Intelligent game-based open source intelligence security threat analysis method and system and medium
By introducing dynamic research agents and a credibility weighting mechanism, combined with multi-model collaboration and cross-model knowledge transfer, the problem of response lag and false intelligence in existing systems under new types of attacks has been solved. Real-time high-credibility intelligence fusion and defense strategy optimization have been achieved, improving the accuracy and response speed of network security threat analysis.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- XIAMEN YUANTING INFORMATION TECH CO LTD
- Filing Date
- 2026-03-18
- Publication Date
- 2026-06-05
AI Technical Summary
Existing multi-agent analysis systems are unable to autonomously identify feature conflicts when dealing with new types of attacks. They lack dynamic trust assessment and module fragmentation, resulting in delayed analysis response, the infiltration of false intelligence, and a disconnect between defense strategies and attack behaviors, making real-time optimization impossible.
A dynamic research agent (DRA) mechanism is introduced, which detects conflicts and inserts verification subtasks through information entropy threshold. A credibility weighted mechanism (CWM) and a multi-model collaboration mechanism are adopted, combined with spatiotemporal weight functions and cross-model knowledge transfer, to realize dynamic calculation of intelligence source credibility and real-time generation of defense strategies.
It significantly improves the accuracy and response speed of threat analysis, reduces human intervention, enables real-time optimization of defense strategies against new types of attacks and fusion of highly reliable intelligence, and enhances the real-time and automation level of critical infrastructure defense.
Smart Images

Figure CN122160147A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security technology, and more specifically, to an open-source intelligence security threat analysis method, system, and computer-readable storage medium based on multi-agent intelligent game theory. Background Technology
[0002] In today's digital age, cybersecurity threat intelligence analysis has become a core component of protecting critical infrastructure, and its analytical paradigm is gradually shifting from static feature matching to dynamic game theory between attackers and defenders within the cognitive domain. The cognitive domain focuses on the decision-making behavior, strategy evolution, and interaction processes of attackers and defenders based on multi-source information such as open-source intelligence. In this context, information security oriented towards open-source intelligence not only emphasizes the integrity of the intelligence but, more importantly, its incremental credibility enhancement capabilities throughout its entire lifecycle to ensure the real-time nature and reliability of decision-making. However, existing multi-agent analysis systems, when dealing with new types of attacks, often separate the analysis, reasoning, and decision-making stages, neglecting the dynamic characteristics of game theory within the cognitive domain (such as attackers' adaptive strategies) and the credibility enhancement requirements of open-source intelligence in the fusion and evaluation stages. This results in serious deficiencies in the system's collaborative mechanisms and dynamic response capabilities. Specifically, existing cybersecurity technologies suffer from the following key shortcomings:
[0003] (1) Static analysis mechanisms lag behind the evolution of new attack methods. Traditional analysis mechanisms rely excessively on static rule bases. When faced with new attack vectors such as supply chain penetration or zero-day exploits, the system cannot autonomously identify feature conflicts and trigger verification processes, causing analysis results to lag behind the speed of attack evolution. Attackers often exploit rule update gaps to carry out covert operations, while defenders are forced to rely on manual intervention for feature extraction and rule iteration, resulting in a passive situation with lengthy analysis response cycles.
[0004] (2) Lack of dynamic credibility assessment in multi-source intelligence fusion In the multi-source data integration stage, the fusion process of network logs, physical sensor signals, and dark web intelligence lacks adaptive credibility assessment capabilities, and the weight allocation of intelligence sources does not incorporate spatiotemporal dynamic factors. For example, the data timeliness decay effect is not quantitatively modeled, and the impact of intelligence delay duration and geospatial matching degree on credibility is ignored, making it easy for forged logs or false threat intelligence to infiltrate the analysis process and interfere with the identification of real attack paths.
[0005] (3) The defense simulation is disconnected from the attack behavior analysis. Meanwhile, the attack behavior analysis and defense strategy generation modules are disconnected. The tactical analysis reports output by the former cannot drive the latter to generate adaptive strategies in real time, and the feedback from defensive actions cannot effectively optimize the analysis model. This lack of coordination leads to a disconnect between defense strategies and the dynamic changes in the attack chain. The delayed implementation of strategies poses a risk of business interruption, such as mistakenly blocking legitimate traffic or missing the incubation stage of advanced persistent threats in critical infrastructure scenarios. The dynamic characteristics of the attack-defense game within the cognitive domain, such as the attacker's adaptive strategy behavior, have not been incorporated into the system design, resulting in structural defects in the existing architecture's incremental trust enhancement capabilities.
[0006] Therefore, it is urgent to build a cognitive collaboration framework that integrates spatiotemporal decay modeling, dynamic credible weighting, and closed-loop feedback, so as to uniformly map intelligence timeliness, geographical matching degree, and behavioral confidence into calculable credible factors, and drive defense strategies to iteratively optimize in real time as the attack chain evolves. Summary of the Invention
[0007] The purpose of this invention is to provide an open-source intelligence security threat analysis method, system, computer-readable storage medium, and electronic device based on multi-agent intelligent game theory. It has the ability to autonomously detect and verify attack feature conflicts, dynamically calculate the credibility weight of intelligence sources, realize conflict resolution and fusion of highly credible intelligence, and generate defense strategies in real time. At the same time, it optimizes the model through knowledge transfer, thereby significantly improving the accuracy of threat analysis.
[0008] This invention provides an open-source intelligence security threat analysis method based on multi-agent intelligent game theory, the technical solution of which is as follows: An initial task path is generated based on attack feature data; and when a conflict is detected in the attack feature data, a verification subtask is dynamically inserted based on the information entropy threshold, and task instructions are output. Collect multi-source intelligence data according to mission instructions, dynamically calculate the credibility weight of each intelligence source through a spatiotemporal weight function, and perform conflict resolution and data fusion based on the weights to output highly credible fused intelligence. The attack chain analyst model is used to analyze highly reliable fused intelligence to obtain attack behavior characteristics; and a real-time defense strategy is generated through the defense inference model. Based on the corrected data of the real-time defense strategy, cross-model knowledge transfer is triggered to obtain corrected knowledge, which is used to optimize the attack chain analyst model and the defense inference model.
[0009] Furthermore, the present invention also proposes to dynamically insert verification subtasks based on information entropy thresholds, specifically including: real-time calculation of the information entropy difference between network log data and physical sensor data; The information entropy difference is compared with a preset conflict threshold, which is set based on the IEC62443-3-3 standard. When the information entropy difference exceeds the conflict threshold, it is determined that there is a conflict in the attack feature data. Verification subtasks corresponding to the conflict type are dynamically generated and inserted. Verification subtasks include container forensics, device tampering verification, or drone inspection.
[0010] Furthermore, this invention proposes that the spatiotemporal weighting function be expressed as: ( ); in, Wi(t) is the dynamic weight of intelligence source i at time t; Wi0 is the initial weight of intelligence source i, which is obtained based on historical confidence statistics; λ is the time decay coefficient, which is set according to the critical infrastructure scenario; Δt is the data delay duration; GISmatch is the geographic matching degree, which is calculated by the spherical distance between the attack source IP address and the GPS coordinates of the protected target. Nconflict is the conflict count, which counts the number of semantic contradictions between this intelligence source and other multi-source intelligence.
[0011] Furthermore, this invention proposes that the geographic matching degree GISmatch be calculated using the Haversine formula, specifically: GISmatch = 1 / (1+D / 100) Where D is the spherical distance between the attack source IP location coordinates and the target physical coordinates, in kilometers.
[0012] Furthermore, this invention proposes to trigger cross-model knowledge transfer based on corrected data from real-time defense strategies, achieved through the following steps: Adversarial examples are generated based on expert-corrected strategies and the original model strategies. Using the KL divergence loss function )Calculate knowledge differences, among which Let be the probability distribution of the expert strategy. Output the probability distribution of the policy for the model; By using KL divergence loss to simultaneously train the attack chain analyst model and the defense inferencer model through backpropagation, knowledge transfer and alignment from experts to the two models are achieved.
[0013] Furthermore, this invention also proposes a three-stage distillation mechanism to deposit corrected knowledge into a knowledge base and optimize subsequent task paths; the three-stage distillation mechanism includes: Parameter fine-tuning layer: The KL divergence loss function is used to calculate the difference between the expert correction strategy and the model output strategy, and the parameters of the defense inference model are fine-tuned based on the difference. Terminology sedimentation layer: Key parameters or patterns in the defense strategy are abstracted into structured terms, their historical validity weights are calculated, stored in the knowledge base, and bound to infrastructure topology constraints; Path optimization layer: Insert verification or test subtasks compatible with the new terminology into the task path, and refactor the API call logic of subsequent task paths.
[0014] Furthermore, this invention proposes that the attack chain analyst model is a large language model fine-tuned with knowledge in the cybersecurity domain, used to identify attack techniques, tactics and processes from fused intelligence and output an attack chain analysis report; the defense inference model is a sequence decision model based on reinforcement learning training, used to receive the attack chain analysis report and infrastructure topology model, and generate a real-time defense action sequence that minimizes the false positive rate and business impact.
[0015] Furthermore, this invention also proposes an open-source intelligence security threat analysis system based on multi-agent intelligent game theory, comprising: The intelligent agent is dynamically studied, and an initial task path is generated based on attack feature data. When a conflict is detected in the attack feature data, a verification subtask is dynamically inserted based on the information entropy threshold, and the task instruction is output. The credibility-weighted fusion agent collects multi-source intelligence data according to task instructions, dynamically calculates the credibility weight of each intelligence source through a spatiotemporal weight function, and performs conflict resolution and data fusion based on the weights to output highly credible fusion intelligence. A multi-model collaborative defense agent analyzes highly reliable fused intelligence based on the attack chain analyst model to obtain attack behavior characteristics; and generates real-time defense strategies through the defense inference model. The feedback closed-loop evolutionary agent obtains corrected knowledge by triggering cross-model knowledge transfer based on the real-time defense strategy correction data, in order to optimize the attack chain analyst model and the defense inference model.
