An AI-based network security alarm accurate identification and grading method
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- JIANGSU JUNAN SAFETY INSPECTION CO LTD
- Filing Date
- 2026-03-16
- Publication Date
- 2026-06-05
AI Technical Summary
Existing network security alarm processing technologies suffer from problems such as alarm flooding, high false alarm rate, insufficient accuracy of entity disambiguation, resource misallocation due to static classification, and missed detection of high-risk cases. Furthermore, AI alarm analysis models lack dual-track evidence fusion of normal behavior and attack behavior, resulting in insufficient interpretability and robustness of the models.
By generating an alarm entity graph, extracting multi-dimensional deep features, constructing a self-supervised model for normal behavior and an attack technique identification model, and combining an evidence ratio fusion model, dynamic classification driven by risk budget is carried out to achieve accurate identification and classification of entities and alarms through disambiguation.
It improved the accuracy of alarm classification, optimized resource allocation, enhanced the efficiency of emergency response for security operations, avoided new types of evasion attacks, and enhanced the model's recognition accuracy and robustness.
Smart Images

Figure CN122160144A_ABST
Abstract
Description
Technical Field
[0001] This invention pertains to the field of network security operations, specifically to an AI-based method for accurate identification and classification of network security alarms. Background Technology
[0002] As enterprises continue to deepen their digital transformation, cyberattack methods are becoming increasingly complex, covert, and automated. Enterprises' various security systems, such as security information management, endpoint detection and response, and network detection and response, generate massive amounts of alarm data every day, and network security operation models are facing many problems.
[0003] Existing alarm handling technologies heavily rely on fixed rules and manual analysis, resulting in alarm flooding and high false positive rates. A large number of invalid alarms consume core operational resources, making it easy for genuine high-risk attacks to be overlooked. Current entity disambiguation methods rely on relatively simple field matching, leading to insufficient entity alignment accuracy in multi-source heterogeneous data scenarios and an inability to construct a complete attack chain graph. Previously, alarm grading used static, fixed thresholds without dynamically adjusting based on the enterprise's real-time handling capabilities, attack stages, and technical severity. This resulted in shortcomings such as high-priority alarm overload, misallocation of handling resources, and missed detection of new evasion attacks.
[0004] Existing AI alarm analysis models are mostly single-track discrimination modes, lacking dual-track evidence fusion of normal behavior and attack behavior. The models lack interpretability and robustness. Given the security operation needs of complex enterprise networks, there is a need for an AI-based method for accurate identification and classification of network security alarms to solve the above problems. Summary of the Invention
[0005] To address the technical problems mentioned in the background, this invention provides an AI-based method for accurate identification and classification of network security alarms.
[0006] The objective of this invention can be achieved through the following technical solutions:
[0007] This invention provides an AI-based method for accurate identification and classification of network security alarms, the specific steps of which are as follows:
[0008] Step 1, Alarm Collection: Connect with multiple security systems, generate a unique set of alarm identifiers and entity identifiers, construct a traceability multi-association table, align data entities for disambiguation, and generate an alarm entity graph;
[0009] Step 2: Multi-dimensional alarm feature extraction: Construct a temporal behavior sequence based on the alarm entity graph, and then extract deep features such as temporal self-excitation, process roughness, topological persistence, distribution drift and non-conformal fraction, normalize and splice them into feature objects and store them in the feature warehouse;
[0010] Step 3: Alarm Analysis Model Construction: Obtain stable business data and attack data through the normal behavior self-supervised model and attack technology identification model, and input them into the evidence ratio fusion model to obtain the true alarm probability;
[0011] Step 4, Dynamic Classification: Based on the probability of true alarms, the probability of each attack technique, and the probability distribution of each attack stage, a risk budget-driven dynamic classification is performed and processed.
[0012] As a preferred technical solution, based on step one, the process involves connecting to multiple security systems, generating a unique set of alarm identifiers and entity identifiers, constructing a traceability multi-association table, aligning data entities for disambiguation, and generating an alarm entity graph. The specific steps are as follows:
[0013] This system integrates with enterprise security information data, endpoint detection and response data, network detection and response data, identity and access management data, cloud platform audit logs, and email security gateways. It collects alarm and context data of various types, including asset importance, business partitions, exposure surfaces, vulnerability levels, baseline policies, historical events, handling time, and downtime costs. A unique alarm identifier is generated for each alarm and integrated into an entity identifier set. Entities include at least users, hosts, processes, file hashes, domains, applications, cloud accounts, containers, and ticket objects. The system binds the original alarm fields, trigger rules, timestamps, alarm text descriptions, and original alarm levels to the unique alarm identifier in the database. Context data is input into the database using the entity identifier set, generating a multi-association table for tracing alarms to entities and then to business processes. The system identifies entities to be aligned in the multi-association table and extracts structured and textual semantic features. Structured features include numerical and enumerated features, while textual semantic features include text fields such as hostname, process path, and account remarks. These are encoded as structured dense vectors and textual dense vectors, respectively. A gating fusion function is used to merge the structured dense vectors. and text-dense vectors The feature vectors of each entity are obtained by concatenation. Its calculation logic is as follows: ,in It is an element-wise product. The gate vector has the same dimension as the feature vector, and each element takes values in the range [0,1]. The feature similarity is obtained by calculating the cosine similarity between any two entity feature vectors. The calculation logic is as follows: Here, m1 and m2 represent the entity feature vector numbers. The distance similarity of the text fields is calculated using an edit distance function. The feature similarity and distance similarity are weighted and fused to obtain the initial matching score. All entities to be aligned are set as the node set of the entity association graph, and entities appearing in the same alarm are set as the association edge set of the entity association graph. The neighbor nodes of each node are aggregated, and the features of any two neighbor nodes are concatenated to obtain the neighbor features. Its calculation logic is as follows: Where h1 and h2 are node numbers, and WH and bs are learnable parameters. The activation parameter is fc, which represents the neighboring node.
