Cybersecurity event research and judgment method, device, equipment, medium and product

By combining a security domain example library with a large-scale intelligent model, this technology enables efficient, accurate, and interpretable analysis of cybersecurity incidents, solving the problem of balancing efficiency and interpretability in existing technologies. It is suitable for real-time response to large-scale security incidents.

CN122160166APending Publication Date: 2026-06-05CHINA UNITED NETWORK COMM GRP CO LTD +2

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CHINA UNITED NETWORK COMM GRP CO LTD
Filing Date
2026-04-09
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing technologies struggle to simultaneously balance efficiency, accuracy, and interpretability of reasoning in cybersecurity incident assessment. Manual analysis is time-consuming, traditional models lack sufficient coverage, and the reasoning process of large models lacks interpretability.

Method used

A customized thought chain prompting mechanism for the security domain is constructed. Experience examples are retrieved from a pre-set security domain example library to generate structured input data and drive a large model agent to perform explicit step-by-step reasoning. Structured judgment conclusions are generated by combining multi-source data.

Benefits of technology

It significantly improves the accuracy and efficiency of cybersecurity incident analysis, ensures the reasoning process is transparent and explainable, reduces the false positive rate, and is suitable for real-time response to large-scale security incidents.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160166A_ABST
    Figure CN122160166A_ABST
Patent Text Reader

Abstract

The application provides a network security event research and judgment method and device, equipment, medium and product, and relates to the technical field of network security. The method comprises the following steps: acquiring multi-source data related to a network security event to be researched and judged; performing entity extraction and structural processing on the multi-source data to generate structured input data containing an attacker Internet Protocol address, a victim host identifier and a vulnerability identifier; retrieving an experience example matching the network security event to be researched and judged from a preset security field example library according to the structured input data; generating a first prompt text according to the retrieved experience example; inputting the structured input data and the first prompt text into a preset large model agent to generate an explicit step-by-step reasoning process and a structured research and judgment conclusion. The method of the application drives the large model agent to output the explicit step-by-step reasoning process and the structured research and judgment conclusion, and realizes efficient, accurate and interpretable network security event research and judgment.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of network security technology, and in particular to a method, apparatus, device, medium and product for analyzing network security incidents. Background Technology

[0002] As cyberattack methods become increasingly complex and covert, cybersecurity incidents are experiencing explosive growth, necessitating improvements in the automation and intelligence of cybersecurity incident analysis.

[0003] In existing technologies, the methods for assessing cybersecurity incidents mainly fall into three categories: First, relying on technical personnel for manual assessment, drawing conclusions based on experience by analyzing network logs, traffic data, and threat intelligence; second, employing automated assessment methods based on preset rules or traditional machine learning models, identifying attacks by matching known attack characteristics (such as signatures and behavioral patterns); and third, utilizing large language models to directly assess security incidents in natural language form from end to end.

[0004] However, existing technologies struggle to balance analytical efficiency, accuracy, and interpretability of reasoning. Summary of the Invention

[0005] This application provides a method, apparatus, device, medium, and product for assessing cybersecurity incidents. It is used to construct a customized thought chain prompting mechanism in the security domain, retrieve and match experience examples from a preset security domain example library to generate a first prompt text, and drive a large model intelligent agent to output an explicit step-by-step reasoning process and structured assessment conclusions based on structured input data, thereby achieving efficient, accurate, and interpretable cybersecurity incident assessment.

[0006] Firstly, this application provides a method for assessing cybersecurity incidents, the method comprising:

[0007] Acquire multi-source data related to the cybersecurity incidents to be analyzed;

[0008] Entity extraction and structured processing are performed on multi-source data to generate structured input data containing attacker Internet Protocol addresses, victim host identifiers, and vulnerability identifiers;

[0009] Based on the structured input data, retrieve experience examples that match the cybersecurity incident to be analyzed from the preset security domain example library. The experience examples include the incident input data, the thought chain reasoning process based on cybersecurity knowledge, and the historical structured analysis conclusions.

[0010] Generate the first prompt text based on the retrieved experience examples;

[0011] Both the structured input data and the first prompt text are input into the preset large model agent to generate an explicit step-by-step reasoning process and a structured judgment conclusion. The explicit step-by-step reasoning process includes multiple analysis steps. Each analysis step includes a step number, analysis content, and basis label. The basis label points to the structured input data or preset network security knowledge. The analysis content is derived from the basis label based on network security rules or facts. The structured judgment conclusion includes the event type, security level, and handling recommendations.

[0012] In one possible implementation, based on structured input data, empirical examples matching the cybersecurity incident to be assessed are retrieved from a pre-defined security domain example library, including:

[0013] Based on the structured input data, determine the event type labels for the cybersecurity incidents to be analyzed;

[0014] Based on the event type label, candidate experience examples with the same event type label as the network security event to be analyzed are selected from the preset security domain example library to obtain a set of candidate experience examples;

[0015] Calculate the semantic similarity between the structured input data and the event input data of each candidate experience example in the candidate experience example set, where the semantic similarity is calculated based on the overlap of entities and the entity weight weight.

[0016] The candidate experience examples in the candidate experience example set are sorted according to semantic similarity, and the preset number of experience examples with the highest similarity are selected as the matching experience examples.

[0017] In one possible implementation, calculating the semantic similarity between the structured input data and the event input data of each candidate experience example in the candidate experience example set includes:

[0018] Extract common entities of the same type from the structured input data and the event input data of any candidate experience example to obtain the set of common entities between the structured input data and any candidate experience example;

[0019] Preset weights are assigned to each entity in the common entity set, where the weights of the attacker's Internet Protocol address and the vulnerability identifier are both higher than the weights of the victim host identifier.

[0020] For each pair of common entities of the same type in the event input data corresponding to the structured input data and any candidate experience example, calculate the local similarity score;

[0021] Based on the common entity set, the preset weights of each entity, and the corresponding local similarity scores, the semantic similarity between the structured input data and the event input data of any candidate experience example is calculated using a weighted normalization method.

[0022] In one possible implementation, the formula for calculating the semantic similarity between the structured input data and the event input data of any candidate experience example using a weighted normalization method, based on the common entity set, the preset weights of each entity, and the corresponding local similarity scores, is as follows:

[0023]

[0024] Where Sim represents the semantic similarity between the structured input data and the event input data of any candidate experience example, and E represents the semantic similarity between the structured input data and the event input data of any candidate experience example. common Let e ​​be any common entity in the set of common entities, and Weight(e) be the preset weight of entity e. query e example () represents the local similarity score.

[0025] In one possible implementation, it also includes:

[0026] If no experience example matching the cybersecurity incident to be analyzed is found in the preset security domain example library based on the structured input data, a second prompt text is generated based on the structured input data and preset cybersecurity knowledge. The second prompt text includes a description of security facts related to the cybersecurity incident to be analyzed, a preset analysis step mode, and output format constraints.

[0027] Both the structured input data and the second prompt text are input into the preset large model agent to generate an explicit step-by-step reasoning process and a structured judgment conclusion.

[0028] In one possible implementation, after generating the explicit step-by-step reasoning process and the structured judgment conclusion, the process further includes:

[0029] For the same cybersecurity incident to be assessed, multiple inference paths are generated. Consistency analysis is performed on the analysis steps of the corresponding inference stages in each inference path to identify the consensus inference steps of each inference stage. Based on the overall consistency level, it is decided whether to regenerate some or all of the inference steps.

