Dynamic policy-based configuration baseline intelligent auditing system and method

By adopting a dynamic strategy-based intelligent auditing method for configuration baselines, the problems of multi-source heterogeneity, audit logic limitations, and insufficient risk prediction in configuration baseline auditing are solved. This achieves efficient and accurate configuration baseline auditing and remediation solutions, ensuring system security and privacy protection.

CN122152352APending Publication Date: 2026-06-05SICHUAN RONGKE ZHILIAN TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SICHUAN RONGKE ZHILIAN TECH CO LTD
Filing Date
2026-03-04
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing technologies have several drawbacks in baseline configuration review, including heterogeneous configuration formats from multiple sources, limitations in review logic, lack of scientific rigor in risk prediction and prioritization, single risk rating dimensions with insufficient verification, difficulty in balancing data privacy protection and global result consistency, and insufficient targeted remediation solutions.

Method used

A configuration baseline intelligent auditing method based on dynamic strategies is adopted, including standardized preprocessing, rule-data dual-drive knowledge graph matching, lightweight time series analysis, lightweight federated architecture and causal inference model. Through binary probability vector encoding, configuration entropy calculation, CVSS scoring and isolation sandbox verification, a structured audit report is generated.

Benefits of technology

It achieves format normalization and redundancy cleanup of configuration baselines from different sources, improves the processing efficiency of large-scale configuration baselines, enhances the accuracy and generalization of risk identification, ensures the consistency and privacy security of global audit results, and optimizes the targeting of resource allocation and remediation solutions.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122152352A_ABST
    Figure CN122152352A_ABST
Patent Text Reader

Abstract

The application discloses a dynamic policy-based configuration baseline intelligent auditing system and method, relates to the technical field of configuration baseline intelligent auditing, and comprises the following steps: standardizing and preprocessing a configuration baseline to be examined; constructing a time sequence trajectory graph based on a configuration baseline change record, predicting a potential risk trigger probability by adopting a lightweight time sequence analysis model, and generating an auditing priority list by combining configuration entropy and risk weight; simulating a preset attack scene in an isolated sandbox, verifying the defense resilience of the configuration baseline, and completing risk grading by combining a CVSS score. Through the standardization preprocessing step, the application realizes format normalization and redundant cleaning of configuration baselines from different sources, effectively solves the multi-source configuration heterogeneity problem, reduces errors caused by manual intervention, lays a precise data foundation for subsequent auditing links, and significantly improves the processing efficiency of large-scale configuration baselines.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of intelligent baseline auditing technology, and in particular to an intelligent baseline auditing system and method based on dynamic strategies. Background Technology

[0002] In the process of informatization and digital transformation, the configuration baselines of various systems serve as the core foundation for ensuring the safe and stable operation of systems, making their compliance and security audits increasingly critical. Configuration baselines encompass multiple core dimensions, including system permission settings, port opening policies, and data encryption parameters, and they exhibit frequent changes due to dynamic business adjustments. Traditional configuration baseline auditing methods are gradually revealing numerous shortcomings.

[0003] First, the heterogeneity of configuration formats from multiple sources is a prominent issue. The configuration baselines for different deployment scenarios are complex, with cloud platforms, local servers, and containers all using different formats. Traditional manual preprocessing methods are inefficient and prone to introducing audit biases due to format conversion errors, making it difficult to meet the needs of rapid auditing of large-scale configurations.

[0004] Secondly, the review logic has limitations. Existing technologies mostly adopt a single review logic, and the review method that relies solely on expert rules lacks flexibility and cannot cope with new risk scenarios; the review method that relies solely on data-driven approaches lacks rigid rule constraints, and is prone to insufficient accuracy in compliance verification, making it difficult to balance the rigor and generalization of the review.

[0005] Furthermore, risk prediction and prioritization lack scientific rigor. Traditional methods often rely on current configuration snapshots for risk assessment, ignoring the temporal change trajectory of the configuration baseline and failing to effectively predict potential risks. Prioritization often depends on subjective experience and lacks a quantitative assessment system, resulting in high-risk configuration items not being prioritized and reducing audit response efficiency.

[0006] Meanwhile, risk rating dimensions are too simplistic and lack sufficient verification. Existing risk assessments mostly rely solely on CVSS basic scores without incorporating verification results from actual attack scenarios. This leads to discrepancies between risk level classifications and real threat situations, making it difficult to accurately reflect the defensive resilience of the configuration baseline.

[0007] In distributed auditing scenarios, balancing data privacy protection with global result consistency is difficult. Traditional centralized auditing architectures require aggregating the original configuration data of each node, posing a risk of data leakage; while simple distributed auditing lacks an effective result fusion mechanism, making it prone to distortion of global results due to differences in node auditing standards.

