and an urgent technical problem for those skilled in the art. Summary of the Invention
[0005] This invention provides an attack profiling system and method based on graph association, aiming to solve the technical problems in existing network security defense systems, such as the dispersion of threat IP behavior information, the difficulty in dynamically displaying and traceably analyzing attack chains, and the lack of intelligent identification and visual analysis capabilities for attack groups and their collaborative relationships. To achieve the above-mentioned objectives, this invention constructs an attack profiling system that integrates multi-source heterogeneous data, possesses a unified semantic model, supports graph-based collaborative relationship mining, and can realize a closed-loop process from threat discovery and profiling to intelligent decision-making and automated handling.
[0006] The system comprises five core components: a data access and standardization module, a threat IP collaborative structure management module, a multi-dimensional profiling and analysis module, a graph-based collaborative structure analysis module, and a closed-loop analysis and handling module. The modules are seamlessly connected and operate collaboratively through predefined data interfaces and control logic.
[0007] The data access and standardization module collects multi-source heterogeneous data in real time from security devices, honeypots, logging systems, and external intelligence repositories through a built-in multi-protocol adapter. This adapter supports Syslog (system log protocol), Kafka (a distributed stream processing platform / message queue system) message queues, and RESTful APIs (representation layer state transition application programming interfaces). The module uses a unified graph computing data model based on JSON Schema (a specification for describing JSON data structures and validation rules) to clean and format the collected data. This unified graph computing data model explicitly defines the core dimensions and field constraints used for graph construction, where the subject and object dimensions define the source IP address. and destination IP address For standard string type, source port With destination port The type is integer, and protocol is an enumeration type; the temporal dimension defines the Coordinated Universal Time (UTC) timestamp. It uses a 13-bit Long integer millisecond timestamp to unify time zone differences across different devices. This module is further configured with a pre-defined heterogeneous field mapping rule table, used to map non-standard key-value pairs in the original data to standard fields in the unified model, outputting a structured standard event stream.
[0008] The Threat IP Collaborative Structure Management module utilizes distributed search engine technology and knowledge graph association technology to achieve structured aggregation management of threat IPs. This module constructs a "collaborative structure" object for each unique threat IP. The collaborative structure is stored in the backend database as a document with a nested structure, including a basic identifier field, attribute tag field, and collaborative association field. The basic identifier field contains the IP address as the primary key, the first discovery time, and the most recent active time; the attribute tag field contains geographic location information, the home operator ASN (Autonomous System Number), and the network type; the collaborative association field stores a list of related source IPs or a set of historical attack event IDs, forming a logical cluster of collaborative relationships. This module further establishes an inverted index for the time, geographic location, and attack type fields in the collaborative structure to support millisecond-level fast filtering. The frontend initiates query requests through a RESTful interface, and the backend search engine returns a list of collaborative structure objects that meet the filtering conditions based on Boolean logic combinations. The frontend component then renders this list as a table view. For in-depth profiling of a single IP, this module uses the ForceGraph engine for visualization and rendering, and incorporates the MITRE ATT&CK knowledge base (a global knowledge base based on real-world observations of attacker tactics and techniques). By traversing the IP's historical attack logs, it extracts attack feature keywords and uses a tag matching algorithm to automatically associate the corresponding tactical stage and technique number.
[0009] The multi-dimensional profiling analysis module, based on a graph computing engine and a multi-factor quantization model, constructs a deep collaborative profile from three dimensions: attack surface, behavior surface, and intelligence surface. In attack surface analysis, the system constructs a bipartite graph of attack source and attack target, projecting it into an isomorphic association graph of attack source and attack source. If different source IPs attack the same honeypot node or use the same payload hash value within a preset time window, an edge is established between the two IP nodes, with the edge weight proportional to the number of common attack targets. The system uses the Louvain community detection algorithm or weakly connected component algorithm to partition the association graph. When the modularity of nodes within a community exceeds a preset threshold, all IPs within that community are identified as potential collaborative attack groups. In behavior surface analysis, the system sorts the interaction logs between IPs and business systems by time and converts them into operation sequences. It also incorporates a finite state machine for attack behavior. When the state transition path of the operation sequence matches a high-risk path defined by the finite state machine, the IP is determined to have high-risk intrusion behavior, and its outbound activity frequency and packet size entropy value are recorded as behavioral feature vectors. In intelligence analysis, the system integrates internal and external intelligence data and uses a linear weighted scoring model to calculate the final risk level. The scoring factors include the normalized score of historical activity frequency, the reputation score of the external intelligence database, and the agent characteristic score. The comprehensive risk value is determined by the sum of the products of each factor and its corresponding preset weight coefficient. The system outputs the final risk judgment level based on the interval in which the comprehensive risk value falls.
