Attack surface management method based on multi-source information fusion

By employing a multi-source intelligence fusion attack surface management approach, and utilizing machine learning and graph databases to simulate attack paths, asset profiles are generated and closed-loop verification is performed. This approach addresses the issues of lagging asset discovery and insufficient risk assessment under hybrid information technology architectures, enabling dynamic asset management and precise quantification of attack paths. It ensures the effectiveness of remediation measures and the continuous convergence of security risks.

CN122160111APending Publication Date: 2026-06-05CSG EHV POWER TRANSMISSION

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CSG EHV POWER TRANSMISSION
Filing Date
2026-02-28
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing asset discovery technologies suffer from lag and blind spots under hybrid information technology architectures. Risk assessments lack the ability to analyze attack chain correlations, and security response mechanisms lack closed-loop verification of remediation effectiveness and the ability to detect new risks.

Method used

By employing a multi-source intelligence fusion attack surface management approach, this method utilizes machine learning algorithms to generate asset profile data, combines graph databases and graph path search algorithms to simulate attack paths, executes remediation suggestions and performs closed-loop verification, and leverages automated orchestration tools to implement remediation operations and detect new risks.

Benefits of technology

It enables dynamic asset discovery for hybrid information technology architectures, quantifies the business impact of attack paths, ensures the effectiveness of remediation measures and prevents the transfer of security risks, improves asset discovery coverage and the accuracy of attack path simulation, and achieves continuous convergence of attack surface risks.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160111A_ABST
    Figure CN122160111A_ABST
Patent Text Reader

Abstract

The application relates to the technical field of network security and discloses an attack surface management method based on multi-source intelligence fusion, which comprises the following steps: collecting original data through a dynamic asset fingerprint library construction module and generating asset portrait data by using a machine learning algorithm; mapping the asset portrait data into a graph database node and an edge through an attack path simulation engine, executing a graph path search algorithm, outputting an attack path simulation result and a business influence score; executing a repair suggestion instruction through an automatic repair verification module, sending a re-simulation request to the attack path simulation engine, and verifying whether the attack path is blocked according to a secondary simulation result. The application can realize real-time discovery of dynamic assets and supply chain risks, accurate quantification of attack path influence by using a graph database, effective cutting of attack paths by repair measures and non-introduction of new risks through a secondary simulation and an abnormality detection mechanism, and dynamic and accurate closed-loop management of attack surface risks.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security technology, specifically to an attack surface management method based on multi-source intelligence fusion. Background Technology

[0002] With the rapid development of cloud computing, IoT, and software supply chains, enterprise IT architectures are becoming increasingly complex, and assets are exhibiting highly dynamic and fragmented characteristics. Enterprise network boundaries are no longer limited to the interior of physical firewalls, but extend to hybrid cloud environments, third-party service interfaces, and mobile office terminals.

[0003] Existing asset discovery technologies rely on predefined static lists of Internet Protocol (IP) addresses or periodic proactive scanning tools for asset inventory. Static IP address lists cannot detect the real-time scaling changes of cloud computing instances or the dynamic online status of temporary application programming interface (API) services. Periodic proactive scanning tools often fail to discover shadow IT assets not authorized by the enterprise's IT department, nor can they deeply identify third-party component dependencies hidden deep within the software supply chain. Asset discovery methods based on a single data source and static rules result in significant lags and blind spots in asset discovery, leaving a large number of unknown assets in a state of long-term neglect.

[0004] Existing risk assessment techniques primarily focus on general vulnerability disclosure scores or configuration misconception severity levels on individual asset nodes. These techniques lack the ability to analyze the logical relationships between asset nodes, such as network access permissions, data flow, and authentication dependencies. In real-world attack scenarios, attackers often exploit low-risk vulnerabilities as stepping stones, using multi-hop network paths to laterally gain access to core business operations. Assessing based solely on single-point risk values ​​severs the contextual connections within the attack chain, failing to quantify the specific impact of attack paths on core business operations. This makes it difficult for security operations teams to prioritize remediation efforts based on business importance.

