System and method for dynamic network security risk identification based on multi-source information and ai driving
By using a multi-source intelligence and AI-driven dynamic cybersecurity risk identification system, the problems of high false positive rates and insufficient system coordination in existing technologies have been solved, achieving efficient cybersecurity risk management and ensuring comprehensive coverage and real-time response to complex attack paths.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- CSG EHV POWER TRANSMISSION
- Filing Date
- 2026-02-28
- Publication Date
- 2026-06-05
AI Technical Summary
Existing cybersecurity risk assessment technologies rely on static vulnerability databases and periodic scanning, resulting in a high false positive rate. They are also unable to dynamically capture the real-time status of cloud resources and shadow IT assets, and lack effective system collaboration, leading to low efficiency in dynamic attack surface management.
A dynamic cybersecurity risk identification system based on multi-source intelligence and AI is adopted. The system integrates multi-source intelligence data through a dynamic attack graph modeling module, uses an AI-driven attack simulation engine to automatically discover complex attack paths, and achieves real-time linkage and closed-loop verification through external attack surface management, intrusion and attack simulation and security operations center collaboration modules.
It improves the accuracy of risk assessment, comprehensively covers potential risks, shortens the risk exposure window, and realizes a fully automated closed loop from risk discovery to verification, thereby enhancing the real-time performance and efficiency of cybersecurity management.
Smart Images

Figure CN122160113A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of cybersecurity technology, specifically to a dynamic cybersecurity risk identification system and method based on multi-source intelligence and AI. Background Technology
[0002] In a cybersecurity defense system, external attack surface management, intrusion and attack simulation, and security operations centers are core components for identifying and managing network risks. However, existing risk assessment technologies primarily rely on static vulnerability databases and periodic scanning tools, typically determining risk levels solely based on vulnerability scoring standards without considering network topology analysis of the attacker's actual exploitation paths. This assessment approach may result in high-scoring vulnerabilities located in isolated networks and lacking paths to core systems being given excessive priority, leading to a false positive rate of up to 30%. Regarding attack path analysis, existing technologies largely depend on manually predefined attack scripts, making it difficult to dynamically capture the real-time exposure status of cloud resources or shadow IT assets. Furthermore, they cannot automatically build complete attack chain models that include complex actions such as lateral movement or privilege escalation, resulting in path coverage of only about 65%, with numerous high-risk exposure points going undetected.
[0003] Furthermore, existing technologies primarily rely on manual penetration testing for the remediation and verification phase. This process typically takes over 72 hours and is extremely costly, while also making it difficult to detect newly introduced risks such as configuration errors resulting from remediation operations. Regarding system collaboration, external attack surface management, intrusion and attack simulation, and the security operations center usually operate as independent systems, lacking an effective data linkage mechanism. While external attack surface management tools can identify asset exposure points, they cannot verify their exploitability. Intrusion and attack simulation relies on manually entered target lists, limiting the testing scope. The disconnect between security operations center log analysis and attack simulation data results in response times typically exceeding 10 minutes. These technological limitations lead to inefficient dynamic attack surface management, failing to meet the real-time risk protection requirements of cloud computing environments and critical information infrastructure. Summary of the Invention
[0004] To address the shortcomings of existing technologies, this invention provides a dynamic network security risk identification system and method based on multi-source intelligence and AI-driven approaches, which solves the problems of assessment errors and missed detections of complex attack paths caused by uneven quality of multi-source data in existing technologies.
[0005] To achieve the above objectives, the present invention provides the following technical solution: The first aspect of the present invention provides a dynamic network security risk identification system based on multi-source intelligence and AI-driven technology. The system includes: a dynamic attack graph modeling module, an AI-driven attack simulation engine, and a collaborative module for external attack surface management, intrusion and attack simulation, and security operations center.