[0010] The graph-based collaborative architecture analysis module constructs a four-layer attack correlation model based on attribute graph technology, comprising two stages: graph construction and interactive rendering. In the graph construction stage, the system is equipped with an ETL transformation engine to map the cleaned standard event stream into graph elements, extracting key information from the events. Generate threat entity nodes and extract them. Generate asset entity nodes and extract event types. Intelligence tag nodes are generated, each storing attributes such as risk value and geographic information. Event logs are traversed, creating directed edges between the attacking IPA and the attacked IPB, with edge attributes including time and payload information. If an IPA is tagged in the intelligence database, an associated edge is created between it and the intelligence tag node. In the advanced aggregation stage, the system uses a weakly connected component algorithm to mine closely connected node groups in the graph. All discrete nodes connected by the same attack file hash value or the same C&C server are aggregated into a cooperative behavior subgraph, representing a potential attack group. This subgraph and all its attributes and statistical indicators are encapsulated into an independent JSON graph object, serving as the smallest unit for panoramic analysis. In the interactive rendering stage, the front end uses the WebGL (Web Graphics Library) graphics rendering engine to load the cooperative structure data. Rendering colors are dynamically mapped based on the node's risk value, and node radius is mapped based on the number of connections. By default, only face-level cluster centers are displayed. When a user double-clicks a node, an adjacency query is triggered in the backend graph database, dynamically expanding the node's one-hop or multi-hop neighbors, achieving a layer-by-layer drill-down from macro-structure to micro-entities.
[0011] The closed-loop assessment and response module, based on SOAR (Security Orchestration, Automation, and Response) logic and finite state machine technology, achieves closed-loop management of the threat lifecycle. The system maintains a state machine attribute for each threat IP object, with its state transition logic including automatic identification, assessment, and response execution. When the IP risk score calculated by the multi-dimensional profiling module exceeds the alarm threshold, the system automatically creates a work order and sets the status to Pending. The assessment engine performs secondary verification according to preset policies; if the high confidence condition is met, the status automatically transitions to Confirmed and triggers automatic response; otherwise, it transitions to... Awaiting manual confirmation; after handling, the status is updated to Blocked or Failed based on device feedback. For confirmed threat IPs, the system calls the control interfaces of heterogeneous security devices through the policy orchestration engine. For next-generation firewalls supporting RESTful API interfaces, the system constructs a JSON command packet containing action instructions, source IP address, and duration, and requests the blocking policy via HTTPS POST (POST request method in Hypertext Transfer Protocol Security). For older routers or switches, the system establishes a connection via SSH protocol and automatically executes pre-configured ACL configuration scripts. This module further maintains status synchronization with the external security operations center through a standard northbound data interface, using HTTPS protocol with OAuth2.0 authentication mechanism. When the IP handling status changes, a Webhook callback mechanism is triggered to push structured handling logs to a specified URL on the SOC platform. The push message includes the work order number, threat IP address, handling status, and executing device information, ensuring that the upper-layer platform has real-time knowledge of the underlying handling results.
[0012] This invention, through the organic integration of the above five modules, realizes closed-loop management of threat IPs across the entire chain, from data collection, standardized modeling, collaborative relationship mining, multi-dimensional profile construction, graph-based display to automated handling. It effectively solves the problems of threat fragmentation, inefficient analysis, and delayed response caused by the lack of a unified semantic model and dynamic collaborative modeling mechanism in existing technologies, and significantly improves the network security defense system's ability to identify, analyze, and handle advanced persistent threats and complex collaborative attacks.
[0013] To make the above-mentioned objects, features and advantages of the present invention more apparent and understandable, embodiments of the present invention are described below in detail with reference to the accompanying drawings. Attached Figure Description
[0014] To more clearly illustrate the technical solutions of the embodiments of the present invention, the accompanying drawings used in the embodiments will be briefly introduced below. It should be understood that the following drawings only show some embodiments of the present invention and should not be regarded as a limitation on the scope. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.
[0015] Figure 1 This is a schematic diagram of the overall structure of the attack profiling system based on graph association of the present invention.
