A long text threat intelligence analysis method, system, device and medium

By employing overlapping segmentation, parameterized memory, and gated memory reasoning mechanisms, the semantic fragmentation and multi-task conflict issues in long-text threat intelligence analysis are resolved, enabling efficient, accurate, and real-time analysis of long-text threat intelligence and improving the system's dynamic adaptability and resource utilization.

CN122160099APending Publication Date: 2026-06-05GUANGDONG POWER GRID CO LTD INFORMATION CENT

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
GUANGDONG POWER GRID CO LTD INFORMATION CENT
Filing Date
2026-02-02
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing technologies suffer from semantic fragmentation, insufficient accuracy in external knowledge base retrieval, conflicting objectives of multiple tasks, and static rigidity of models when dealing with long-text threat intelligence analysis, resulting in insufficient completeness, accuracy, and timeliness of the analysis.

Method used

Overlapping segmentation preprocessing is used to generate segmented sequences containing overlapping regions and context labels. These sequences are then jointly trained using the main language modeling task and the threat intelligence question answering auxiliary task to construct a parameterized memory. Finally, the inference results are corrected through a gated memory inference mechanism and a timeliness weight to form an integrated threat intelligence analysis system.

Benefits of technology

It significantly improves the completeness and accuracy of long text threat analysis, enables rapid response and dynamic adaptation to new threats, and enhances real-time analysis efficiency and the system's practicality and flexibility in complex environments.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160099A_ABST
    Figure CN122160099A_ABST
Patent Text Reader

Abstract

The application relates to the technical field of threat intelligence analysis, in particular to a long-text threat intelligence analysis method, system, device and medium, which comprises the following steps: carrying out overlapping segmentation preprocessing on input original long-text threat intelligence, generating a segmented sequence containing an overlapping area and corresponding context identification; based on the segmented sequence and the context identification, jointly training a threat intelligence analysis model; constructing a gated memory reasoning mechanism integrated with a parameterized memory bank; dynamically adjusting the weight ratio between parameterized memory retrieval and original context processing according to an input query through a learnable gated network to generate a reasoning result; integrating the gated memory reasoning mechanism into a threat intelligence analysis system, and outputting the reasoning result after correction by introducing a timeliness weight when processing a query. The application has the beneficial effect of comprehensively improving the accuracy, real-time performance and practicability of long-text threat intelligence analysis.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of threat intelligence analysis technology, and in particular to a method, system, device and medium for long text threat intelligence analysis. Background Technology

[0002] Cybersecurity threat intelligence analysis is a key technology for responding to complex attacks such as Advanced Persistent Threats (APTs). However, existing technologies still suffer from systemic shortcomings when dealing with real-world threat analysis scenarios. First, segmented processing can fragment attack chain information, disrupting semantic continuity and causing the loss of correlations between key threat indicators. Second, methods relying on external knowledge base retrieval are limited by retrieval accuracy and update latency, making it difficult to meet real-time analysis needs. Third, conflicts may exist between different task objectives in multi-task joint training, affecting the overall performance and generalization ability of the model. Finally, static models struggle to adapt to the rapid evolution of threat intelligence and lack a mechanism for perceiving the timeliness of information. These shortcomings collectively limit the completeness, accuracy, and timeliness of existing technologies when processing large-scale, lengthy, and dynamically evolving threat intelligence. Summary of the Invention

[0003] To solve the above-mentioned technical problems, the present invention provides the following technical solution: In a first aspect, the present invention provides a method for analyzing long text threat intelligence, including performing overlapping segmentation preprocessing on the input raw long text threat intelligence to generate a segmented sequence containing overlapping regions and corresponding context identifiers; Based on segmented sequences and context identifiers, the threat intelligence analysis model is jointly trained. The joint training includes a language modeling main task and a threat intelligence question answering auxiliary task. After training, a parameterized memory is formed in the parameters of the threat intelligence analysis model. A gated memory reasoning mechanism integrating a parameterized memory bank is constructed. Through a learnable gated network, the weight ratio between parameterized memory retrieval and original context processing is dynamically adjusted according to the input query to generate reasoning results. The gated memory reasoning mechanism is integrated into the threat intelligence analysis system, and a timeliness weight is introduced to correct the reasoning results before outputting them when processing queries.