[0008] Furthermore, the remediation solutions lack specificity. Existing technologies often provide superficial remediation suggestions without delving into the root causes of the risks, and lack verification of the remediation effectiveness, which may lead to new system problems arising from the remediation operations. Summary of the Invention

[0009] To address the aforementioned technical problems, this invention provides a configuration baseline intelligent auditing system and method based on dynamic strategies. The technical solution adopted is as follows: The intelligent auditing method for configuration baselines based on dynamic policies includes the following steps: Step 1: Standardize and preprocess the configuration baseline to be reviewed; Step 2: Encode the preprocessed core configuration items into binary probability vectors, call the rule data dual-drive knowledge graph to complete the configuration baseline matching, and initially identify the violations and potential associated risks; Step 3: Construct a time-series trajectory map based on the configuration baseline change record, use a lightweight time-series analysis model to predict the probability of triggering potential risks, and generate an audit priority list by combining configuration entropy and risk weight; Step 4: Simulate preset attack scenarios in an isolation sandbox to verify the baseline defense resilience and complete the risk assessment based on the CVSS score; Step 5: A lightweight federated architecture is adopted, in which basic audits are completed through local audit agent nodes and feature parameters are shared. The central node performs weighted fusion to generate global audit results.

[0010] Optionally, step 6 is also included: based on the causal inference model, locate the root cause of the risk, generate a remediation plan that includes remediation operations, impact assessment and sandbox verification results, and integrate the results of all stages to output a structured audit report.

[0011] Optionally, in step 2, the expression for the binary probability vector is set as follows: ; The calculation formula is: ; ; in The value ranges from 0 to 1, representing the degree to which a configuration item conforms to the expert rules. It is calculated by directly matching the symbolic rules in the knowledge graph. If it fully conforms, it is 1; if it completely violates, it is 0. The security probability of the configuration item is based on historical data, with a value range of 0-1. It is calculated through a logistic regression model, and the input is the security event occurrence rate of the same configuration in the past 3 months. α is the rule weight coefficient, with a value ranging from 0.6 to 0.8, and is dynamically adjusted according to the industry type.

[0012] Optionally, the formula for calculating entropy in step 3 is: ; Where H is the configuration entropy, with a value ranging from 0 to... N represents the total number of configuration items; a higher value indicates a more chaotic configuration. is the state discreteness of the i-th configuration item, with a value range of 0-1.

[0013] Optionally, the formula for calculating the review priority in step 3 is: ; in: The value ranges from 0 to 5, indicating the priority of review; higher values ​​indicate higher priority. This represents the probability of triggering a potential risk. Risk weighting For the current configuration entropy, The maximum configuration entropy threshold for the target system.

[0014] Optionally, the formula for quantifying the risk level in step 4 is as follows: ; To quantify and score risk, For CVSS basic score; The attack scenario matching score ranges from 0 to 10 and is calculated by dividing the total number of successful attempts in the sandbox by the total number of attempts. As the weighting for CVSS scores, Match weights to attack scenarios; Risk levels are categorized by score: 8.0-10.0 is considered catastrophic risk, 6.0-7.9 is considered high risk, 4.0-5.9 is considered medium risk, 0.1-3.9 is considered low risk, and 0 is considered observation level.

[0015] Optionally, the expression for the weighted stock mechanism in step 5 is: ; in The result is a quantitative assessment of the overall review, with a value range of 0-1, where 1 indicates full compliance and 0 indicates complete non-compliance. Let be the weight of the k-th proxy node; This represents the local audit result of the k-th proxy node; m represents the total number of agent nodes participating in the collaborative review.

[0016] A configuration baseline intelligent auditing system based on dynamic policies is used to implement a configuration baseline intelligent auditing method based on dynamic policies. The system includes an input adaptation module, a preprocessing module, a core processing module, an output module, and an iterative optimization module. The input adaptation module is used to receive the dynamic policy configuration baseline to be reviewed and to complete the format compatibility processing; The preprocessing module communicates with the input adaptation module to perform format normalization, redundancy removal, and key information annotation of the configuration baseline. The core processing module is communicatively connected to the preprocessing module. The core processing module includes a probabilistic coding unit, a knowledge graph matching unit, a temporal risk analysis unit, a lightweight adversarial detection sandbox, a federated collaborative review unit, and a causal tracing and remediation scheme generation unit. The output module communicates with the core processing module to generate structured audit reports and provide log traceability functionality; The iterative optimization module communicates with the core processing module to automatically update the knowledge graph and risk prediction rules based on the audit results.

[0017] Optionally, the probability encoding unit calculates the security probability vector of the configuration item using the formula described in claim 3 and outputs it to the knowledge graph matching unit.

[0018] Optionally, the time-series risk analysis unit calculates the configuration entropy using the formula described in claim 4, and generates an audit priority list using the formula described in claim 5; The lightweight adversarial detection sandbox calculates a risk score using the formula described in claim 6 and maps it to a risk level, which is then output to the federal collaborative review unit. The federal collaborative audit unit integrates the distributed audit results using the formula described in claim 7 to generate a global compliance conclusion.

[0019] In summary, the present invention has at least one of the following beneficial technical effects: This invention provides a configuration baseline intelligent review system and method based on dynamic strategies. Through standardized preprocessing steps, it normalizes the format of configuration baselines from different sources and cleans up redundancy, effectively solving the problem of heterogeneous configurations from multiple sources, reducing errors caused by manual intervention, laying a precise data foundation for subsequent review processes, and significantly improving the processing efficiency of large-scale configuration baselines.

[0020] By combining binary probabilistic vector coding with rule-based data-driven knowledge graphs, we can ensure the rigid requirements of compliance audits through expert rules, while also mining implicit risk associations from historical data. This approach enables risk identification to be both accurate and generalizable, adapting to the dynamic configuration audit needs of different industries.