[0030] For key facts involved in the reasoning process, pre-set verification tools are invoked to obtain verification results and confidence levels;

[0031] When the verification result conflicts with the analysis content in the explicit step-by-step reasoning process and the confidence level is higher than the preset confidence threshold, the verification result is injected into the original prompt text as the basis for correction, and the step of generating the explicit step-by-step reasoning process and structured judgment conclusion is returned to trigger the preset large model agent to regenerate the corrected explicit step-by-step reasoning process. The original prompt text is either the first prompt text or the second prompt text.

[0032] Integrate the reasoning process and judgment conclusions optimized by double verification to output the final structured judgment result.

[0033] Secondly, this application provides a device for analyzing network security incidents, the device comprising:

[0034] The acquisition module is used to acquire multi-source data related to the cybersecurity incidents to be analyzed.

[0035] The preprocessing module is used to extract entities and perform structured processing on multi-source data to generate structured input data containing attacker Internet Protocol addresses, victim host identifiers, and vulnerability identifiers.

[0036] The prompt generation module is used to retrieve experience examples that match the cybersecurity incident to be analyzed from a preset security domain example library based on structured input data. The experience examples include event input data, thought chain reasoning process based on cybersecurity knowledge, and historical structured analysis conclusions.

[0037] The prompt generation module is also used to generate the first prompt text based on the retrieved experience examples;

[0038] The output module is used to input both structured input data and the first prompt text into a preset large model agent, generating an explicit step-by-step reasoning process and a structured judgment conclusion. The explicit step-by-step reasoning process includes multiple analysis steps, each of which includes a step number, analysis content, and basis annotations. The basis annotations point to the structured input data or preset cybersecurity knowledge, and the analysis content is derived from the basis annotations based on cybersecurity rules or facts. The structured judgment conclusions include event type, security level, and handling recommendations.

[0039] In one possible implementation, the prompt generation module is also used to determine the event type label of the network security event to be assessed based on the structured input data;

[0040] The prompt generation module is also used to filter out candidate experience examples with the same event type tags as the network security event to be analyzed from the preset security domain example library based on the event type tags, and obtain a set of candidate experience examples;

[0041] The prompt generation module is also used to calculate the semantic similarity between the structured input data and the event input data of each candidate experience example in the candidate experience example set, wherein the semantic similarity is calculated based on the overlap of entities and the entity weight weight.

[0042] The prompt generation module is also used to sort each candidate experience example in the candidate experience example set according to semantic similarity, and select the preset number of experience examples with the highest similarity as the matching experience examples.

[0043] In one possible implementation, the prompt generation module is further configured to extract common entities of the same type from the structured input data and the event input data of any candidate experience example, to obtain a set of common entities between the structured input data and any candidate experience example.

[0044] The prompt generation module is also used to assign preset weights to each entity in the common entity set, wherein the weight of the attacker's Internet Protocol address and the weight of the vulnerability identifier are both higher than the weight of the victim host identifier.

[0045] The prompt generation module is also used to calculate local similarity scores for each pair of common entities of the same type corresponding to the event input data of any candidate experience example;

[0046] The prompt generation module is also used to calculate the semantic similarity between the structured input data and the event input data of any candidate experience example through weighted normalization, based on the common entity set, the preset weights of each entity and the corresponding local similarity scores.

[0047] In one possible implementation, the formula for calculating the semantic similarity between the structured input data and the event input data of any candidate experience example using a weighted normalization method, based on the common entity set, the preset weights of each entity, and the corresponding local similarity scores, in the prompt generation module is as follows:

[0048]

[0049] Where Sim represents the semantic similarity between the structured input data and the event input data of any candidate experience example, and E represents the semantic similarity between the structured input data and the event input data of any candidate experience example. common Let e ​​be any common entity in the set of common entities, and Weight(e) be the preset weight of entity e. query e example () represents the local similarity score.

[0050] In one possible implementation, the prompt generation module is further configured to generate a second prompt text based on the structured input data and preset cybersecurity knowledge if no experience example matching the cybersecurity incident to be analyzed is found in the preset security domain example library based on the structured input data. The second prompt text includes a description of security facts related to the cybersecurity incident to be analyzed, a preset analysis step mode, and output format constraints.

[0051] The output module is also used to input both the structured input data and the second prompt text into the preset large model agent to generate an explicit step-by-step reasoning process and a structured judgment conclusion.

[0052] In one possible implementation, the device further includes: a verification module;

[0053] The verification module is used to generate multiple inference paths for the same cybersecurity incident to be analyzed, perform consistency analysis on the analysis steps of the corresponding inference stages in each inference path to identify the consensus inference steps of each inference stage, and decide whether to regenerate some or all of the inference steps based on the overall consistency level.

[0054] The verification module is also used to call preset verification tools to obtain verification results and confidence levels for key facts involved in the reasoning process;

[0055] The verification module is also used to inject the verification result as the basis for correction into the original prompt text when the verification result conflicts with the analysis content in the explicit step-by-step reasoning process and the confidence level is higher than the preset confidence threshold. It then returns the steps of generating the explicit step-by-step reasoning process and the structured judgment conclusion to trigger the preset large model agent to regenerate the corrected explicit step-by-step reasoning process. The original prompt text is either the first prompt text or the second prompt text.

[0056] The output module is also used to integrate the reasoning process and judgment conclusions optimized by double verification, and output the final structured judgment result.

[0057] Thirdly, this application provides an electronic device, including: a processor, and a memory communicatively connected to the processor.

[0058] The memory stores the instructions that the computer executes.

[0059] The processor executes computer execution instructions stored in memory to implement a network security incident assessment method as described in the first aspect of the invention.

[0060] Fourthly, this application provides a computer-readable storage medium storing computer-executable instructions, which, when executed by a processor, are used to implement a method for assessing network security incidents as described in the first aspect of the invention.

[0061] Fifthly, this application provides a computer program product, including a computer program, which, when executed by a processor, is used to implement a method for judging network security incidents as described in the first aspect of the invention.

[0062] Based on the implementation methods provided in the above aspects, this application can be further combined to provide more implementation methods.

[0063] This application provides a method, apparatus, device, medium, and product for assessing cybersecurity incidents, comprising: first, acquiring multi-source data related to the cybersecurity incident to be assessed; then, performing entity extraction and structuring processing on the multi-source data to generate structured input data containing the attacker's Internet Protocol address, the victim's host identifier, and vulnerability identifiers; next, retrieving experience examples matching the cybersecurity incident to be assessed from a preset security domain example library based on the structured input data; then, generating a first prompt text based on the retrieved experience examples; finally, inputting both the structured input data and the first prompt text into a preset large-scale model agent to generate an explicit step-by-step reasoning process and a structured assessment conclusion. The explicit step-by-step reasoning process includes multiple analysis steps, each including a step number, analysis content, and a basis label. The basis label points to the structured input data or preset cybersecurity knowledge, and the analysis content is derived from the basis label based on cybersecurity domain rules or facts. The structured assessment conclusion includes the incident type, security level, and handling recommendations. The following technical effects were achieved: By retrieving historical experience examples matching the current cybersecurity incident to be analyzed from a pre-set security domain example library and converting them into structured first-level prompt text to guide the pre-set large-scale model intelligent agent inference, the knowledge and data-driven capabilities of technical personnel were effectively integrated, significantly reducing the false positive and false negative rates for new or complex attacks and improving the accuracy of the analysis. The generated explicit step-by-step reasoning process clearly includes step numbers, analysis content, and basis labels, making each conclusion traceable to specific input data or pre-set security knowledge. This avoids the problem of the black-box output of traditional large-scale models, meets the requirements of security operations for transparency, verifiability, and recapitulation of the analysis process, and enhances the interpretability and auditability of reasoning. Multi-source data is automatically converted into structured input data and combined with the pre-set large-scale model intelligent agent to achieve end-to-end intelligent analysis, greatly reducing manual intervention. It can quickly complete the analysis tasks that originally required several minutes or even hours for technical personnel, and is suitable for real-time response scenarios of large-scale security incidents, improving the efficiency and automation level of the analysis. Attached Figure Description

[0064] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0065] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application.