[0004] As a preferred embodiment of the long text threat intelligence analysis method of the present invention, the input raw long text threat intelligence is subjected to overlapping segmentation preprocessing, including: A sliding window with an overlap mechanism is used to cut long texts into multiple consecutive segments, where each segment has a minimum overlap length with its adjacent segments to ensure that complete semantic units that cross the segmentation boundary can be contained in at least one segment. A corresponding context identifier is generated for each segment. The context identifier is constructed by extracting fixed-length content from the beginning and end of the long text.

[0005] As a preferred embodiment of the long text threat intelligence analysis method of the present invention, the overall optimization objective of the joint training is composed of a weighted combination of the loss function of the language modeling main task, the loss function of the threat intelligence question answering auxiliary task, and the regularization constraint terms of the model parameters. During training, the co-state between the training gradients of the main task and auxiliary tasks is monitored and adjusted to facilitate the effective encoding of domain knowledge into model parameters.

[0006] As a preferred embodiment of the long-text threat intelligence analysis method of the present invention, wherein: the gating network is implemented in the manner of a feedforward neural network, and its output is a gating value between 0 and 1; The gated memory reasoning mechanism generates reasoning results by using the gate value as a weight to perform a weighted summation of the retrieval results from the parameterized memory and the context processing results.

[0007] In a preferred embodiment of the long-text threat intelligence analysis method of the present invention, the parameters of the gating network and the parameters of the threat intelligence analysis model are jointly optimized and trained in an end-to-end manner.

[0008] As a preferred embodiment of the long-text threat intelligence analysis method of the present invention, the method includes: introducing a timeliness weight to correct the inference results before outputting them during query processing, including: Based on the time difference between the occurrence time of the threat event involved in the query and the current query time, an importance weight that decays over time is calculated, with higher weights for closer time differences. Timeliness weights are used to correct the importance assessment of the inference results.

[0009] As a preferred embodiment of the long-text threat intelligence analysis method of the present invention, the corrected output is converted into at least one of structured threat indicators, attack chain graphs, and machine-readable intelligence exchange formats.

[0010] Secondly, the present invention provides a long text threat intelligence analysis system, including: a processing module, used to perform overlapping segmentation preprocessing on the input raw long text threat intelligence, and generate a segmented sequence containing overlapping regions and corresponding context identifiers; The training module is used to jointly train the threat intelligence analysis model based on segmented sequences and context identifiers. The joint training includes a language modeling main task and a threat intelligence question answering auxiliary task. After training, a parameterized memory is formed in the parameters of the threat intelligence analysis model. The reasoning module is used to build a gated memory reasoning mechanism with an integrated parameterized memory bank. Through a learnable gating network, it dynamically adjusts the weight ratio between parameterized memory retrieval and original context processing based on the input query to generate reasoning results. The output module is used to integrate the gated memory reasoning mechanism into the threat intelligence analysis system, and to introduce timeliness weights to correct the reasoning results before outputting them when processing queries.

[0011] Thirdly, the present invention provides a computer device, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to implement the steps of the method described above.

[0012] Fourthly, the present invention provides a computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the method described above.

[0013] Compared with existing technologies, the beneficial effects of this invention are as follows: By using overlapping segmentation and parameterized memory mechanisms, the completeness and accuracy of long text threat analysis are significantly improved, effectively solving the problems of information fragmentation and loss of correlation; with the help of gated memory adapters and incremental learning capabilities, the system achieves rapid response and dynamic adaptation to new threats, greatly improving real-time analysis efficiency; at the same time, through the joint design of gradient collaborative optimization and timeliness awareness mechanisms, while ensuring multi-task performance collaboration, the resource utilization of training and inference is further optimized, enhancing the overall practicality and deployment flexibility of the system in complex and dynamic threat environments. Attached Figure Description

[0014] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the following description of the embodiments will be briefly introduced. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0015] Figure 1 This is a flowchart illustrating the long-text threat intelligence analysis method. Detailed Implementation

[0016] To make the above-mentioned objects, features, and advantages of the present invention more apparent and understandable, specific embodiments of the present invention will be described in detail below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of the present invention, and not all of them. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort should fall within the protection scope of the present invention.