[0006] The dynamic attack graph modeling module addresses the issues of multi-source data fusion and quality quantification. This module integrates multi-source intelligence data to construct a network attack graph containing asset nodes, vulnerability nodes, and attack action edges. During construction, the module includes a confidence calculation unit to calculate the intelligence confidence index for asset nodes in the network attack graph. This confidence index is not a static value but is determined by the product of the basic authority weight coefficient of the intelligence source and the decay factor of intelligence timeliness. The basic authority weight coefficient has different preset priority values based on the type of intelligence source to distinguish the credibility of data from different sources; the decay factor is calculated based on a time difference exponential function, controlling the decay rate through a time decay constant, thereby ensuring that the credibility of the intelligence automatically degrades over time through a mathematical model, truly reflecting the timeliness of the network environment. Furthermore, this module can utilize deep learning algorithms (such as deep Q-networks) to optimize the weights of edges in the network attack graph, comprehensively considering the severity of vulnerability scores, the business value weight of assets, and the exploit probability of zero-day vulnerabilities, to achieve a high-fidelity digital mapping of the network environment.
[0007] The AI-driven attack simulation engine addresses the issues of automated discovery and false negatives for complex attack paths. Based on a network attack graph constructed by a dynamic attack graph modeling module, the engine uses reinforcement learning algorithms to simulate multi-stage attack paths from external exposure points to core assets and quantifies risk scores. The engine constructs a reinforcement learning state space containing an intelligence confidence index and is configured with dynamic entropy coefficient mapping logic. During simulation, the engine dynamically adjusts the exploration strategy parameters of the reinforcement learning algorithm (such as a near-end policy optimization algorithm) in real time based on the intelligence confidence index of the current asset node. Specifically, this logic sets lower and upper limits for the entropy coefficient, establishing an inverse mapping relationship between intelligence confidence and exploration randomness: when the intelligence confidence index is high, the entropy coefficient is reduced, prompting the agent to tend to utilize known high-probability paths, accelerating convergence; when the intelligence confidence index is low, the entropy coefficient is increased, forcing the agent to increase the randomness of action selection and the breadth of exploration. Through this dynamic entropy regularization mechanism, the system directly intervenes in the gradient update direction of the policy network using data quality, effectively preventing the algorithm from getting stuck in local optima in areas lacking intelligence, thereby discovering hidden deep attack paths.
[0008] The external attack surface management, intrusion and attack simulation, and security operations center collaboration modules address the issues of fragmented security operations processes and lack of verification. This module is responsible for generating remediation suggestions based on simulation results and performing closed-loop feedback verification. The workflow includes: scanning and identifying exposed assets using external attack surface management tools and marking them as the initial entry point for attack simulations; establishing real-time linkage with the security operations center, triggering the dynamic attack graph modeling module to update the intelligence acquisition time and confidence index of the corresponding nodes when changes in network traffic or asset status are detected, thereby initiating incremental simulations. After executing the remediation suggestions, this module updates the network topology status in the graph database and triggers the AI engine to rerun the simulation. It quantifies the path elimination rate by calculating the change in the number of high-risk paths before and after remediation, and simultaneously uses a rule engine to scan the remediated configuration to detect whether policy changes have introduced new exposure points, achieving a fully automated closed-loop process from risk discovery and simulation to effect verification.
[0009] A second aspect of this invention provides a dynamic cybersecurity risk identification method based on multi-source intelligence and AI-driven approaches, the method comprising the following steps:
[0010] The system utilizes a dynamic attack graph modeling module to fuse multi-source intelligence data, constructs a network attack graph, and calculates the intelligence confidence index for each node. During this process, the system cleanses and identifies entities from incoming open-source intelligence, cloud service interface data, logs, and dark web intelligence. Based on the intelligence source type and acquisition time difference, it dynamically generates a confidence index representing the reliability of the current data using a pre-defined calculation model, thus constructing a network environment foundation with confidence weights.
[0011] An AI-driven attack simulation engine is used to simulate attack paths based on network attack graphs. During this process, a reinforcement learning agent is instantiated, incorporating an intelligence confidence index into the state space. In the decision-making process, the system calculates a dynamic entropy coefficient in real time based on the intelligence confidence index of the current node and substitutes it into the entropy regularization term in the loss function. By dynamically adjusting the entropy value of the exploration strategy, the system balances the utilization of the algorithm with the exploration behavior, outputting simulation results that include multi-stage attack path chains and risk scores.