[0014] The neighbor features are normalized using softmax to obtain the attention weights of two neighbor nodes. The neighbor features are then aggregated based on the neighbor features and attention weights to obtain the updated node features. The updated matching score of the entity pair is recalculated based on the updated node features. The posterior probability that the entity pair is the same entity is calculated based on the initial matching score and the updated matching score.
[0015] Extract the preset alignment threshold from the database. If the posterior probability is greater than or equal to the preset alignment threshold, the entity pair is determined to be the same entity and assigned to a unified alarm unique identifier. Otherwise, they are determined to be different entities and their respective identifiers are retained. Set the entity corresponding to the unified alarm unique identifier as a graph node. The graph node attributes include entity type, fusion features and context data. The association relationship between entities is set as a graph edge. The edge attributes include association time and association count. The alarm entity graph is then constructed.
[0016] As a preferred technical solution, based on step two, a temporal behavior sequence is constructed based on the alarm entity map. Then, deep features such as temporal self-excitation, process roughness, topological persistence, distribution drift, and non-conformal fraction are extracted, normalized, and concatenated into feature objects and stored in the feature warehouse. The specific steps are as follows:
[0017] The behavioral events corresponding to a certain number of days for each alarm's unique identifier are extracted and arranged in ascending order of time to obtain a single entity behavioral sequence. Behavioral events for all entities within a business partition are extracted and aggregated by time to construct a partitioned behavioral sequence. The single entity behavioral sequence and the partitioned behavioral sequence are then integrated into a time-series behavioral sequence. The alarm arrival sequence within the same entity or business partition is modeled using a multivariate Hawkes self-triggered point process, specifically setting the alarm arrival time sequence and calculating the alarm arrival rate. Its calculation logic is as follows: ,in For standard alarm intensity, To activate the kernel function, we need to describe how the excitation effect of historical events on the current moment decays over time. It is the time difference between the current time t and the time ti when the historical event occurred. The alarm type vector is used, such as login failure or lateral movement. The alarm variation coefficient HJ is calculated based on the alarm arrival rate. The calculation logic is as follows: ,in The standard deviation of the alarm arrival rate sequence. This is the arithmetic mean of the alarm arrival rate sequence;
[0018] Select the behavior count sequence X within several hours before and after the alarm trigger window, including the number of login failures, lateral connections, process startups, and file modifications. Perform a three-level wavelet decomposition on the behavior count sequence to obtain approximation coefficients and detail coefficients. Reconstruct the smooth sequence SX and detail sequence SD at each scale, and calculate the initial roughness RO at each scale. The calculation logic is as follows: , where Corr is the Pearson correlation coefficient, and the mean and variance of the three roughness layers are set as roughness features;
[0019] The cumulative sum sequence value is obtained by performing a cumulative sum transformation on the behavior count sequence. The cumulative sum sequence values are divided into non-overlapping windows of length s, and a linear fit is performed on each window to obtain the local trend. Calculate the detrended volatility function based on local trends Its calculation logic is as follows: , where k is the sample points of the time series and m is the total number of samples in the time series. The scaling exponent is obtained by fitting a detrended fluctuation function and a window on a double logarithmic coordinate system.
[0020] Set evidence thresholds for the alarm entity graph, calculate the set of connected components for each evidence threshold, track the generation time and merging time of each connected component, and subtract the merging time from the generation time to obtain the persistence of each connected component.
[0021] Select the behavioral characteristics of several days without alarms as stable period data, and construct a Gaussian distribution baseline. Obtain the optimal transmission distance between the current window feature distribution and the Gaussian distribution baseline. Subtract the current optimal transmission distance from the optimal transmission distance of the previous window to obtain the drift change rate.
[0022] Acquire labeled alarm data for several days to set as a calibration set. The labeled alarm data includes true alarms and false alarm labels. Obtain several nearest neighbors of any sample in the calibration set among samples of the same type and calculate their average distance to obtain the nonconformal score.
[0023] The time-series behavior sequences, alarm variation coefficients, process roughness, scaling exponents, persistence of connected components, topological persistence, drift change rate, and nonconformal scores are normalized and concatenated into feature objects and stored in the feature warehouse, which supports low-latency online queries and batch offline queries.