[0066] Figure 1A flowchart illustrating a method for assessing network security incidents provided in this application embodiment;

[0067] Figure 2 A schematic diagram of the structure of a network security event analysis device provided in an embodiment of this application;

[0068] Figure 3 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application.

[0069] Figure label:

[0070] 210 - Acquisition module; 220 - Preprocessing module; 230 - Prompt generation module; 240 - Output module; 310 - Processor; 320 - Memory; 330 - Communication component; 340 - Bus. Detailed Implementation

[0071] Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. When the following description relates to the drawings, unless otherwise indicated, the same numbers in different drawings denote the same or similar elements. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this application. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this application as detailed in the appended claims.

[0072] In the embodiments of this application, the terms "first" and "second" are used to distinguish identical or similar items with substantially the same function and effect. Those skilled in the art will understand that the terms "first" and "second" do not limit the quantity or execution order, and that "first" and "second" do not necessarily imply difference. It should be noted that in the embodiments of this application, the words "exemplary" or "for example" are used to indicate that something is being used as an example, illustration, or description. Any embodiment or design scheme described as "exemplary" or "for example" in this application should not be construed as being better or more advantageous than other embodiments or design schemes. Specifically, the use of "exemplary" or "for example" is intended to present the relevant concepts in a concrete manner. In the embodiments of this application, "at least one" refers to one or more, and "more than one" refers to two or more.

[0073] It should be noted that the phrase "at...time" in the embodiments of this application can refer to the instant at which a certain situation occurs, or to a period of time after the occurrence of a certain situation; the embodiments of this application do not specifically limit this. Furthermore, the method for judging network security events provided in the embodiments of this application is merely an example; a method for judging network security events may include more or fewer elements.

[0074] In today's digital age, cyberattacks are becoming increasingly complex and covert, and the number of cybersecurity incidents is exploding. As a crucial link in ensuring the stable operation of information systems, data security, and user privacy, rapid and accurate assessment of cybersecurity incidents has become a core task in ensuring cybersecurity.

[0075] Currently, in the field of cybersecurity incident analysis, existing technologies mainly cover the following three types of methods:

[0076] Firstly, there is the reliance on manual analysis based on the experience of technical personnel. This method primarily depends on technical personnel using their professional knowledge to interpret and analyze various types of information such as network logs and traffic data to arrive at a judgment. However, this method is highly dependent on the individual abilities and experience of technical personnel, and the analysis process is time-consuming, making it difficult to meet the needs of rapid judgment in large-scale cybersecurity incidents. Furthermore, due to the subjectivity of manual analysis, the accuracy and consistency of the judgment results are difficult to guarantee effectively.

[0077] Secondly, there is matching based on preset rules or traditional models. This involves pre-building an attack signature database or using simple machine learning models to match the characteristics of cybersecurity events with preset rules or models to determine the nature of the event. However, this method has significant limitations. As cyberattack methods continue to evolve and innovate, preset rules and models struggle to comprehensively cover all possible attack signatures, leading to insufficient ability to identify newly emerging attack types and a high risk of missed or false positives, thus affecting the accuracy of the assessment.

[0078] Third, large models can be directly invoked for end-to-end analysis. Large models possess powerful natural language processing capabilities and flexible adaptability, enabling them to handle security events described in natural language, thus improving analysis efficiency to some extent. However, the reasoning process of large models often lacks interpretability, making it difficult for users to understand how the conclusions are reached. This has become a significant factor restricting their widespread application in scenarios with high security and reliability requirements, such as finance and healthcare.

[0079] Therefore, existing technologies struggle to simultaneously achieve efficiency, accuracy, and interpretability in practical applications, failing to meet the increasingly complex demands of cybersecurity protection. Consequently, a new method for cybersecurity incident analysis is urgently needed to address these shortcomings of existing technologies.

[0080] Based on this, embodiments of this application propose a method, apparatus, device, medium, and product for assessing network security incidents, applicable to the field of network security technology, aiming to solve the aforementioned technical problems of existing technologies. By constructing a customized thought chain prompting mechanism in the security domain, firstly, entity extraction and structuring processing are performed on multi-source data to generate structured input data containing the attacker's Internet Protocol address, the victim's host identifier, and vulnerability identifiers. Then, experience examples matching the network security incident to be assessed are retrieved from a preset security domain example library. Based on the retrieval results, a first prompt text is generated, and the first prompt text and the structured input data are input together into a preset large-scale model agent, driving it to output an explicit step-by-step reasoning process and a structured assessment conclusion. Each reasoning step includes a step number, analysis content, and a basis label. The basis label points to the structured input data or preset network security knowledge, and the analysis content is derived from the basis label based on network security domain rules or factual logic. Therefore, this application significantly improves the accuracy of identifying new attacks and the interpretability of the reasoning process while ensuring assessment efficiency.

[0081] The technical solution of this application and how the technical solution of this application solves the above-mentioned technical problems are described in detail below with specific embodiments. These specific embodiments can be combined with each other, and the same or similar concepts or processes may not be described again in some embodiments. The embodiments of this application will now be described with reference to the accompanying drawings.

[0082] Figure 1 This is a flowchart illustrating a method for assessing network security incidents provided in this application. The executing entity in this embodiment can be a data processing server or other devices with data processing and storage capabilities, such as laptops, personal computers, security gateways, cloud virtual machines, etc. The data processing server can be an independent physical server, a server cluster or distributed system composed of multiple physical servers, or a cloud server, etc., without specific limitations. For ease of description, this application embodiment uniformly describes the executing entity of a method for assessing network security incidents as a server. Figure 1 As shown, the method includes:

[0083] S101. Obtain multi-source data related to the cybersecurity incident to be analyzed.

[0084] In this embodiment of the application, a method for assessing network security incidents can be executed by an intelligent assessment server deployed in a Security Operations Center (SOC). This server may include a processor, memory, a communication interface, and a pre-defined large-scale model agent, such as a security domain large-scale language model finely tuned based on an existing large-scale language model architecture. The memory also stores a pre-defined security domain example library and a network security knowledge base, such as a Common Vulnerabilities and Exposures (CVE) vulnerability library, a MITRE ATT&CK tactical knowledge graph, and internal asset ledgers.

[0085] Specifically, multi-source data can come from multiple security devices or systems, including but not limited to network logs, network traffic data, threat intelligence, and event description text.

[0086] Network logs can originate from logs generated by firewalls, intrusion detection systems (IDS), or intrusion prevention systems (IPS), including alarm logs and endpoint logs.