[0012] The system leverages external attack surface management, intrusion and attack simulation, and security operations center collaboration modules to perform response and verification. The system analyzes simulation results, generates defense strategies, and deploys them. It then updates the attack surface map status and triggers a second simulation. By comparing the number of attack paths and risk scores before and after remediation, the system quantifies and verifies the effectiveness of attack path elimination, confirms the absence of newly introduced configuration risks, and completes the security loop.
[0013] This invention provides a dynamic cybersecurity risk identification system and method based on multi-source intelligence and AI-driven approaches. It offers the following advantages:
[0014] 1. This invention effectively solves the problem of inconsistent quality of multi-source intelligence data by constructing a confidence calculation model based on the authority and timeliness of intelligence sources. The system does not simply aggregate open-source intelligence, cloud APIs, and dark web data; instead, it uses an exponential decay function to dynamically calculate the intelligence confidence index of nodes. This allows the network attack graph to reflect the credibility of intelligence in real time, avoiding false alarms caused by outdated or misleading intelligence and improving the accuracy of risk assessment.
[0015] 2. This invention directly intervenes in the loss function of reinforcement learning algorithms by establishing a negative correlation between dynamic entropy coefficients and intelligence confidence: when intelligence is reliable, known paths are utilized; when intelligence is ambiguous, the exploration probability is forcibly increased. This mechanism overcomes the shortcomings of traditional algorithms that are prone to getting trapped in local optima or missing unknown paths, ensuring comprehensive coverage of potential risks.
[0016] 3. This invention establishes a real-time linkage and closed-loop verification mechanism through external attack surface management, intrusion and attack simulation, and a security operations center collaboration module. The collaboration module triggers a status update in the dynamic attack graph modeling module and a secondary simulation by the AI engine after executing an automated response. This mechanism achieves quantitative verification of the attack path elimination effect and detection of newly introduced risks by differentially comparing the simulation results before and after the patching. This elevates security operations from static vulnerability patching to dynamic effect verification, significantly shortening the risk exposure window. Attached Figure Description
[0017] Figure 1 This is a schematic diagram of the overall architecture of the dynamic network security risk identification system based on multi-source intelligence and AI driven according to an embodiment of the present invention;
[0018] Figure 2 This is a flowchart illustrating the dynamic attack graph modeling process of an embodiment of the present invention.
[0019] Figure 3 This is a flowchart illustrating the operation of the AI-driven attack simulation engine according to an embodiment of the present invention.
[0020] Figure 4 This is a flowchart illustrating the operation of the external attack surface management, intrusion and attack simulation, and security operations center collaboration modules according to an embodiment of the present invention.
[0021] Figure 5 This is a flowchart of a method according to an embodiment of the present invention. Detailed Implementation
[0022] The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0023] This embodiment provides a dynamic network security risk identification system based on multi-source intelligence and AI. The system is deployed on a computing device equipped with a 16-32 core CPU, at least 64GB of RAM, and at least 1TB of SSD storage, running a Linux operating system. The data storage layer uses the Neo4j graph database (version 4.4+), and the algorithm computation layer is based on the TensorFlow 2.5 or PyTorch 1.8 deep learning framework, with Python 3.8 as the programming language. The device is deployed in a security operations center, connected to the intranet and the internet via a gigabit network interface, with API response latency to external systems controlled within 200 milliseconds.
[0024] See attached document Figure 1 The overall logical architecture of the system mainly consists of three core processing units: a dynamic attack graph modeling module, an AI-driven attack simulation engine, and a collaborative module for external attack surface management, intrusion and attack simulation, and security operations center.
[0025] See attached document Figure 2 The dynamic attack graph modeling module, serving as the system's data processing foundation, is responsible for establishing and maintaining a digital mapping of the network environment. This module continuously receives multi-source intelligence data through a data acquisition interface, covering open-source intelligence, cloud service application programming interface data, security operations center logs, and dark web threat intelligence. Internally, the dynamic attack graph modeling module employs data cleaning and fusion algorithms to transform heterogeneous source data into standardized graph structure data, which is then stored in the graph database.