[0024] As a preferred technical solution, based on step three, stable business data and attack data are obtained through the normal behavior self-supervised model and the attack technique identification model, respectively, and then input into the evidence ratio fusion model to obtain the true alarm probability. The specific steps are as follows:
[0025] Feature objects for each time period are extracted from the feature bin and input into the normal behavior self-supervised model. Thirty percent of the feature objects are masked and the mask positions are marked. The masked feature objects are then input into the Transformer encoder to obtain the encoding vector. The masked features are predicted by the encoding vector of the mask positions through a fully connected layer.
[0026] The time series of feature objects from two different time windows of different entities are labeled as positive samples, and the behavior sequences of alarm periods of different entities are labeled as negative samples. The sample contrast loss is calculated by using mask features that bring the positive samples closer and mask features that push the negative samples further apart. The calculation logic is as follows: ,in is the encoding vector for positive and negative sample pairs, 2N is the total number of sample pairs, c is the sample pair encoding, exp is the exponential function, -log is the negative logarithm operation, sim is the similarity function, and the sample comparison loss is set to the stable business data.
[0027] The feature object, text semantic features, and alarm entity graph are encoded to obtain feature object embedding vector, text embedding vector, and graph embedding vector, respectively. Attention-weighted graph features are calculated from the text embedding vector and graph embedding vector, and attention-weighted numerical features are calculated from the feature object embedding vector and graph embedding vector. The graph features and numerical features are concatenated to obtain a fusion vector. Through the preset attack technology classification header and attack stage classification header, the probability of each attack technology and the probability distribution of each attack stage are output and set as attack type data. Attack technology types include malicious code evasion, system kernel vulnerabilities, and domain penetration attacks, etc. Attack stages include reconnaissance, weaponization, delivery, installation, command and control, and action.
[0028] Featured objects, stable business data, and attack-related data are input into a dual-track evidence ratio fusion model. Each data type is mapped to the identification framework using a basic probability allocation function to obtain the allocation probability for each data type. The allocation probabilities of each data type are then synthesized using the Dempster combination rule to obtain the global allocation probability. A trust function and a likelihood function are calculated based on the global allocation probability. The generalized likelihood ratio (HM) is obtained through the trust function and likelihood function, and finally, based on the sigmoid function... The probability of obtaining a true alarm is obtained by using the generalized likelihood ratio, and its calculation logic is as follows: .
[0029] As a preferred technical solution, based on step four, risk budget-driven dynamic classification is performed and processed according to the probability distribution of true alarms, the probability of each attack technique, and the probability distribution of each attack stage. The specific steps are as follows:
[0030] Obtain the current graded time window Tw, the number of on-duty safety analysts NW, the average manual handling time Ta for a single high-priority alarm, and the effective work coefficient NE of the personnel, and calculate the current manual handling capacity QC. The calculation logic is as follows: ;
[0031] Obtain the average time TS for automated handling of a single alarm in the current automated response system and the number of concurrent automated handling channels Cu, and calculate the automated handling capacity QR. The calculation logic is as follows: ;
[0032] The total risk budget is obtained by adding the manual processing capacity and the automated processing capacity. The number of high-priority alarms allocated in the real-time monitoring window is divided by the total risk budget to obtain the risk budget utilization rate.
[0033] Set up an attack phase risk weight matrix and predefined hazard weights for attack techniques. The weights increase linearly with each subsequent attack phase. The attack phase risk weight matrix and the probabilities of each attack technique are weighted and summed to obtain the attack phase risk coefficient. The predefined hazard weights of attack techniques and the probability distributions of each attack phase are weighted and summed to obtain the attack technique hazard coefficient. The true alarm probability, the attack technique hazard coefficient, and the attack phase risk coefficient are multiplied to obtain the attack determinism coefficient.
[0034] Extract the first attack threshold, second attack threshold, first budget threshold, and second budget threshold from the database. If the attack certainty coefficient is greater than or equal to the first attack threshold and the risk budget utilization rate is greater than or equal to the first budget threshold, a top-level alarm is generated, and reversible emergency response actions are immediately executed, including blocking the attack source IP, temporarily freezing the involved account, and isolating the controlled host from the network. If the first attack threshold is less than the attack certainty coefficient and less than or equal to the second attack threshold, and the first budget threshold is less than or equal to the risk budget utilization rate and less than or equal to the second budget threshold, a medium-priority alarm is generated. Priority is given to matching the automated handling channel, and the corresponding response script is invoked according to the attack stage and technology type, including executing malicious session blocking and process termination during the command and control stage, and executing vulnerability patch push during the exploitation stage. If the second attack threshold is less than the attack certainty coefficient and the second budget threshold is less than the risk budget utilization rate, a low-priority alarm is generated. Low-priority alarms of the same entity and the same type are aggregated daily to generate a daily security operation report.
[0035] Compared with the prior art, the beneficial effects of the present invention are:
[0036] The structured features and textual semantic features of entities are extracted and encoded separately. Entity feature vectors are generated through a gated fusion function. Node features are then optimized through graph neighbor attention weighted aggregation. Entity alignment is completed based on posterior probability, achieving disambiguation and unified identification of multiple types of entities such as users, hosts, and processes.