[0005] Therefore, this invention proposes an attack surface management method based on multi-source intelligence fusion to address the shortcomings of existing technologies. Summary of the Invention

[0006] To address the shortcomings of existing technologies, this invention provides an attack surface management method based on multi-source intelligence fusion. This method solves the problems of existing asset discovery technologies having lag and blind spots in hybrid information technology architectures, existing risk assessment technologies lacking the ability to analyze attack chain correlations and quantify business impacts, and existing security response mechanisms lacking the ability to verify the effectiveness of remediation and detect new risks introduced by remediation operations.

[0007] To achieve the above objectives, the present invention provides the following technical solution:

[0008] This invention provides an attack surface management method based on multi-source intelligence fusion, comprising the following steps:

[0009] Step S1: Collect raw data from multiple data source interfaces, and use machine learning algorithms to extract features and match patterns from the raw data to generate asset profile data.

[0010] In this step, the attack surface management method based on multi-source intelligence fusion initiates a parallel data acquisition process, connecting to open-source intelligence acquisition interfaces, cloud service application programming interfaces (APIs), and the enterprise's internal configuration management database interface. The attack surface management method uses the open-source intelligence acquisition interface to call a third-party network asset mapping engine to obtain publicly exposed Internet protocol address data, domain name data, and port service data. It also uses the cloud service application programming interface to call the cloud platform resource management interface to obtain cloud computing instance data and cloud storage resource data. Finally, the attack surface management method uses the enterprise's internal configuration management database interface to read the known asset list data maintained internally by the enterprise.

[0011] In this step, the attack surface management method based on multi-source intelligence fusion utilizes a random forest algorithm or XGBoost algorithm configured with a decision tree number parameter to extract domain name resolution records, secure socket layer certificate information, and port service fingerprints as feature vectors to identify cloud resource objects, shadow IT assets, and container service objects. The method then executes a software supply chain dependency resolution procedure, scanning the application's metadata files to extract third-party component names, version numbers, and source addresses. These information are then compared with a known vulnerability database to identify supply chain asset risks. Finally, the method maps the identified asset category tags and supply chain association information to unique asset identifiers, generating asset profile data that includes asset type identifiers, port open status, and asset dependencies.

[0012] Step S2: Map the asset profile data to nodes and edges in the graph database, execute the graph path search algorithm, and output the attack path simulation results and business impact score.

[0013] In this step, the attack surface management method based on multi-source intelligence fusion defines nodes to represent specific asset objects, including servers, databases, application programming interfaces (APIs), and storage buckets. It also defines edges to represent the logical relationships between asset objects, including network access permissions, data flow direction, and authentication dependencies. Finally, the method maps exposure information from the asset profiling data to node attributes, including open port numbers, weak password status, and known vulnerability numbers.

[0014] In this step, the attack surface management method based on multi-source intelligence fusion constructs an attack model based on the MITRE ATT&CK framework and sets the path search depth. This method sets external exposure points as starting nodes and core assets as target nodes. It employs either the A* algorithm or Dijkstra's algorithm as the graph path search algorithm, traversing nodes and edges in the graph database to simulate the attack process from the starting node through intermediate stepping stones to the target node, generating simulated attack path results.

[0015] In this step, the business impact score calculation logic is executed based on the attack surface management method of multi-source intelligence fusion. The business impact score calculation logic includes: calculating the product of the single-point risk value and the risk type weight coefficient for each damaged node in the attack path to obtain the node risk product; summing the node risk products of all damaged nodes in the attack path to obtain the path risk cumulative value; and multiplying the path risk cumulative value by the business importance coefficient of the target asset node to obtain the business impact score. The single-point risk value is derived from the general vulnerability disclosure score or configuration misclassification level.

[0016] Step S3: Generate a repair suggestion instruction based on the attack path simulation results. After executing the repair suggestion instruction, send a re-simulation request, obtain the secondary simulation results generated based on the re-simulation request, and verify whether the attack path has been blocked based on the secondary simulation results.