[0017] Example 1, referring to Figure 1This is the first embodiment of the present invention, which provides a long text threat intelligence analysis method, including: S100: Perform overlapping segmentation preprocessing on the input raw long text threat intelligence to generate a segmented sequence containing overlapping areas and corresponding context identifiers; S200: Based on segmented sequences and context identifiers, the threat intelligence analysis model is jointly trained. The joint training includes the main task of language modeling and the auxiliary task of threat intelligence question answering. After training, a parameterized memory is formed in the parameters of the threat intelligence analysis model. S300: Construct a gated memory reasoning mechanism with an integrated parameterized memory bank. Through a learnable gated network, the weight ratio between parameterized memory retrieval and original context processing is dynamically adjusted according to the input query to generate reasoning results. S400: Integrates a gated memory reasoning mechanism into the threat intelligence analysis system, and introduces a timeliness weight to correct the reasoning results before outputting them when processing queries.

[0018] It should be noted that, addressing the semantic fragmentation, external dependency bottlenecks, difficulties in task collaboration, and static rigidity of models in existing long text processing technologies, this method first preserves the semantic continuity of the text by employing a forced overlapping segmentation strategy, providing a structured input foundation for subsequent analysis. Furthermore, through domain-customized joint training, key threat knowledge is internalized into the model parameters, constructing a stable parameterized memory that does not require frequent external retrieval. Even further, an intelligent gating inference mechanism is designed to dynamically fuse the internalized memory with real-time context, achieving accurate adaptive responses to different queries. Finally, by integrating a timeliness weight module, the system output reflects the dynamic value of threat intelligence, enabling complete, accurate, and timely automated analysis and tracing of APT attack chains.

[0019] Example 2, refer to Figure 1 As an embodiment of the present invention, based on the above embodiment, a method for analyzing threat intelligence in long texts is provided.

[0020] In this embodiment of the application, step S100 performs overlapping segmentation preprocessing on the input raw long text threat intelligence to generate a segmented sequence containing overlapping regions and corresponding context identifiers, including the following steps A1-A2: A1: A sliding window with an overlap mechanism is used to cut long text into multiple consecutive segments, where each segment has a minimum overlap length with its adjacent segments to ensure that complete semantic units that cross the segmentation boundary can be contained in at least one segment.

[0021] Specifically, the system receives raw, long-text threat intelligence data. (Where L represents the total number of tokens in the long threat intelligence text, and) The token is used to generate the segmented sequence required for training through an overlapping sliding window algorithm. The k-th segment is represented as: The segmentation parameters satisfy: It should be noted that the above mathematical rules define the specific method of text segmentation: where the first formula represents the k-th segment. From the original text, from position arrive Composed of consecutive tokens; the first sub-formula in the second formula group defines the starting position of the segment. The calculation method is as follows: s is the sliding step size; the second sub-equation defines the end position of the segment. The first sub-formulation ensures that the overlap length does not exceed the total text length L; the second sub-formulation specifies that the overlap length o must be at least 20% of the window length w or the larger of 128 tokens. This design ensures the continuity of critical threat information at segment boundaries by forcing overlap.

[0022] Understandably, in threat intelligence processing scenarios, long text data often contains complex relationships. For example, an attack event description may span multiple pages, and key Indicators of Compromise (IoCs) and their corresponding behavioral descriptions may be distributed across different paragraphs. Traditional non-overlapping segmentation methods artificially sever these naturally existing semantic connections. This method, however, uses mathematical constraints to ensure that any semantic unit that might be separated by segmentation boundaries is preserved within at least one complete segment. Specifically, when processing long reports containing multi-stage attacks, if the end of a segment contains the attacker's C2 server address, and the beginning of the next segment describes the specific attack behavior initiated by that C2 server, the overlapping area ensures that the crucial "address-behavior" relationship is completely preserved.

[0023] A2: Generate a corresponding context identifier for each segment. The context identifier is constructed by extracting fixed-length content from the beginning and end of the long text.

[0024] Specifically, for each segment Equipped with corresponding context identifiers (Taking r=512 tokens for both the first and last segments), these segment sets The context identifiers are used as input data for subsequent training.