[0037] Using the probability distribution of true alarms, attack techniques, and stages as inputs, a risk budget-driven dynamic alarm classification and handling system is constructed. Specifically, by acquiring the enterprise's manual and automated handling capacity, a risk budget model that can be monitored in real time is established; and by integrating dimensions such as attack lifecycle and technical harm, the attack risk coefficient is quantified; and the overall process of adaptively adjusting the classification threshold through budget and risk linkage solves the pain points of static classification alarm flooding, resource mismatch, and high-risk missed detection, thereby improving the accuracy of alarm classification and the efficiency of security operation emergency response.
[0038] By employing a dual-track model architecture that combines self-supervision of normal behavior with attack technology identification, stable business data and attack-related data are acquired separately. Then, an evidence ratio fusion model is constructed using DS evidence theory and generalized likelihood ratio to calculate the probability of a true alarm. This step overcomes the limitation of insufficient generalization in single-track models, improves the accuracy of alarm identification and model robustness, and avoids new types of evasion attacks. Attached Figure Description
[0039] To more clearly illustrate the technical solutions of the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. The following drawings are not drawn to scale according to the actual size, but are intended to illustrate the main idea of the present invention.
[0040] Figure 1 This is a diagram illustrating the method steps of the present invention. Detailed Implementation
[0041] The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are also within the scope of protection of the present invention.
[0042] Please refer to Figure 1 As shown, this invention provides an AI-based method for accurate identification and classification of network security alarms, the specific steps of which are as follows:
[0043] Step 1, Alarm Collection: Connect with multiple security systems, generate a unique set of alarm identifiers and entity identifiers, construct a traceability multi-association table, align data entities for disambiguation, and generate an alarm entity graph;
[0044] Step 2: Multi-dimensional alarm feature extraction: Construct a temporal behavior sequence based on the alarm entity graph, and then extract deep features such as temporal self-excitation, process roughness, topological persistence, distribution drift and non-conformal fraction, normalize and splice them into feature objects and store them in the feature warehouse;
[0045] Step 3: Alarm Analysis Model Construction: Obtain stable business data and attack data through the normal behavior self-supervised model and attack technology identification model, and input them into the evidence ratio fusion model to obtain the true alarm probability;
[0046] Step 4, Dynamic Classification: Based on the probability of true alarms, the probability of each attack technique, and the probability distribution of each attack stage, a risk budget-driven dynamic classification is performed and processed.
[0047] As a preferred technical solution, based on step one, the process involves connecting to multiple security systems, generating a unique set of alarm identifiers and entity identifiers, constructing a traceability multi-association table, aligning data entities for disambiguation, and generating an alarm entity graph. The specific steps are as follows:
[0048] It integrates with enterprise security information data, endpoint detection response data, network detection response data, identity and access management data, cloud platform audit logs, and email security gateways to collect alarm and context data of various types. Context data includes asset importance, business partitions, exposure surfaces, vulnerability levels, baseline policies, historical events, handling time, and downtime costs. A unique alarm identifier is generated for each alarm and integrated into a set of entity identifiers. Entities include at least users, hosts, processes, file hashes, domains, applications, cloud accounts, containers, and ticket objects. The original alarm fields, trigger rules, timestamps, alarm text descriptions, and original alarm levels are bound to the unique alarm identifier. The context data is entered into the database using entity identifier sets as input, generating a multi-association table for tracing alarms to entities and then to business processes. It should be noted that the context data mainly represents the business and asset background information of the alarms, enhancing alarm risk assessment. The entities to be aligned in the multi-association table are identified, and structured features and textual semantic features are extracted. Structured features include numerical (IP segment prefix, MAC address vendor code) and enumerated (asset type and cloud vendor) features, while textual semantic features include text fields such as hostname, process path, and account remarks. These are encoded into structured dense vectors and textual dense vectors, respectively. A gating fusion function is then used to merge the structured dense vectors... and text-dense vectors The feature vectors of each entity are obtained by concatenation. Its calculation logic is as follows: ,in It is an element-wise product. The gate vector has the same dimension as the feature vector, and each element takes values in the range [0,1]. The feature similarity is obtained by calculating the cosine similarity between any two entity feature vectors. The calculation logic is as follows: Here, m1 and m2 represent the entity feature vector numbers. The distance similarity of the text fields is calculated using an edit distance function. The feature similarity and distance similarity are weighted and fused to obtain the initial matching score. All entities to be aligned are set as the node set of the entity association graph, and entities appearing in the same alarm are set as the association edge set of the entity association graph. The neighbor nodes of each node are aggregated, and the features of any two neighbor nodes are concatenated to obtain the neighbor features. Its calculation logic is as follows: Where h1 and h2 are node numbers, and WH and bs are learnable parameters. The activation parameter is fc, which represents the neighboring node.
[0049] The neighbor features are normalized using softmax to obtain the attention weights of two neighbor nodes. The neighbor features are then aggregated based on the neighbor features and attention weights to obtain the updated node features. The updated matching score of the entity pair is recalculated based on the updated node features. The posterior probability that the entity pair is the same entity is calculated based on the initial matching score and the updated matching score.