[0016] Furthermore, the present invention also proposes a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the above-described method.
[0017] Furthermore, the present invention also proposes an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to perform the above-described method.
[0018] As can be seen from the above, the open-source intelligence security threat analysis method, system, and computer-readable storage medium provided by this invention, based on multi-agent intelligent game theory, detects conflicts by dynamically inserting verification sub-tasks, dynamically calculates the credibility weights of intelligence sources to achieve trusted fusion, generates defense strategies in real time, and optimizes the model. This solves the problems of traditional technologies, such as the inability to autonomously identify feature conflicts, lack of adaptive credibility assessment, and response delays caused by module fragmentation. It has the advantages of being able to autonomously detect and verify attack feature conflicts, dynamically calculate the credibility weights of intelligence sources, achieve conflict resolution and fusion of highly credible intelligence, and generate defense strategies in real time. At the same time, it optimizes the model through knowledge transfer, thereby significantly improving the accuracy and response speed of threat analysis and reducing human intervention.
[0019] Specifically, the security threat analysis method of the present invention has the following beneficial effects: (1) This invention introduces a Dynamic Research Agent (DRA) mechanism, which uses information entropy thresholds to detect physical-digital data conflicts in real time and dynamically inserts verification subtasks. This mechanism simulates the dynamic path planning ability of human analysts in the cognitive process, breaking through the static and linear cognitive mode of traditional systems, and can respond in real time to the strategy changes initiated by attackers in the cognitive domain. It realizes the real-time generation and optimization of attack analysis paths, significantly shortens the response delay to new attack methods (such as supply chain vulnerabilities and zero-day attacks), and compresses the response time.
[0020] (1) This invention employs a credibility weighted mechanism (CWM), which dynamically allocates intelligence weights through a spatiotemporal weighting function. It combines time decay, geographic matching, and conflict counting for real-time credibility assessment. From the perspective of the root of trust in information security, this spatiotemporal dynamic assessment ensures the security of the information attributes of the fused intelligence, fundamentally improving the inherent security of the intelligence product. It also addresses the problem of false intelligence mis-collection caused by static weighting mechanisms (such as forged data from the dark web). By prioritizing the adoption of high-weight data through conflict resolution, it enhances the credibility of intelligence fusion and improves the false intelligence filtering rate.
[0021] (1) This invention constructs a multi-model collaborative mechanism, in which the attack chain analyst model (Qwen) analyzes the attack chain features, the defense inference model (DeepSeek) generates real-time defense strategies, and cross-model knowledge transfer is initiated based on user feedback (such as excessive false positive rate) (using KL divergence loss function for dual-model adversarial training). Combined with a three-level distillation feedback loop (parameter fine-tuning, terminology accumulation, and path optimization) to achieve incremental knowledge updates, this invention realizes collaborative adversarial and knowledge transfer between the defender's cognitive model (DeepSeek) and the attacker's behavioral model (Qwen), transforming unilateral static defense into proactive defense based on dynamic cognitive learning. It eliminates single-model feedback lag, ensures real-time synchronization between defense strategies and attack behaviors, reduces false positive rates, and automatically accumulates knowledge through closed-loop feedback (such as adding terminology weight binding), thus compressing the effective time of defense strategies.
[0022] (1) This invention forms a closed-loop system through progressive collaboration of DRA, CWM, multi-model collaboration and three-stage distillation, realizing end-to-end real-time processing from attack feature input to defense strategy feedback. It collaboratively solves the passive situation of "attack first, defense follow-up", improves the real-time performance, reliability and automation level of critical infrastructure defense, and avoids delays and misoperations caused by manual intervention. Attached Figure Description
[0023] Figure 1 A flowchart illustrating a security threat analysis method provided by the present invention; Figure 2 This is a schematic diagram of the three-stage distillation collaborative update mechanism provided by the present invention. Detailed Implementation
[0024] The technical solutions of this invention will be clearly and completely described below with reference to specific embodiments. Obviously, the described embodiments are only some embodiments of this invention, and not all embodiments. Based on the embodiments of this invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this invention.
[0025] Traditional network security threat analysis systems often separate the analysis, reasoning, and decision-making stages when dealing with new types of attacks. They neglect the dynamic characteristics of game theory within the cognitive domain and the need for credibility enhancement in the fusion and evaluation stages of open-source intelligence. This results in serious deficiencies in the system's collaborative mechanisms and dynamic response capabilities. Specifically, this manifests as a lagging static analysis mechanism, a lack of dynamic credibility assessment in intelligence fusion, and a disconnect between defense simulation and attack behavior analysis.
[0026] To address this, this invention proposes an open-source intelligence security threat analysis method based on multi-agent intelligent game theory, such as... Figure 1 As shown, it includes: An initial task path is generated based on the attack feature data; and when a conflict is detected in the attack feature data, a verification subtask is dynamically inserted based on the information entropy threshold, and the task instruction is output. According to the mission instructions, multi-source intelligence data is collected, and the credibility weight of each intelligence source is dynamically calculated through a spatiotemporal weighting function. Based on the weights, conflict resolution and data fusion are performed to output highly credible fused intelligence. The attack chain analyst model is used to analyze the highly reliable fused intelligence to obtain attack behavior characteristics; and a real-time defense strategy is generated through the defense inference model. Based on the corrected data of this real-time defense strategy, cross-model knowledge transfer is triggered to obtain corrected knowledge, which is then used to optimize the attack chain analyst model and the defense inference model.
[0027] For ease of understanding, the following explains some key terms in this embodiment: Multi-agent intelligent game refers to the interactive and optimization process in which multiple agents with specific roles and functions work together to simulate and execute attack and defense strategies in a dynamic adversarial environment. Its core lies in transcending traditional static rule matching, achieving dynamic, proactive, and intelligent security defense through competition, cooperation, and cognitive alignment among agents.
[0028] Attack signature data refers to structured or unstructured information used to describe potential cyberattack behaviors or threat indicators. This data can include IP addresses, domain names, file hashes, malicious code behavior patterns, etc. This data is the starting point for threat analysis.
[0029] The initial task path refers to a series of automated processes or steps pre-planned by the system for intelligence gathering, analysis, decision-making, and response after receiving attack signature data. This path aims to guide the initial execution of security threat analysis.
[0030] Information entropy threshold is a quantitative indicator used to measure the degree of uncertainty or conflict in data. When the detected data differences or inconsistencies exceed this preset threshold, it indicates that the attack feature data may contain conflicts or anomalies, requiring further verification.
[0031] A verification subtask refers to a specific operation dynamically generated and inserted by the system when conflicting attack signature data is detected, used to verify the authenticity of information or eliminate false intelligence. This subtask may include forensic examination of specific devices, checking for signs of physical tampering, or conducting drone inspections.
[0032] A task instruction is a specific operational directive issued to the intelligence gathering module based on the initial task path and the insertion of verification subtasks. This instruction guides the system on how to acquire the required multi-source intelligence data.
[0033] Multi-source intelligence data refers to a collection of information related to security threats obtained from different channels and types. This can include web logs, physical sensor data, public reports, social media information, and dark web forum data, among others.
[0034] The spatiotemporal weighting function is a mathematical model used to dynamically evaluate the credibility of various intelligence sources. This function comprehensively considers the timeliness of the intelligence, its geographical relevance, and its conflict with other intelligence sources, assigning appropriate weights to each source.
[0035] Credibility weight is a numerical value assigned to each intelligence source to indicate the reliability of the information provided by that source. The higher the weight, the higher the credibility of the intelligence source.
[0036] Highly reliable fused intelligence refers to comprehensive intelligence that possesses high credibility and consistency after conflict resolution and data fusion processing. This intelligence provides a reliable basis for subsequent attack chain analysis and defense strategy generation.
[0037] The Attack Chain Analyst Model is an analytical module specifically designed to parse highly reliable fused intelligence, identify attack techniques, tactics, and processes, and construct attack chains. This model aims to reveal the attacker's intent and behavioral patterns.
[0038] A defense simulation model is a decision-making module used to simulate the effects of different defense strategies based on attack chain analysis results and infrastructure topology, and to generate the optimal real-time defense action sequence. This model aims to minimize false positive rates and business impact.
[0039] A real-time defense strategy refers to a set of defense measures that are dynamically generated and immediately executed based on the current threat situation and simulation results. This strategy aims to respond quickly to attacks and protect target systems.
[0040] Cross-model knowledge transfer refers to the process of effectively transferring and integrating the experience and knowledge gained from the revised data of real-time defense strategies into the attack chain analyst model and the defense inference model. This process aims to achieve continuous learning and optimization of the models.
[0041] Corrective knowledge refers to new knowledge or optimization parameters obtained through cross-model knowledge transfer processes, which are used to improve the performance of attack chain analyst models and defense inferencer models.
[0042] The "multi-agent" in this invention is not a loose collection of software modules, but rather includes: Dynamic research agent: As the perception and planning agent, it is responsible for proactively exploring and discovering contradictions (such as physical-digital data conflicts) in uncertain threat environments, and dynamically planning investigation and evidence collection paths.
[0043] Credibility-weighted fusion intelligent agent: As an intelligence arbitrator, it is responsible for credibility assessment and game theory among multiple (multi-source) intelligence inputs, suppressing false information through dynamic weighting mechanism, and achieving high-quality intelligence consensus.
[0044] Attack Chain Analyst Model and Defense Inferrer Model: As cognitive adversaries, the two models respectively simulate the attacker's thinking and the defender's strategy, and perform adversarial inference and strategy generation at the model level.