[0025] Ideally, by attaching contextual identifiers to each segment, the model can see not only the current segment during training and inference. It can perceive local details and the entire document's opening summary and closing conclusion, helping the model to build an understanding of the document's overall theme, severity, and conclusions, thereby better understanding local segments. The role and importance of threat intelligence in the global attack narrative, enhancing the ability to grasp threat intelligence at a macro level and improve the accuracy of analysis.

[0026] In an optional implementation, the generation of corresponding context identifiers for each segment in step A2 can also be achieved through a dynamic context summary construction method based on the segment position. That is, the relative position ratio of the current segment is calculated according to the start and end positions of the current segment in the original long text, and representative context information is extracted from the entire document accordingly. For example, for segments at the beginning of the document, the focus is on extracting key sentences from the document summary and background introduction; for segments in the middle of the document, the focus is on extracting topic sentences or subheadings of the adjacent chapters; and for segments at the end of the document, the focus is on extracting the core statements of the conclusion and summary. Finally, these extracted key sentences are combined to form a personalized context identifier for the segment.

[0027] In another optional implementation, generating a corresponding context identifier for each segment in step A2 can also be achieved by fusing document metadata with a key entity index. Specifically, the metadata of the entire threat intelligence document is extracted first, including the source, release time, threat level, related attack group (APT group), and main attack techniques (TTP) classification tags. Simultaneously, a key entity index covering the entire document is constructed, recording important threat indicators (IoCs) such as malicious domains, IP addresses, vulnerability numbers, and their first appearance locations. When generating an identifier for a specific segment, the aforementioned global metadata is concatenated with the core entities appearing in that segment and their related descriptions in the index, thereby forming an enhanced context identifier that includes both macro-threat attributes and is associated with specific local entities.

[0028] In this embodiment of the application, step S200 involves joint training of the threat intelligence analysis model based on segmented sequences and context identifiers. This joint training includes a main language modeling task and a threat intelligence question-answering auxiliary task. After training, a parameterized memory is formed in the parameters of the threat intelligence analysis model, including the following steps B1-B4: B1: A dual-task training framework is adopted, in which the main task is a language modeling task based on segmented sequences, and the auxiliary task is a threat intelligence question answering task based on context identifiers.

[0029] It should be noted that the core objective of the main task is to enable the model to master the language style, statistical patterns, domain terminology, and basic grammatical structure of threat intelligence documents. For example, through learning, the model can understand the precise meaning and usage patterns of professional concepts such as lateral movement, persistent persistence, and spear phishing in context. The auxiliary task, on the other hand, is to force the model not only to passively understand the text, but also to actively locate, extract, correlate, and infer specific threat elements (IoC), attack techniques (TTP), and attack phases from lengthy narratives.

[0030] Preferably, the dual-task training framework adopted in this step forms a collaborative learning pattern that lays the foundation for general language ability and strengthens domain expertise. The language modeling task provides the model with the basic ability to understand long texts, while the threat intelligence question answering task ensures that the learning process does not deviate from the actual analysis needs by continuously testing and deepening the model's mastery of core security knowledge.

[0031] B2: By weighting and combining the loss function of the language modeling task with the loss function of the threat intelligence question answering task, and introducing regularization constraints on the model parameters, the overall optimization objective of joint training is formed.

[0032] Specifically, the overall optimization objective is represented as follows: Understandably, the above loss function consists of three parts: the main task loss is the sum of the segmented language modeling losses, representing the model's performance in a given context C. k Predicting segment S under certain conditions k The negative log-likelihood; the auxiliary task loss is the weighted sum of the losses of all question-answer pairs, where α is a balancing hyperparameter used to balance the importance between the primary and auxiliary tasks, and an appropriate α value can enable the two tasks to form a good synergistic effect, rather than a simple compromise; regularization term. Used to control model complexity and prevent overfitting.

[0033] Ideally, the joint optimization objective in this step guides the training process in a balanced and robust direction, ensuring that while the model actively internalizes threat knowledge (through the question-answering task), it does not undermine its original language understanding foundation (through the language modeling task) and always maintains good generalization properties (through regularization), thus laying an optimized foundation for forming a high-quality, highly usable parameterized memory.