[0050] Extract the preset alignment threshold from the database. If the posterior probability is greater than or equal to the preset alignment threshold, the entity pair is determined to be the same entity and assigned to a unified alarm unique identifier. Otherwise, they are determined to be different entities and their respective identifiers are retained. Set the entity corresponding to the unified alarm unique identifier as a graph node. The graph node attributes include entity type, fusion features and context data. The association relationship between entities is set as a graph edge. The edge attributes include association time and association count. The alarm entity graph is then constructed.
[0051] As a preferred technical solution, based on step two, a temporal behavior sequence is constructed based on the alarm entity map. Then, deep features such as temporal self-excitation, process roughness, topological persistence, distribution drift, and non-conformal fraction are extracted, normalized, and concatenated into feature objects and stored in the feature warehouse. The specific steps are as follows:
[0052] The algorithm extracts the behavioral events corresponding to a certain number of days for each alarm's unique identifier and arranges them in ascending order of time to obtain a single entity behavioral sequence. It then extracts the behavioral events for all entities within a business partition and aggregates them by time to construct a partitioned behavioral sequence. It should be noted that behavioral events mainly consist of entity type, behavior type (such as user login, process startup, host access IP, and file modification), and a set of associated entity IDs (such as the file ID or host ID associated with the process startup behavior). The single entity behavioral sequence and the partitioned behavioral sequence are then integrated into a time-series behavioral sequence. The algorithm models the alarm arrival sequence within the same entity or business partition using a multivariate Hawkes self-triggered point process, specifically setting the alarm arrival time series and calculating the alarm arrival rate. Its calculation logic is as follows: ,in For standard alarm intensity, To activate the kernel function, we need to describe how the excitation effect of historical events on the current moment decays over time. It is the time difference between the current time t and the time ti when the historical event occurred. The alarm type vector is used, such as login failure or lateral movement. The alarm variation coefficient HJ is calculated based on the alarm arrival rate. The calculation logic is as follows: ,in The standard deviation of the alarm arrival rate sequence. This is the arithmetic mean of the alarm arrival rate sequence;
[0053] Select the behavior count sequence X within several hours before and after the alarm trigger window, including the number of login failures, lateral connections, process startups, and file modifications. Perform a three-level wavelet decomposition on the behavior count sequence to obtain approximation coefficients and detail coefficients. Reconstruct the smooth sequence SX and detail sequence SD at each scale, and calculate the initial roughness RO at each scale. The calculation logic is as follows: , where Corr is the Pearson correlation coefficient, and the mean and variance of the three roughness layers are set as roughness features;
[0054] The cumulative sum sequence value is obtained by performing a cumulative sum transformation on the behavior count sequence. The cumulative sum sequence values are divided into non-overlapping windows of length s, and a linear fit is performed on each window to obtain the local trend. Calculate the detrended volatility function based on local trends Its calculation logic is as follows: , where k is the sample points of the time series and m is the total number of samples in the time series. The scaling exponent is obtained by fitting a detrended fluctuation function and a window on a double logarithmic coordinate system.
[0055] Evidence thresholds are set for the alarm entity graph. The set of connected branches for each evidence threshold is calculated. The generation time and merging time of each connected branch are tracked. The difference between the merging time and the generation time is calculated to obtain the persistence of each connected branch. It should be noted that the evidence threshold is the confidence level of the corresponding graph edge. The connected branches are constructed based on the alarm entity graph after disambiguation alignment. The same entity will not split into multiple branches due to multiple source identifiers.
[0056] Select the behavioral characteristics of several days without alarms as stable period data, and construct a Gaussian distribution baseline. Obtain the optimal transmission distance between the current window feature distribution and the Gaussian distribution baseline. Subtract the current optimal transmission distance from the optimal transmission distance of the previous window to obtain the drift change rate.
[0057] Acquire labeled alarm data for several days to set as a calibration set. The labeled alarm data includes true alarms and false alarm labels. Obtain several nearest neighbors of any sample in the calibration set among samples of the same type and calculate their average distance to obtain the nonconformal score.
[0058] The time-series behavior sequences, alarm variation coefficients, process roughness, scaling exponents, persistence of connected components, topological persistence, drift change rate, and nonconformal scores are normalized and concatenated into feature objects and stored in the feature warehouse, which supports low-latency online queries and batch offline queries.
[0059] As a preferred technical solution, based on step three, stable business data and attack data are obtained through the normal behavior self-supervised model and the attack technique identification model, respectively, and then input into the evidence ratio fusion model to obtain the true alarm probability. The specific steps are as follows:
[0060] Feature objects for each time period are extracted from the feature bin and input into the normal behavior self-supervised model. Thirty percent of the feature objects are masked and the mask positions are marked. The masked feature objects are then input into the Transformer encoder to obtain the encoding vector. The masked features are predicted by the encoding vector of the mask positions through a fully connected layer.
[0061] The time series of feature objects from two different time windows of different entities are labeled as positive samples, and the behavior sequences of alarm periods of different entities are labeled as negative samples. The sample contrast loss is calculated by using mask features that bring the positive samples closer and mask features that push the negative samples further apart. The calculation logic is as follows: ,in is the encoding vector for positive and negative sample pairs, 2N is the total number of sample pairs, c is the sample pair encoding, exp is the exponential function, -log is the negative logarithm operation, sim is the similarity function, and the sample comparison loss is set to the stable business data.