[0026] During the graph structure construction process, the dynamic attack graph modeling module identifies asset entities in the network environment and instantiates them as asset nodes, identifies potential software defects and instantiates them as vulnerability nodes, and identifies lateral movement or privilege escalation operations that attackers may take and instantiates them as edges connecting nodes.
[0027] The dynamic attack graph modeling module includes a confidence calculation unit that calculates an intelligence confidence index for each asset node in the graph. The intelligence confidence index is a dynamically changing numerical attribute, its value depending on the authority level of the intelligence source and the difference between the intelligence generation time and the current system time. This intelligence confidence index, as part of the node attributes, is written to the graph database in real time and passed to the downstream computing engine as a key environmental state parameter.
[0028] See attached document Figure 3 The AI-driven attack simulation engine connects to the dynamic attack graph modeling module via a high-bandwidth data channel, reading network attack graph data containing intelligence confidence indices. Internally, the engine runs a reinforcement learning-based agent that performs virtual penetration testing tasks within the network attack graph.
[0029] The AI-driven attack simulation engine constructs a reinforcement learning state space that includes not only the type of asset node, vulnerability score, and business value, but also an intelligence confidence index passed by the dynamic attack graph modeling module.
[0030] The AI-driven attack simulation engine integrates dynamic entropy policy control logic. During simulation, this logic establishes a functional mapping relationship between the intelligence confidence index and the exploration policy parameters in the reinforcement learning algorithm. Specifically, when the agent is at a certain asset node, the engine reads the node's intelligence confidence index and calculates the corresponding dynamic entropy coefficient based on it. This dynamic entropy coefficient is directly input into the loss function calculation process of the reinforcement learning algorithm to adjust the randomness of the agent's action selection in real time. In this way, the system achieves direct control of data quality over algorithm behavior: it tends to simulate deterministic paths when intelligence confidence is high, and forces an increase in exploration breadth when intelligence confidence is low.
[0031] The External Attack Surface Management, Intrusion and Attack Simulation, and Security Operations Center Collaboration Module (hereinafter referred to as the Collaboration Module) is responsible for the system's input initialization and output closed-loop execution. The external attack surface management tool in this module periodically scans the target network boundary, identifies a list of assets exposed on the public network, and marks these assets as initial access entry nodes for the AI-driven attack simulation engine to simulate paths.
[0032] The collaboration module receives simulation results from an AI-driven attack simulation engine. These results include the optimal set of attack paths from the initial access entry node to core high-value asset nodes, along with a comprehensive risk score. Based on these simulation results, the collaboration module generates targeted security configuration hardening suggestions or vulnerability remediation instructions.
[0033] The collaboration module establishes a two-way communication mechanism with the security operations center. On one hand, the collaboration module sends the simulated high-risk path characteristics to the monitoring rule base of the security operations center; on the other hand, the collaboration module receives network traffic status change information from the security operations center in real time. When the security operations center detects a change in the actual status of an asset node (e.g., service port closed or traffic abnormally interrupted), the collaboration module immediately sends a status update signal to the dynamic attack graph modeling module.
[0034] Upon receiving the update signal, the dynamic attack graph modeling module updates the intelligence acquisition timestamp of the corresponding asset node and triggers a recalculation of the intelligence confidence index. The updated intelligence confidence index is then transmitted to the AI-driven attack simulation engine, triggering a new round of attack path simulation and risk assessment, thus forming a closed-loop workflow from intelligence perception and simulation to defense response and status update.
[0035] The dynamic attack graph modeling module first collects intelligence data from multiple sources, including open-source intelligence, cloud service API data, SOC logs, and dark web threat intelligence. After cleaning, the collected data is mapped to asset nodes, vulnerability nodes, and attack action edges in a graph database. Node attributes include asset type, vulnerability score, business value weight, and intelligence confidence index.