[0016] Figure 2 This is a schematic diagram of the logical structure and data organization of the Threat IP Collaborative Architecture Management Module in this invention.
[0017] Figure 3 This is a schematic diagram of the three-dimensional analysis process and collaborative gang identification of the multi-dimensional profile analysis module in this invention.
[0018] Figure 4 This is a schematic diagram of the construction of the four-layer attack correlation model of the graph-based co-structure analysis module in this invention.
[0019] Figure 5 This is a schematic diagram of interactive rendering in this invention. Detailed Implementation
[0020] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are some embodiments of the present invention, but not all embodiments.
[0021] This invention provides an attack profiling system and method based on graph association, aiming to construct a complete technical system encompassing multi-source heterogeneous security data acquisition, standardized modeling, collaborative relationship mining, multi-dimensional profile generation, and automated closed-loop processing. The following will combine... Figure 1 The system architecture and the specific implementation logic of each functional module shown in the diagram provide a detailed explanation of the technical solution of this invention.
[0022] The data access and standardization module, serving as the data entry point for the entire system, undertakes the core task of transforming raw data from various security devices, logging systems, honeypot platforms, and external threat intelligence sources into a structured event stream. This module integrates multiple protocol adapters, corresponding to the Syslog protocol, Kafka message queue, and RESTful API interfaces, to ensure compatibility with the data output formats of mainstream security devices. When raw logs enter the system through any of these channels, the protocol parser first extracts key fields based on a preset syntax template, including but not limited to source IP address, destination IP address, source port, destination port, transport layer protocol type, timestamp, payload feature hash value, and event type identifier. Subsequently, the system calls a unified graph computation data model based on JSON Schema to verify and transform the extracted results. This data model clearly defines the core dimensions required for graph construction and their data type constraints: in the subject and object dimensions, and The field is forcibly defined as the standard String type to uniquely identify the two ends of the network communication; and The field is defined as an Integer type to ensure the consistency of the port number value; the protocol field uses an enumeration type, limiting its value range to standard network protocol identifiers such as TCP (Transmission Control Protocol), UDP (User Datagram Protocol), and ICMP (Internet Control Message Protocol). Regarding the time sequence dimension, The field is defined as a 13-bit Long millisecond timestamp and uniformly converted to Coordinated Universal Time (UTC) to eliminate time misalignment issues caused by differences in time zone settings across different device deployment regions. To address inconsistencies in field naming across logs from different vendors, this module includes a built-in heterogeneous field mapping rule table. This table stores the mapping relationship between the original field name and the target standard field name in key-value pairs. For example, a firewall log might use "source" to represent the source IP, while another IDS system might use "...". (Attacker IP)”, then configure “source→” in the mapping rule table respectively. "and" → The entries are labeled "". After the above cleaning and mapping process, all raw events are transformed into standardized event objects that conform to the unified graph computation data model and output to downstream modules in a streaming manner for subsequent analysis.
[0023] like Figure 2As shown, the Threat IP Collaboration Structure Management module, based on distributed search engine and knowledge graph association technology, achieves structured aggregation and efficient retrieval of threat IPs. This module creates a unique "collaboration structure" object for each threat IP address that first appears in the standardized event stream. This object is persistently stored in the background using a document-oriented database, and its data structure includes three core fields: a basic identifier field, an attribute tag field, and a collaboration association field. The basic identifier field uses the IP address as the primary key and records the IP's first discovery time and most recent activity time to characterize its lifecycle. The attribute tag field stores metadata parsed from external intelligence databases or internal geolocation services, including geographic location (country, region / province, city-level administrative division), home Autonomous System Number (ASN), and network type (e.g., data center, residential broadband, mobile network). The collaboration association field dynamically maintains a list of other entities with potential collaborative relationships with this IP, specifically including a set of source IPs (i.e., other IPs sharing the same C2 server, the same payload hash, or the same scanning pattern) and a set of historical attack event IDs (pointing to specific event records in the standardized event stream). To improve query efficiency, this module creates inverted indexes for the time, geolocation, and attack type fields in the collaborative construct. When the frontend initiates a query request via a RESTful interface, the backend retrieval engine parses the filtering conditions based on Boolean logic combinations (such as AND, OR, NOT) and returns a list of matching collaborative construct objects within milliseconds. For in-depth profiling of a single IP, the system calls the force-guided graph rendering engine to visualize the IP and its associated entities in a node-edge format. Meanwhile, the module has a built-in local copy of the MITRE ATT&CK knowledge base. By traversing the historical attack logs of the IP, it extracts keywords related to operational behaviors (such as "powershell execution", "registry modification", "lateral movement"), etc., and uses a tag matching algorithm based on string matching and semantic similarity calculation to automatically associate the corresponding ATT&CK tactical stages (such as Initial Access, Execution, Persistence, etc.) with specific technical numbers (such as T1059, T1112, T1021, etc.). The matching results are then overlaid as additional tags on the force graph nodes to help security analysts quickly understand the attack intent.