[0062] The feature object, text semantic features, and alarm entity graph are encoded to obtain feature object embedding vector, text embedding vector, and graph embedding vector, respectively. Attention-weighted graph features are calculated from the text embedding vector and graph embedding vector, and attention-weighted numerical features are calculated from the feature object embedding vector and graph embedding vector. The graph features and numerical features are concatenated to obtain a fusion vector. Through the preset attack technology classification header and attack stage classification header, the probability of each attack technology and the probability distribution of each attack stage are output and set as attack type data. Attack technology types include malicious code evasion, system kernel vulnerabilities, and domain penetration attacks, etc. Attack stages include reconnaissance, weaponization, delivery, installation, command and control, and action.
[0063] Featured objects, stable business data, and attack-related data are input into a dual-track evidence ratio fusion model. Each data type is mapped to the identification framework using a basic probability allocation function to obtain the allocation probability for each data type. The allocation probabilities of each data type are then synthesized using the Dempster combination rule to obtain the global allocation probability. A trust function and a likelihood function are calculated based on the global allocation probability. The generalized likelihood ratio (HM) is obtained through the trust function and likelihood function, and finally, based on the sigmoid function... The probability of obtaining a true alarm is obtained by using the generalized likelihood ratio, and its calculation logic is as follows: .
[0064] As a preferred technical solution, based on step four, risk budget-driven dynamic classification is performed and processed according to the probability distribution of true alarms, the probability of each attack technique, and the probability distribution of each attack stage. The specific steps are as follows:
[0065] Obtain the current graded time window Tw, the number of on-duty safety analysts NW, the average manual handling time Ta for a single high-priority alarm, and the effective work coefficient NE of the personnel, and calculate the current manual handling capacity QC. The calculation logic is as follows: ;
[0066] Obtain the average time TS for automated handling of a single alarm in the current automated response system and the number of concurrent automated handling channels Cu, and calculate the automated handling capacity QR. The calculation logic is as follows: ;
[0067] The total risk budget is obtained by adding the manual processing capacity and the automated processing capacity. The number of high-priority alarms allocated in the real-time monitoring window is divided by the total risk budget to obtain the risk budget utilization rate.
[0068] Set up an attack phase risk weight matrix and predefined hazard weights for attack techniques. The weights increase linearly with each subsequent attack phase. The attack phase risk weight matrix and the probabilities of each attack technique are weighted and summed to obtain the attack phase risk coefficient. The predefined hazard weights of attack techniques and the probability distributions of each attack phase are weighted and summed to obtain the attack technique hazard coefficient. The true alarm probability, the attack technique hazard coefficient, and the attack phase risk coefficient are multiplied to obtain the attack determinism coefficient.
[0069] Extract the first attack threshold, second attack threshold, first budget threshold, and second budget threshold from the database. If the attack certainty coefficient is greater than or equal to the first attack threshold and the risk budget utilization rate is greater than or equal to the first budget threshold, a top-level alarm is generated, and reversible emergency response actions are immediately executed, including blocking the attack source IP, temporarily freezing the involved account, and isolating the controlled host from the network. If the first attack threshold is less than the attack certainty coefficient and less than or equal to the second attack threshold, and the first budget threshold is less than or equal to the risk budget utilization rate and less than or equal to the second budget threshold, a medium-priority alarm is generated. Priority is given to matching the automated handling channel, and the corresponding response script is invoked according to the attack stage and technology type, including executing malicious session blocking and process termination during the command and control stage, and executing vulnerability patch push during the exploitation stage. If the second attack threshold is less than the attack certainty coefficient and the second budget threshold is less than the risk budget utilization rate, a low-priority alarm is generated. Low-priority alarms of the same entity and the same type are aggregated daily to generate a daily security operation report.
[0070] The above embodiments can be implemented, in whole or in part, by software, hardware, firmware, or any other combination thereof. When implemented using software, the above embodiments can be implemented, in whole or in part, as a computer program product. The computer program product includes one or more computer instructions or computer programs. When the computer instructions or computer programs are loaded or executed on a computer, all or part of the processes or functions described in the embodiments of this application are generated. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions can be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that a computer can access or a data storage device such as a server or data center that includes one or more sets of available media. The available medium can be a magnetic medium (e.g., floppy disk, ATA hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium can be a solid-state ATA hard disk.
[0071] It should be understood that in the various embodiments of this application, the order of the above-mentioned processes does not imply the order of execution. The execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of this application.
[0072] Those skilled in the art will recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.
[0073] In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between apparatuses or units may be electrical, mechanical, or other forms.
[0074] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.
[0075] In addition, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit.
[0076] If the aforementioned functions are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable ATA hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0077] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
Claims
1. A method for accurate identification and classification of network security alarms based on AI, characterized in that, Includes the following steps: Step 1: Connect with multiple security systems, generate a unique set of alarm identifiers and entity identifiers, construct a traceability multi-association table, align data entities for disambiguation, and generate an alarm entity graph; Step 2: Construct a temporal behavior sequence based on the alarm entity graph, then extract deep features such as temporal self-excitation, process roughness, topological persistence, distribution drift and nonconformal fraction, normalize and splice them into feature objects and store them in the feature warehouse; Step 3: Obtain stable business data and attack data through the normal behavior self-supervised model and attack technology identification model, and input them into the evidence ratio fusion model to obtain the true alarm probability; Step 4: Perform dynamic risk budget-driven classification based on the probability of true alarms, the probability of each attack technique, and the probability distribution of each attack stage, and then process the data.