[0036] To address the issue of intelligence timeliness, the module utilizes a mathematical model to calculate the timeliness of each asset node. Intelligence confidence index The calculation formula is as follows:
[0037] ;
[0038] in, The weighting coefficients are based on the authority of the intelligence source and are preset according to the source type: SOC log source weight is 1.0, cloud API source weight is 0.8, open source intelligence source weight is 0.6, and dark web intelligence source weight is 0.4. It is a natural constant. This represents the difference between the current system time and the intelligence acquisition time. λ is a time decay constant used to control the decay rate. This formula ensures that the credibility of intelligence decreases exponentially over time.
[0039] After the graph is constructed, the module uses a Deep Q-Network (DQN) algorithm to optimize the edge weights. The learning rate of DQN is set to 0.001 to 0.01. The algorithm minimizes the loss function. Update network parameters:
[0040] ;
[0041] in, The reward function takes into account the severity of the vulnerability score, the weight of the asset's business value, and the probability of zero-day vulnerability exploitation. Discount factor; The predicted Q-value for the action in the current state; These are the target network parameters.
[0042] AI-driven attack simulation engines build reinforcement learning environments based on attack graphs. The agent's state space. Includes asset node feature vectors and intelligence confidence index passed from the modeling module. Action space Based on a network attack technology framework.
[0043] The engine incorporates dynamic entropy coefficient mapping logic to adjust exploration strategies in real time based on intelligence confidence levels. (Dynamic entropy coefficient) The calculation formula is as follows:
[0044] ;
[0045] in, Let be the lower limit of the entropy coefficient (set to 0.01). This represents the upper limit of the entropy coefficient (set to 0.05). This represents the intelligence confidence index for the current node. This formula ensures that when the intelligence confidence index approaches 1, The algorithm tends to exploit the minimum value; when the confidence level approaches 0... As the algorithm approaches its maximum value, it forces the addition of random exploration.
[0046] The engine uses the Proximal Policy Optimization (PPO) algorithm to train the policy network, and its objective function is... Includes dynamic entropy regularization term:
[0047] ;
[0048] in, To truncate the proxy target item, used to limit the scope of policy updates; This is the loss term in the value function; This is the value coefficient. Let be the entropy value of the policy in the current state. This is achieved by introducing... The system directly intervenes in the gradient update direction using intelligence confidence levels, in areas of intelligence ambiguity (high confidence level). By maximizing entropy, it encourages the exploration of unknown paths, effectively preventing underreporting due to a lack of intelligence.
[0049] See attached document Figure 4The External Attack Surface Management (EASM) module, which integrates intrusion and attack simulation and security operations center (BAS) and the Security Operations Center (SOC) module, first initiates a periodic scan of the target network boundary using the EASM-BAS-SOC collaborative architecture. The scan task is configured with 100 to 500 asset fingerprinting rules, covering common web service frameworks, remote management ports, and IoT device protocols. The EASM-BAS-SOC collaborative architecture first initiates a periodic scan of the target network boundary using the external attack surface management tool. The scan task is configured with 100 to 500 asset fingerprinting rules, covering common web service frameworks, remote management ports, and IoT device protocols. The EASM-BAS-SOC collaborative architecture first initiates a periodic scan of the target network boundary using the external attack surface management tool. The scan task is configured with 100 to 500 asset fingerprinting rules, covering common web service frameworks, remote management ports, and IoT device protocols. The external attack surface management tool outputs a list of assets exposed on the public network, including IP addresses, open ports, and service version information. The collaborative module marks these exposed assets as the initial access entry points for attack simulation and pushes this information to the dynamic attack graph modeling module, thereby establishing the boundary starting point of the attack graph.