[0021] A time-series trajectory map is constructed based on configuration baseline change records. A lightweight time-series analysis model is used to predict the probability of triggering potential risks. At the same time, configuration entropy is introduced to quantify the degree of configuration disorder. A review priority calculation model is constructed through multi-dimensional parameters to ensure that high-risk and high-priority configuration items are processed first, thereby improving the utilization efficiency of review resources.

[0022] We construct a risk quantification model that integrates CVSS basic scores with attack scenario matching. By simulating real attack scenarios in an isolation sandbox, we verify the configuration of defense resilience, avoid the bias caused by single-dimensional assessment, make the risk level classification more in line with the actual threat situation, and provide accurate basis for risk response.

[0023] Employing a lightweight federated architecture, each agent node only shares characteristic parameters rather than the original configuration data, effectively ensuring data privacy and security. At the same time, a weighted fusion mechanism integrates distributed audit results to solve the problem of differences in node audit standards, ensuring the consistency and accuracy of global audit results. Attached Figure Description

[0024] Figure 1 This is a flowchart illustrating the intelligent auditing method for configuration baselines based on dynamic strategies according to the present invention. Detailed Implementation

[0025] The present invention will be further described in detail below with reference to the accompanying drawings.

[0026] This invention discloses a configuration baseline intelligent auditing system and method based on dynamic strategies.

[0027] Reference Figure 1 Example 1, a configuration baseline intelligent auditing method based on dynamic policies, includes the following steps: Step 1: Standardize and preprocess the configuration baseline to be reviewed; Step 2: Encode the preprocessed core configuration items into binary probability vectors, call the rule data dual-drive knowledge graph to complete the configuration baseline matching, and initially identify the violations and potential associated risks; Step 3: Construct a time-series trajectory map based on the configuration baseline change record, use a lightweight time-series analysis model to predict the probability of triggering potential risks, and generate an audit priority list by combining configuration entropy and risk weight; Step 4: Simulate preset attack scenarios in an isolation sandbox to verify the baseline defense resilience and complete the risk assessment based on the CVSS score; Step 5: A lightweight federated architecture is adopted, in which basic audits are completed through local audit agent nodes and feature parameters are shared. The central node performs weighted fusion to generate global audit results.

[0028] Example 2 also includes step 6, which involves locating the root cause of the risk based on the causal inference model, generating a remediation plan that includes remediation operations, impact assessment and sandbox verification results, and integrating the results of all stages to output a structured audit report.

[0029] By employing the aforementioned technical solutions, configuration baselines come from a wide range of sources (such as cloud platforms, local servers, and containers), naturally leading to issues like heterogeneous formats, data redundancy, and information clutter, directly impacting the accuracy and efficiency of subsequent reviews. This step addresses these issues by using format normalization technology to convert configuration data from different formats into a unified standard format, eliminating parsing obstacles caused by format differences; by removing redundancy and noise, invalid comments, duplicate parameters, and other non-core information, reducing data interference; and by annotating key information, locating core fields related to security and compliance, providing a precise data foundation for subsequent targeted reviews, and ensuring the smoothness of the review process from the outset.

[0030] Traditional single-logic auditing logic struggles to balance compliance rigidity with scenario generalization capabilities. Therefore, a rule- and data-driven dual-engine mechanism is adopted. Binary probability vector coding quantifies the security and risk probabilities of configuration items, overcoming the limitations of absolute black-and-white judgments and accurately reflecting the uncertainty of configuration security status. The rule- and data-driven dual-engine knowledge graph integrates symbolic expert rules with implicit relationships driven by data. Expert rules ensure the authority and rigidity of compliance audits, while historical data mining captures potential risk correlations between configurations. Through precise matching of coding results and the knowledge graph, explicit violations are quickly identified, and potential risks are initially identified, balancing audit accuracy with scenario adaptability.

[0031] The dynamic nature of configuration baseline changes means that static snapshot-based audits cannot predict potential risks, and traditional subjective prioritization can easily lead to resource misallocation. This step constructs a time-series trajectory diagram based on configuration change records, fully reconstructing the change patterns of configurations throughout their lifecycle (such as change frequency, subject, and scope), providing a time-series dimension to support risk prediction; a lightweight time-series analysis model uses the correlation between historical change data and risk events to predict the probability of future potential risk triggers; configuration entropy quantifies the degree of disorder in the configuration system, reflecting the stability and controllability of the configuration; combined with risk weights (set based on the degree of business impact), a quantitative formula is used to calculate audit priorities, ensuring that high-risk, high-impact, and high-disorder configuration items are processed first, optimizing the efficiency of audit resource allocation.

[0032] Relying solely on the Common Vulnerability Score (CVSS) for risk assessment lacks integration with actual configuration scenarios, making it prone to rating bias. This step constructs a secure simulation environment through an isolated sandbox to prevent attack testing from impacting the production system. Simultaneously, it simulates real attack behaviors based on a pre-defined attack scenario library to obtain actual defense resilience data (i.e., attack scenario matching degree) for the configuration baseline. The CVSS base score (reflecting the inherent risk of vulnerabilities) and the attack scenario matching degree (reflecting actual defense capabilities) are weighted and integrated to form a comprehensive risk score. Risk levels are then categorized according to the score range, ensuring that risk assessment more closely matches the actual security status of the configuration and providing a precise basis for risk response.