[0045] Feedback-loop evolutionary agent: As the strategy optimizer and knowledge manager, it is responsible for coordinating the experience transfer (knowledge transfer) and knowledge accumulation among the above agents / models, driving the entire system to continuously evolve.
[0046] The intelligent game theory of this invention is embodied on two levels: External adversarial game: The system continuously simulates "attack-defense" adversarial interactions in a virtual environment through the collaboration of attack chain analyst models (such as Qwen) and defense inference models (such as DeepSeek). The generation of defense strategies is not based on fixed rules, but on the understanding of real-time threat intelligence and the results of adversarial inference, realizing the transformation from "static response" to "dynamic game".
[0047] Internal collaborative game: There exists a collaborative game among agents with the same goal but different perspectives. For example, a dynamic research agent might want to add verification tasks to pursue analytical certainty, while the system as a whole needs to balance response speed; a credibility-weighted fusion agent needs to engage in a weighted game across multiple dimensions such as timeliness (time decay), spatial authenticity (geographic matching), and logical consistency (conflict counting) to output the optimal fusion result. This internal game achieves balance and optimization through a pre-defined payoff function (such as information entropy threshold, weight formula) and a feedback mechanism (three-stage distillation).
[0048] Specifically, this embodiment provides an open-source intelligence security threat analysis method based on multi-agent intelligent game theory.
[0049] First, the system generates an initial task path based on attack signature data. Attack signature data can be manually input, retrieved from a pre-defined threat intelligence database, or extracted from network traffic through simple rule matching. The initial task path can be a fixed, predefined analysis process; for example, intelligence gathering followed by preliminary analysis, and then report generation.
[0050] Furthermore, the system detects whether the attack signature data contains conflicts. When a conflict is detected, a verification subtask is dynamically inserted based on an information entropy threshold. For example, conflict detection can be accomplished by comparing whether attack signature data from different sources are completely identical; if inconsistencies exist, a conflict is determined. The information entropy threshold can be a fixed value; verification is triggered when data inconsistency exceeds this fixed value. The verification subtask can be a general data verification process, such as requesting manual review or performing simple repetitive data collection. The system then outputs a task instruction, which can be a simple text command indicating the next direction for intelligence gathering.
[0051] Secondly, multi-source intelligence data is collected according to the task instructions. Multi-source intelligence data can be obtained from several preset intelligence sources, such as regularly pulling data from network log servers, physical sensor interfaces, or publicly available threat intelligence websites.
[0052] Based on this, the credibility weight of each intelligence source is dynamically calculated using a spatiotemporal weighting function. The spatiotemporal weighting function can be a simple weighted average model, where the time weight can be linearly decayed based on the difference between the data generation time and the current time, and the spatial weight can be determined by a binary judgment based on whether the geographical location of the intelligence source matches the geographical location of the target asset. The conflict count can be a simple accumulator that records the number of times the intelligence source contradicts other intelligence sources in terms of content.
[0053] Subsequently, conflict resolution and data fusion are performed based on weights to output highly reliable fused intelligence. Conflict resolution can employ a majority voting mechanism, meaning that when multiple intelligence sources provide different information on the same event, the statement from the majority of intelligence sources is accepted. Data fusion can involve simply concatenating data from all intelligence sources or extracting keywords.
[0054] Furthermore, the highly reliable fused intelligence is analyzed using an attack chain analyst model to obtain attack behavior characteristics. The attack chain analyst model can be a rule-based expert system that identifies attack behavior characteristics by matching keywords and phrases in the fused intelligence with preset attack patterns.
[0055] Simultaneously, a real-time defense strategy is generated through a defense inference model. The defense inference model can be a simple decision tree-based model that selects a matching strategy from a pre-defined defense strategy library based on the identified attack behavior characteristics.
[0056] Finally, corrective knowledge is obtained by triggering cross-model knowledge transfer based on the corrected data of the real-time defense strategy. The corrective data can be manually input by security experts after evaluating the real-time defense strategy. Cross-model knowledge transfer can involve directly adding these corrective suggestions as rules to the rule bases of the attack chain analyst model and the defense inference model. Thus, this corrective knowledge is used to optimize the attack chain analyst model and the defense inference model, for example, by updating the rule base or adjusting the weights of the decision tree.
[0057] This invention addresses attack signature data conflicts by dynamically inserting verification subtasks, effectively mitigating the lag of traditional static analysis mechanisms in identifying novel attacks. Simultaneously, it significantly improves the reliability of multi-source intelligence by dynamically evaluating and fusing intelligence sources using a spatiotemporal weighting function, solving the problem of existing systems lacking dynamic reliability assessment in intelligence fusion. Furthermore, the collaborative work of the attack chain analyst model and the defense inferencer model, combined with a cross-model knowledge transfer mechanism, achieves a tight integration and continuous optimization of attack behavior analysis and defense strategy generation, overcoming the limitation of a disconnect between defense inference and attack behavior analysis, thereby enhancing the system's dynamic response capability to complex threats.
[0058] This invention further proposes the above-mentioned steps for dynamically inserting verification subtasks based on an information entropy threshold, specifically including: calculating the information entropy difference between network log data and physical sensor data in real time; comparing the information entropy difference with a preset conflict threshold, the conflict threshold being set based on the IEC62443-3-3 standard; when the information entropy difference exceeds the conflict threshold, determining that the attack feature data has a conflict, dynamically generating and inserting verification subtasks corresponding to the conflict type, the verification subtasks including container forensics, device tamper verification, or drone inspection.
[0059] Specifically, real-time calculation of the information entropy difference between network log data and physical sensor data aims to identify potential conflicts or abnormal behaviors by quantifying the degree of inconsistency or anomaly in information content between different data sources. Information entropy is an indicator that measures the uncertainty or randomness of information. In the security field, network log data (such as traffic logs, system logs, authentication logs, etc.) and physical sensor data (such as access control sensors, environmental sensors, vibration sensors, etc.) are important sources of information reflecting system status and behavior. When the system is operating normally, there may be some expected correlation or synchronization between these data sources, and their information entropy difference should be within a stable range. Once an attack or anomaly occurs, this correlation may be broken, leading to a significant change in the information entropy difference. This calculation can be performed by sampling and preprocessing network log data and physical sensor data through a sliding time window, for example, converting log events and sensor readings into discrete symbol sequences or statistical feature vectors. Subsequently, using methods such as the Shannon entropy formula or relative entropy (KL divergence) from information theory, the information entropy of the two data streams within a specific time window is calculated, and their difference is obtained. The larger the calculated difference, the higher the degree of inconsistency or anomaly between the two data sources.
[0060] The information entropy difference is compared with a preset conflict threshold, which is set based on the IEC 62443-3-3 standard. The preset conflict threshold serves as a benchmark for determining whether the information entropy difference reaches a "conflict" state. By comparing the real-time calculated information entropy difference with this threshold, the system can automatically identify potential attack feature data conflicts. Setting the conflict threshold based on the IEC 62443-3-3 standard references the internationally recognized standard in the field of Industrial Automation and Control Systems (IACS) security. The IEC 62443-3-3 standard provides IACS system security levels and requirements, including specific requirements for system availability, integrity, and confidentiality. These requirements guide how to set a reasonable conflict detection sensitivity to balance false positive and false negative rates. The conflict threshold can be a fixed value or a range dynamically adjusted based on the system operating environment, historical data, and security policies. When setting based on the IEC 62443-3-3 standard, a reasonable threshold that can reflect changes in the system's security status can be determined by combining the security level requirements such as SL-T (Target Security Level) and SL-C (Capability Security Level) defined in the standard with the risk assessment results of the specific industrial control system.
[0061] When the information entropy difference exceeds the conflict threshold, the attack feature data is determined to be conflicted. A verification subtask corresponding to the conflict type is dynamically generated and inserted. These verification subtasks include container forensics, device tampering verification, or drone inspection. This is the response mechanism after conflict detection. Once the information entropy difference exceeds a preset threshold, the system confirms that the attack feature data is conflicted, indicating a potential actual security threat or anomaly. At this point, the system no longer merely stops at the detection level but actively triggers further verification actions. Dynamically generating and inserting verification subtasks corresponding to the conflict type reflects the intelligence and targeted nature of the response. Different conflict types (e.g., abnormal network traffic versus abnormal physical access) may require different verification methods. For example, if the conflict is mainly at the network level, container forensics may be necessary; if it involves physical devices, device tampering verification may be required; and for large areas or areas difficult to access manually, drone inspection is more efficient. The system can maintain a mapping table or rule base between conflict types and verification subtasks. When a conflict is detected, the system intelligently determines the possible type of conflict based on the specific manifestation of the information entropy difference (e.g., which data source has a larger entropy change, the change pattern, etc.) or in combination with other contextual information (such as the type of asset affected, geographical location, etc.). Then, the system inserts the selected verification subtask as a new task instruction into the initial task path to guide the subsequent intelligence gathering and analysis process.
[0062] By calculating the information entropy difference between network log data and physical sensor data in real time, this invention can quantify information inconsistencies between different data sources, thus providing an objective, data-driven basis for conflict detection. Comparing this information entropy difference with a conflict threshold set based on the IEC 62443-3-3 standard ensures the accuracy and reliability of conflict determination, avoids biases caused by subjective judgment, and ensures that the detection sensitivity meets the security requirements of critical infrastructure such as industrial control systems, effectively reducing the risk of false alarms and missed alarms. Once a conflict is determined, the system can dynamically generate and insert targeted verification sub-tasks based on the conflict type, such as container forensics, device tamper verification, or drone inspection. This mechanism makes subsequent verification work more purposeful and efficient, avoids blind verification, optimizes resource allocation, and ensures timely and accurate responses to potential security threats, significantly improving the overall credibility and effectiveness of security threat analysis methods.