[0050] The collaboration module establishes a real-time data subscription channel with the Security Operations Center. The Security Operations Center continuously monitors network traffic and host status. When it detects network topology changes or specific asset status changes, it generates a status change event. For example, if a firewall policy change causes a port to close, or a server crash causes service interruption, the Security Operations Center pushes the event to the collaboration module within 200 milliseconds. The collaboration module parses the asset ID involved in the event and immediately triggers the dynamic attack graph modeling module to update the intelligence acquisition timestamp of the corresponding graph node. This action directly causes the node's intelligence confidence index to decrease or reset, thereby triggering the AI-driven attack simulation engine to start a new round of incremental simulations, ensuring that risk assessments are always based on the latest network status.
[0051] For simulation results containing high-risk attack paths output by the AI-driven attack simulation engine, the collaborative module's built-in decision engine generates targeted remediation suggestions. These suggestions are categorized based on the type of key nodes in the attack path: for vulnerable nodes, patch update or virtual patch deployment instructions are generated; for configuration defect nodes, access control list blocking rules or service hardening configuration scripts are generated.
[0052] The collaboration module executes automated response actions, distributing the generated blocking rules to the policy enforcement component of the security operations center, or implementing blocking by calling firewall interfaces through orchestration tools. The entire automated response process is kept within 5 minutes to minimize the attack window.
[0053] After performing the remediation actions, the collaboration module initiates a closed-loop feedback verification process. First, the collaboration module instructs the external attack surface management tool to retest the remediated object to confirm that the vulnerability or exposure point is no longer physically reachable. Subsequently, the collaboration module notifies the dynamic attack graph modeling module to update the network topology status in the graph database, such as removing the remediated vulnerable node or cutting off blocked edges.
[0054] After the status update is complete, the collaboration module triggers the AI-driven attack simulation engine to rerun the simulation task. This simulation aims to verify the effectiveness and side effects of the remediation measures. The collaboration module compares the simulation results before and after the remediation and calculates the path elimination rate. The path elimination rate is defined as the number of high-risk paths before the remediation minus the number of high-risk paths after the remediation, and then divided by the number of high-risk paths before the remediation.
[0055] Simultaneously, the collaboration module utilizes a rules engine to scan the repaired system configuration to detect whether policy changes have introduced new exposure points or vulnerabilities, such as unexpected port openings due to configuration errors. Only when the path elimination rate reaches a preset threshold (e.g., 100% for critical paths) and no new risks are detected is the collaboration module marked as resolved, thus completing the full closed loop of security operations. The entire verification process is designed to ensure that every security change is a reliable operation that has undergone quantitative evaluation and regression testing.
[0056] See attached document Figure 5 The present invention also provides a dynamic cybersecurity risk identification method based on multi-source intelligence and AI-driven methods, comprising the following steps:
[0057] Step S1: Utilize the dynamic attack graph modeling module to fuse multi-source intelligence data, constructing a network attack graph containing asset nodes, vulnerability nodes, and attack action edges, and calculate the intelligence confidence index for the asset nodes in the network attack graph. In this step, the system initializes the data acquisition interface and connects to open-source intelligence, cloud APIs, SOC logs, and dark web data in parallel. Unstructured data is transformed into nodes and edges in the graph database using an entity recognition algorithm. For each asset node, the system reads its intelligence source type and intelligence acquisition timestamp, and uses a preset confidence calculation model to multiply the basic authority weight coefficient corresponding to the intelligence source by an exponential decay factor based on time difference to obtain the intelligence confidence index at the current moment. This index is stored along with the graph structure, forming the network environment base with confidence weights.
[0058] Step S2: Utilizing an AI-driven attack simulation engine, based on the network attack graph constructed by the dynamic attack graph modeling module, a reinforcement learning algorithm is used to simulate a multi-stage attack path from external exposure points to core assets and quantify risk scores to generate simulation results. During the simulation, the exploration strategy parameters of the reinforcement learning algorithm are dynamically adjusted based on the intelligence confidence index calculated by the dynamic attack graph modeling module. In this step, the AI engine instantiates a reinforcement learning agent. The agent performs multiple rounds of tentative attack simulations on the attack graph. At each decision step, the agent reads the intelligence confidence index of the current node and calculates the dynamic entropy coefficient based on a preset dynamic entropy coefficient mapping logic. This coefficient is substituted into the loss function of the near-end policy optimization algorithm to adjust the entropy regularization term of the policy in real time. When encountering a low-confidence node, the algorithm automatically increases the entropy coefficient to encourage exploration of unknown paths; when encountering a high-confidence node, the algorithm decreases the entropy coefficient to quickly converge to the optimal path. Finally, the engine outputs simulation results containing the attack path chain and risk scores.