[0033] The cross-regional and cross-organizational nature of distributed systems presents a dual challenge to both privacy protection and result consistency in auditing. The lightweight federated architecture employs a local processing, parameter-sharing model. Each agent node completes basic auditing locally, sharing only feature parameters, not raw configuration data, with the central node, thus ensuring data privacy and security at the transmission level. The central node assigns weights based on the importance of node business operations and integrates the audit results from each node using a weighted fusion algorithm. This resolves conflicts caused by differences in auditing standards across different nodes, ensuring the consistency and authority of the overall audit results and balancing privacy protection with audit effectiveness.

[0034] Traditional remediation solutions often address surface symptoms, lacking root cause analysis and effectiveness verification, which can easily lead to recurring problems or introduce new risks. This step, based on a causal inference model, constructs the causal chain of the risk problem, eliminates irrelevant factors, and accurately identifies the core cause of the risk. The remediation solution is pre-executed and verified in a sandbox environment to assess its impact on system stability and business availability, preventing secondary problems caused by the remediation operation. The results of each stage of the review are integrated to generate a structured report, clearly presenting compliance conclusions, risk details, remediation steps, and verification results, forming a complete closed loop of review-root cause analysis-remediation-verification, improving the pertinence and feasibility of risk management.

[0035] Example 3, in step 2, the binary probability vector expression is set as: ; The calculation formula is: ; ; in The value ranges from 0 to 1, representing the degree to which a configuration item conforms to the expert rules. It is calculated by directly matching the symbolic rules in the knowledge graph. If it fully conforms, it is 1; if it completely violates, it is 0. The security probability of the configuration item is based on historical data, with a value range of 0-1. It is calculated through a logistic regression model, and the input is the security event occurrence rate of the same configuration in the past 3 months. α is the rule weight coefficient, with a value ranging from 0.6 to 0.8, and is dynamically adjusted according to the industry type.

[0036] By adopting the above technical solution, the binary probability vector uses P(secure) and P(vulnerable) to represent the security probability and risk probability of a configuration item, respectively. Based on probabilistic complementarity, they form a complete security status description system, avoiding the information bias caused by single-dimensional assessment. The calculation of P(secure) employs a weighted fusion model, balancing the influence weights of expert rules and historical data through the rule weight coefficient α, adapting to the audit requirements of different scenarios.

[0037] Srule, as a quantitative indicator of the degree to which a configuration item conforms to expert rules, is derived from symbolic compliance standards and security rules in a knowledge graph. The direct matching calculation method ensures the authority and rigidity of the audit, ensuring that core compliance requirements are not breached, which is key to maintaining the audit baseline.

[0038] Sdate focuses on the actual operational security performance of configuration items. It analyzes the occurrence rate of security events for similar configurations over the past three months using a logistic regression model, uncovers hidden security patterns in historical data, and obtains security probabilities based on actual scenarios. This compensates for the scenario lag that may exist in expert rules and improves the ability of audits to adapt to dynamic risks.

[0039] The rule weight coefficient α is set in the range of 0.6 to 0.8 and supports dynamic adjustment according to industry type. This design fully considers the compliance characteristics of different industries: for industries such as finance and government affairs with extremely high requirements for rule rigidity, a higher α value can be selected to strengthen the leading role of expert rules; for industries such as the Internet with rapid business iteration and changing scenarios, the α value can be appropriately reduced to allow the actual risk patterns reflected by historical data to play a greater role and achieve a dynamic balance between rule rigidity and scenario flexibility.

[0040] P(vulnerable) is calculated from the difference between 1 and P(secure). Based on the fundamental logic that the total probability is 1, a precise correspondence is formed between the secure state and the risk state. This provides a clear quantitative basis for subsequent baseline matching and risk identification, ensuring the scientific nature and consistency of risk assessment.

[0041] Example 4, the formula for calculating entropy in step 3 is: ; Where H is the configuration entropy, with a value ranging from 0 to... N represents the total number of configuration items; a higher value indicates a more chaotic configuration. is the state discreteness of the i-th configuration item, with a value range of 0-1.

[0042] Example 5, the formula for calculating the review priority in step 3 is: ; in: The value ranges from 0 to 5, indicating the priority of review; higher values ​​indicate higher priority. This represents the probability of triggering a potential risk. Risk weighting For the current configuration entropy, The maximum configuration entropy threshold for the target system.

[0043] By adopting the above technical solution, the degree of disorder in the state distribution of configuration items directly affects the maintainability and security risk level of the system. The higher the disorder, the more likely configuration conflicts and missing vulnerabilities will occur. The calculation formula achieves a quantitative transformation of this degree of disorder by performing a weighted logarithmic operation on the state dispersion of various configuration items.

[0044] in, The state discreteness of the i-th configuration item accurately reflects the distribution proportion and consistency of this type of configuration in the overall system. Its value range is limited to 0 to 1, ensuring that the description of the state of a single configuration category has standardized characteristics. This is achieved by analyzing all configuration items... and The product of these factors is summed and inverted to obtain the configuration entropy H. This calculation logic enables H to comprehensively cover the state characteristics of all configuration categories, avoiding misjudgment of the overall situation by a single category of configuration state.