[0063] This invention further proposes a spatiotemporal weighting function, which is expressed as: ( ); Here, Wi(t) represents the dynamic weight of intelligence source i at time t, which reflects the reliability of the intelligence source at a specific point in time and under a specific context. This dynamic weight is derived after comprehensively considering multiple factors, and can more precisely characterize the real-time value of the intelligence source.
[0064] Wi0 represents the initial weight of intelligence source i, which is derived from historical confidence statistics. The initial weight can be set based on pre-assessed indicators such as the intelligence source's historical performance, authority, and data quality, providing a benchmark for dynamic adjustment. For example, an authoritative institution that has consistently provided accurate intelligence can have a higher initial weight.
[0065] λ is the time decay coefficient, which is set according to the critical infrastructure scenario. This coefficient is used to quantify the importance of intelligence timeliness, reflecting the rate at which the value of intelligence decreases over time. In critical infrastructure scenarios, the timeliness of security threat intelligence is particularly important, so the setting of λ directly affects the rate at which the weight of older intelligence decays. For example, for threats requiring rapid response, the value of λ can be set larger, causing the weight of older intelligence to decrease rapidly.
[0066] Δt represents the data latency, which is the time interval between intelligence generation and its reception and processing by the system. The longer the data latency, the worse the timeliness of the intelligence, and its weight should be reduced accordingly.
[0067] GISmatch is a geographic matching score, calculated using the spherical distance between the attack source's IP address and the protected target's GPS coordinates. Geographic matching score measures the spatial relevance between the intelligence source and the protected target. For example, the closer the attack source's IP address is to the protected target's geographical location, the higher the relevance of the intelligence to the current security incident, resulting in a higher geographic matching score and thus increasing the weight of the intelligence source.
[0068] Nconflict is the conflict count, which tracks the number of semantic contradictions between the intelligence source and other multi-source intelligence. The conflict count reflects the degree of consistency or contradiction between the intelligence source and other intelligence sources. When an intelligence source has many semantic contradictions with other intelligence sources, it indicates that its credibility may be low; therefore, the higher the conflict count, the lower the weight of the intelligence source should be.
[0069] Through the above technical solution, this invention overcomes the limitations of traditional static or singular intelligence source credibility assessment. By introducing a spatiotemporal weighting function, the system can dynamically and multidimensionally assess the real-time credibility of each intelligence source. Specifically, the initial weight Wi0 provides the accumulation of historical experience, and the time decay factor... Ensuring the timeliness of intelligence, the geographic matching degree (GISmatch) enhances the relevance of intelligence to specific security events, while the conflict count (Nconflict) effectively identifies and suppresses the impact of conflicting intelligence. This dynamic weighting mechanism, which comprehensively considers the consistency of time, space, and content, enables the system to more accurately resolve conflicts and fuse data after collecting multi-source intelligence data, thereby outputting more reliable fused intelligence. This not only significantly improves the accuracy and reliability of security threat analysis but also provides a more solid data foundation for subsequent attack chain analyst models and defense inference models, thereby optimizing the generation of real-time defense strategies and effectively responding to complex and ever-changing cybersecurity threats.
[0070] This invention further proposes that the geographic matching degree GISmatch is calculated using the Haversine formula, specifically: GISmatch=1 / (1+D / 100), where D is the spherical distance between the location coordinates of the attack source IP and the physical coordinates of the target, in kilometers.
[0071] Specifically, the Haversine formula is a mathematical formula for calculating the great circle distance between two points on a sphere. Based on the latitude and longitude information of the two points, this formula can accurately calculate the shortest distance between them, i.e., the spherical distance. By using the Haversine formula, the calculated spherical distance D between the attack source IP location coordinates and the target physical coordinates can be highly accurate and consistent across different geographical locations and coordinate systems, avoiding errors caused by inconsistent calculation methods. Furthermore, the formula GISmatch=1 / (1+D / 100) converts the spherical distance D calculated using the Haversine formula into a geographic matching degree, GISmatch. Here, D is the spherical distance between the attack source IP location coordinates and the target physical coordinates, in kilometers. The characteristic of this conversion formula is that the smaller the spherical distance D (i.e., the closer the attack source and target are geographically), the larger the value of GISmatch, approaching 1; conversely, the larger D is, the smaller the value of GISmatch, approaching 0. The constant 100 in the denominator acts as a scaling factor to adjust the sensitivity of distance D to the GISmatch score, allowing geographical proximity to be reflected in the match score in a non-linear manner that better aligns with the needs of actual security threat assessment. This transformation mechanism provides an intuitive and quantitative way to evaluate the geographical relevance of intelligence sources.
[0072] Through the above technical solution, this invention clarifies the calculation method of geographic matching degree GISmatch, namely, using the Haversine formula to accurately calculate the spherical distance D between the location coordinates of the attack source IP and the physical coordinates of the target, and further quantifying this spherical distance D into a geographically meaningful matching degree through the conversion formula GISmatch=1 / (1+D / 100). This precise and standardized calculation method effectively solves the problem of ambiguity or inconsistency in the calculation of geographic matching degree in intelligence source credibility assessment. Therefore, the dynamic weight Wi(t) of intelligence source i at time t can more accurately reflect its geographic relevance, thereby enabling the credibility-weighted fusion agent to more effectively identify and utilize high-value intelligence with strong geographic location relevance when performing conflict resolution and data fusion. The final output of highly reliable fused intelligence is more reliable and targeted in the geographic dimension, improving the accuracy and effectiveness of security threat analysis.
[0073] This invention further proposes a specific implementation method for triggering cross-model knowledge transfer based on the corrected data of the real-time defense strategy, which includes: generating adversarial examples based on the expert-corrected strategy and the original model strategy; and using the KL divergence loss function. )Calculate knowledge differences, among which Let be the probability distribution of the expert strategy. The model outputs the probability distribution of the strategy; and uses the KL divergence loss to simultaneously perform backpropagation training on the attack chain analyst model and the defense inference model, thereby realizing the transfer and alignment of knowledge from experts to the two models.
[0074] Specifically, in the knowledge transfer process, adversarial examples are first generated based on the expert-corrected strategy and the model's original strategy. The adversarial examples act as a bridge, visualizing the difference between expert experience (expert-corrected strategy) and the model's current capabilities (model's original strategy), thus providing input for subsequent knowledge difference calculations and model training. This can be achieved by comparing the differences between the expert-corrected strategy (e.g., the optimal defensive action sequence given by an expert in a specific attack scenario) and the model's original strategy (the defensive action sequence output by the model in the same scenario), constructing input data that highlights these differences. For example, in an attack chain analysis report, the expert-corrected strategy might indicate that the model ignored a key attack step or recommended a suboptimal defensive action. In this case, the attack chain report can be fine-tuned by adjusting its features or context to more clearly expose the policy differences between the model and the expert when inputting it into the model, thus forming adversarial examples. This can involve making small perturbations to attack features, environmental parameters, etc., so that when the model processes this perturbated data, the difference between its output strategy and the expert strategy is maximized.
[0075] Subsequently, the KL divergence loss function was used. Calculating the knowledge difference. KL divergence is an asymmetric measure of the difference between two probability distributions. Here, it is used to quantify the "knowledge difference" between the probability distribution of the expert policy and the probability distribution of the model's output policy. By calculating this difference, we can accurately determine the extent to which the model deviates from expert experience, thus providing a clear direction and objective for model optimization. It can be a probability distribution of defensive action sequences for specific security threat scenarios, extracted from expert-corrected strategies. This refers to the probability distribution of the defensive action sequence output by the attack chain analyst model and the defense inferencer model after receiving adversarial examples or relevant contextual information. During calculation, it is necessary to ensure that the support sets (i.e., all possible actions) of the two distributions are identical.
[0076] Finally, the attack chain analyst model and the defense inferencer model are simultaneously trained using the KL divergence loss to achieve knowledge transfer and alignment from the expert to the two models. Backpropagation training is a core mechanism for deep learning model optimization; it adjusts the model's internal parameters based on the gradient of the loss function (here, the KL divergence loss) to minimize the loss. Simultaneous training of the attack chain analyst model and the defense inferencer model aims to ensure that these two collaborative models can simultaneously absorb expert knowledge and maintain functional consistency and complementarity, thereby achieving effective knowledge transfer and alignment. After calculating the KL divergence loss, this loss value is used in the backpropagation algorithm. Specifically, the loss function is differentiated with respect to the parameters of the attack chain analyst model and the defense inferencer model to obtain gradient information. Then, the optimizer adjusts the weights and biases of the two models according to this gradient information, making the model output P_{model} gradually approach P_{expert}. Simultaneous training means that in the same training iteration, both models receive gradient signals from the KL divergence loss and update their parameters. This can be achieved by building an end-to-end training framework that includes both models.
[0077] By employing the aforementioned technical solution, and generating adversarial examples based on expert-corrected strategies and the original model strategies, this invention can accurately capture the difference between expert experience and the model's current capabilities, providing clear training signals for knowledge transfer. Furthermore, by quantifying this knowledge difference using the KL divergence loss function, the model optimization process has a clear mathematical objective, ensuring the accuracy and effectiveness of knowledge transfer. Finally, by simultaneously backpropagating the attack chain analyst model and the defense inferencer model using KL divergence loss, the collaborative transfer and alignment of expert knowledge to these two core models is achieved. This not only effectively solves the problems of potential model bias and slow convergence in complex and ever-changing security threat environments, but also significantly improves the accuracy of attack chain analysis and the real-time performance and effectiveness of defense strategy generation, enabling the entire security threat analysis system to continuously learn and evolve, better adapting to the ever-evolving cybersecurity threats.