[0087] Network traffic data can include raw packet capture records or aggregated session-level traffic summaries, containing information such as the Internet Protocol (IP) addresses, port numbers, transport protocol types, and number of bytes transmitted between the communicating parties. It can be a Packet Capture (PCAP) packet or a session-level traffic summary, containing source / destination Internet Protocol (IP) addresses, ports, and number of bytes, such as IP communication traffic.

[0088] Threat intelligence (TI) can come from commercial threat intelligence platforms or open-source intelligence channels, including but not limited to IP address reputation, domain blacklists, and attack file hashes. Examples include Common Vulnerabilities and Exposures (CVE) vulnerability information.

[0089] The event description text can be a natural language summary generated by the security alert system or a description of anomalies reported manually. For example, it could be the detection of an external host launching a large number of brute-force attacks on the internal network using the Secure Shell (SSH) protocol.

[0090] The aforementioned multi-source data can be aggregated to the server in real time through an Application Programming Interface (API), a message queue (Kafka), or a log collection agent for the purpose of analyzing cybersecurity incidents.

[0091] S102. Perform entity extraction and structured processing on multi-source data to generate structured input data containing attacker's Internet Protocol address, victim host identifier, and vulnerability identifier.

[0092] Specifically, the server can call a pre-built entity recognition module, which can extract three core security entities from multi-source data based on rule templates or the Named Entity Recognition (NER) model: attacker IP address, victim host ID, and vulnerability ID.

[0093] The attacker's Internet Protocol address is used to identify the source of the attack. The victim host identifier can be a hostname, a Media Access Control (MAC) address, or an internal asset number, used to locate the affected asset. The vulnerability identifier can adopt a standard vulnerability numbering system, such as a standardized CVE number.

[0094] By integrating these three types of entities, structured input data can be generated. For example, it can be represented in a lightweight data exchange (JavaScript Object Notation, JSON) format to form structured input data in a unified format, which is convenient for subsequent machine processing and comparison.

[0095] S103. Based on the structured input data, retrieve experience examples that match the cybersecurity incident to be assessed from the preset security domain example library.

[0096] In this application's embodiments, the empirical examples include event input data, the thought chain reasoning process based on cybersecurity knowledge, and historical structured judgment conclusions.

[0097] Specifically, the pre-defined security domain example library is stored in a local database or vector index system. Each experience example is a triple structure, including: event input data, a thought chain reasoning process based on network security knowledge, and historical structured judgment conclusions.

[0098] The event input data consists of structured input of historical events, such as in JSON format. The thought chain reasoning process refers to step-by-step reasoning of the text, for example: Step 1, an attacker was detected exploiting a CVE vulnerability; Step 2, this CVE vulnerability allows remote code execution, posing an extremely high risk; Step 3, the victim host is a database server, with a wide impact. Historical structured analysis conclusions include the corresponding event type (e.g., remote vulnerability exploitation), security level (e.g., first security level), and remedial recommendations (e.g., immediately isolating the host and patching it).

[0099] In other words, the server can retrieve experience examples matching the current cybersecurity incident to be analyzed from a pre-built security domain example library based on the generated structured input data. The pre-built security domain example library is a pre-constructed knowledge base that stores a large number of historical cybersecurity incident analysis cases. Each experience example contains three components: first, the structured input data corresponding to that historical event; second, the thought process written by technical personnel based on cybersecurity knowledge, which clearly demonstrates the logical derivation path from the original facts to the analysis conclusion in a step-by-step manner; and third, the final structured analysis conclusion for that historical event, including standardized fields such as event type, security level, and handling recommendations.

[0100] S104. Generate the first prompt text based on the retrieved experience examples.

[0101] Specifically, after retrieving one or more highly relevant experience examples, the server can generate a first prompt text based on these retrieved experience examples. This first prompt text is organized in natural language, arranging the retrieved experience examples according to the logical structure of input, reasoning, and conclusion, and attaching guiding instructions that explicitly require the pre-defined large model agent to follow an explicit, step-by-step, and traceable reasoning pattern when generating judgment results.

[0102] S105. Input both the structured input data and the first prompt text into the preset large model agent to generate an explicit step-by-step reasoning process and a structured judgment conclusion.

[0103] In this embodiment of the application, the explicit step-by-step reasoning process includes multiple analysis steps. Each analysis step includes a step number, analysis content, and basis annotations. The basis annotations point to structured input data or preset network security knowledge. The analysis content is derived from the basis annotations based on network security rules or facts. The structured judgment conclusions include event type, security level, and handling recommendations.

[0104] Specifically, the server can input the aforementioned generated structured input data and the first prompt text into a pre-defined large-scale intelligent agent. This pre-defined large-scale intelligent agent is a language model fine-tuned with security domain knowledge, possessing the ability to understand cybersecurity contexts and perform structured reasoning. After receiving the input structured input data and the first prompt text, the pre-defined large-scale intelligent agent can output two parts.

[0105] One approach is an explicit step-by-step reasoning process, which consists of multiple ordered analysis steps. Each step includes a step number, specific analysis content, and clear basis annotations. The basis annotations point to specific fields in the structured input data or pre-defined cybersecurity knowledge (such as vulnerability severity scores, attack tactic classifications, etc.), while the analysis content must be strictly based on these basis, logically deduced according to generally accepted rules or objective facts in the cybersecurity field.

[0106] Secondly, there is the structured assessment conclusion, which can be presented in a standardized form, including at least the event type, security level, and specific handling recommendations.

[0107] Specifically, the incident type can be remote vulnerability exploitation, brute-force attack attempts, etc. The security level can be Security Level 1, Security Level 2, Security Level 3, or Security Level 4, with the danger decreasing progressively from Security Level 1 to Security Level 4. Specific handling recommendations include immediately isolating the victim host, blocking the attack source IP, or installing official patches.

[0108] By using the above method, this embodiment can combine the experience and structured knowledge of technical personnel with the reasoning ability of large models, which not only improves the automation level and response speed of network security incident assessment, but also ensures the transparency, logical rigor and auditability of the reasoning process and the results, effectively solving the problem that it is difficult to balance assessment efficiency, accuracy and interpretability in the existing technology.

[0109] This embodiment provides a method for assessing network security incidents. First, multi-source data related to the network security incident to be assessed is acquired. Then, entity extraction and structuring processing are performed on the multi-source data to generate structured input data containing the attacker's Internet Protocol address, the victim's host identifier, and vulnerability identifiers. Next, based on the structured input data, experience examples matching the network security incident to be assessed are retrieved from a preset security domain example library. Then, a first prompt text is generated based on the retrieved experience examples. Finally, both the structured input data and the first prompt text are input into a preset large-scale model agent to generate an explicit step-by-step reasoning process and a structured assessment conclusion. The explicit step-by-step reasoning process includes multiple analysis steps. Each analysis step includes a step number, analysis content, and basis annotations. The basis annotations point to the structured input data or preset network security knowledge, and the analysis content is derived from the basis annotations based on network security domain rules or facts. The structured assessment conclusion includes the event type, security level, and handling recommendations.