[0045] The value of the configuration entropy H is defined as ranging from 0 to... Between H and N, where N is the total number of configuration items, this range is designed to fit practical application scenarios: when H approaches 0, it indicates that the states of various configuration items are evenly distributed and highly consistent, and the system configuration is in a highly ordered state; when H approaches 0, it indicates that the total number of configuration items is between N and N, where N is the total number of configuration items. When the status of configuration items is extremely uneven and significantly different, the system configuration is in a highly chaotic state, which intuitively presents the overall health of the configuration.

[0046] The calculation model for review priorities integrates three core dimensions: risk probability, business impact, and configuration status, breaking through the limitations of traditional subjective ranking and forming an objective and quantifiable priority assessment system.

[0047] As a potential risk trigger probability, it focuses on the likelihood dimension of risk occurrence and is predicted based on the correlation between historical change data and risk events through a lightweight time series analysis model. This provides core support for priority calculation at the level of risk occurrence probability, ensuring that configuration items that are more likely to cause risks are dealt with first.

[0048] As a risk weight, it focuses on the business impact dimension of risk and sets the risk weight according to the degree of impact of different risk types on core business objectives such as business continuity and data security. It reflects the actual business need that "the greater the risk impact, the higher the priority level", and makes the priority ranking closely linked to business value.

[0049] and The ratio focuses on the state dimension of the configuration itself, where For the current configuration entropy, The maximum configuration entropy threshold for the target system (set based on industry benchmarks or historical best data) is used to visually reflect the deviation of the current configuration disorder from the reasonable boundary of the industry. The closer the disorder is to the threshold, the greater the potential threat to system security, and the higher the review priority will be.

[0050] By , and Multiplying these three factors together organically integrates the three core dimensions, ultimately yielding an approval priority value ranging from 0 to 5. The setting of this value range enables clear gradient differentiation of priorities, making it easier for reviewers to quickly identify high-priority tasks. At the same time, the quantitative calculation logic ensures that the priorities of different configuration baselines are comparable horizontally, providing precise guidance for the reasonable allocation of review resources.

[0051] Example 6, the formula for quantifying the risk level in step 4 is: ; To quantify and score risk, For CVSS basic score; The attack scenario matching score ranges from 0 to 10 and is calculated by dividing the total number of successful attempts in the sandbox by the total number of attempts. As the weighting for CVSS scores, Match weights to attack scenarios; Risk levels are categorized by score: 8.0-10.0 is considered catastrophic risk, 6.0-7.9 is considered high risk, 4.0-5.9 is considered medium risk, 0.1-3.9 is considered low risk, and 0 is considered observation level.

[0052] By adopting the above technical solution, the risk level quantification formula comprehensively covers the inherent risk of vulnerabilities and the actual defense capabilities configured through a weighted fusion of two core assessment indicators, forming a scientific risk quantification score. Among them, the CVSS basic score, as a core indicator of the general vulnerability scoring standard, can objectively reflect the inherent risk attributes of the vulnerability itself, covering key dimensions such as attack vectors, attack complexity, and privilege requirements. It provides basic data support with industry universality and authority for risk quantification, ensuring the consistency of risk assessment benchmarks.

[0053] Attack Scenario Matching focuses on the defensive performance of the configuration baseline in real-world application scenarios. It simulates a real attack environment through an isolated sandbox, avoiding any impact on production systems from testing. Its value is calculated based on the ratio of successful attacks in the sandbox to the total number of attempts, and is standardized to a range of 0 to 10. This value directly reflects the strength of the configuration baseline's ability to resist actual attacks, compensating for the shortcomings of CVSS basic scoring, which only focuses on the vulnerability itself and is detached from specific configuration scenarios, making risk assessment more closely aligned with real-world application situations.

[0054] The CVSS scoring weight and attack scenario matching weight serve as adjustment coefficients, dynamically balancing the influence of the two assessment dimensions according to the needs of different audit scenarios. For example, in the audit of general systems, the CVSS scoring weight can be increased to highlight the importance of the inherent risks of vulnerabilities; in the audit of customized business systems, the attack scenario matching weight can be increased to strengthen the impact of actual defense capabilities on risk rating, making the risk quantification system flexible and adaptable to different scenarios.

[0055] The risk levels are divided into five distinct ranges based on quantitative scores, forming a clear risk gradient. The scoring ranges for critical, high, medium, and low risk levels provide clear priority guidance for risk response, facilitating auditors to quickly identify and prioritize high-risk situations. The observation level is set for configuration items that do not directly trigger attacks but have potential vulnerabilities, achieving comprehensive risk coverage and refined management, preventing potential risks from being overlooked, and providing a complete basis for subsequent risk monitoring and handling.

[0056] The entire technical solution, through the integration of two-dimensional indicators, dynamic adjustment of weights, and clear classification of levels, not only ensures the industry universality of risk assessment but also takes into account the particularity of specific configuration scenarios. This enables the risk level classification to accurately match the actual security status of the configuration baseline, providing scientific support for the formulation of subsequent risk response strategies and the rational allocation of audit resources.

[0057] Example 7, the expression for the weighted stock mechanism in step 5 is: ; in The result is a quantitative assessment of the overall review, with a value range of 0-1, where 1 indicates full compliance and 0 indicates complete non-compliance. Let be the weight of the k-th proxy node; This represents the local audit result of the k-th proxy node; m represents the total number of agent nodes participating in the collaborative review.