[0078] This invention further proposes a three-stage distillation mechanism to deposit corrected knowledge into a knowledge base and optimize subsequent task paths. This three-stage distillation mechanism aims to systematically and structurally process the corrected knowledge obtained through cross-model knowledge transfer, enabling it not only to optimize existing models but also to be deposited as reusable knowledge assets, further guiding and optimizing task paths throughout the entire security threat analysis process. Through layered processing, it ensures deep learning, effective storage, and flexible application of knowledge.
[0079] like Figure 2 As shown, the three-stage distillation mechanism includes a parameter fine-tuning layer, a terminology sedimentation layer, and a path optimization layer. User-corrected data (such as strategy parameter adjustments) triggers the three-stage collaborative update mechanism, constructing a closed-loop feedback path: The main function of the parameter fine-tuning layer is to continuously and finely adjust the defense inferencer model by utilizing the difference between the expert-corrected strategy and the model's output strategy. Specifically, it uses the KL divergence loss function to quantify the inconsistency between the probability distribution of the expert strategy and the probability distribution of the model's output strategy. Based on this difference, optimization algorithms such as gradient descent are used to iteratively update the internal parameters of the defense inferencer model. For example, the model's weights, bias terms, or hyperparameters can be adjusted to make its output defense strategy closer to expert experience, thereby improving the model's decision-making accuracy and robustness when facing complex or new threats. This process ensures that the model can learn and adapt from each expert correction, rather than just undergoing a one-time training. In this embodiment, the KL divergence loss function is... ; This refers to the probability distribution of strategies revised by Security Operations Center (SOC) experts; This refers to the probability distribution of the original output of a model (such as Deepseek).
[0080] The terminology layer is responsible for abstracting and structuring key parameters or patterns with universal guiding significance in defense strategies, forming "terms" that can be understood and reused by the system. For example, specific attack methods (such as "spear phishing"), defense measures (such as "traffic scrubbing" and "access control list updates"), or security configurations (such as "port blocking" and "service hardening") can be abstracted into standardized terms. For each abstracted term, the system calculates its historical effectiveness weight, which can be quantified based on indicators such as the term's success rate in past actual defense scenarios, expert evaluations, or the degree to which it reduces its impact on business. These weighted structured terms are then stored in a knowledge base, which can be in the form of an ontology, graph database, or relational database. Simultaneously, these terms are bound to infrastructure topology constraints; for example, the term "port blocking" can be associated with the topology information of a specific server or network area, ensuring that the knowledge is context-aware and targeted when applied. The terminology accumulation in this embodiment includes: adding key terms (such as frequency thresholds) to the domain knowledge base, assigning initial weights (e.g., weight 0.85) based on historical validity, and binding topological constraint rules (such as avoiding database timeouts).
[0081] The path optimization layer aims to directly apply the accumulated corrected knowledge to the planning and execution of task paths. When new or updated terms with high historical validity weights are added to the knowledge base, the path optimization layer dynamically inserts verification or testing subtasks compatible with these new terms into the current or future task paths. For example, if terms related to the defense against new ransomware are accumulated, the system may automatically insert a verification subtask such as "ransomware sample sandbox analysis" or "specific port traffic monitoring" after the intelligence gathering or analysis phase. Furthermore, this layer reconstructs the API call logic of subsequent task paths based on new terms and their associated infrastructure topology constraints. This means that the system can dynamically adjust which security tool APIs are called, in what order, and with which parameters are passed based on the latest defense knowledge, making the entire security analysis and response process more intelligent, automated, and efficient. In this embodiment, compatibility subtasks (such as "connection pool testing") are permanently inserted through DRA and bound to API interfaces to reconstruct the subsequent analysis path.
[0082] This solution achieves a closed-loop response to user feedback through terminology weighting and automatic path expansion, constructing a full-dimensional knowledge accumulation path for user-corrected data. This effectively solves the problems of systematically accumulating and reusing corrected knowledge, and the difficulty of directly guiding future task path planning with model optimization results. The parameter fine-tuning layer ensures that the defense inference model can continuously learn from expert corrections, making its decisions more accurate and significantly reducing misjudgment rates and business impact. The terminology accumulation layer transforms scattered expert experience and model optimization results into structured, quantifiable knowledge assets. It filters the most reliable defense strategies through historical effectiveness weights and binds them to infrastructure topology constraints, giving the knowledge high contextual relevance and operability. This not only builds a continuously evolving knowledge base but also provides a solid foundation for subsequent decision-making. Based on this, the path optimization layer can directly utilize this accumulated knowledge to dynamically adjust and optimize task paths, such as inserting targeted verification subtasks or refactoring API call logic, making the entire security threat analysis process more intelligent, efficient, and adaptive. Overall, the three-stage distillation mechanism deeply integrates the model's learning ability with the system's operational capabilities, achieving a comprehensive evolution from model optimization to process optimization, and greatly enhancing the system's long-term adaptability and robustness in the face of complex security threats.
[0083] The present invention further proposes that the attack chain analyst model is a large language model fine-tuned with knowledge in the cybersecurity domain, used to identify attack techniques, tactics and processes from fused intelligence and output an attack chain analysis report; the defense inference model is a sequence decision model based on reinforcement learning training, used to receive the attack chain analysis report and infrastructure topology model, and generate a real-time defense action sequence that minimizes the false positive rate and business impact.
[0084] Specifically, the attack chain analyst model is designed as a large language model fine-tuned with cybersecurity knowledge. A large language model (LLM) is a deep learning-based natural language processing model that, through pre-training on massive amounts of text data, possesses powerful language understanding, generation, and reasoning capabilities. To better adapt it to the specific needs of cybersecurity threat analysis, this large language model is fine-tuned using a large amount of cybersecurity-related text data, including but not limited to threat intelligence reports, vulnerability analysis documents, attack case libraries, security protocol specifications, and industry standard frameworks such as MITREATT&CK. Through this fine-tuning, the attack chain analyst model can deeply understand the complex logical relationships between cybersecurity terminology, concepts, attack methods, and defense strategies. This allows it to automatically and accurately extract, correlate, and infer the attacker's techniques, tactics, and processes from unstructured or semi-structured fused intelligence, ultimately outputting a structured attack chain analysis report, providing a clear and comprehensive basis for subsequent defense decisions.
[0085] Meanwhile, the defense inference model is designed as a sequence decision model trained using reinforcement learning. Reinforcement learning (RL) is a machine learning paradigm that learns optimal decision-making strategies through the interaction of an agent with its environment. A sequence decision model means that the model can generate a series of continuous and interconnected defensive actions based on the current network security situation and historical information. Through continuous interaction and learning with simulated or real network environments, this defense inference model can master which sequence of defensive actions will achieve the best defensive effect under different attack scenarios. Its inputs include an attack chain analysis report output by the attack chain analyst model, which provides detailed attack information and predicted paths; and an infrastructure topology model, which describes the structure, components, dependencies, and potential vulnerabilities of the protected system. By comprehensively analyzing this information, the defense inference model can generate a series of specific and executable defensive actions, such as isolating infected hosts, updating firewall rules, deploying security patches, and adjusting access control policies. The core optimization goal of this model is to generate a real-time defensive action sequence that minimizes the false positive rate and business impact, that is, effectively resisting attacks while minimizing interference with normal business operations and false positives.
[0086] By introducing a large language model fine-tuned with cybersecurity knowledge as the attack chain analyst model, the accuracy and depth of identifying complex attack techniques, tactics, and processes from massive amounts of fused intelligence can be significantly improved, overcoming the limitations of traditional models in handling unstructured data and responding to unknown threats. Simultaneously, a sequence decision model trained using reinforcement learning is employed as the defense inference model. This model can comprehensively consider attack chain analysis reports and infrastructure topology models, autonomously learn and generate optimal real-time defense action sequences while minimizing false positive rates and business impact, thus achieving a more refined and intelligent defense response. This model combination greatly enhances the intelligence level of security threat analysis and the adaptability and effectiveness of defense strategies, ensuring the safe and stable operation of critical infrastructure.
[0087] This invention also proposes an open-source intelligence security threat analysis system based on multi-agent intelligent game theory.
[0088] The system comprises a dynamic research agent, a credibility-weighted fusion agent, a multi-model collaborative defense agent, and a feedback-loop evolutionary agent. The dynamic research agent generates an initial task path based on attack feature data; and when a conflict is detected in the attack feature data, it dynamically inserts a verification subtask based on an information entropy threshold and outputs a task instruction. The credibility-weighted fusion agent collects multi-source intelligence data according to the task instruction, dynamically calculates the credibility weight of each intelligence source using a spatiotemporal weight function, and performs conflict resolution and data fusion based on the weights to output highly credible fused intelligence. The multi-model collaborative defense agent analyzes this highly credible fused intelligence based on an attack chain analyst model to obtain attack behavior characteristics; and generates a real-time defense strategy through a defense inference model. The feedback-loop evolutionary agent triggers cross-model knowledge transfer based on the corrected data of the real-time defense strategy to obtain corrected knowledge, thereby optimizing the attack chain analyst model and the defense inference model.
[0089] To address the uncertainty of attack paths in the cognitive domain, this embodiment utilizes a Dynamic Research Agent (DRA) to generate dynamic attack analysis paths. Upon system startup, the DRA receives attack characteristics input by the user (such as abnormal network logs or device signals) and generates initial task paths (e.g., vulnerability verification, authorization tracing) based on a pre-trained model. When a physical-digital data conflict is detected (i.e., inconsistency between network logs and physical sensor data), the DRA inserts a verification subtask in real time (e.g., device tamper verification) and triggers multi-source data collection (e.g., drone inspection or container memory snapshots) via API calls. The core innovation of the DRA lies in its dynamic task insertion mechanism: it uses an information entropy threshold (based on the IEC62443-3-3 standard, with a default conflict threshold of 1.8 bits) for real-time decision-making, overcoming the limitation of traditional static rule systems (such as SIEM) that require pre-defining all paths. The DRA's output instructions (e.g., container forensics instructions) are directly input into the CWM module, achieving seamless integration of task paths and intelligence gathering.