[0024] like Figure 3As shown, the multi-dimensional profiling and analysis module, relying on a graph computing engine and a multi-factor quantification model, deeply characterizes threat IPs from three orthogonal dimensions: attack surface, behavior surface, and intelligence surface. At the attack surface analysis level, the system first constructs a bipartite graph, where one side represents the set of attack source IPs, and the other side represents the set of attacked targets (including real business assets and honeypot nodes). An edge represents an attack event launched by a source IP against a target. Subsequently, the system performs a single-modal projection operation on this bipartite graph to generate an attack source-attack source isomorphic association graph. In this graph, if two different source IPs jointly attack at least one identical honeypot node within a preset time window (e.g., 24 hours), or if their attack payloads have completely identical SHA256 hash values, an undirected edge is established between these two IP nodes. The edge weight... Defined as the number of targets that both parties jointly attack, i.e.:
[0025]
[0026] Where T is the target node set and E is the edge set of the original bipartite graph. After constructing the weighted association graph, the system calls the Louvain algorithm (a community detection algorithm) to cluster the graph. This algorithm identifies node groups with tight internal connections and sparse external connections by maximizing the modularity Q value. The formula for calculating the modularity Q is as follows:
[0027]
[0028] in Let the weight of the edge between nodes i and j be . Let be the weighted degree of node i (i.e., the sum of the weights of all edges connected to it). Let be the weighted degree of node j, and m be the sum of the weights of all edges in the graph. Let i be the community ID to which node i belongs. Let be the community number to which node j belongs, and δ be the Kronecker function (when...). = (1 if the condition is met, 0 otherwise). When the module degree increment of a community exceeds a preset threshold (e.g., 0.3), the system determines that all IPs within that community constitute a potential coordinated attack group and assigns it a unique group identifier (Group ID). At the behavioral analysis level, the system sorts the interaction logs between each IP and the business system in ascending order of timestamps, forming an operation sequence S = [ , , ..., ],in Indicates the behavior type of the k-th operation (e.g., "login"). (File Upload) (Database query, etc.). The system has a built-in Finite State Machine (FSM) for attack behavior, whose state set Q includes Normal, Reconnaissance, Exploitation, and PostExploitation states. The transition function δ: Q × Σ → Q defines the legal transition path of the state under a specific input symbol. When the state transition path triggered by the operation sequence S completely matches the predefined high-risk path in the FSM (such as Normal → Reconnaissance → Exploitation → PostExploitation), the system determines that the IP has high-risk intrusion behavior. In addition, the system also calculates the IP's outbound activity frequency f (the number of outbound connections initiated per unit time) and packet size entropy H as components of its behavioral feature vector. The formula for calculating the entropy H is:
[0029]
[0030] in Let p(s) be the discrete set of all packet sizes sent by this IP, where p(s) is the probability of a packet of size s occurring. At the intelligence surface analysis level, the system integrates internal historical activity data with external threat intelligence (such as VirusTotal (an online virus analysis platform), AlienVault OTX (an open threat exchange platform), and business intelligence subscription services), and uses a linear weighted scoring model to calculate the comprehensive risk value R for each IP. This model includes three core factors: the normalized score of historical activity frequency. (The original frequency is compressed to the [0,1] interval through logarithmic transformation), external intelligence database reputation score (Values range from 0 to 100, linearly scaled to [0,1]), proxy feature analysis (If the IP is identified as a Tor egress node, public proxy, or cloud host, it is assigned a value of 1; otherwise, it is assigned a value of 0). The overall risk value R is determined by the following formula:
[0031]
[0032] in , , For the preset weighting coefficients, satisfying The system outputs the final risk assessment level based on the preset range into which R falls (e.g., [0,0.3] is low risk, [0.3,0.7] is medium risk, and [0.7,1.0] is high risk), and uses this level as the key basis for subsequent handling decisions.