[0058] By adopting the above technical solution, in the distributed audit architecture, multiple proxy nodes are responsible for auditing the configuration baselines of different regions or business modules. The business importance, data quality, and audit capabilities of each node naturally differ. If a simple averaging method is used to merge the results, the audit value of core nodes will be weakened, or the biased data from edge nodes will lower the accuracy of the overall results. The weighted mechanism introduces node weights. This allows nodes with higher importance (such as those carrying core business functions) to have a greater impact on the overall results, ensuring that the overall results match the actual business priorities.

[0059] Local audit results of each proxy node Based on independent calculations of local data, the value range is limited to 0 to 1, which quantifies the compliance level from the perspective of a single node (1 is fully compliant, 0 is completely non-compliant) and avoids cross-node transmission of original configuration data, thus ensuring data privacy and security from the source.

[0060] The formula for calculating the global audit result uses a ratio of the numerator (the sum of the products of each node's weight and the local result) to the denominator (the sum of weights) to achieve a weighted fusion of the results from each node. This calculation logic ensures that the global audit result always falls within the range of 0 to 1, maintaining a consistent quantitative scale with the single-node result, making it easier to intuitively understand the overall compliance level. At the same time, through the differentiated allocation of weights, it automatically corrects for result deviations caused by differences in audit standards among different nodes, making the global result more closely reflect the overall security status of the system.

[0061] The total number of agent nodes participating in the collaborative review, m, is used as the summation range parameter in the formula to ensure that the results of all participating nodes are included in the fusion calculation, avoiding omission of review information from any region or business module, and achieving global coverage.

[0062] Example 8: A configuration baseline intelligent auditing system based on dynamic strategies, used to implement a configuration baseline intelligent auditing method based on dynamic strategies. The system includes an input adaptation module, a preprocessing module, a core processing module, an output module, and an iterative optimization module. The input adaptation module is used to receive the dynamic policy configuration baseline to be reviewed and to complete the format compatibility processing; The preprocessing module communicates with the input adaptation module to perform format normalization, redundancy removal, and key information annotation of the configuration baseline. The core processing module is communicatively connected to the preprocessing module. The core processing module includes a probabilistic coding unit, a knowledge graph matching unit, a temporal risk analysis unit, a lightweight adversarial detection sandbox, a federated collaborative review unit, and a causal tracing and remediation scheme generation unit. The output module communicates with the core processing module to generate structured audit reports and provide log traceability functionality; The iterative optimization module communicates with the core processing module to automatically update the knowledge graph and risk prediction rules based on the audit results.

[0063] In Example 9, the probability coding unit calculates the security probability vector of the configuration item using the formula described in claim 3 and outputs it to the knowledge graph matching unit.

[0064] Example 10: The time-series risk analysis unit calculates the configuration entropy using the formula described in claim 4, and generates an audit priority list using the formula described in claim 5. The lightweight adversarial detection sandbox calculates a risk score using the formula described in claim 6 and maps it to a risk level, which is then output to the federal collaborative review unit. The federal collaborative audit unit integrates the distributed audit results using the formula described in claim 7 to generate a global compliance conclusion.

[0065] The following specific embodiments illustrate the implementation principle of the present invention: Taking the configuration baseline review of a fintech company's hybrid cloud architecture as an example, the company's system includes Alibaba Cloud server clusters, local containerized business modules, and cross-regional data centers. The configuration baseline to be reviewed covers permission policies, port opening rules, data encryption parameters, etc. The specific implementation process is as follows: Step 1, the standardization preprocessing stage, involves the system receiving multi-source configuration data from cloud platform API interfaces, local container configuration files, and data center operation and maintenance systems. It then uniformly converts the configuration baselines from Alibaba Cloud JSON format, container YAML format, and local server INI format into the standard JSONSchema format. Comments and duplicate default parameters are removed from the configuration files, and core security and compliance fields such as administrator account permissions, database encryption keys, and external service ports are highlighted.

[0066] In step 2, core configuration items such as database password complexity and SSH port access rules are selected and encoded into binary probability vectors. A dual-drive knowledge graph of rule data is invoked, where symbolic expert rules include the clause in the Cybersecurity Law 2.0 requiring "password length not less than 12 characters," and historical data covers security event records of similar financial enterprise database configurations over the past three months. By matching, explicit violations such as "a container database password length of 8 characters" are identified, while potential associated risks of "open SSH port and lack of two-factor authentication for administrator privileges" are also uncovered.

[0067] Step 3, based on configuration change records from the past 6 months, constructs a time-series trajectory graph, revealing three batch permission adjustment operations on a core business server during non-working hours. A lightweight time-series analysis model, combined with historical data, predicts the potential risk trigger probability of such operations, calculates the current system's configuration entropy, and, based on data leakage risk weights, generates an audit priority list, assigning the aforementioned batch permission adjustment-related configuration items as the highest priority.

[0068] Step 4: Load the enterprise's core business configuration image into the isolation sandbox and simulate preset attack scenarios such as brute-force attacks and port scanning. For the SSH port open configuration, obtain attack scenario matching data, and combine it with the corresponding CVSS basic score to complete the risk assessment, classifying it as a high-risk level.