[0059] Step S3: Utilizing the external attack surface management, intrusion and attack simulation, and security operations center collaboration modules, remediation suggestions are generated based on the simulation results output by the AI-driven attack simulation engine. Closed-loop feedback verification is then performed to confirm the effectiveness of attack path elimination and detect newly introduced risks. In this step, the collaboration module analyzes the simulation results and identifies critical path nodes leading to the compromise of core assets. The system automatically generates corresponding defense strategies, such as firewall rule updates or patch distribution instructions, and executes them. After remediation, the system updates the attack surface graph status and triggers a second simulation. By comparing the number of paths and risk scores before and after remediation, the remediation effect is quantified, and a scan confirms that no new configuration risks have been introduced, thus completing the full closed loop of risk identification and mitigation.
Claims
1. A dynamic cybersecurity risk identification system based on multi-source intelligence and AI-driven technology, characterized in that: include: The dynamic attack graph modeling module is used to integrate multi-source intelligence data, construct a network attack graph that includes asset nodes, vulnerability nodes and attack action edges, and calculate the intelligence confidence index for the asset nodes in the network attack graph. The AI-driven attack simulation engine is used to simulate a multi-stage attack path from external exposure points to core assets based on the network attack graph using reinforcement learning algorithms. The attack path is risk-quantified to generate a risk score, and the simulation results containing the attack path and risk score are output. During the simulation, the exploration strategy parameters of the reinforcement learning algorithm are dynamically adjusted according to the intelligence confidence index calculated by the dynamic attack graph modeling module. The external attack surface management, intrusion and attack simulation, and security operations center collaboration module is used to generate remediation suggestions based on the simulation results. After executing the remediation suggestions, a closed-loop feedback verification is performed to confirm the elimination effect of the attack paths contained in the simulation results and to detect whether new risks are introduced.
2. The dynamic network security risk identification system based on multi-source intelligence and AI-driven as described in claim 1, characterized in that, The dynamic attack graph modeling module integrates multi-source intelligence data, including open-source intelligence, cloud service application interface data, security operations center logs, and dark web threat intelligence. The dynamic attack graph modeling module cleans the multi-source intelligence data and maps it to nodes and edges in the graph database. The attribute information of the nodes includes at least asset type, vulnerability score, business value weight, and intelligence confidence index.
3. The dynamic network security risk identification system based on multi-source intelligence and AI-driven as described in claim 1, characterized in that, The dynamic attack graph modeling module determines the intelligence confidence index through a calculation model, which is determined by the product of the basic authority weight coefficient of the intelligence source and the decay factor of intelligence timeliness. The basic authority weight coefficient is preset with different priority values according to the type of intelligence source; the decay factor is calculated based on the time difference exponential function of the natural logarithm base, the time difference is the difference between the current system calculation time and the intelligence acquisition time, and the decay rate is controlled by the time decay constant.
4. The dynamic network security risk identification system based on multi-source intelligence and AI-driven as described in claim 1, characterized in that, The AI-driven attack simulation engine constructs a reinforcement learning agent based on a near-end policy optimization algorithm; The state space of the reinforcement learning agent includes the feature vector of the current asset node, and the feature vector contains the intelligence confidence index transmitted by the dynamic attack graph modeling module. The action space of the reinforcement learning agent is based on a set of attack techniques defined by the network attack technique framework.