2. The method for accurate identification and classification of network security alarms based on AI according to claim 1, characterized in that, The specific steps for interfacing with multiple security systems, generating a unique set of alarm and entity identifiers, and constructing a traceability multi-association table are as follows: It connects to enterprise security information data, endpoint detection response data, network detection response data, identity and access management data, cloud platform audit logs, and email security gateways, collecting alarm and context data of various types of data. Context data includes asset importance, business partition, exposure surface, vulnerability level, baseline policy, historical events, handling time, and downtime cost. It generates a unique alarm identifier for each alarm and integrates them into an entity identifier set. Entities include at least users, hosts, processes, file hashes, domain names, applications, cloud accounts, containers, and work order objects. It binds information such as alarm original fields, trigger rules, timestamps, alarm text descriptions, and original alarm levels with the alarm unique identifier into the database. It uses the entity identifier set as input to the database to generate a multi-association table for tracing alarms to entities and then to business.
3. The method for accurate identification and classification of network security alarms based on AI according to claim 2, characterized in that, The specific steps for disambiguating and aligning data entities to generate an alarm entity graph are as follows: The system identifies entities to be aligned in multiple association tables and extracts structured features and textual semantic features. Structured features include numerical and enumerated features, while textual semantic features include text fields such as hostname, process path, and account remarks, which are encoded as structured dense vectors and textual dense vectors, respectively. The structured dense vectors and textual dense vectors are concatenated using a gated fusion function to obtain the feature vectors of each entity. The cosine similarity of any two entity feature vectors is calculated to obtain the feature similarity. The distance similarity of text fields is calculated using an edit distance function. The feature similarity and distance similarity are weighted and fused to obtain the initial matching score. All entities to be aligned are set as the node set of the entity association graph, and entities appearing in the same alarm are set as the association edge set of the entity association graph. The neighbor nodes of each node are aggregated, and the features of any two neighbor nodes are concatenated to obtain the neighbor features. The neighbor features are normalized using softmax to obtain the attention weights of two neighbor nodes. The neighbor features are then aggregated based on the neighbor features and attention weights to obtain the updated node features. The updated matching score of the entity pair is then recalculated based on the updated node features. The posterior probability that an entity pair is the same entity is calculated based on the initial matching score and the updated matching score. Extract the preset alignment threshold from the database. If the posterior probability is greater than or equal to the preset alignment threshold, the entity pair is determined to be the same entity and assigned to a unified alarm unique identifier. Otherwise, they are determined to be different entities and their respective identifiers are retained. Set the entity corresponding to the unified alarm unique identifier as a graph node. The graph node attributes include entity type, fusion features and context data. The association relationship between entities is set as a graph edge. The edge attributes include association time and association count. The alarm entity graph is then constructed.
4. The AI-based method for accurate identification and classification of network security alarms according to claim 1, characterized in that, The specific steps for constructing a time-series behavior sequence based on the alarm entity graph and extracting alarm variation coefficients, roughness features, and scaling exponents are as follows: Extract the behavioral events corresponding to a certain number of days for each alarm's unique identifier, and arrange them in ascending order of time to obtain a single entity behavioral sequence. Extract the behavioral events of all entities within a business partition, aggregate them by time to construct a partition behavioral sequence, and integrate the single entity behavioral sequence and the partition behavioral sequence into a time-series behavioral sequence. Model the alarm arrival sequence within the same entity or business partition using a multivariate Hawkes self-triggered point process, specifically set the alarm arrival time sequence, calculate the alarm arrival rate, and calculate the alarm variation coefficient based on the alarm arrival rate. Select the behavior count sequence X within several hours before and after the alarm trigger window, including the number of login failures, the number of lateral connections, the number of processes started, and the number of file modifications. Perform three-level wavelet decomposition on the behavior count sequence to obtain the approximation coefficient and detail coefficient. Reconstruct the smooth sequence and detail sequence at each scale, and calculate the initial roughness at each scale. Set the mean and variance of the three-level roughness as roughness features. The cumulative sum sequence value is obtained by performing a cumulative sum transformation on the behavior count sequence. The cumulative sum sequence value is divided into non-overlapping windows of length s. A linear fit is performed on each window to obtain the local trend. The detrended fluctuation function is calculated based on the local trend. The detrended fluctuation function and the window are fitted in a double logarithmic coordinate system to obtain the scaling exponent.