[0017] In this step, the attack surface management method based on multi-source intelligence fusion analyzes the key vulnerable nodes in the attack path simulation results. These key vulnerable nodes include server nodes with unnecessary ports open, communication nodes using expired Secure Sockets Layer (SSL) certificates, and storage bucket nodes with misconfigurations. Based on a pre-built security policy knowledge base, the attack surface management method maps these key vulnerable nodes to specific remediation actions. Finally, it generates remediation suggestion instructions, including instructions to close specified ports, update SSL certificates, or correct storage bucket configurations.

[0018] In this step, the attack surface management method based on multi-source intelligence fusion invokes an automated orchestration tool to send configuration change commands to the target assets. The automated orchestration tool can be either an Ansible scripting tool or a Terraform orchestration tool.

[0019] In this step, the attack surface management method based on multi-source intelligence fusion performs closed-loop detection of new risks. After executing the remediation suggestion command, the attack surface management method based on multi-source intelligence fusion monitors changes in the system environment. It calculates the post-remediation environment anomaly index. If the environment anomaly index exceeds a preset anomaly threshold, it is determined that the remediation operation introduced new risks, and an alarm is generated. The calculation process of the environment anomaly index includes: statistically analyzing all newly detected exposure points after the remediation operation and determining the risk coefficient corresponding to each newly detected exposure point; summing the risk coefficients of all newly detected exposure points to obtain the total value of new risks; and dividing the total value of new risks by the total number of asset nodes within the current management scope to obtain the environment anomaly index.

[0020] This invention provides an attack surface management method based on multi-source intelligence fusion. It has the following beneficial effects:

[0021] 1. This invention utilizes a dynamic asset fingerprint database construction module and a random forest algorithm to integrate multi-source data, enabling real-time identification of cloud resource objects, shadow IT assets, and supply chain dependencies. The dynamic asset fingerprint database construction module overcomes the limitations of static scanning, solves the problems of asset discovery lag and blind spots in hybrid information technology architectures, and improves asset discovery coverage.

[0022] 2. This invention utilizes an attack path simulation engine to reconstruct multi-stage attack chains using graph databases and graph path search algorithms. The attack path simulation engine combines multi-source intelligence to calculate business impact scores, achieving accurate quantification of the potential harm of attack paths. The attack path simulation engine ensures that high-risk attack vectors are prioritized for handling, overcoming the shortcomings of one-sided risk assessments and a lack of business perspective.

[0023] 3. This invention constructs a closed-loop feedback mechanism through an automated repair and verification module. Immediately after executing the repair suggestion instruction, the attack path simulation engine is invoked for re-simulation and verification. The automated repair and verification module utilizes an anomaly detection unit to monitor new risks, ensuring the effectiveness of repair measures and preventing the transfer of security risks, thus achieving continuous convergence of attack surface risks. Attached Figure Description

[0024] Figure 1 This is a flowchart of the method of the present invention;

[0025] Figure 2 This is a system block diagram of the present invention. Detailed Implementation

[0026] The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0027] Please see Figure 1-2 This invention provides an attack surface management method based on multi-source intelligence fusion, comprising the following steps:

[0028] S1. Collect raw data from multiple data source interfaces, extract features and match patterns from the raw data to generate asset profile data;

[0029] S2. Map the asset profile data to nodes and edges in the graph database, execute the graph path search algorithm, and output the attack path simulation results and business impact score.

[0030] S3. Generate a repair suggestion instruction based on the attack path simulation results. After executing the repair suggestion instruction, send a re-simulation request, obtain the secondary simulation results generated based on the re-simulation request, and verify whether the attack path has been blocked based on the secondary simulation results.

[0031] See attached document Figure 2 This invention provides an external attack surface management system based on multi-source intelligence fusion, which is deployed on an enterprise network security operations center server or a cloud server. The hardware operating environment includes a multi-core CPU, at least 16GB of random access memory, and a high-speed solid-state drive. The software operating environment supports Linux or Windows operating systems and integrates a Python or Java development environment and the Neo4j graph database management system. The multi-source intelligence fusion-based external attack surface management system interacts bidirectionally with a security information and event management platform and a security orchestration and automated response platform via a network communication interface. Its management scope covers cloud computing service environments, IoT device network environments, and third-party asset environments in the supply chain.