[0033] The graph-based collaborative architecture analysis module, based on attribute graph technology, constructs a four-layer attack correlation model, enabling a leap from discrete events to group profiles. For example... Figure 4 and Figure 5 As shown, the workflow of this module is divided into two stages: graph construction and interactive rendering. During the graph construction stage, the system is configured with an ETL (Extract-Transform-Load) engine, which continuously consumes the standard event stream from the data access and standardization modules. For each event record, the ETL engine performs the following operations: Extract... The field generates a threat entity node, with the node type marked as " (Threat IP)”, with additional attributes (Comprehensive risk value from the multi-dimensional profile analysis module) (Geographic location), ASN (Autonomous System Number), etc.; Extract The field generates an asset entity node, with the node type marked as " (Asset IP), additional attributes (Asset types, such as web servers, databases, IoT devices, etc.); Extraction The field generates an intelligence tag node, with the node type marked as " The "(Threat Tag)" section contains standardized descriptions of attack types (such as "Brute Force," "SQL Injection," "Malware Delivery," etc.). Subsequently, the system creates a directed edge between the threat entity node and the asset entity node, with the edge type "ATTACKS" and an attached timestamp attribute. (SHA256 hash of the attack payload), etc. If the threat IP has been marked as malicious by an external intelligence database, an additional undirected edge is created from the threat entity node to the corresponding intelligence tag node, with the edge type being "". After completing the construction of basic graph elements, the system enters the advanced aggregation stage. In this stage, the system traverses the entire graph and uses the Weakly Connected Component (WCC) algorithm to identify all subsets of nodes connected by paths. For each WCC subgraph, the system further checks whether there are nodes sharing the same attack file hash value or connected to the same C2 server. If so, the WCC is considered a cooperative behavior subgraph, representing a potential attack group. The system calculates a set of aggregated statistical indicators for each cooperative behavior subgraph, including group size (number of nodes), average risk value, geographical distribution entropy, attack technique diversity index, etc., and encapsulates the subgraph structure and all its attributes into an independent JSON graph object as the smallest unit for panoramic analysis. In the interactive rendering stage, the front end uses a WebGL-based graphics rendering engine (such as the commonly used JavaScript graph visualization library Cytoscape.js or G6) to load the cooperative structure data. The color of the nodes is determined by their... Values are dynamically mapped to a red-yellow-green gradient color spectrum, with higher risks appearing more red. The radius of a node is proportional to its degree centrality, reflecting its connectivity activity within the network. The default view only displays the cluster center nodes of each cooperative behavior subgraph (calculated using the PageRank algorithm) to avoid an overly dense initial interface. When a user double-clicks a node, the front-end triggers the adjacency query interface of the back-end graph database (such as Neo4j or JanusGraph) to dynamically retrieve the node's one-hop neighbors (directly associated assets, tags, or other threat IPs) and render them onto the canvas. If the user continues to double-click newly expanded nodes, they can further drill down to two-hop or even three-hop neighbors, achieving a layer-by-layer exploration from the macro-level group view to the micro-level individual behavior.