[0034] B3: During training, monitor and adjust the collaborative state between the training gradients of the main task and the auxiliary task in real time to promote the effective encoding and solidification of domain knowledge into model parameters.

[0035] Specifically, during training, effective collaboration between the two tasks is ensured by monitoring gradient coordination. Understandably, the indicators Essentially, it's the cosine similarity of the gradient vectors of the losses from two tasks; that is, when... When the gradients are close to 1, it indicates that the gradient directions of the two tasks are highly consistent and mutually reinforcing, representing an ideal cooperative state; when... When the value is close to 0 or negative, it indicates that the gradient directions are orthogonal or opposite, and there is a task conflict.

[0036] It should be noted that, based on the monitoring of γ, adjustment strategies can be adopted, such as dynamically fine-tuning the hyperparameter α, or using a more advanced gradient surgery algorithm to project or modify conflicting gradient components to reduce conflict and make parameter updates as beneficial as possible to both tasks simultaneously.

[0037] Preferably, the gradient collaborative management in this step can effectively alleviate the potential contradiction between the generality of language modeling and the specialization of threat question answering, and enable the model to find a shared parameter space in which the feature representations learned can serve both tasks well at the same time.

[0038] B4: After training, the distributed knowledge representations internalized in the model parameters that are related to threat intelligence entities, behaviors and relationships constitute the parameterized memory.

[0039] Understandably, after the joint training through steps B1-B3 above, the knowledge closely related to threat intelligence analysis (e.g., characteristics of specific malware families, common exploitation methods, TTP patterns of APT groups, typical correlations between attack indicators, etc.) is not stored in a separate database or file, but is sculpted and solidified in the millions or even billions of connection weights (parameters) of the neural network in a distributed representation. Specific patterns or activation paths in these weights correspond to specific threat knowledge.

[0040] It should be noted that the fine-tuned model parameters are obtained after training. and its implicit parameterized memory (in (These outputs, representing key threat information in a distributed manner, will serve as initialization parameters for subsequent gating memory adapters.)

[0041] In an optional implementation, the formation of the parameterized memory in step S200 can also be achieved through a progressive memory solidification method based on knowledge distillation. That is, a teacher model pre-trained on a general threat intelligence corpus is introduced. During joint training, not only are the losses of the main task and the auxiliary task optimized, but the output distribution difference between the student model (i.e., the threat intelligence analysis model) and the teacher model on the same segment is calculated as the distillation loss. This loss guides the student model parameters to gradually align with and internalize the general threat knowledge patterns and robust feature representations encoded in the teacher model while fitting the current task. After multiple iterations, the knowledge structure that is stably carried in the student model parameters and has both task specificity and generalization constitutes the parameterized memory.

[0042] In another optional implementation, the formation of the parameterized memory in step S200 can also be achieved through adversarial training and comparative learning of memory prototypes. Specifically, an adversarial training stage is added to the joint training framework. A generator constructs perturbation text fragments simulating new threats, and a discriminator (sharing the backbone of the main model) is trained to distinguish these fragments from real threat intelligence, thereby enhancing the model's robustness to unknown threat patterns. Simultaneously, a learnable "memory prototype" vector is maintained for each type of typical threat technology (TTP) or entity in the model's high-dimensional feature space. By using a comparative learning loss function, the distance between the features of similar threat samples and their corresponding prototypes is narrowed, while the distance between different types of prototypes is widened. This allows the model parameters to explicitly form and solidify these highly class-discriminative prototype vector sets during the training process, which constitute a structured parameterized memory.

[0043] In this embodiment of the application, step S300 involves constructing a gated memory reasoning mechanism integrated with a parameterized memory bank. A learnable gating network dynamically adjusts the weight ratio between parameterized memory retrieval and the original context processing based on the input query to generate reasoning results, including the following steps C1-C2: C1: The gating network is implemented using a feedforward neural network approach, and its output is a gating value between 0 and 1.

[0044] It should be noted that the gated network is implemented as a lightweight feedforward neural network. Specifically, it is a two-layer network: the first layer is a fully connected layer with ReLU activation, and the second layer is an output layer with Sigmoid activation. Its mathematical expression is: The network's output g(q) is a scalar value (gating value) between 0 and 1. This value is not a binary switch, but a continuous scaling factor.