[0090] To ensure intelligence information security and prevent false information from contaminating decision-making, the CWM module performs credibility-weighted fusion of multi-source intelligence. The CWM module receives task instructions from the DRA, collects multi-source intelligence in real time from network logs, physical sensors, dark web data, and other sources, and dynamically assigns source weights using a spatiotemporal weighting function. The weight calculation formula is as follows: (Right now Here, Wi0 is the initial weight (based on historical confidence), λ is the attenuation coefficient (0.1 for critical infrastructure scenarios), Δt is the data latency, GISmatch is the geographic matching degree (calculated via IP and GPS coordinates), and Nconflict is the multi-source data conflict count. CWM performs conflict resolution, prioritizing high-weight data (e.g., Wi(t) ≥ 0.8) and outputting fused, highly credible intelligence (e.g., vulnerability exploitation evidence) to the multi-model collaboration module. By introducing spatiotemporal attenuation factors and geographic constraints, the problem of false intelligence mis-collection caused by static weighting mechanisms (e.g., forged data from the dark web) is solved. The output data drives the generation of defense strategies, realizing the transformation from intelligence credibility to defense actions.
[0091] The multi-model collaboration module receives fused intelligence from CWM output, which is then analyzed by the attack chain analyst model (Qwen) to identify attack chain characteristics (such as malicious code injection paths) and output attack behavior reports (e.g., APT groups using CVE numbers). Simultaneously, the defense inference model (DeepSeek) generates real-time defense strategies (such as spoofed command injection schemes) based on infrastructure topology models (such as power grid or cloud platform architecture), ensuring the false positive rate remains below a threshold (default <8%). When users report that the actual false positive rate exceeds the threshold, the system activates a cross-model knowledge transfer mechanism: generating adversarial examples (such as comparing the original strategy with the modified strategy) and applying the KL divergence loss function (…). () The distribution is generated through one-hot encoding of expert policy logs. The Qwen and DeepSeek models are trained simultaneously (using the Softmax probability distribution output by the model). Dual-model adversarial training eliminates the feedback lag of a single model (e.g., the traditional approach requires 30 minutes), resolving the disconnect between defense strategies and attack behaviors. The optimized strategy is input into a three-stage distillation module, completing the transition from strategy to knowledge accumulation.
[0092] Adversarial example generation logic: #Pseudocode example: if user feedback false positive rate > threshold: Generate adversarial examples = { "Original Strategy": Current defense strategy. "Strategy Adjustment": Experts adjust the strategy. "Constraints": System operating boundary parameters } Simultaneous update of dual model parameters The core innovation of this embodiment lies in combining a dynamic research agent, a credibility-weighted fusion agent, a multi-model collaborative defense agent, and a feedback loop evolutionary agent in a collaborative manner. This enables dynamic game theory between attackers and defenders and incremental enhancement of intelligence credibility within the cognitive domain. It solves key problems in existing systems, such as lagging static analysis mechanisms, lack of dynamic credibility assessment in intelligence fusion, and disconnect between defense simulation and attack behavior analysis, thereby improving the real-time performance and reliability of threat analysis. Specifically, the dynamic research agent dynamically inserts verification sub-tasks using information entropy thresholds, effectively addressing the conflict problem of attack feature data and avoiding the response delay of traditional static analysis mechanisms to new attacks. The credibility-weighted fusion agent utilizes a spatiotemporal weight function to comprehensively evaluate the time decay, geographical matching degree, and conflict count of intelligence sources, achieving dynamic credibility assessment of multi-source intelligence fusion and significantly reducing false intelligence interference. The linkage mechanism between the multi-model collaborative defense agent and the feedback loop evolutionary agent enables the attack chain analyst model and the defense simulation model to generate defense strategies based on real-time fused intelligence and continuously optimize model performance through cross-model knowledge transfer, thus ensuring real-time synchronization and dynamic adaptation between defense simulation and attack behavior analysis.
[0093] Through the above technical solution, this embodiment constructs a complete multi-agent collaborative analysis closed loop within the cognitive domain. The dynamic research agent first handles the initial conflicts in attack feature data, triggering a verification sub-task to enhance data reliability; the credibility-weighted fusion agent further quantifies the credibility of intelligence sources through a spatiotemporal weighting function, achieving high-precision conflict resolution; the multi-model collaborative defense agent synchronously executes attack behavior analysis and defense strategy generation based on the optimized fused intelligence; and the feedback closed-loop evolutionary agent transforms strategy correction data into correction knowledge, driving the continuous evolution of the dual models. This layered and progressive technical architecture not only compensates for the lagging defects of static analysis mechanisms but also fundamentally solves the problems of missing credibility assessment in intelligence fusion and the disconnect between defense simulation and the system's capabilities. This enables the system to respond in real-time to attackers' adaptive strategies, significantly improving the proactive defense capabilities for critical infrastructure protection.
[0094] The technical solution of the present invention will be described in detail below with reference to specific examples; Case Study: Defense Simulation of Penetrating a Website Using the Log4j Vulnerability in a Simulated Network Attack This case study simulates the complete process of a system based on dynamic research agents and incremental trust enhancement responding to a Log4j vulnerability attack (CVE-2021-44228) on critical infrastructure (such as a website's cloud platform), from attack signature input to a closed-loop feedback mechanism for defense strategies. The attack scenario involves attackers exploiting an unpatched Log4j vulnerability to launch high-frequency JNDI requests, attempting to tamper with database access permissions and steal data. The system, through multi-module collaboration, achieves real-time threat intelligence generation and defense optimization.
[0095] Step 1: DRA dynamically generates attack analysis paths.
[0096] Upon system startup, the system dynamically studies the attack characteristics of user input received by the intelligent agent, including abnormal WAF logs (high-frequency JNDI requests) and database audit logs (abnormal permission changes). This data is collected from a website's real-time security device. Based on a pre-trained model, DRA generates an initial task path, including a vulnerability verification task (outputting Log4j vulnerability exploitation confirmation) and a permission tracing task (outputting abnormal account operation location). When a physical-digital data conflict is detected—specifically, based on the container process information entropy exceeding a threshold, which is based on the IEC62443-3-3 standard (recommended value 1.8 bits)—the system calculates the information entropy difference by comparing network logs (showing normal permissions) with container monitoring signals (detecting abnormal processes such as sudden_crypto_miner). DRA then inserts a dynamic subtask (container forensics) in real time and triggers cloud host memory data collection via API calls. This task insertion mechanism eliminates the limitation of traditional SIEM systems requiring predefined paths (response latency is based on standard test reports). Output instructions (such as malicious process memory snapshot collection commands) are seamlessly connected to the credibility weighting mechanism module in step 2, serving as input instructions for CWM to drive multi-source intelligence collection.
[0097] Input data: Initial attack characteristics: abnormal WAF logs (high-frequency JNDI requests) + abnormal changes in database access permissions.
[0098] Data source: WAF logs from a certain website, database audit logs.
[0099] Dynamic path generation and subtask insertion: Initial path generation: base_tasks=[ {"task":"Vulnerability Verification","output":"Log4j Vulnerability Exploitation Confirmation"}, {"task":"Permission tracing","output":"Locating abnormal account operations"} ] Reference basis: Physical-digital conflict triggering condition: IF container process entropy value > threshold THEN insert container evidence collection subtask.
[0100] Technical rationale: The entropy threshold is based on the industrial control system safety standard (IEC62443-3-3), and the creation of abnormal processes leads to a significant increase in information entropy.
[0101] Physical-digital conflict triggers subtask insertion: Judgment criteria: When the database log shows normal permissions, but the container monitoring detects the creation of an abnormal process (such as sudden_crypto_miner), the conflict threshold (>1.8 bits of information entropy) is triggered.
[0102] Insertion action: ifentropy(container_behavior)>1.8: insert_task("Container forensics",output="Malicious process memory snapshot")#Dynamic subtask.
[0103] Data integration: Output container forensics commands to the CWM module to trigger cloud host memory data collection.
[0104] Compared to traditional solutions: Traditional SIEM systems require predefined container monitoring rules, while this solution dynamically inserts forensic tasks through real-time information entropy calculation, thus improving response speed.
[0105] Step 2: CWM spatiotemporal weighted fusion of multi-source intelligence.
[0106] The CWM module receives the output command (container forensics command) from step 1 and collects multi-source intelligence in real time, including network logs (WAF interception records), physical signals (container memory characteristics), and external intelligence (dark web Log4j vulnerability trading posts). Data is sourced from commercial databases such as MaxMind IP location and cloud platform monitoring systems. Weights are dynamically allocated using a spatiotemporal weighting function, the formula of which is... (Where Wi0 is the initial weight, based on historical confidence statistics such as an initial value of 0.95 in WAF logs; λ is the attenuation coefficient, set to 0.1 based on expert experience for critical infrastructure scenarios; Δt is the data latency, derived from the difference in collection timestamps; GISmatch is the geographic matching degree, calculated using the Haversine formula as the spherical distance between the IP address (58.32.1.1) and the GPS coordinates (a website's data center in Guangzhou); Nconflict is the conflict count, based on semantic analysis of multi-source data to count the number of conflicts, such as the dark web claiming "the vulnerability is unavailable" but detecting malicious load in container memory). In the Log4j case, the dark web data weight calculation shows Δt = 300 seconds (latency caused e With a weight of 0.1 × 300 ≈ 0.000045, GISmatch = 1.0 (distance 0 km), and Nconflict = 3 (three content conflicts), the final weight approaches 0, thus adopting high-weight container memory evidence (weight increases to 1.0), and outputting fused intelligence (Log4j vulnerability exploitation confirmation) to step 3 for multi-model collaborative generation of defense strategies. This process solves the mis-collection problem of traditional static weighting mechanisms, and the false intelligence filtering rate is improved based on laboratory benchmark tests.