[0032] The external attack surface management system based on multi-source intelligence fusion includes, in its logical architecture, a dynamic asset fingerprint database construction module, an attack path simulation engine, and an automated repair and verification module, which are connected in sequence.

[0033] The dynamic asset fingerprint database construction module serves as the system's input, connecting to open-source intelligence gathering interfaces, cloud service application interfaces, and enterprise internal configuration management database interfaces. The open-source intelligence gathering interface connects to a third-party online asset mapping engine to obtain internet exposure data. Specifically, the third-party online asset mapping engine may be either the Shodan search engine or the Censys search engine, or multiple search engines may be integrated to improve data coverage. By integrating this third-party online asset mapping engine, the dynamic asset fingerprint database construction module can obtain global snapshots of internet assets and identify unregistered shadow assets held by the enterprise.

[0034] The cloud service application programming interface (API) connects to the cloud platform resource management interface to obtain cloud resource data. The cloud platform resource management interface can specifically use either the AWS EC2 API or the Azure Resource Manager API, or it can be adapted to the management interfaces of other major cloud vendors such as Google Cloud Platform. By calling the cloud platform resource management interface, the system can synchronize the running status of cloud computing instances, security group configurations, and bucket permission policies in real time.

[0035] The enterprise's internal configuration management database interface reads a known asset list. The dynamic asset fingerprint database construction module uses either a random forest or XGBoost algorithm to clean and classify the collected data. The random forest algorithm is configured with 10 to 100 decision trees. This module identifies cloud resource objects, shadow IT assets, and container service objects, and parses NPM or PyPI metadata files to identify risks associated with third-party components in the supply chain. The module generates asset profile data containing asset type, internet protocol address, port status, and dependencies, achieving a coverage rate of over 95%, and stores the data in a MySQL or MongoDB database.

[0036] The attack path simulation engine, as the core processing unit, maps asset profile data to nodes and edges in the Neo4j graph database. Nodes represent asset objects such as servers and storage buckets, while edges represent logical relationships such as access permissions. The node capacity is set to a range of 10^4 to 10^6. Based on the MITRE ATT&CK framework, the attack path simulation engine uses a graph path search algorithm to simulate attack paths from external exposure points to core assets within a depth range of 5 to 10 layers.

[0037] The graph path search algorithm specifically selects either the A algorithm or Dijkstra's algorithm. During the path calculation process, the attack path simulation engine traverses the node connections in the graph database according to the logic of the graph path search algorithm. If Dijkstra's algorithm is used, the attack path simulation engine focuses on finding the shortest attack springboard path; if the A algorithm is used, the attack path simulation engine introduces a heuristic evaluation function, focusing on finding the path combination with the lowest attack cost or the highest probability of success.

[0038] The attack path simulation engine combines general vulnerability disclosure scores and configuration error levels to calculate a business impact score. The calculation logic for the business impact score is as follows: calculate the product of the single-point risk value of each compromised node in the attack path and the risk type weight coefficient, sum the products, and then multiply by the business importance coefficient of the target asset node. Based on the business impact score, the attack path simulation engine outputs high-risk attack vectors and transmits the evaluation results to the automated remediation and verification module.

[0039] The automated remediation and verification module acts as both output and feedback, generating remediation suggestions such as closing specified ports, updating certificates, or correcting bucket configurations based on high-risk attack paths. This module then invokes an automated orchestration tool to execute these suggestions. Specifically, the automated orchestration tool is either Ansible or Terraform. Through this tool, the automated remediation and verification module achieves unified management and operation of heterogeneous infrastructure, ensuring that remediation commands are accurately executed across physical servers, virtual machines, and cloud-native containers.

[0040] The automated remediation verification module establishes a closed-loop verification mechanism. After the remediation suggestion command is executed, the automated remediation verification module immediately sends a re-simulation request to the attack path simulation engine. The attack path simulation engine runs the graph path search algorithm again for the remediated area and outputs the secondary simulation results. The automated remediation verification module verifies whether the attack path has been blocked based on the secondary simulation results, achieving an elimination rate of over 98%. Simultaneously, the automated remediation verification module activates the anomaly detection unit to monitor whether the remediation operation introduces new attack surface blind spots. The final remediation effect report and new risk detection results are pushed to the security information and event management platform via the application programming interface.