[0034] The closed-loop analysis and response module, based on SOAR (Security Orchestration, Automation and Response) logic and finite state machine technology, automates the lifecycle management of threat IPs. The system maintains a state machine attribute in the database for each threat IP object, whose state set includes... (Automatic identification status), Pending (awaiting evaluation status), Confirmed (confirmed status) The status transition logic is driven by preset rules: when the comprehensive risk value R of the IP calculated by the multi-dimensional profiling analysis module is greater than the alarm threshold (e.g., 0.7), the system automatically creates a security work order and sets the IP's status to Pending; subsequently, the analysis engine initiates a secondary verification process, with verification conditions including but not limited to: whether the IP appears in at least two independent intelligence sources, whether its behavior sequence matches a high-risk FSM path, and whether the modularity of its collaborating group exceeds the threshold. If all verification conditions are met, the system automatically transitions the status to Confirmed and triggers the automatic handling process; if some conditions are not met but the risk value is still high, the status transitions to Pending. Awaiting manual confirmation from a security analyst; if the risk value is below the threshold, the status remains unchanged. The system only logs information without triggering alarms. For threat IPs with a Confirmed status, the system invokes the policy orchestration engine to perform automated handling. This engine has multiple built-in device control adapters: For next-generation firewalls that support RESTful APIs (such as Palo Alto and Fortinet), the system constructs a JSON command packet containing fields such as action, source_ip (threat IP address), and duration (blocking duration in seconds), and sends it to the firewall's policy management interface via an HTTPS POST request; for older network devices that only support CLI (command-line interface) commands (such as Cisco IOS routers and Huawei switches), the system establishes an encrypted session via SSH (Secure Shell) and automatically executes a pre-configured ACL (Access Control List) configuration script, such as "ip access-list extended BLOCK_THREAT\n deny ip host [threat_ip] any\n permit ip anyany". After the handling is completed, the system listens for the execution result returned by the device: if a successful response is received, the IP status is updated to Blocked; if a timeout occurs or an error code is returned, the status is updated to Failed, and an alarm is generated to notify the operations and maintenance personnel. Furthermore, this module maintains state synchronization with the external Security Operations Center (SOC) platform via a standard northbound data interface. The interface uses the HTTPS protocol and enables OAuth (Open Authorization, an open standard allowing users to authorize third-party applications to access their server resources) 2.0 authentication mechanism to ensure secure communication. When the handling status of any threat IP changes, the system immediately triggers a Webhook (an HTTP callback mechanism used to automatically send data to a specified URL when an event occurs) callback mechanism, pushing structured handling logs to a pre-registered URL on the SOC platform. The push message is in JSON format and includes key fields such as work order number, threat IP address, handling status, and executing device information, ensuring that the upper-layer platform can monitor the handling execution status of the underlying security devices in real time, forming a complete feedback loop.
[0035] To verify the effectiveness of the technical solution of the present invention, a specific embodiment and comparative example are provided below, and comparative analysis is performed through quantitative data.
[0036] In one specific embodiment, the system described in this invention was deployed in the data center environment of a large financial institution. System access sources included 10 next-generation firewalls, 50 web application firewalls, 200 honeypot nodes, an internal SIEM (Security Information and Event Management) log platform, and 3 external threat intelligence sources. During a 30-day observation period, the system processed 120 million raw security events, generating 86 million valid event streams after standardization. The multi-dimensional profiling analysis module identified a total of 12,450 high-risk IPs, among which 87 potential attack groups were discovered through attack surface collaborative analysis, with an average group size of 18.3 IPs. The graph-based collaborative structure analysis module successfully aggregated 76 of these groups into independent collaborative behavior subgraphs, enabling visual drill-down in an interactive interface. The closed-loop assessment and handling module automatically created 11,890 work orders, of which 9,320 (78.4%) were automatically blocked after secondary verification, with an average handling delay of 4.2 seconds; the remaining 2,570 went into the manual review process, and ultimately 2,150 were manually blocked after the threat was confirmed. Throughout the entire cycle, the system successfully intercepted 12 simulated attacks from known APT (Advanced Persistent Threat) groups, with an average early warning time of 36 hours before the actual attack occurred.
[0037] As a comparison, a traditional security analysis platform based on rule matching and isolated IP scoring was run in parallel in the same environment. This platform only interfaces with firewall and SIEM logs, lacking honeypot data, external intelligence, and the ability to uncover collaborative relationships. Within the same 30-day period, the platform generated 28,600 alerts, 98% of which were isolated IP alerts, failing to identify any coordinated attack groups. Human analysts had to review each alert individually, with an average processing time of 12 minutes per alert, resulting in a total manpower cost equivalent to 5.8 person-months. In APT simulated attack tests, the platform's average alert time was 2.1 hours before the attack occurred, with a false negative rate of 41.7%.
[0038] The table below summarizes the comparison results of key performance indicators between the embodiments of the present invention and the traditional platform:
[0039] Indicator Item This invention Traditional Platform Total number of events processed (in ten thousand) 8600 7200 High-risk IP identification numbers 12450 28600 (including numerous false alarms) Number of coordinated attack groups identified 87 0 Automation rate 78.4% 0% Average processing delay 4.2 seconds N / A (All manual labor) Average warning lead time for APT attacks 36 hours 2.1 hours APT attack false alarm rate 8.3% 41.7% Manual analysis workload (person-month) 0.9 5.8
[0040] The above data shows that by constructing a unified semantic model, introducing a graph-based collaborative relationship mining mechanism, and realizing a fully automated closed loop, this invention significantly improves the accuracy of threat identification, the depth of gang discovery, and the timeliness of response and handling, while greatly reducing the manpower burden of security operations.