[0107] Input data: Network logs: WAF interception records (initial weight Wi0=0.95); Physical signals: Container memory characteristics (Wi0=0.90); External intelligence: Dark web Log4j vulnerability trading post (Wi0=0.30).
[0108] Dynamic weight calculation and conflict resolution: Applications of the spatiotemporal weighting function:
[0109] Δt: Dark web data latency (Δt = 300s → e) (0.1 × 300 = 0.000045). GIS matching score: Distance between the attack source IP (58.32.1.1) and the container location (a website's data center in Guangzhou) = 0km → Match score = 1.0; Conflict count: The dark web claims the vulnerability is unusable, but malicious payloads are detected in the container memory → Conflict count = 3; Dark web weight results: →The weight approaches 0.
[0110] GIS matching degree calculation: # Pseudocode implementation of defcalc_gis_match(ip,gps): ip_location = geolite2.lookup(ip) # Commercial IP location database distance = haversine(ip_location, gps) # Spherical distance algorithm return 1 / (1+distance / 100) # The matching accuracy halves for every 100 kilometers increase in distance. Fusion decision: Adopt container memory evidence (weight = 0.90 → increased to 1.0) to confirm vulnerability exploitation behavior.
[0111] Comparison with traditional solutions: Traditional fusion mechanisms (such as CN13004786A) statically weighted dark web data (weight=0.5) have a false sampling rate of 32%; this solution improves the false intelligence filtering rate by using spatiotemporal decay factors and GIS constraints.
[0112] Step 3: Multi-model collaborative generation of defense strategies.
[0113] The multi-model collaboration module receives the fused intelligence (container memory characteristics) from step 2. The attack chain analyst model (Qwen) analyzes the attack chain characteristics (such as APT groups injecting malicious classes like ldap_Exploit.class) and outputs an attack behavior report (stealing database credentials). Simultaneously, the defense inference model (DeepSeek) generates a real-time defense strategy based on the infrastructure topology model (a website's cloud platform architecture). (The defense strategy "injecting fake database responses" is not only a technical action but also a cognitive-level deception, designed to mislead the attacker's judgment and render their cognitive model ineffective.) When users report that the actual false positive rate exceeds the standard (based on operation and maintenance log statistics), the system activates a cross-model knowledge transfer mechanism, generates adversarial examples (such as a comparison between the original strategy "5 times / second response injection" and the modified strategy "3 times / second response injection"), and uses the KL divergence loss function. Synchronous training is performed to minimize the loss function. This dual-model adversarial training reduces the feedback time from 30 minutes in the traditional single-model mechanism to 1 minute. Based on real-time system stress testing, optimized strategies (such as adjusted camouflage responses) are output to the tertiary distillation module in step 4, achieving real-time synchronization between defense strategies and attack behaviors.
[0114] Role division and combat training: Model Input data Output Action Attack Chain Analyst (Qwen) CWM-integrated container memory features "An APT group injected the malicious class ldap_Exploit.class to steal database credentials." Defense Inference Tool (DeepSeek) Website topology + vulnerability evidence Recommendations: ① Isolate the controlled container; ② Inject a fake database response (false positive rate <5%). Cross-model knowledge transfer mechanism: User feedback: Actual false positive rate is 12% → The frequency of fake response needs to be adjusted.
[0115] Adversarial example generation: adversarial_sample={ Original strategy: "5 injections / second" "Modified Strategy": "Response Injection 3 times / second", "Constraint": "Avoid triggering database connection pool timeout" } Simultaneous training of two models: Qwen's backpropagation update: LKD = ∑KL(PSOC expert∥PQwen); DeepSeek reinforcement learning: reward function R= | False positive rate 5% |, 3 iterations.
[0116] Compared with traditional solutions: Microstep XGPT single-model fine-tuning takes 30 minutes, while this solution greatly reduces the feedback time by sharing adversarial examples.
[0117] Step 4: Three-stage distillation feedback closed loop.
[0118] User-corrected data (e.g., adjusting policy parameters to a 3Hz response frequency) triggers a three-level collaborative update mechanism, constructing a closed-loop feedback path. First, at the parameter fine-tuning layer, model parameters are updated using the KL divergence loss function (e.g., LKD in the DeepSeek model) to minimize the difference between the expert policy and the model output. Second, at the terminology accumulation layer, key terms (e.g., "database response injection frequency threshold") are added to the domain knowledge base, with initial weight allocation (e.g., 0.85) based on historical effectiveness statistics (success rate over the past 90 days). Finally, at the path optimization layer, the agent dynamically inserts compatibility subtasks (e.g., "connection pool compatibility testing"), binds output instructions to API interfaces (e.g., avoiding database timeouts), and reconstructs the subsequent analysis path. This mechanism achieves a closed-loop response to user feedback, knowledge accumulation requires no manual intervention (compared to the traditional 48-hour update cycle), and the optimized task path returns to the DRA in step 1, restarting the analysis process to address new attacks.
[0119] User feedback drives updates: Parameter fine-tuning layer: DeepSeek model updates KL divergence loss:
[0120] Terminology: Precipitation layer The term "database response injection frequency threshold" was added to a website's knowledge base with an initial weight of 0.85.
[0121] Path optimization layer: DRA Permanent Insert Task: {"task":"Connection Pool Compatibility Test","output":"Avoid Triggering Timeout Mechanism"}.
[0122] Compared with traditional solutions: Traditional knowledge bases require manual updates every 48 hours; this solution reduces the error rate of defense strategies by using terminology weight binding and automatic path expansion.
[0123] In addition, the present invention also proposes a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the above-described method.
[0124] Specifically, the computer-readable storage medium refers to any non-transitory medium capable of storing computer programs or other data and readable by a computer system. It can be, for example, flash memory, hard disk, solid-state drive, optical disc (such as CD-ROM, DVD-ROM, Blu-ray disc), or read-only memory (ROM). This medium provides the foundation for carrying and distributing the complex method. The computer program refers to a set of instructions that can be read and executed by a processor to perform a specific function or task. The program can exist as source code, a compiled executable file, a script, or any other form that can be understood and executed by a computer system. It is the specific logical carrier for implementing the security threat analysis method. When the computer program is executed by the processor, it will automatically complete the various steps in the open-source intelligence security threat analysis method based on intelligent game theory according to a preset logical order and algorithm. This includes, but is not limited to, generating an initial task path based on attack feature data, dynamically inserting verification subtasks, collecting multi-source intelligence data, calculating the credibility weight of intelligence sources, performing conflict resolution and data fusion, parsing highly reliable fused intelligence, generating real-time defense strategies, and triggering cross-model knowledge transfer. Through the execution of the program, the complex method can operate automatically and efficiently.
[0125] By storing the complex method as a computer program on a computer-readable storage medium and executing it via a processor, this invention ensures that the security threat analysis method operates efficiently, stably, and consistently in various computing environments. This greatly simplifies the deployment and management process, reduces the complexity and error rate of manual operations, and enables the widespread application and promotion of the multi-agent game theory and incremental trust enhancement security threat analysis method. Furthermore, the programmatic implementation facilitates iterative updates and maintenance of the method, thereby continuously optimizing the accuracy and efficiency of security threat analysis.
[0126] The present invention also proposes an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the above-described method.
[0127] Specifically, the electronic device is the physical carrier that supports and runs the method, and it can be a server, workstation, embedded system, or dedicated network security device, etc. This device provides the necessary computing resources, storage space, and network interface to support the various operations of the method. The memory is used to store the computer program and data generated or needed during program execution. This includes, but is not limited to, program code, configuration parameters, intermediate calculation results, intelligence data, model parameters, etc. The memory can be random access memory (RAM) for temporary data storage and program execution, or non-volatile memory such as hard disk drive (HDD) or solid-state drive (SSD) for persistent storage. The processor is the core computing unit of the electronic device, responsible for parsing and executing the computer program instructions in the memory. It performs various arithmetic and logical operations, data processing, and control operations, driving the various steps of the method to be implemented, such as data acquisition, information entropy calculation, weight function calculation, model inference, and policy generation. The computer program is a set of instructions for implementing the method, stored in the memory in the form of executable code. When the processor executes the program, it calls the corresponding algorithms and modules according to the preset logical flow to complete the various functions defined in the method, thereby realizing open-source intelligence security threat analysis based on intelligent game theory.
[0128] By providing a specific electronic device as the operating platform for the method, this invention transforms abstract analytical methods into practically deployable and operable solutions. The memory ensures efficient storage and rapid access to complex program code and massive amounts of intelligence data, providing a data foundation for the method's execution. The processor provides powerful computing capabilities, enabling efficient execution of computationally intensive tasks such as multi-agent game theory, credibility-weighted fusion, attack chain analysis, and defense simulations, thereby guaranteeing the real-time performance and accuracy of security threat analysis. When the processor executes the computer program, the various functions defined in the method are precisely implemented, allowing the system to respond promptly to constantly evolving cybersecurity threats, generate and deploy effective defense strategies, and significantly improve the practicality, stability, and operational efficiency of security threat analysis.
[0129] The following example will provide a more detailed explanation of the above technical solution: Suppose a critical infrastructure, such as a smart grid substation located at location A, is facing a sophisticated cyberattack. This attack is characterized by exploiting novel vulnerabilities and attempting to confuse defense systems by fabricating intelligence.