[0110] The following technical effects were achieved: By retrieving historical experience examples matching the current cybersecurity incident to be analyzed from a pre-set security domain example library and converting them into structured first-level prompt text to guide the pre-set large-scale model intelligent agent inference, the knowledge and data-driven capabilities of technical personnel were effectively integrated, significantly reducing the false positive and false negative rates for new or complex attacks and improving the accuracy of the analysis. The generated explicit step-by-step reasoning process clearly includes step numbers, analysis content, and basis labels, making each conclusion traceable to specific input data or pre-set security knowledge. This avoids the problem of the black-box output of traditional large-scale models, meets the requirements of security operations for transparency, verifiability, and recapitulation of the analysis process, and enhances the interpretability and auditability of reasoning. Multi-source data is automatically converted into structured input data and combined with the pre-set large-scale model intelligent agent to achieve end-to-end intelligent analysis, greatly reducing manual intervention. It can quickly complete the analysis tasks that originally required several minutes or even hours for technical personnel, and is suitable for real-time response scenarios of large-scale security incidents, improving the efficiency and automation level of the analysis. The mandatory requirement that analytical content be derived from cybersecurity rules or objective facts based on annotations effectively suppresses the illusions of large models or unfounded inferences, ensuring that the judgment conclusions conform to professional logic and practical knowledge in the security field, and guaranteeing logical rigor and domain compliance. Structured judgment conclusions are output in a unified format (such as event type, security level, and handling recommendations), facilitating integration with existing Security Orchestration, Automation and Response (SOAR) systems. This enables automated execution and closed-loop handling of judgment results, thereby supporting system integration through standardized output.

[0111] In one possible implementation, based on structured input data, experience examples matching the cybersecurity event to be assessed are retrieved from a preset security domain example library. This includes: determining the event type label of the cybersecurity event to be assessed based on the structured input data; selecting candidate experience examples with the same event type label as the cybersecurity event to be assessed from the preset security domain example library based on the event type label, thus obtaining a candidate experience example set; calculating the semantic similarity between the structured input data and the event input data of each candidate experience example in the candidate experience example set, wherein the semantic similarity is calculated based on the overlap of entities and entity weights; sorting each candidate experience example in the candidate experience example set according to the semantic similarity, and selecting a preset number of experience examples with the highest similarity as the matching experience examples.

[0112] Specifically, firstly, the server can automatically determine the event type tag of the network security event to be analyzed based on key entity information contained in the structured input data, such as the attacker's Internet Protocol address, the victim's host identifier, and vulnerability identifiers, combined with a pre-built network security knowledge system (such as MITREATT&CK attack tactic classifications, common vulnerability exploitation patterns, or historical event tag libraries). For example, if the structured input data contains high-frequency SSH login failure records without valid vulnerability identifiers, its event type tag can be determined as a brute-force attack attempt. If it contains known remote code execution vulnerability identifiers (such as CVE numbers) and abnormal connection behavior from external IPs to internal hosts, the event type tag can be marked as a remote vulnerability exploit.

[0113] Secondly, the server can use the identified event type tags to perform initial screening from a pre-defined security domain example library. This library stores a large number of historical cybersecurity event cases verified by technical personnel, each case labeled with a corresponding event type tag. The server can retain only historical cases with the same event type tags as the current cybersecurity event to be analyzed, forming a smaller set of candidate experience examples, thereby effectively narrowing the scope of subsequent comparisons and improving retrieval efficiency.

[0114] Subsequently, the server can calculate the semantic similarity between the event input data and the current structured input data for each candidate experience example in the candidate experience example set. This semantic similarity does not simply rely on string matching, but comprehensively considers the overlap of the same type of entities in the two types of input data, and introduces a preset entity weighting mechanism for weighted calculation. Specifically, different types of entities have different importance in the judgment. Attacker's Internet Protocol address and vulnerability identifier usually play a decisive role in the characterization of the event, so they can be given higher weights. While victim host identifiers are helpful in locating the scope of impact, they have a relatively small impact on judging the nature of the attack, so their weights can be relatively lower. In the calculation process, for each pair of common entities of the same type (such as two IP addresses or two CVE numbers), their local similarity is first analyzed (e.g., a score of 1 when they are completely identical, otherwise 0, or a continuous value is given based on naming similarity), and then combined with the preset weight of the entity, the overall semantic similarity is finally obtained through weighted normalization.

[0115] Finally, based on the calculated semantic similarity, all candidate examples in the candidate experience example set are sorted in descending order, and a predetermined number of experience examples with the highest similarity (e.g., the top 3 or top 5) are selected as the final matched experience examples. These matched experience examples will be used to generate subsequent prompt text, providing high-quality and highly relevant reasoning references for the pre-defined large model agent, thereby ensuring that the judgment results are both close to historical practice and adapted to the specific characteristics of the current event.

[0116] Through the above-mentioned multi-level screening and weighted similarity calculation mechanism, this implementation method can efficiently and accurately locate the most relevant experience examples in a large number of historical cases, significantly improving the pertinence and reliability of subsequent intelligent judgment.

[0117] In one possible implementation, calculating the semantic similarity between the structured input data and the event input data of each candidate experience example in the candidate experience example set includes: extracting common entities of the same type from the structured input data and the event input data of any candidate experience example to obtain a set of common entities between the structured input data and any candidate experience example; assigning preset weights to each entity in the set of common entities, wherein the weights of the attacker's Internet Protocol address and the vulnerability identifier are both higher than the weight of the victim's host identifier; calculating a local similarity score for each pair of common entities of the same type corresponding to the event input data of the structured input data and any candidate experience example; and calculating the semantic similarity between the structured input data and the event input data of any candidate experience example using a weighted normalization method based on the set of common entities, the preset weights of each entity, and the corresponding local similarity scores.

[0118] Specifically, for the structured input data of the current cybersecurity incident to be analyzed and the event input data of any candidate experience example, the server can compare the entity fields contained in each item to identify entities of the same type that exist in both sets of data, thereby extracting the common entity set between the two. For example, if the current input contains the attacker's Internet Protocol address, the victim's host identifier, and the vulnerability identifier, and the specific candidate example contains the same attacker's Internet Protocol address and the same vulnerability identifier, then the common entity is the attacker's Internet Protocol address and the vulnerability identifier, constituting the common entity set of the pair of data.

[0119] Secondly, the server can assign preset weights to each entity in this common entity set. These weights reflect the relative importance of different entities in network security incident analysis and can be pre-set and embedded in the system by technical personnel based on practical experience. Among these, attacker internet address and vulnerability identifier can be assigned higher weights because the former directly relates to the traceability of the attack source, while the latter determines the technical path and severity of the attack. In contrast, while victim host identifiers are helpful in analyzing the scope of impact, their role in determining the nature of the attack is relatively minor, and therefore they can be assigned lower weights. For example, the attacker internet address weight can be set to 0.5, the vulnerability identifier weight to 0.4, and the victim host identifier weight to 0.1 (the sum of each weight is 1 or proportionally normalized).

[0120] Next, for each pair of entities of the same type in the common entity set, their local similarity scores are calculated. For discrete identifier entities (such as IP addresses and CVE numbers), if they are completely identical, the local similarity score is 1; otherwise, the score is 0. For entities that can be fuzzily matched (such as hostnames or asset tags), string similarity algorithms, such as edit distance or Jaccard similarity coefficients, can also be used to calculate a continuous score between 0 and 1. This local similarity score is used to quantify the semantic or value-level proximity of two entities.

[0121] Finally, by combining the aforementioned set of common entities, the preset weights of each entity, and the local similarity scores of each pair of entities, the overall semantic similarity is calculated using a weighted normalization method. Specifically, the local similarity scores of each common entity are multiplied by its weight, summed, and then divided by the sum of the weights of all involved entities (or the maximum possible sum of weights) to eliminate bias caused by differences in the number of entities, ultimately yielding a standardized semantic similarity value between 0 and 1. The higher this semantic similarity value, the more similar the current cybersecurity event to be assessed is to candidate experience examples in key security elements, and the more suitable it is as a reference for inference.