[0041] In summary, the attack profiling system and method based on graph association described in this invention achieves an end-to-end technology chain from raw data to intelligent decision-making through the organic synergy of five core modules. The system can not only perform multi-dimensional and in-depth characterization of individual threat IPs, but also reveal the collaborative attack networks hidden behind massive logs, providing solid technical support for addressing advanced persistent threats and complex group attacks.
[0042] The above description is merely a preferred embodiment of the present invention and is not intended to limit the invention. Various modifications and variations can be made to the present invention by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.
Claims
1. An attack profiling system based on graph association, characterized in that, It includes a data access and standardization module, a threat IP collaborative structure management module, a multi-dimensional profiling and analysis module, a graph-based collaborative structure analysis module, and a closed-loop analysis and handling module; The data access and standardization module collects multi-source heterogeneous data in real time through a multi-protocol adapter, and uses a unified graph computing data model based on JSON Schema to clean and format the collected data, outputting a structured standard event stream. The threat IP collaboration structure management module constructs a collaboration structure object for each unique threat IP. The collaboration structure object is stored in the background database as a document with a nested structure to support index-based fast filtering and profiling. The multi-dimensional profiling analysis module is based on a graph computing engine and a multi-factor quantification model. It constructs a deep collaborative profile from three dimensions: attack surface, behavior surface, and intelligence surface, identifies potential collaborative attack groups, and calculates the final risk level. The graph-based collaborative architecture analysis module constructs an attack correlation model based on attribute graph technology, maps standard event flows to graph elements, and uses graph algorithms to mine closely connected node groups in the graph, aggregating discrete nodes into collaborative behavior subgraphs. The closed-loop assessment and handling module implements closed-loop management of the threat lifecycle based on SOAR logic and finite state machine technology. The system maintains a state machine attribute for each threat IP object, and its state transition logic includes automatic identification state, assessment and evaluation state, and handling execution state. When the IP risk score is greater than the alarm threshold, a work order is automatically created and the assessment process is triggered. For confirmed threat IPs, the system calls the control interface of heterogeneous security devices through the policy orchestration engine to perform automated handling. The structure of the collaborative architecture object includes a basic identifier field, an attribute tag field, and a collaborative association field. The basic identifier field contains the IP address as the primary key, the first discovery time, and the most recent active time. The attribute tag field contains geographic location information, the home operator ASN number, and the network type. The collaborative association field stores a list of source IPs associated with this IP or a set of historical attack event IDs. The threat IP collaborative architecture management module establishes an inverted index for the time field, geographic location field, and attack type field in the collaborative architecture to support fast filtering based on Boolean logic combination filtering conditions. The threat IP collaborative architecture management module has a built-in MITRE ATT&CK knowledge base, which extracts attack feature keywords by traversing the historical attack logs of threat IPs and automatically associates the corresponding tactical stage and technical number using a tag matching algorithm. In attack surface analysis, the multi-dimensional profiling module constructs an attack source-target bipartite graph and projects it into an attack source-attack source isomorphic association graph. If different source IPs attack the same target or use the same payload hash value within a preset time window, an edge is established between the two IP nodes, with the edge weight proportional to the number of common attack targets. Specifically, a community detection algorithm is used to cluster the attack source-attack source isomorphic association graph. When the modularity of nodes within a community exceeds a preset threshold, all IPs within that community are identified as potential coordinated attack groups. The formula for calculating the modularity is: in, Let the weight of the edge between nodes i and j be . Let be the weighted degree of node i. Let be the weighted degree of node j, and m be the sum of the weights of all edges in the graph. Let i be the community ID to which node i belongs. Let δ be the community number to which node j belongs, and let δ be the Kronecker function; In behavioral analysis, the multi-dimensional profiling module transforms the interaction logs between the IP and the business system into operation sequences by sorting them chronologically. It also incorporates a built-in finite state machine for attack behavior. When the state transition path of the operation sequence matches a high-risk path defined by the finite state machine, the IP is determined to have high-risk intrusion behavior. The multi-dimensional profiling module also records the IP's outbound activity frequency and packet size entropy as behavioral feature vectors. The formula for calculating the packet size entropy H is: in, Let p(s) be the discrete set of all data packet sizes sent by this IP address, where p(s) is the probability of a data packet of size s appearing. In intelligence analysis, the multi-dimensional profiling module integrates internal and external intelligence data and uses a linear weighted scoring model to calculate the final risk level. The linear weighted scoring model includes three core factors: normalized score of historical activity frequency, reputation score of external intelligence database, and agent characteristic score. The comprehensive risk value R is determined by the sum of the products of each factor and its corresponding preset weight coefficient. The system outputs the final risk judgment level based on the preset range in which the comprehensive risk value falls.