[0069] Step 5 employs a lightweight federated architecture, distributing audit tasks to Alibaba Cloud nodes, local container nodes, and local audit proxy nodes in the North China and South China data centers. Each node completes basic audits locally, sharing risk characteristic parameters only with the central node. The central node assigns higher weights based on the core transaction business attributes of the South China data center, generating a global audit result through a weighted fusion algorithm. The result shows an overall compliance rate of 82%, with the main risks concentrated in the permission configuration and port management modules.

[0070] In step 6, the root causes of high risk were identified based on a causal inference model: "improvement of permissions outside of working hours without approval" and "SSH port not configured with an access whitelist." The remedial actions, such as "restricting permission adjustments outside of working hours" and "adding SSH port to the internal network access whitelist," were verified in a sandbox to assess that the remediation had no significant impact on the response speed of business transactions. All results were integrated to generate a structured audit report, including compliance conclusions, a risk list, remediation steps, and sandbox verification results, and system logs were updated simultaneously for subsequent audit traceability.

[0071] For the database password complexity configuration items of the aforementioned fintech companies, P(secure) and P(vulnerable) are calculated. Srule is calculated based on the rule in the knowledge graph that "password length should not be less than 12 characters." Since the password length for this configuration item is 8 characters, Srule is set to 0.2. Logistic regression analysis of the security incident rate caused by short passwords in similar databases over the past three months yields Sdate, which is 0.3. Considering the high rigidity of rules in the financial industry, α is set to 0.8. The security probability and risk probability of this configuration item are calculated using formulas, providing a quantitative basis for subsequent risk identification.

[0072] For the enterprise administrator permission configuration module, which includes five types of configuration items such as super administrator, business administrator, and operations and maintenance administrator, the state dispersion pi of each type of configuration item is calculated. The entropy value of the current permission configuration is obtained through the configuration entropy formula. Combined with the probability of triggering permission abuse risk predicted by the lightweight time series analysis model, and the business interruption risk weight, and referring to the maximum configuration entropy threshold of similar systems in the financial industry, the review priority of this module is calculated and finally determined to be the second highest priority, second only to the port security configuration module.

[0073] For the configuration of the 8080 port open for external services of enterprises, its basic CVSS score is 7.5. In the sandbox simulation of 10 injection attack scenarios, 6 were successfully triggered, and the attack scenario matching degree was obtained. The CVSS score weight μ was set to 0.7 in the financial industry scenario, and the attack scenario matching weight θ was set to 0.3. The risk quantification score was calculated by formula, and the configuration item was finally determined to be of high risk level and included in the key remediation list.

[0074] Five proxy nodes participated in the collaborative audit, with the South China Data Center node and Alibaba Cloud core business node being core nodes with a weight of 1.5, and the remaining three ordinary nodes with a weight of 1.0. Each node output its local audit results, and the central node calculated the global audit result using a weighted fusion formula, ultimately achieving an overall compliance rate of 82%. This result reflects both the configuration status weight of the core business nodes and integrates the audit information from the ordinary nodes, ensuring the accuracy of the global assessment.

[0075] A fintech company deployed a configuration baseline intelligent auditing system based on dynamic strategies. The operation status of each module of the system is as follows: The input adaptation module connects to Alibaba Cloud OpenAPI, Docker configuration interface and local server operation and maintenance management system to receive multi-source dynamic policy configuration baselines, complete the compatibility processing of different data formats, and ensure that subsequent modules can parse them normally.

[0076] The preprocessing module works in conjunction with the input adaptation module to perform format normalization on the received configuration data, clean up invalid comments and duplicate parameters in the configuration file, automatically mark the core fields corresponding to the provisions of the Cybersecurity Classified Protection 2.0, and transmit the processed data to the core processing module.

[0077] In the core processing module, the probabilistic coding unit calculates the security probability vectors of configuration items such as database password complexity and port access rules using the binary probability vector formula, and outputs them to the knowledge graph matching unit to complete the initial risk identification; the temporal risk analysis unit calculates the configuration entropy of the permission configuration module, and generates an audit priority list by combining the risk trigger probability and weight; the lightweight adversarial detection sandbox simulates attack scenarios, calculates scores using the risk level quantification formula, and maps them to risk levels; the federated collaborative audit unit integrates the audit results of 5 proxy nodes using a weighted fusion formula to generate a global compliance conclusion; and the causal tracing and remediation scheme generation unit locates the root causes of risks and designs remediation schemes to complete sandbox verification.

[0078] The output module receives the results from the core processing module and generates a structured audit report that includes compliance conclusions, a risk list, remediation plans, and source tracing logs. It supports exporting in PDF format and stores the audit logs in a dedicated database for traceability and querying.

[0079] Based on the new risk pattern of "permission adjustment during non-working hours" discovered in this audit, the iterative optimization module automatically updates the expert rule base in the knowledge graph and adjusts the parameters of the risk prediction model in sync, thereby improving the system's ability to identify similar new risks.

[0080] The above are all preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention. Therefore, all equivalent changes made in accordance with the structure, shape and principle of the present invention should be covered within the scope of protection of the present invention.