[0122] In one possible implementation, the formula for calculating the semantic similarity between the structured input data and the event input data of any candidate experience example using a weighted normalization method, based on the common entity set, the preset weights of each entity, and the corresponding local similarity scores, is as follows:

[0123]

[0124] Where Sim represents the semantic similarity between the structured input data and the event input data of any candidate experience example, and E represents the semantic similarity between the structured input data and the event input data of any candidate experience example. common Let e ​​be any common entity in the set of common entities, and Weight(e) be the preset weight of entity e. query e example () represents the local similarity score.

[0125] Through the refined similarity calculation mechanism described above, this implementation method can effectively distinguish the contributions of entities in different dimensions, avoid misjudgments caused by simple matching, and thus provide a reliable basis for the accurate selection of subsequent experience examples.

[0126] In one possible implementation, the method further includes: if no experience example matching the cybersecurity incident to be analyzed is found in the preset security domain example library based on the structured input data, then a second prompt text is generated based on the structured input data and preset cybersecurity knowledge. The second prompt text includes a description of security facts related to the cybersecurity incident to be analyzed, a preset analysis step mode, and output format constraints. Both the structured input data and the second prompt text are input into a preset large model agent to generate an explicit step-by-step reasoning process and a structured analysis conclusion.

[0127] Specifically, this embodiment also includes a zero-sample analysis and processing mechanism for unknown or novel cybersecurity events.

[0128] Specifically, after searching the pre-defined security domain example library based on structured input data, if no experience example matching the cybersecurity incident to be analyzed is found (for example, because the incident involves attack methods not yet included, new vulnerability exploitation methods, or rare combination features, resulting in insufficient similar historical cases), the server can automatically trigger the zero-sample inference mode.

[0129] In this mode, the server no longer relies on historical experience examples. Instead, it automatically generates a second warning text based on current structured input data (including attacker's Internet Protocol address, victim host identifier, and vulnerability identifier) ​​and a pre-built cybersecurity knowledge base, such as the Common Vulnerability Scoring System (CVSS), the MITRE ATT&CK attack tactical framework, and a rule base for common attack patterns. This second warning text contains three core components: a description of the security facts, a preset analysis procedure pattern, and output format constraints.

[0130] The security fact description refers to the objective statement of the key elements of the current cybersecurity incident to be assessed, which may include the attack source IP address, target host identifier, and vulnerability identifier. The pre-defined analysis procedure pattern refers to a standard reasoning pattern pre-defined by technical personnel, which can explicitly require the pre-defined large-scale model agent to perform step-by-step reasoning in the logical order of first identifying the attack type, then analyzing the vulnerability exploitability, then determining the scope of impact, and finally determining the risk level. Output format constraints refer to the structured requirements for the final output content. For example, the reasoning process must include step numbers, analysis content, and basis annotations, and the assessment conclusion must include the event type, security level, and handling recommendation fields in JSON format.

[0131] Subsequently, the server can input the generated structured input data and the second prompt text together into the preset large model agent. After receiving the structured input data and the second prompt text, the preset large model agent can, based on the security fact description, preset analysis step mode, and output format constraints in the second prompt text, and combined with its own language understanding and logic generation capabilities, output an explicit step-by-step reasoning process and structured judgment conclusion that meet the requirements.

[0132] Each reasoning step must clearly cite the basis (e.g., "Based on the CVSS score of the vulnerability identifier in the structured input data being 9.8, it belongs to a high-risk remote code execution vulnerability") to ensure that the reasoning chain is traceable and verifiable.

[0133] Through this mechanism, this embodiment effectively expands the applicable boundaries of the judgment method, enabling it not only to efficiently reuse historical experience to handle known attacks, but also to rely on domain knowledge to conduct reliable and interpretable autonomous reasoning when facing unknown threats, significantly improving the adaptability and judgment stability to new or zero-day attack events.

[0134] In one possible implementation, after generating the explicit step-by-step reasoning process and structured judgment conclusion, the process further includes: generating multiple reasoning paths for the same cybersecurity event to be judged; performing consistency analysis on the analysis steps of the corresponding reasoning stages in each reasoning path to identify consensus reasoning steps in each reasoning stage; and determining whether to regenerate some or all reasoning steps based on the overall consistency level; for key facts involved in the reasoning process, calling a preset verification tool to obtain verification results and confidence levels; when the verification results conflict with the analysis content in the explicit step-by-step reasoning process and the confidence level is higher than a preset confidence threshold, injecting the verification results as a correction basis into the original prompt text, and returning to the steps of generating the explicit step-by-step reasoning process and structured judgment conclusion to trigger the preset large model agent to regenerate the corrected explicit step-by-step reasoning process, with the original prompt text being the first prompt text or the second prompt text; and integrating the reasoning process and judgment conclusion optimized by double verification to output the final structured judgment result.

[0135] Specifically, after generating the explicit step-by-step reasoning process and structured judgment conclusions, this embodiment further introduces a dual verification optimization mechanism to improve the reliability, logical consistency, and factual accuracy of the judgment results. This mechanism includes two dimensions: self-consistency verification and external tool-assisted verification.

[0136] First, in the self-consistency verification phase, multiple independent inference paths can be generated in parallel for the same cybersecurity event to be analyzed. Each inference path is generated multiple times by a pre-defined large model agent under the same input (structured input data and original prompt text), thereby obtaining diverse inference attempts. Subsequently, consistency analysis is performed on the analysis steps in each inference path that are at the same inference stage (such as the vulnerability exploitability analysis stage or the attack impact scope determination stage).

[0137] Specifically, all steps in the same stage can be considered as a set. Semantic comparison is used to identify content with similar expressions and logical equivalence, and these are then clustered into consistent clusters and noisy clusters. If a stage has a majority of similar steps, it is considered a consensus reasoning step for that stage; otherwise, it is marked as a low-consistency stage.

[0138] Based on the consensus level at each stage, the consistency level of the overall reasoning chain is calculated. If the consistency level is high, the current reasoning result is retained; if the consensus level at some stages is insufficient, only the reasoning steps at that stage are regenerated; if the overall consistency is too low, the regeneration of all reasoning paths is triggered to ensure that the output logic is stable and the conclusion is reliable.

[0139] Secondly, during the external tool-assisted verification phase, the focus can be on key facts involved in the reasoning process, actively invoking pre-set external verification tools for objective verification. These key facts include, but are not limited to: the existence and exploitability of vulnerabilities (e.g., by querying the CVE database), whether the attack source IP has a poor reputation (e.g., by calling a threat intelligence platform API), and whether the host asset attributes are accurate (e.g., by accessing the internal configuration management database asset ledger). Each verification tool returns two parts of information: a verification conclusion (e.g., existence, non-existence, or uncertainty) and a confidence level of that conclusion (ranging from 0 to 1, reflecting the authority and timeliness of the data source). When the verification conclusion conflicts with the analysis content in the reasoning step (e.g., a pre-set large-scale model agent infers that a specific vulnerability can be exploited remotely, but the official announcement clearly states that it is only for local exploitation), and the confidence level of the verification result is higher than a pre-set confidence threshold (e.g., 0.9), it can be determined that there is a factual error in that reasoning step.