[0041] During attack path inference, the attack path simulation engine builds an attack model based on the MITRE ATT&CK framework. The engine employs a graph path search algorithm to traverse the nodes and edges in the graph database. The path search algorithm chosen is either A* or Dijkstra's algorithm. The engine sets external exposure points as the starting node. External exposure points include open port 3389 on the internet or vulnerable web services. The engine sets core assets as the target node. Core assets include core databases or business payment systems. The engine simulates the entire process of an attacker infiltrating from the starting node, moving laterally through intermediate nodes, and finally reaching the target node. The engine sets the path search depth to 5 to 10 layers. The engine can simulate specific attack scenarios in cloud-native environments. These scenarios include gaining access using leaked access keys or security keys (AK / SK) and stealing data by exploiting misconfigured storage buckets.

[0042] During the risk quantification and scoring process, the attack path simulation engine incorporates multi-source intelligence data to weight and evaluate attack paths. This multi-source intelligence data includes Common Vulnerability Exposure (CVE) database scores, misconfiguration severity levels, and social engineering risk indices. The attack path simulation engine calculates a business impact score for each simulated attack path.

[0043] The attack path simulation engine calculates the business impact score of the attack path using the following formula:

[0044] ;

[0045] in, Defined as the business impact score of the attack path; Defined as the business importance coefficient of the target asset node, the value range is determined by the enterprise's business attributes; Defined as the total number of damaged nodes involved in the attack path; Defined as the first in the attack path Sequence index of each damaged node; Defined as the first The single-point risk value of each damaged node, which is derived from the general vulnerability disclosure score or configuration error level. Defined as the first The risk type weight coefficient for each damaged node ranges from 0.1 to 1.0.

[0046] The attack path simulation engine sorts all simulated attack paths based on their business impact scores. The engine marks the attack path with the highest business impact score as a high-risk attack vector. Through weighted calculation logic, the engine ensures that the error in the business impact score is less than 5%. The engine then transmits the evaluation results, including attack path details and business impact scores, to the automated remediation and verification module.

[0047] The automated remediation verification module's operational mechanism includes steps for generating remediation suggestions, implementing remediation measures, secondary verification of attack paths, and closed-loop detection of new risks. Through these steps, the automated remediation verification module achieves closed-loop management from risk discovery to risk convergence.

[0048] In the remediation suggestion generation step, the automated remediation verification module receives high-risk attack path data from the attack path simulation engine. This module parses key vulnerable nodes within the high-risk attack paths. Key vulnerable nodes include server nodes with unnecessary ports open, communication nodes using expired Secure Sockets Layer (SSL) certificates, and storage bucket nodes with misconfigurations. Based on a pre-built security policy knowledge base, the automated remediation verification module maps these key vulnerable nodes to specific remediation actions. These actions include commands to close port 3389, update SSL certificates, and correct S3 storage bucket access permissions.

[0049] During the remediation execution process, the automated remediation verification module initiates the automated execution engine. This engine is configured with script interfaces adaptable to various heterogeneous environments. The engine then invokes automated orchestration tools. These tools describe the desired state of the infrastructure using standardized scripting languages. Orchestration tools (e.g., Terraform) track resource changes via state files, or (e.g., Ansible scripts) issue commands via the agentless SSH protocol. The engine then sends configuration change commands to the target assets via an application programming interface (API). Throughout the execution process, the engine logs execution information and status return codes to ensure the remediation actions are correctly applied to the target assets.