5. The dynamic cybersecurity risk identification system based on multi-source intelligence and AI-driven technology according to claim 1, characterized in that, The AI-driven attack simulation engine is configured with dynamic entropy coefficient mapping logic, which is used to calculate the dynamic entropy coefficient in real time based on the intelligence confidence index of the current asset node. The dynamic entropy coefficient mapping logic is set with a lower limit and an upper limit for the entropy coefficient; when the intelligence confidence index approaches complete trust, the dynamic entropy coefficient tends towards the lower limit of the entropy coefficient, causing the reinforcement learning agent to tend to use known high-probability paths. When the intelligence confidence index approaches unreliability, the dynamic entropy coefficient tends towards the upper limit of the entropy coefficient, thereby increasing the probability of random exploration by the reinforcement learning agent.
6. The dynamic network security risk identification system based on multi-source intelligence and AI-driven as described in claim 4, characterized in that, The near-end policy optimization algorithm constructs a policy network and updates the parameters of the policy network by maximizing the objective function, wherein the objective function includes a truncated agent objective term, a value function loss term, and a dynamic entropy regularization term. The AI-driven attack simulation engine is configured with dynamic entropy coefficient mapping logic, which is used to calculate the dynamic entropy coefficient in real time based on the intelligence confidence index of the current asset node. The dynamic entropy regularization term is the product of the entropy value of the policy in the current state and the dynamic entropy coefficient. By adjusting the weight of the dynamic entropy regularization term through the dynamic entropy coefficient, the intelligence confidence index intervenes in the gradient update direction of the policy network.
7. The dynamic network security risk identification system based on multi-source intelligence and AI-driven as described in claim 1, characterized in that, The dynamic attack graph modeling module is also used to optimize the weights of edges in the network attack graph using the deep Q-network algorithm; The reward function of the deep Q-network algorithm comprehensively considers the severity of the vulnerability score, the business value weight of the asset, and the exploit probability of zero-day vulnerabilities. It updates the network parameters by minimizing the mean squared error loss between the predicted Q value and the target Q value.
8. The dynamic network security risk identification system based on multi-source intelligence and AI-driven as described in claim 1, characterized in that, The workflow of the external attack surface management, intrusion and attack simulation, and security operations center collaboration modules includes: Exposed assets are identified by scanning with external attack surface management tools and used as the initial access entry point for the AI-driven attack simulation engine. The security operations center monitors network traffic status in real time. When a status change is detected, the dynamic attack graph modeling module is triggered to update the intelligence acquisition time of the corresponding node, thereby triggering the recalculation of the intelligence confidence index.
9. The dynamic network security risk identification system based on multi-source intelligence and AI-driven as described in claim 1, characterized in that, The steps for the closed-loop feedback verification performed by the external attack surface management, intrusion and attack simulation, and security operations center collaboration modules include: After implementing the remediation recommendations, the network topology status in the graph database is updated, and the AI-driven attack simulation engine is triggered to rerun the simulation. The change in the number of high-risk paths before and after the repair is calculated to determine the path elimination rate, and the rule engine is used to scan the post-repair configuration to detect whether new exposure points have been introduced.
10. A dynamic cybersecurity risk identification method based on multi-source intelligence and AI-driven approaches, characterized in that... The system applied to the dynamic cybersecurity risk identification system based on multi-source intelligence and AI as described in any one of claims 1-9 includes the following steps: S1. Using the dynamic attack graph modeling module, multi-source intelligence data is integrated to construct a network attack graph containing asset nodes, vulnerability nodes, and attack action edges, and an intelligence confidence index is calculated for the asset nodes in the network attack graph. S2. Using an AI-driven attack simulation engine, based on the network attack graph constructed by the dynamic attack graph modeling module, a reinforcement learning algorithm is used to simulate a multi-stage attack path from external exposure points to core assets and quantify risk scores to generate simulation results. During the simulation process, the exploration strategy parameters of the reinforcement learning algorithm are dynamically adjusted according to the intelligence confidence index calculated by the dynamic attack graph modeling module. S3. Utilize the external attack surface management, intrusion and attack simulation, and security operations center collaboration modules to generate remediation suggestions based on the simulation results output by the AI-driven attack simulation engine; after executing the remediation suggestions, perform closed-loop feedback verification to confirm the effectiveness of attack path elimination and detect whether new risks are introduced.