[0130] First, the system generates an initial task path based on attack signature data extracted from network traffic, logs, and security device alarms. For example, it detects abnormal login attempts from unknown IP addresses and scanning behavior on specific ports of the SCADA system. During task execution, the system detects conflicts in the attack signature data: network logs show that a user account on an internal server successfully logged in from multiple different geographical locations within a short period, but physical sensor data (such as access control records and video surveillance) does not show anyone entering the server room. To address this conflict, the system calculates the information entropy difference between the network log data and the physical sensor data in real time. This information entropy difference is compared to a preset conflict threshold, set based on the IEC 62443-3-3 standard. When the information entropy difference exceeds the conflict threshold, the system determines that the attack signature data is conflicted and dynamically generates and inserts a verification subtask corresponding to the conflict type. For example, for the above conflict, the system might insert a "container forensics" subtask to perform in-depth analysis of the server container involved in the abnormal login, or insert a "device tampering verification" subtask to check for signs of tampering in the physical access control system. In this way, the system can proactively identify and verify suspicious intelligence, avoiding the problem of traditional static analysis mechanisms being slow to respond to new types of attacks, and effectively countering interference from attackers' fabricated intelligence. After completing the verification, the system outputs task instructions containing these verification steps.
[0131] Next, the system collects multi-source intelligence data according to task instructions, including information from network logs, physical sensors, threat intelligence platforms, and dark web forums. To assess the reliability of these intelligence sources, the system dynamically calculates the credibility weight of each source using a spatiotemporal weighting function. This function considers the initial weight of the intelligence source (based on historical confidence statistics), data latency, geographic matching degree, and conflict count. For example, intelligence from dark web forums may have a lower initial weight and a longer data latency; while data from physical sensors inside substations typically has a higher initial weight and a shorter data latency. Geographic matching degree is calculated using the spherical distance between the attack source's IP address location coordinates and the protected target's GPS coordinates. For example, if the attack source's IP address is located near location A, its geographic matching degree is high. The conflict count counts the number of semantic contradictions between the intelligence source and other multi-source intelligence. Through this dynamic weighting mechanism, the system can effectively identify and reduce the impact of low-credibility intelligence, solving the problem of existing systems lacking dynamic credibility assessment in multi-source intelligence fusion and ensuring the generation of highly credible fused intelligence. Subsequently, the system resolves conflicts and fuses data based on these dynamically calculated weights, outputting highly reliable fused intelligence.
[0132] Then, the system inputs highly reliable fused intelligence into the attack chain analyst model. This model is a large language model fine-tuned with cybersecurity knowledge, capable of identifying attack techniques, tactics, and processes (TTPs) from the fused intelligence. For example, it identifies an attacker exploiting a specific CVE vulnerability for initial access, subsequently infiltrating the SCADA network laterally, and attempting to tamper with control commands. The model outputs a detailed attack chain analysis report. Simultaneously, the defense inference model receives this attack chain analysis report and the substation's infrastructure topology model. The defense inference model is a sequence decision model trained using reinforcement learning. Based on the current attack posture and infrastructure vulnerabilities, it generates a real-time defense action sequence that minimizes the false positive rate and business impact. For example, it generates a series of defense strategies such as "isolate the infected SCADA workstation," "update firewall rules to block specific C2 traffic," and "trigger physical security alarms." This close collaborative mechanism solves the problem of the disconnect between defense inference and attack behavior analysis, enabling real-time response to attacks.
[0133] Finally, the system triggers cross-model knowledge transfer based on the real-time defense strategy correction data to continuously optimize the attack chain analyst model and the defense inferencer model. For example, if a defense strategy generated by the defense inferencer model is found to be insufficient or requires adjustment after actual implementation, this correction data will be used to generate adversarial examples. The system uses the KL divergence loss function to calculate the knowledge difference between the expert-corrected strategy and the model output strategy. Using this KL divergence loss, the system simultaneously performs backpropagation training on the attack chain analyst model and the defense inferencer model, realizing the transfer and alignment of knowledge from expert experience to the two models. In addition, the system also uses a three-level distillation mechanism to deposit the corrected knowledge into the knowledge base and optimize subsequent task paths. The parameter fine-tuning layer uses the KL divergence loss function to fine-tune the parameters of the defense inferencer model. The terminology deposition layer abstracts key parameters or patterns in the defense strategy (such as "SCADA network isolation strategy") into structured terms, calculates their historical validity weights, stores them in the knowledge base, and binds them to infrastructure topology constraints. The path optimization layer inserts verification or testing subtasks compatible with the new terminology into subsequent task paths and restructures the API call logic of those paths. Through this closed-loop feedback and continuous learning mechanism, the system can continuously adapt to new types of attacks, improve its analysis and defense capabilities, and effectively avoid the passive situation of "attack first, defense follow-up," thus achieving incremental trust enhancement.
[0134] The above description is merely an embodiment of the present invention and is not intended to limit the scope of protection of the present invention. For those skilled in the art, the present invention can have various modifications and variations. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.
Claims
1. An open-source intelligence security threat analysis method based on multi-agent intelligent game theory, characterized in that, include: Generate an initial task path based on attack signature data; And when a conflict is detected in the attack feature data, a verification subtask is dynamically inserted based on the information entropy threshold, and a task instruction is output. Collect multi-source intelligence data according to the task instructions, and dynamically calculate the credibility weight of each intelligence source through a spatiotemporal weight function; It also performs conflict resolution and data fusion based on weights to output highly reliable fused intelligence; The attack chain analyst model is used to analyze the highly reliable fused intelligence and obtain attack behavior characteristics. And generate real-time defense strategies through a defense inference model; Based on the corrected data of the real-time defense strategy, cross-model knowledge transfer is triggered to obtain corrected knowledge, so as to optimize the attack chain analyst model and the defense inference model.
2. The method according to claim 1, characterized in that, The dynamic insertion of verification subtasks based on information entropy thresholds specifically includes: Real-time calculation of the information entropy difference between network log data and physical sensor data; The information entropy difference is compared with a preset conflict threshold, which is set based on the IEC62443-3-3 standard; When the information entropy difference exceeds the conflict threshold, it is determined that the attack feature data is conflicted, and a verification subtask corresponding to the conflict type is dynamically generated and inserted. The verification subtask includes container forensics, device tampering verification, or drone inspection.
3. The method according to claim 1, characterized in that, The spatiotemporal weighting function is expressed as follows: ( ); in, Wi(t) is the dynamic weight of intelligence source i at time t; Wi0 is the initial weight of intelligence source i, which is obtained based on historical confidence statistics; λ is the time decay coefficient, which is set according to the critical infrastructure scenario; Δt is the data delay duration; GISmatch is the geographic matching degree, which is calculated by the spherical distance between the attack source IP address and the GPS coordinates of the protected target. Nconflict is the conflict count, which counts the number of semantic contradictions between this intelligence source and other multi-source intelligence.
4. The system according to claim 3, characterized in that, The geographic matching degree GISmatch is calculated using the Haversine formula, specifically: GISmatch = 1 / (1+D / 100) Where D is the spherical distance between the attack source IP location coordinates and the target physical coordinates, in kilometers.
5. The method according to claim 1, characterized in that, Based on the corrected data of the real-time defense strategy, cross-model knowledge transfer is triggered through the following steps: Adversarial examples are generated based on expert-corrected strategies and the original model strategies. Using the KL divergence loss function )Calculate knowledge differences, among which Let be the probability distribution of the expert strategy. Output the probability distribution of the policy for the model; The attack chain analyst model and the defense inferencer model are trained by backpropagation using the KL divergence loss to achieve knowledge transfer and alignment from the expert to the two models.
6. The method according to claim 5, characterized in that, Furthermore, a three-stage distillation mechanism is used to deposit corrected knowledge into a knowledge base and optimize subsequent task paths; the three-stage distillation mechanism includes: Parameter fine-tuning layer: The KL divergence loss function is used to calculate the difference between the expert correction strategy and the model output strategy, and the parameters of the defense inference model are fine-tuned based on the difference. Terminology sedimentation layer: Key parameters or patterns in the defense strategy are abstracted into structured terms, their historical validity weights are calculated, stored in the knowledge base, and bound to infrastructure topology constraints; Path optimization layer: Insert verification or testing subtasks compatible with the new terminology into the task path, and refactor the API call logic of subsequent task paths.
7. The method according to claim 1, characterized in that, The attack chain analyst model is a large language model fine-tuned with knowledge from the cybersecurity domain. It is used to identify attack techniques, tactics, and processes from fused intelligence and output an attack chain analysis report. The defense inference model is a sequence decision model trained based on reinforcement learning. It is used to receive the attack chain analysis report and the infrastructure topology model and generate a real-time defense action sequence that minimizes the false positive rate and business impact.
8. An open-source intelligence security threat analysis system based on multi-agent intelligent game theory, characterized in that, include: Dynamically study intelligent agents and generate initial task paths based on attack feature data; And when a conflict is detected in the attack feature data, a verification subtask is dynamically inserted based on the information entropy threshold, and a task instruction is output. A credibility-weighted fusion intelligent agent collects multi-source intelligence data according to the task instructions and dynamically calculates the credibility weight of each intelligence source through a spatiotemporal weight function. It also performs conflict resolution and data fusion based on weights to output highly reliable fused intelligence; A multi-model collaborative defense agent analyzes the highly reliable fused intelligence based on the attack chain analyst model to obtain attack behavior characteristics. And generate real-time defense strategies through a defense inference model; The feedback closed-loop evolutionary agent obtains corrected knowledge by triggering cross-model knowledge transfer based on the corrected data of the real-time defense strategy, so as to optimize the attack chain analyst model and the defense inference model.
9. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the program is executed by the processor, it implements the method as described in any one of claims 1-7.