[0050] In the secondary verification step of the attack path, the automated remediation verification module immediately sends a retest request to the attack path simulation engine after confirming that the remediation action has been executed. The attack path simulation engine responds to the retest request and reruns the path search algorithm for the target asset area where the remediation has been performed. The query response latency of the attack path simulation engine is controlled within 100 milliseconds. The attack path simulation engine verifies whether the original high-risk attack path has been cut off. The automated remediation verification module receives the secondary simulation results. If the secondary simulation results show that the attack path is unreachable, the automated remediation verification module determines that the remediation measures are effective. The automated remediation verification module calculates the elimination rate of the remediation measures; the elimination rate indicator reaches 98% or higher.

[0051] In the new risk closed-loop detection process, the automated remediation verification module initiates the anomaly detection unit. The anomaly detection unit identifies whether changes to the system environment caused by remediation operations have introduced new attack surface blind spots. Attack surface blind spots include unexpected port openings due to service restarts or erroneous exposures due to firewall rule changes. The anomaly detection unit executes anomaly detection algorithms.

[0052] The anomaly detection unit calculates the environmental anomaly index after repair using the following formula:

[0053] ;

[0054] in, Defined as the environmental anomaly index after restoration; Defined as the total number of newly detected exposure points after the repair operation; Defined as the sequence index of the newly detected exposure point; Defined as the first The risk coefficient of each newly detected exposure point is determined based on the port sensitivity of the exposure point; Defined as the total number of asset nodes within the current management scope.

[0055] The automated remediation verification module compares the calculated environmental anomaly index with a preset anomaly threshold. The preset anomaly threshold is set in the range of 0.01 to 0.1. When the environmental anomaly index exceeds the preset threshold, the automated remediation verification module determines that the remediation operation has introduced a new risk. The module generates an alarm message containing details of the new risk. The automated remediation verification module sends the remediation effect report and alarm message to the security information and event management platform via an application programming interface (API). The API response time is less than 200 milliseconds. Based on the received data, the security information and event management platform generates a final attack surface risk convergence report.

[0056] See attached document Figure 1The dynamic asset fingerprint database construction module executes a specific process for asset discovery and profile generation, including multi-source intelligence collection, asset identification and classification, supply chain correlation analysis, and asset profile generation.

[0057] In the multi-source intelligence gathering step, the dynamic asset fingerprint database construction module initiates a parallel collection process. This parallel process connects to open-source intelligence data sources, cloud service platform interfaces, and the enterprise's internal configuration management database. For open-source intelligence data sources, the dynamic asset fingerprint database construction module calls the application programming interface (API) of a third-party networked asset mapping engine. The module sends a query request to the engine, containing keywords or network segment ranges related to the enterprise's registered domain names. It then receives the returned publicly exposed Internet Protocol address data, domain name resolution record data, and port service fingerprint data. For the cloud service platform interface, the module calls the cloud platform's resource management interface. After authentication, the module iterates through and retrieves a list of cloud computing instances, cloud storage bucket configuration information, and virtual private cloud network topology data.

Claims

1. An attack surface management method based on multi-source intelligence fusion, characterized in that, Includes the following steps: S1. Collect raw data from multiple data source interfaces, perform feature extraction and pattern matching on the raw data, and generate asset profile data; S2. Map the asset profile data to nodes and edges in the graph database, execute the graph path search algorithm, and output the attack path simulation results and business impact score. S3. Generate a repair suggestion instruction based on the attack path simulation result, send a re-simulation request after executing the repair suggestion instruction, obtain the secondary simulation result generated based on the re-simulation request, and verify whether the attack path has been blocked based on the secondary simulation result.

2. The attack surface management method based on multi-source intelligence fusion according to claim 1, characterized in that, The specific steps for collecting raw data from multiple data source interfaces in step S1 include: Start a parallel data collection process and connect to the open-source intelligence collection interface, the cloud service application interface, and the enterprise internal configuration management database interface respectively. By calling a third-party network asset mapping engine through the open-source intelligence gathering interface, publicly exposed Internet protocol address data, domain name data, and port service data can be obtained. The cloud service application interface is used to call the cloud platform resource management interface to obtain cloud computing instance data and cloud storage resource data. The system reads the known asset list data maintained internally by the enterprise through the enterprise internal configuration management database interface.