[0045] That is: when When the value approaches 1, it indicates that the system determines that the current query q is highly dependent on historical threat knowledge stored in the parameterized memory M (e.g., querying the conventional tactics of a specific APT group).

[0046] when When the value approaches 0, it indicates that the system should primarily rely on the contextual information carried by the query q itself for processing (e.g., parsing a new, unseen log fragment or a general concept).

[0047] For example, when queries involve the tactics and techniques of a specific APT group, the gating value tends to be 1, and the system primarily retrieves relevant threat intelligence knowledge from the parameterized memory. When queries involve general network concepts or real-time log analysis, the gating value tends to be 0, and the system primarily relies on the model's original capabilities and current context information. This dynamic routing mechanism ensures that the system can fully utilize the advantages of long-term memory without compromising the model's general capabilities.

[0048] It should be further explained that the parameters of the gating network and the threat intelligence analysis model are jointly optimized and trained in an end-to-end manner. That is, while the model learns how to answer questions, the gating network is also simultaneously learning how to make the best knowledge source selection decisions for different types of questions. This joint training directly links gating decisions to the performance of the final analysis task, thereby learning the optimal routing strategy.

[0049] Preferably, this step provides the system with a learnable, task-aligned intelligent routing capability that can dynamically and finely allocate knowledge resources based on the semantic content of the query, rather than applying a fixed processing mode to all queries. This provides a key control mechanism for achieving an adaptive balance between general capabilities and domain expertise.

[0050] C2: The gated memory reasoning mechanism generates reasoning results by using the gate value as a weight to perform a weighted summation of the retrieval results from the parameterized memory and the context processing results.

[0051] Specifically, the parameterized memory M is integrated into the Transformer architecture to construct a gated memory inference mechanism. For the input query q, the attention output is calculated as follows: The mathematical expression above defines how attention output is calculated: it is a weighted combination of memory retrieval and context processing, with the weights dynamically determined by the gating function g(q). CrossAttn represents the cross-attention calculation between query q and parameterized memory M, and SelfAttn represents the self-attention calculation between query and the current context.

[0052] That is, the final reasoning result generates a structured output that includes response text and evidence source identifiers.

[0053] In this embodiment of the application, step S400 integrates the gated memory reasoning mechanism into the threat intelligence analysis system, and introduces a timeliness weight to correct the reasoning results before outputting them when processing queries, including the following steps D1-D3: D1: Calculate an importance weight that decays over time based on the time difference between the occurrence time of the threat event involved in the query and the current query time. The closer the time difference, the higher the weight.

[0054] Understandably, in the real-world cybersecurity environment, the value of threat intelligence diminishes over time. For example, a vulnerability has the highest value when it is first disclosed, but its threat level gradually decreases as time goes on and patches are released. The exponential decay model can capture this time sensitivity well and assign appropriate importance weights to security events at different times.

[0055] Specifically, the formula for calculating the timeliness weight using the exponential decay weighting mechanism is as follows: That is, if the time has just occurred ( (very small), then A value close to 1 indicates that the information is of the highest importance. If the event occurred a long time ago (…), this value is considered extremely high. (very small, much larger than τ), then A value approaching 0 indicates that its importance has significantly diminished.

[0056] D2: Use timeliness weights to correct the importance assessment of the inference results.

[0057] Specifically, the structured inference results generated in step S300 (e.g., predictions containing fields such as "threat type: ransomware", "confidence level: 0.85", and "associated organization: FIN7") are compared with the corresponding results calculated in step D1. Weights are combined.

[0058] Understandably, the specific correction method can be flexibly designed according to the output type. For example, weighting the confidence or severity score: Final confidence = Original inference confidence × An incident that occurred 3 years ago ( For high-confidence ransomware incidents (even those with very low confidence), the corrected current attention level will be significantly reduced. Adjustments to sorting or priority should be made: when generating the threat list, consider... Reorder the entries to ensure that recent high-threat events are prioritized. Dynamically adjust the decision threshold: This serves as an additional condition for whether an alarm is triggered. For example, for historical events, even if the model's inference confidence is high, it may still be triggered because... If the value is too low, no real-time alarm will be triggered; it will only be logged.