[0140] At this point, the verification result can be used as a correction basis and dynamically injected into the original prompt text used to generate the current inference. The original prompt text may be either the first prompt text (generated based on experiential examples) or the second prompt text (generated based on zero-sample knowledge), depending on the context. The corrected prompt text explicitly includes instructions such as "Note: Verification by the tool shows that the first fact is false; the actual situation is the second fact," to guide the pre-set large-scale model agent to correct errors in subsequent inference. Subsequently, the process returns to the step of generating the explicit step-by-step inference process and structured judgment conclusions, and the pre-set large-scale model agent is invoked again to regenerate the inference chain based on the corrected prompt text, thereby achieving closed-loop error correction.

[0141] Ultimately, the server can integrate the reasoning process and judgment conclusions optimized by the aforementioned dual verification mechanism to form the final structured judgment result. This final structured judgment result is not only logically consistent and multi-path consistent, but also has key facts verified by external authoritative data sources, significantly improving the credibility, auditability, and practical usability of the judgment output.

[0142] This application embodiment can divide an electronic device or main control device into functional modules according to the above method examples. For example, each function can be divided into its own functional modules, or two or more functions can be integrated into one processing unit. The integrated unit can be implemented in hardware or as a software functional module. It should be noted that the module division in this embodiment is illustrative and only represents one logical functional division; in actual implementation, there may be other division methods.

[0143] Figure 2 This is a schematic diagram of a network security incident analysis device provided in an embodiment of this application. Figure 2As shown, the device includes: an acquisition module 210, a preprocessing module 220, a prompt generation module 230, and an output module 240.

[0144] The acquisition module 210 is used to acquire multi-source data related to the network security incident to be analyzed.

[0145] The preprocessing module 220 is used to extract entities and perform structured processing on multi-source data to generate structured input data containing attacker Internet Protocol addresses, victim host identifiers, and vulnerability identifiers.

[0146] The prompt generation module 230 is used to retrieve experience examples that match the cybersecurity incident to be analyzed from a preset security domain example library based on structured input data. The experience examples include event input data, reasoning process based on cybersecurity knowledge, and historical structured analysis conclusions.

[0147] The prompt generation module 230 is also used to generate the first prompt text based on the retrieved experience examples.

[0148] The output module 240 is used to input both the structured input data and the first prompt text into the preset large model agent to generate an explicit step-by-step reasoning process and a structured judgment conclusion. The explicit step-by-step reasoning process includes multiple analysis steps. Each analysis step includes a step number, analysis content, and basis label. The basis label points to the structured input data or preset network security knowledge. The analysis content is derived from the basis label based on network security rules or facts. The structured judgment conclusion includes the event type, security level, and handling recommendations.

[0149] In one possible implementation, the prompt generation module 230 is also used to determine the event type label of the network security event to be assessed based on the structured input data.

[0150] The prompt generation module 230 is also used to filter out candidate experience examples with the same event type tags as the network security event to be assessed from the preset security domain example library according to the event type tags, and obtain a set of candidate experience examples.

[0151] The prompt generation module 230 is also used to calculate the semantic similarity between the structured input data and the event input data of each candidate experience example in the candidate experience example set, wherein the semantic similarity is calculated based on the overlap of entities and the entity weight weight.

[0152] The prompt generation module 230 is also used to sort each candidate experience example in the candidate experience example set according to semantic similarity, and select the preset number of experience examples with the highest similarity as the matching experience examples.

[0153] In one possible implementation, the prompt generation module 230 is further configured to extract common entities of the same type from the structured input data and the event input data of any candidate experience example, to obtain a set of common entities between the structured input data and any candidate experience example.

[0154] The prompt generation module 230 is also used to assign preset weights to each entity in the common entity set, wherein the weight of the attacker's Internet Protocol address and the weight of the vulnerability identifier are both higher than the weight of the victim host identifier.

[0155] The prompt generation module 230 is also used to calculate a local similarity score for each pair of common entities of the same type corresponding to the event input data of any candidate experience example.

[0156] The prompt generation module 230 is also used to calculate the semantic similarity between the structured input data and the event input data of any candidate experience example through weighted normalization based on the common entity set, the preset weights of each entity and the corresponding local similarity scores.

[0157] In one possible implementation, the prompt generation module 230 calculates the semantic similarity between the structured input data and the event input data of any candidate experience example using a weighted normalization method, based on the common entity set, the preset weights of each entity, and the corresponding local similarity scores:

[0158]

[0159] Where Sim represents the semantic similarity between the structured input data and the event input data of any candidate experience example, and E represents the semantic similarity between the structured input data and the event input data of any candidate experience example. common Let e ​​be any common entity in the set of common entities, and Weight(e) be the preset weight of entity e. query e example () represents the local similarity score.

[0160] In one possible implementation, the prompt generation module 230 is further configured to generate a second prompt text based on the structured input data and preset cybersecurity knowledge if no experience example matching the cybersecurity incident to be analyzed is retrieved from the preset security domain example library based on the structured input data. The second prompt text includes a description of security facts related to the cybersecurity incident to be analyzed, a preset analysis step mode, and output format constraints.

[0161] The output module 240 is also used to input both the structured input data and the second prompt text into the preset large model agent to generate an explicit step-by-step reasoning process and a structured judgment conclusion.

[0162] In one possible implementation, the device further includes a verification module.

[0163] The verification module is used to generate multiple inference paths for the same cybersecurity incident to be analyzed, perform consistency analysis on the analysis steps of the corresponding inference stages in each inference path to identify the consensus inference steps of each inference stage, and decide whether to regenerate some or all of the inference steps based on the overall consistency level.

[0164] The verification module is also used to call preset verification tools to obtain verification results and confidence levels for key facts involved in the reasoning process.

[0165] The verification module is also used to inject the verification result as the basis for correction into the original prompt text when the verification result conflicts with the analysis content in the explicit step-by-step reasoning process and the confidence level is higher than the preset confidence threshold. It then returns the steps of generating the explicit step-by-step reasoning process and the structured judgment conclusion to trigger the preset large model agent to regenerate the corrected explicit step-by-step reasoning process. The original prompt text is either the first prompt text or the second prompt text.

[0166] The output module 240 is also used to integrate the reasoning process and judgment conclusions optimized by double verification, and output the final structured judgment result.

[0167] This embodiment provides a network security event assessment device that can execute a network security event assessment method described in the above embodiment. Its implementation principle and technical effects are similar, and will not be repeated here.

[0168] In the specific implementation of the aforementioned network security incident assessment device, each module can be implemented as a processor. The processor can execute computer execution instructions stored in the memory, thereby enabling the processor to execute the aforementioned network security incident assessment method.

[0169] Figure 3 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. Figure 3 As shown, the electronic device includes at least one processor 310 and a memory 320. The electronic device also includes a communication component 330. The processor 310, memory 320, and communication component 330 are connected via a bus 340.

[0170] In the specific implementation process, at least one processor 310 executes computer execution instructions stored in memory 320, causing at least one processor 310 to execute a network security event assessment method as executed on the electronic device side.

[0171] The specific implementation process of processor 310 can be found in the above method embodiments, and its implementation principle and technical effect are similar. It will not be repeated here.

[0172] In the above embodiments, it should be understood that the processor can be a Central Processing Unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), etc. The general-purpose processor can be a microprocessor or any conventional processor. The steps of the method disclosed in this invention can be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules within the processor.

[0173] The memory may include high-speed RAM, and may also include non-volatile storage (NVM), such as at least one disk storage.