3. The attack surface management method based on multi-source intelligence fusion according to claim 1, characterized in that, In step S1, the specific steps for extracting features and matching patterns from the raw data to generate asset profile data include: Using a random forest algorithm or XGBoost algorithm configured with a decision tree number parameter, domain name resolution records, secure socket layer certificate information and port service fingerprints are extracted as feature vectors to identify cloud resource objects, shadow IT assets and container service objects; The software supply chain dependency resolution program is executed to scan the application's metadata file, extract the names, version numbers, and source addresses of third-party components, and compare them with a known vulnerability database to identify supply chain asset risk points. The identified asset category tags and supply chain association information are mapped to unique asset identifiers to generate asset profile data that includes asset type identifiers, port open status, and asset dependencies.

4. The attack surface management method based on multi-source intelligence fusion according to claim 1, characterized in that, In step S2, the specific steps for mapping the asset profile data to nodes and edges in the graph database include: Define the nodes to represent specific asset objects, including servers, databases, application programming interfaces (APIs), and storage buckets; The edges are defined to represent the logical relationships between the asset objects, including network access permissions, data flow direction, and identity authentication dependencies. The exposure point information in the asset profile data is mapped to the attributes of the node. The exposure point information includes open port number, weak password status, and known vulnerability number.

5. The attack surface management method based on multi-source intelligence fusion according to claim 1, characterized in that, In step S2, the specific steps for executing the graph path search algorithm and outputting the attack path simulation results include: An attack model was built based on the MITRE ATT&CK framework, and the path search depth was set. Set the external exposure point as the starting node and the core asset as the target node; The A* algorithm or Dijkstra's algorithm is used as the graph path search algorithm to traverse the nodes and edges in the graph database, simulate the attack process from the starting node through intermediate stepping nodes to the target node, and generate the attack path simulation result.

6. The attack surface management method based on multi-source intelligence fusion according to claim 1, characterized in that, In step S2, the specific calculation process for outputting the business impact score includes: The node risk product is obtained by multiplying the single-point risk value of each damaged node in the attack path by the risk type weight coefficient. The cumulative path risk value is obtained by summing the node risk products of all damaged nodes in the attack path. The business impact score is obtained by multiplying the cumulative path risk value by the business importance coefficient of the target asset node. The single-point risk value is derived from the general vulnerability disclosure score or the configuration error level.

7. The attack surface management method based on multi-source intelligence fusion according to claim 1, characterized in that, In step S3, the specific steps for generating a repair suggestion instruction based on the attack path simulation results include: The key vulnerable nodes in the attack path simulation results are analyzed. These key vulnerable nodes include server nodes that open unnecessary ports, communication nodes that use expired Secure Sockets Layer certificates, and storage bucket nodes with misconfigurations. Based on a pre-built security policy knowledge base, the critical vulnerable nodes are mapped to specific repair actions; Generate the repair suggestion instructions, which include instructions to close a specified port, update a secure socket layer certificate, or correct a storage bucket configuration.

8. The attack surface management method based on multi-source intelligence fusion according to claim 1, characterized in that, In step S3, the specific steps for executing the repair suggestion instruction include: Invoke the automated orchestration tool and send configuration change instructions to the target asset through the automated orchestration tool; The automated orchestration tool is either the Ansible scripting tool or the Terraform orchestration tool.

9. The attack surface management method based on multi-source intelligence fusion according to claim 1, characterized in that, S3 also includes a new risk closed-loop detection step: After executing the suggested repair instructions, monitor changes in the system environment; Calculate the environmental anomaly index after repair. If the environmental anomaly index exceeds a preset anomaly threshold, it is determined that the repair operation has introduced new risks, and an alarm message is generated.

10. The attack surface management method based on multi-source intelligence fusion according to claim 9, characterized in that, The specific calculation process for the post-remediation environmental anomaly index includes: After the repair operation, all newly detected exposure points are statistically analyzed, and the risk coefficient corresponding to each exposure point is determined. The risk coefficients of all newly detected exposure points are summed to obtain the total new risk value; The environmental anomaly index is obtained by dividing the total value of the newly added risks by the total number of asset nodes within the current management scope.