[0059] D3: The corrected output is converted into at least one of the following: structured threat indicators, attack chain maps, and machine-readable intelligence exchange formats.

[0060] It should be noted that the Structured Threat Indicators (TTIs) output extracted IoCs (IP addresses, domain names, hashes, vulnerability numbers, etc.) and their attributes (type, confidence level, timeliness weight) in standard formats (such as STIX / TAXII, JSON, CSV). This allows threat intelligence to be directly absorbed, deduplicated, and enriched by the Threat Intelligence Platform (TIP), and pushed to security detection devices for real-time matching and interception. Attack Chain Graph: Based on the identified TTPs (tactics, techniques, and procedures), a visualized attack chain graph is automatically constructed according to the MITRE ATT&CK framework. This provides security analysts with an intuitive global attack perspective, facilitating the understanding of attackers' intentions, paths, and key technical nodes, and assisting in the formulation of containment and elimination strategies. Machine-readable Intelligence Exchange Format: This mainly refers to intelligence objects that conform to international standards such as STIX and contain complete context (Who, What, When, Where, Why, How). This format facilitates the sharing and exchange of high-quality, actionable threat intelligence among different organizations and security products, improving collaborative defense capabilities.

[0061] In summary, the beneficial effects of the long-text threat intelligence analysis method of this invention are as follows: by using overlapping segmentation and parameterized memory mechanisms, the completeness and accuracy of long-text threat analysis are significantly improved, effectively solving the problems of information fragmentation and loss of correlation; with the help of gated memory adapters and incremental learning capabilities, the system achieves rapid response and dynamic adaptation to new threats, greatly improving real-time analysis efficiency; at the same time, through the joint design of gradient collaborative optimization and timeliness awareness mechanisms, while ensuring multi-task performance collaboration, the resource utilization of training and inference is further optimized, enhancing the overall practicality and deployment flexibility of the system in complex and dynamic threat environments.

[0062] Example 3 illustrates a schematic scheme for a long text threat intelligence analysis method. It should be noted that the technical solution of this long text threat intelligence analysis system and the technical solution of the aforementioned long text threat intelligence analysis method belong to the same concept. Details not described in detail in this embodiment can be found in the description of the technical solution of the aforementioned long text threat intelligence analysis method.

[0063] This embodiment also provides a long text threat intelligence analysis system, including: The processing module is used to perform overlapping segmentation preprocessing on the input raw long text threat intelligence, and generate segmented sequences containing overlapping regions and corresponding context identifiers; The training module is used to jointly train the threat intelligence analysis model based on segmented sequences and context identifiers. The joint training includes a language modeling main task and a threat intelligence question answering auxiliary task. After training, a parameterized memory is formed in the parameters of the threat intelligence analysis model. The reasoning module is used to build a gated memory reasoning mechanism with an integrated parameterized memory bank. Through a learnable gating network, it dynamically adjusts the weight ratio between parameterized memory retrieval and original context processing based on the input query to generate reasoning results. The output module is used to integrate the gated memory reasoning mechanism into the threat intelligence analysis system, and to introduce timeliness weights to correct the reasoning results before outputting them when processing queries.

[0064] This embodiment also provides an electronic device suitable for long text threat intelligence analysis, including: a memory and a processor; the memory is used to store computer-executable instructions, and the processor is used to execute the computer-executable instructions to implement the long text threat intelligence analysis method proposed in the above embodiment.

[0065] This embodiment also provides a storage medium on which a computer program is stored. When the program is executed by a processor, it implements the long text threat intelligence analysis method proposed in the above embodiments.

[0066] The storage medium proposed in this embodiment and the method for implementing long text threat intelligence analysis proposed in the above embodiments belong to the same inventive concept. Technical details not described in detail in this embodiment can be found in the above embodiments, and this embodiment has the same beneficial effects as the above embodiments.

[0067] Based on the above description of the implementation methods, those skilled in the art can clearly understand that the present invention can be implemented using software and necessary general-purpose hardware, and of course, it can also be implemented using hardware. Based on this understanding, the technical solution of the present invention, or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as a computer floppy disk, read-only memory (ROM), random access memory (RAM), flash memory, hard disk, or optical disk, etc., including several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods of the various embodiments of the present invention.