[0174] The bus can be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, or an Extended Industry Standard Architecture (EISA) bus, etc. Buses can be categorized as address buses, data buses, control buses, etc. For ease of illustration, the buses shown in the accompanying drawings are not limited to a single bus or a single type of bus.

[0175] The above description of the functions implemented by electronic devices and main control devices has introduced the solutions provided by the embodiments of the present invention. It is understood that, in order to implement the above functions, the electronic device or main control device includes hardware structures and / or software modules corresponding to the execution of each function. By combining the units and algorithm steps of the various examples described in the embodiments of the present invention, the embodiments of the present invention can be implemented in hardware or a combination of hardware and computer software. Whether a function is executed by hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of the technical solutions of the embodiments of the present invention.

[0176] This application also provides a computer-readable storage medium storing computer-executable instructions, which, when executed by a processor, are used to implement the above-mentioned method for assessing network security incidents.

[0177] The aforementioned readable storage medium can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic storage, flash memory, magnetic disk, or optical disk. The readable storage medium can be any available medium accessible to a general-purpose or special-purpose computer.

[0178] An exemplary readable storage medium is coupled to a processor, enabling the processor to read information from and write information to the readable storage medium. Of course, the readable storage medium can also be a component of the processor. The processor and the readable storage medium can reside in an Application Specific Integrated Circuit (ASIC). Alternatively, the processor and the readable storage medium can exist as discrete components in an electronic device or a host device.

[0179] This application also provides a computer program product, which includes a computer program stored in a readable storage medium. At least one processor of an electronic device can read the computer program from the readable storage medium, and the at least one processor executes the computer program to cause the electronic device to perform the solution provided in the above embodiments.

[0180] Those skilled in the art will understand that all or part of the steps of the above method embodiments can be implemented by hardware related to program instructions. The aforementioned program can be stored in a computer-readable storage medium. When the program is executed, it performs the steps of the above method embodiments; and the aforementioned storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disk, or optical disk.

[0181] The technical solutions of this application have been described above with reference to the preferred embodiments shown in the accompanying drawings. However, it is readily understood by those skilled in the art that the scope of protection of this application is obviously not limited to these specific embodiments. The above embodiments are only used to illustrate the technical solutions of this application and are not intended to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some or all of the technical features therein. These modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of this application.

Claims

1. A method for analyzing network security incidents, characterized in that, include: Acquire multi-source data related to the cybersecurity incidents to be analyzed; The multi-source data is subjected to entity extraction and structured processing to generate structured input data containing attacker Internet Protocol address, victim host identifier and vulnerability identifier; Based on the structured input data, retrieve experience examples that match the cybersecurity incident to be assessed from a preset security domain example library; Generate the first prompt text based on the retrieved experience examples; The structured input data and the first prompt text are both input into a preset large model agent to generate an explicit step-by-step reasoning process and a structured judgment conclusion.

2. The method according to claim 1, characterized in that, The step of retrieving experience examples matching the cybersecurity incident to be assessed from a preset security domain example library based on the structured input data includes: Based on the structured input data, determine the event type label of the network security event to be analyzed; Based on the event type label, candidate experience examples with the same event type label as the network security event to be assessed are selected from the preset security domain example library to obtain a set of candidate experience examples; Calculate the semantic similarity between the structured input data and the event input data of each candidate experience example in the candidate experience example set, wherein the semantic similarity is calculated based on the overlap of entities and the entity weight weight. The candidate experience examples in the candidate experience example set are sorted according to the semantic similarity, and a preset number of experience examples with the highest similarity are selected as the matched experience examples.

3. The method according to claim 2, characterized in that, The calculation of the semantic similarity between the structured input data and the event input data of each candidate experience example in the candidate experience example set includes: Extract common entities of the same type from the structured input data and the event input data of any candidate experience example to obtain a set of common entities between the structured input data and any candidate experience example; A preset weight is assigned to each entity in the common entity set, wherein the weight of the attacker's Internet Protocol address and the weight of the vulnerability identifier are both higher than the weight of the victim host identifier. For each pair of common entities of the same type corresponding to the structured input data and the event input data of any candidate experience example, calculate the local similarity score; Based on the common entity set, the preset weights of each entity, and the corresponding local similarity scores, the semantic similarity between the structured input data and the event input data of any candidate experience example is calculated using a weighted normalization method.

4. The method according to claim 3, characterized in that, The formula for calculating the semantic similarity between the structured input data and the event input data of any candidate experience example using a weighted normalization method, based on the common entity set, the preset weights of each entity, and the corresponding local similarity scores, is as follows: Where Sim is the semantic similarity between the structured input data and the event input data of any candidate experience example, and E common Let e ​​be any common entity in the set of common entities, and Weight(e) be the preset weight of entity e. query e example The local similarity score is denoted as ).

5. The method according to any one of claims 1 to 4, characterized in that, Also includes: If no experience example matching the cybersecurity incident to be assessed is found in the preset security domain example library based on the structured input data, a second prompt text is generated based on the structured input data and preset cybersecurity knowledge. The second prompt text includes a description of security facts related to the cybersecurity incident to be assessed, a preset analysis step mode, and output format constraints. The structured input data and the second prompt text are both input into the preset large model agent to generate an explicit step-by-step reasoning process and a structured judgment conclusion.

6. The method according to claim 5, characterized in that, After generating the explicit step-by-step reasoning process and structured judgment conclusions, the process also includes: For the same cybersecurity incident to be assessed, multiple inference paths are generated. Consistency analysis is performed on the analysis steps of the corresponding inference stages in each inference path to identify the consensus inference steps of each inference stage. Based on the overall consistency level, it is decided whether to regenerate some or all of the inference steps. For key facts involved in the reasoning process, pre-set verification tools are invoked to obtain verification results and confidence levels; When the verification result conflicts with the analysis content in the explicit step-by-step reasoning process and the confidence level is higher than the preset confidence threshold, the verification result is injected into the original prompt text as the basis for correction, and the step of generating the explicit step-by-step reasoning process and the structured judgment conclusion is returned to trigger the preset large model agent to regenerate the corrected explicit step-by-step reasoning process. The original prompt text is either the first prompt text or the second prompt text. Integrate the reasoning process and judgment conclusions optimized by double verification to output the final structured judgment result.

7. A device for analyzing network security incidents, characterized in that, include: The acquisition module is used to acquire multi-source data related to the cybersecurity incidents to be analyzed. The preprocessing module is used to extract entities and perform structured processing on the multi-source data to generate structured input data containing attacker Internet Protocol addresses, victim host identifiers, and vulnerability identifiers. The prompt generation module is used to retrieve experience examples that match the network security incident to be assessed from a preset security domain example library based on the structured input data. The prompt generation module is also used to generate a first prompt text based on the retrieved experience examples; The output module is used to input both the structured input data and the first prompt text into a preset large model agent to generate an explicit step-by-step reasoning process and a structured judgment conclusion.

8. An electronic device, characterized in that, include: Memory, processor; The memory stores computer-executed instructions; The processor executes computer execution instructions stored in the memory, causing the processor to perform the method as described in any one of claims 1 to 6.

9. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer-executable instructions, which, when executed by a processor, are used to implement the method as described in any one of claims 1 to 6.

10. A computer program product, characterized in that, Includes a computer program that, when executed by a processor, implements the method as described in any one of claims 1 to 6.