Claims

1. A configuration baseline intelligent auditing method based on dynamic strategies, characterized in that: Includes the following steps: Step 1: Standardize and preprocess the configuration baseline to be reviewed; Step 2: Encode the preprocessed core configuration items into binary probability vectors, call the rule data dual-drive knowledge graph to complete the configuration baseline matching, and initially identify the violations and potential associated risks; Step 3: Construct a time-series trajectory map based on the configuration baseline change record, use a lightweight time-series analysis model to predict the probability of triggering potential risks, and generate an audit priority list by combining configuration entropy and risk weight; Step 4: Simulate preset attack scenarios in an isolation sandbox to verify the baseline defense resilience and complete the risk assessment based on the CVSS score; Step 5: A lightweight federated architecture is adopted, in which basic audits are completed through local audit agent nodes and feature parameters are shared. The central node performs weighted fusion to generate global audit results.

2. The intelligent auditing method for configuration baseline based on dynamic strategy according to claim 1, characterized in that: It also includes step 6, which locates the root cause of the risk based on the causal inference model, generates a remediation plan that includes remediation operations, impact assessment and sandbox verification results, and integrates the results of all stages to output a structured audit report.

3. The intelligent auditing method for configuration baseline based on dynamic strategy according to claim 2, characterized in that: In step 2, let the expression for the binary probability vector be: ; The calculation formula is: ; ; in The value ranges from 0 to 1, representing the degree to which a configuration item conforms to the expert rules. It is calculated by directly matching the symbolic rules in the knowledge graph. If it fully conforms, it is 1; if it completely violates, it is 0. The security probability of the configuration item is based on historical data, with a value range of 0-1. It is calculated through a logistic regression model, and the input is the security event occurrence rate of the same configuration in the past 3 months. α is the rule weight coefficient, with a value ranging from 0.6 to 0.8, and is dynamically adjusted according to the industry type.

4. The intelligent auditing method for configuration baseline based on dynamic strategy according to claim 3, characterized in that: The formula for calculating entropy in step 3 is as follows: ; Where H is the configuration entropy, with a value ranging from 0 to... N represents the total number of configuration items; a higher value indicates a more chaotic configuration. is the state discreteness of the i-th configuration item, with a value range of 0-1.

5. The intelligent auditing method for configuration baseline based on dynamic strategy according to claim 4, characterized in that: The formula for calculating the review priority mentioned in step 3 is: ; in: The value ranges from 0 to 5, indicating the priority of review; higher values ​​indicate higher priority. This represents the probability of triggering a potential risk. Risk weighting For the current configuration entropy, The maximum configuration entropy threshold for the target system.

6. The intelligent auditing method for configuration baseline based on dynamic strategy according to claim 5, characterized in that: The formula for quantifying the risk level in step 4 is as follows: ; To quantify and score risk, For CVSS basic score; The attack scenario matching score ranges from 0 to 10 and is calculated by dividing the total number of successful attempts in the sandbox by the total number of attempts. As the weighting for CVSS scores, Match weights to attack scenarios; Risk levels are categorized by score: 8.0-10.0 is considered catastrophic risk, 6.0-7.9 is considered high risk, 4.0-5.9 is considered medium risk, 0.1-3.9 is considered low risk, and 0 is considered observation level.

7. The intelligent auditing method for configuration baselines based on dynamic strategies according to claim 6, characterized in that: The expression for the weighted stock mechanism in step 5 is: ; in The result is a quantitative assessment of the overall review, with a value range of 0-1, where 1 indicates full compliance and 0 indicates complete non-compliance. Let be the weight of the k-th proxy node; This represents the local audit result of the k-th proxy node; m represents the total number of agent nodes participating in the collaborative review.

8. A configuration baseline intelligent auditing system based on dynamic strategies, characterized in that: To implement the intelligent auditing method for configuration baselines based on dynamic strategies as described in claim 7, the system includes an input adaptation module, a preprocessing module, a core processing module, an output module, and an iterative optimization module: The input adaptation module is used to receive the dynamic policy configuration baseline to be reviewed and to complete the format compatibility processing; The preprocessing module communicates with the input adaptation module to perform format normalization, redundancy removal, and key information annotation of the configuration baseline. The core processing module is communicatively connected to the preprocessing module. The core processing module includes a probabilistic coding unit, a knowledge graph matching unit, a temporal risk analysis unit, a lightweight adversarial detection sandbox, a federated collaborative review unit, and a causal tracing and remediation scheme generation unit. The output module communicates with the core processing module to generate structured audit reports and provide log traceability functionality; The iterative optimization module communicates with the core processing module to automatically update the knowledge graph and risk prediction rules based on the audit results.

9. The intelligent auditing system for configuration baselines based on dynamic strategies according to claim 8, characterized in that: The probability encoding unit calculates the security probability vector of the configuration item using the formula described in claim 3, and outputs it to the knowledge graph matching unit.

10. The intelligent auditing system for configuration baselines based on dynamic strategies according to claim 9, characterized in that: The time-series risk analysis unit calculates the configuration entropy using the formula described in claim 4, and generates an audit priority list by combining it with the formula described in claim 5. The lightweight adversarial detection sandbox calculates a risk score using the formula described in claim 6 and maps it to a risk level, which is then output to the federal collaborative review unit. The federal collaborative audit unit integrates the distributed audit results using the formula described in claim 7 to generate a global compliance conclusion.