[0068] It should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications or equivalent substitutions can be made to the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, and all such modifications or substitutions should be covered within the scope of the claims of the present invention.

Claims

1. A method for analyzing threat intelligence from long texts, characterized in that: include, The input raw long text threat intelligence is preprocessed by overlapping segmentation to generate a segmented sequence containing overlapping regions and corresponding context identifiers; Based on the segmented sequence and context identifier, the threat intelligence analysis model is jointly trained, wherein the joint training includes a language modeling main task and a threat intelligence question answering auxiliary task. After training, a parameterized memory is formed in the parameters of the threat intelligence analysis model. A gated memory reasoning mechanism integrating the parameterized memory bank is constructed. Through a learnable gated network, the weight ratio between parameterized memory retrieval and original context processing is dynamically adjusted according to the input query to generate reasoning results. The gated memory reasoning mechanism is integrated into the threat intelligence analysis system, and a timeliness weight is introduced to correct the reasoning results before outputting them when processing queries.

2. The long-text threat intelligence analysis method as described in claim 1, characterized in that: The overlapping segmentation preprocessing of the input raw long text threat intelligence includes, A sliding window with an overlap mechanism is used to cut long texts into multiple consecutive segments, where each segment has a minimum overlap length with its adjacent segments to ensure that complete semantic units that cross the segmentation boundary can be contained in at least one segment. A corresponding context identifier is generated for each segment. The context identifier is constructed by extracting fixed-length content from the beginning and end parts of the long text.

3. The long-text threat intelligence analysis method as described in claim 2, characterized in that: The overall optimization objective of the joint training is a weighted combination of the loss function of the main language modeling task, the loss function of the threat intelligence question answering auxiliary task, and the regularization constraint terms of the model parameters. During training, the co-state between the training gradients of the main task and the auxiliary task is monitored and adjusted to facilitate the effective encoding of domain knowledge into model parameters.

4. The long-text threat intelligence analysis method as described in claim 1, characterized in that: The gating network is implemented using a feedforward neural network, and its output is a gating value between 0 and 1. The gated memory reasoning mechanism generates the reasoning result by using the gate value as a weight to perform a weighted summation of the retrieval results and context processing results from the parameterized memory.

5. The long-text threat intelligence analysis method as described in claim 4, characterized in that: The parameters of the gating network and the parameters of the threat intelligence analysis model are jointly optimized and trained in an end-to-end manner.

6. The long-text threat intelligence analysis method as described in claim 1, characterized in that: The step of introducing a timeliness weight to correct the reasoning result before outputting it during query processing includes: Based on the time difference between the occurrence time of the threat event involved in the query and the current query time, an importance weight that decays over time is calculated, with a higher weight for closer time differences. The timeliness weight is used to correct the importance assessment of the reasoning result.

7. A long-text threat intelligence analysis method as described in any one of claims 1-6, characterized in that: The corrected output is converted into at least one of a structured threat index, an attack chain map, and a machine-readable intelligence exchange format.

8. A long-text threat intelligence analysis system, employing the method described in any one of claims 1-7, characterized in that, include: The processing module is used to perform overlapping segmentation preprocessing on the input raw long text threat intelligence, and generate segmented sequences containing overlapping regions and corresponding context identifiers; The training module is used to jointly train the threat intelligence analysis model based on the segmented sequence and context identifier. The joint training includes a language modeling main task and a threat intelligence question answering auxiliary task. After training, a parameterized memory is formed in the parameters of the threat intelligence analysis model. The reasoning module is used to construct a gated memory reasoning mechanism that integrates the parameterized memory bank. Through a learnable gating network, it dynamically adjusts the weight ratio between parameterized memory retrieval and original context processing according to the input query to generate reasoning results. The output module is used to integrate the gated memory reasoning mechanism into the threat intelligence analysis system, and to introduce a timeliness weight to correct the reasoning results before outputting them when processing queries.

9. A computer device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the processor executes the computer program, it implements the steps of the method according to any one of claims 1 to 7.

10. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 7.