A host system security emergency response method, device, equipment and medium

By extracting multi-dimensional attack trace data from host systems using portable data collection programs and knowledge graphs, and combining this with rule engines and large language models for analysis, the problems of difficulty in evidence collection and tracing and low standardization in traditional host security emergency response are solved, achieving efficient and accurate security emergency response.

CN122160177APending Publication Date: 2026-06-05HANGZHOU DBAPPSECURITY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
HANGZHOU DBAPPSECURITY CO LTD
Filing Date
2026-04-22
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

In traditional host security incident response, the over-reliance on manual investigation leads to difficulties in evidence collection and tracing, high expert thresholds, long analysis time, and low standardization.

Method used

A portable data collection program is used in conjunction with a pre-set attack trace collection knowledge graph to extract multi-dimensional attack trace data in offline or online scenarios. The data is then converted and encrypted to generate encrypted attack trace data packets. Pre-set data analysis models are used to decrypt, clean, and format the data. Finally, a rule engine and a large language model inference engine are combined to perform correlation analysis, reconstruct the attack chain timeline, and generate a security analysis report.

Benefits of technology

It enables full-scenario evidence collection even in offline environments, improves the accuracy of abnormal behavior identification, reduces the threshold and cost of emergency response, generates standardized security analysis reports, and enhances emergency response efficiency and the resilience of the network security defense system.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160177A_ABST
    Figure CN122160177A_ABST
Patent Text Reader

Abstract

The application discloses a host system security emergency response method and device, equipment and medium, and relates to the technical field of network security. The method comprises the following steps: receiving attack trace encrypted data packets; the attack trace encrypted data packets are obtained by performing format conversion and encryption compression on target collected data through a local portable collection program of a target host; the target collected data are obtained by performing attack trace extraction in an offline or online manner based on a preset attack trace collection knowledge graph through the portable collection program; after the attack trace encrypted data packets are decrypted, data cleaning and formatting are performed to obtain attack trace data dictionaries; a preset data analysis model is used to identify security abnormal behaviors according to the attack trace data dictionaries, and an attack behavior relationship graph is obtained by reconstructing an attack chain timeline; the preset data analysis model comprises a preset rule engine and a preset large language model reasoning engine; and a security analysis report is generated based on the attack behavior relationship graph, so that security emergency response operations can be performed.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security technology, and in particular to a host system security emergency response method, apparatus, equipment, and medium. Background Technology

[0002] When an operating system host is attacked or suspected of being compromised, the mainstream practice in the industry heavily relies on manual investigation by security experts. Experts need to log into the victim host, type various commands, or use scattered small tools to check for attack traces one by one. The existing purely manual investigation method has the following pain points: it is difficult to collect evidence and trace the source; the attack traces are extremely scattered; it is very easy for humans to miss key evidence; it is also highly resistant to attack; system logs are easily tampered with or deleted by hackers, causing the manual investigation to be interrupted; multi-dimensional trace correlation analysis requires highly skilled security experts to complete, which requires a very high expert threshold and time cost; manual analysis is time-consuming, and the output reports depend on personal experience, making it difficult to standardize and scale operations, resulting in efficiency and scalability bottlenecks.

[0003] In summary, the problems of difficulty in evidence collection and tracing, high expert threshold, long analysis time and low standardization caused by over-reliance on manual investigation in traditional host security emergency response are problems that urgently need to be solved. Summary of the Invention

[0004] In view of this, the purpose of this invention is to provide a host system security emergency response method, apparatus, equipment, and medium, which can solve the problems of difficulty in evidence collection and tracing, high expert threshold, long analysis time, and low standardization caused by excessive reliance on manual investigation in traditional host system security emergency response. The specific solution is as follows: Firstly, this application provides a host system security emergency response method, applied to a target server, including: Receive encrypted attack trace data packets uploaded by the target host; the encrypted attack trace data packets are encrypted compressed packets obtained by converting and encrypting the target collected data using a portable collection program local to the target host; the target collected data are multi-dimensional attack trace data obtained by the portable collection program based on a preset attack trace collection knowledge graph, performing attack trace extraction on the target host in offline or online conditions. After decrypting the encrypted attack trace data packet, the decrypted attack trace data is cleaned and formatted into a corresponding attack trace data dictionary. Using a preset data analysis model and based on the attack trace data dictionary, the system identifies the abnormal security behaviors of the target host and performs correlation analysis on these abnormal security behaviors to reconstruct the attack chain timeline and obtain an attack behavior relationship graph. The preset data analysis model includes a preset rule engine and a preset large language model inference engine. Based on the attack behavior relationship graph, a security analysis report including incident response recommendations is generated so that security incident response operations can be performed on the target host according to the security analysis report.