2. The attack profiling system based on graph association according to claim 1, characterized in that, The unified graph computing data model defines the core dimensions and field constraints for graph construction, wherein the subject and object dimensions define the source IP address and destination IP address as string types, the source port and destination port as integer types, and the protocol as an enumeration type; The time-series dimension defines the Coordinated Universal Time (UTC) timestamp as a 13-bit long integer millisecond timestamp; the data access and standardization module has a built-in pre-set heterogeneous field mapping rule table, which is used to map non-standard key values in the original data to standard fields of the unified graph computing data model; the multi-protocol adapter supports Syslog protocol, Kafka message queue and RESTful API interface.
3. The attack profiling system based on graph association according to claim 1, characterized in that, In the graph construction phase, the graph-based co-construction analysis module maps standard event streams into graph elements through an ETL transformation engine, extracting key information from the events. Generate threat entity nodes and extract them. Generate asset entity nodes, extract event types to generate intelligence tag nodes, and create directed edges between the threat entity node that launched the attack and the asset entity node that was attacked. In the advanced aggregation stage, the weakly connected component algorithm is used to mine closely connected node groups in the graph, and all discrete nodes connected by the same attack file hash value or the same C&C server are aggregated into a cooperative behavior subgraph; in the interactive rendering stage, the front end uses a web graphics library graphics rendering engine to load the cooperative structure data, dynamically maps the rendering color according to the risk value of the node, and maps the node radius size according to the number of connections of the node. The default view only displays the center node of the face-level cluster. When the user double-clicks a node, it triggers an adjacency query in the backend graph database, dynamically expanding the one-hop or multi-hop neighbors of that node.
4. The attack profiling system based on graph association according to claim 1, characterized in that, In the closed-loop analysis and handling module, the policy orchestration engine constructs a JSON instruction package containing action instructions, source IP address and duration for next-generation firewalls that support RESTful APIs and sends the blocking policy through an HTTPS POST request; for network devices that support CLI command line, it establishes a connection through the SSH protocol and automatically executes the pre-set ACL configuration script.
5. The attack profiling system based on graph association according to claim 1, characterized in that, The closed-loop analysis and handling module further maintains status synchronization with the external security operations center through a standard northbound data interface; the interface adopts the HTTPS protocol and enables the OAuth 2.0 authentication mechanism; when the handling status of the threat IP changes, a Webhook callback mechanism is triggered to push a structured handling log containing the work order number, threat IP address, handling status and execution device information to a specified URL on the external platform.
6. An attack profiling method based on graph association, characterized in that, Applied to the system as described in any one of claims 1 to 5, the method comprises: Through the data access and standardization module, multi-source heterogeneous security data is collected using a multi-protocol adapter, and cleaned and formatted based on a predefined unified graph computation data model to output a standard event stream; The Threat IP Collaborative Structure Management module creates and maintains a collaborative structure object for each emerging threat IP. The collaborative structure object contains basic identifiers, attribute tags, and collaborative association information, and supports fast index-based retrieval and in-depth profile display based on knowledge base. The multi-dimensional profiling and analysis module analyzes threat IPs from three dimensions: attack surface, behavior surface, and intelligence surface. On the attack surface, it constructs and analyzes attack source association graphs to identify coordinated attack groups. On the behavior surface, it matches operation sequences based on finite state machines to determine high-risk intrusion behaviors. On the intelligence surface, it integrates multi-source data to calculate the comprehensive risk level. The graph-based collaborative architecture analysis module converts standard event streams into attribute graphs, constructs an attack association model that includes threat entities, asset entities, and intelligence tag nodes, and aggregates collaborative behavior subgraphs using graph algorithms, which are then visualized and drilled down through an interactive interface. Through the closed-loop assessment and handling module, the lifecycle status of threat IPs is managed based on a finite state machine. The assessment process is automatically triggered according to the risk score, and the confirmed threat IPs are automatically handled across heterogeneous security devices. At the same time, the handling status is synchronized to the external security operations platform.