5. The AI-based method for accurate identification and classification of network security alarms according to claim 4, characterized in that, The specific steps for extracting the persistence, drift rate, and nonconformal fraction of each connected component and integrating them into a feature object are as follows: Set evidence thresholds for the alarm entity graph, calculate the set of connected components for each evidence threshold, track the generation time and merging time of each connected component, and subtract the merging time from the generation time to obtain the persistence of each connected component. Select the behavioral characteristics of several days without alarms as stable period data, and construct a Gaussian distribution baseline. Obtain the optimal transmission distance between the current window feature distribution and the Gaussian distribution baseline. Subtract the current optimal transmission distance from the optimal transmission distance of the previous window to obtain the drift change rate. Acquire labeled alarm data for several days to set as a calibration set. The labeled alarm data includes true alarms and false alarm labels. Obtain several nearest neighbors of any sample in the calibration set among samples of the same type and calculate their average distance to obtain the nonconformal score. The temporal behavior sequence, alarm variation coefficient, process roughness, scaling exponent, persistence of connected components, topological persistence, drift change rate and nonconformal score are normalized and concatenated into feature objects and stored in the feature warehouse.
6. The method for accurate identification and classification of network security alarms based on AI according to claim 1, characterized in that, The specific steps for obtaining stable business data and attack-related data through a normal behavior self-supervised model and an attack technique identification model are as follows: Feature objects for each time period are extracted from the feature bin and input into the normal behavior self-supervised model. Thirty percent of the feature objects are masked and the mask positions are marked. The masked feature objects are then input into the Transformer encoder to obtain the encoding vector. The masked features are predicted by the encoding vector of the mask positions through a fully connected layer. The feature object time series of two different time windows of different entities are marked as positive samples, and the alarm period behavior series of different entities are marked as negative samples. The sample comparison loss is calculated by masking features that bring the positive samples closer and masking features that push the negative samples further away. The sample comparison loss is set as stable business data. The feature object, text semantic features, and alarm entity graph are encoded to obtain feature object embedding vector, text embedding vector, and graph embedding vector, respectively. Attention-weighted graph features are calculated from the text embedding vector and graph embedding vector, and attention-weighted numerical features are calculated from the feature object embedding vector and graph embedding vector. The graph features and numerical features are concatenated to obtain a fusion vector. Through preset attack technology classification headers and attack stage classification headers, the probability of each attack technology and the probability distribution of each attack stage are output and set as attack-type data. Attack technology types include malicious code evasion, system kernel vulnerabilities, and domain penetration attacks. Attack stages include reconnaissance, weaponization, delivery, installation, command and control, and action.
7. The AI-based method for accurate identification and classification of network security alarms according to claim 6, characterized in that, The evidence ratio fusion model obtains the true alarm probability through the following specific steps: Featured objects, stable business data, and attack data are input into the dual-track evidence ratio fusion model. Each type of data is mapped to the identification framework through a basic probability allocation function to obtain the allocation probability of each type of data. The allocation probabilities of each type of data are synthesized through the Dempster combination rule to obtain the global allocation probability. The trust function and likelihood function are calculated based on the global allocation probability. The generalized likelihood ratio is obtained through the trust function and likelihood function. The current true alarm probability is obtained based on the sigmoid function and the generalized likelihood ratio.
8. The AI-based method for accurate identification and classification of network security alarms according to claim 1, characterized in that, Based on the probability distribution of true alarms, the probability of each attack technique, and the probability distribution of each attack stage, a risk budget-driven dynamic classification is performed and processed. The specific steps are as follows: Obtain the current graded time window, the number of on-duty safety analysts, the average manual handling time for a single high-priority alarm, and the effective working coefficient of personnel to calculate the current manual handling capacity. Obtain the average time for automated handling of a single alarm and the number of concurrent automated handling channels in the current automated response system, and calculate the automated handling capacity. The total risk budget is obtained by adding the manual handling capacity and the automated handling capacity. The number of high-priority alarms allocated in the real-time monitoring window is divided by the total risk budget to obtain the risk budget utilization rate. Set up an attack phase risk weight matrix and predefined hazard weights for attack techniques. The weights increase linearly with each subsequent attack phase. The attack phase risk weight matrix and the probabilities of each attack technique are weighted and summed to obtain the attack phase risk coefficient. The predefined hazard weights of attack techniques and the probability distributions of each attack phase are weighted and summed to obtain the attack technique hazard coefficient. The true alarm probability, the attack technique hazard coefficient, and the attack phase risk coefficient are multiplied to obtain the attack determinism coefficient. Extract the first attack threshold, second attack threshold, first budget threshold, and second budget threshold from the database; If the attack certainty coefficient is greater than or equal to the first attack threshold and the risk budget utilization rate is greater than or equal to the first budget threshold, a special alarm will be generated, and reversible emergency response actions will be immediately executed, including blocking the attack source IP, temporarily freezing the account involved, and isolating the controlled host from the network. If the first attack threshold < attack certainty coefficient ≤ second attack threshold and the first budget threshold < risk budget utilization rate ≤ second budget threshold, a medium-priority alarm is generated, and the automated handling channel is prioritized. The corresponding response script is invoked according to the attack stage and technology type, including executing malicious session blocking and process termination in the command control stage, and pushing vulnerability patches in the exploit stage. If the second attack threshold < attack certainty coefficient and the second budget threshold < risk budget utilization rate, a low-priority alarm is generated. Low-priority alarms of the same entity and the same type are aggregated on a daily basis to generate a daily security operations report.