[0005] Optionally, the step of extracting attack traces from the target host includes: Collect the underlying system behavior of the target host to identify hidden malicious behavior and obtain the first attack trace data; Obtain the network communication connection records of the target host to capture abnormal service communication traces and obtain second attack trace data; The system logs of the target host are captured, and abnormal behavior events in the system logs are detected to mark anomalies at the corresponding time points, thereby obtaining third attack trace data. Traverse the target directory of the target host, and during the traversal, read the file system display time and the main file table record time of each file in the target directory; If there are abnormal files in the target directory whose record time in the main file table is inconsistent with the display time in the file system, then the abnormal files are extracted to obtain the fourth attack trace data; The multi-dimensional attack trace data includes the first attack trace data, the second attack trace data, the third attack trace data, and the fourth attack trace data.

[0006] Optionally, the step of collecting the target host's low-level system behavior to identify hidden malicious behavior and obtain first attack trace data includes: Call the target host's native system API to obtain the list of currently active processes on the target host; The list of currently active processes is cross-compared with the kernel-level driver object of the target host to identify hidden processes; The system persistent configuration items of the target host are traversed to extract the backdoor in the system persistent configuration items; the first attack trace data includes the hidden process and the backdoor.

[0007] Optionally, the process of format conversion and encryption / compression of the target acquired data includes: The target data is converted into the target data format to obtain the converted target data. The converted target data is encrypted, compressed, and archived using a preset encryption algorithm to obtain the attack trace encrypted data packet, and a first hash check value of the attack trace encrypted data packet is generated. Accordingly, after receiving the encrypted data packet containing attack traces uploaded by the target host, the method further includes: The encrypted data packet containing the attack traces is hashed to obtain a second hash verification value; Compare the second hash check value with the first hash check value; If the second hash verification value is consistent with the first hash verification value, it is determined that the attack trace encrypted data packet has passed the integrity verification, and the process jumps to the step of cleaning the decrypted attack trace data after decrypting the attack trace encrypted data packet.

[0008] Optionally, the step of identifying the abnormal security behavior of the target host using a preset data analysis model and based on the attack trace data dictionary includes: Extract the target entities from the attack trace data dictionary, and extract the parent-child process call relationship and the command line parameters corresponding to each process from the attack trace data dictionary; The target entity is matched with the preset threat intelligence database through the preset rule engine, and detection is performed according to YARA rules to identify the first security anomaly behavior of the target host. Based on the parent-child process call relationship and the command-line parameters, a target prompt word is constructed and input into the preset large language model inference engine so that the preset large language model inference engine can identify the second security anomaly behavior of the target host.

[0009] Optionally, the step of performing correlation analysis on the aforementioned security anomalies to reconstruct the attack chain timeline and obtain an attack behavior relationship graph includes: Determine the behavior timestamp of the aforementioned security anomaly; Based on the behavior timestamp and the context of the same user account, the abnormal security behavior is correlated and analyzed. The abnormal security behavior is then used as a node and connected according to the analysis results to reconstruct the attack chain timeline and obtain an attack behavior relationship graph.

[0010] Optionally, the step of generating a security analysis report based on the attack behavior relationship graph, including incident response recommendations, includes: Based on the attack behavior relationship graph, the security incident of the target host is summarized to obtain the target conclusion; The attack behavior relationship graph is organized and analyzed to generate the attack timeline of this security incident, and matched with a preset security handling knowledge base to determine the corresponding emergency response recommendations. Based on the stated objectives, the attack timeline, and the emergency response recommendations, a preset report template is rendered to generate a security analysis report for this security incident.

[0011] Secondly, this application provides a host system security emergency response device, applied to a target server, comprising: The data packet receiving module is used to receive encrypted attack trace data packets uploaded by the target host; the encrypted attack trace data packets are encrypted compressed packages obtained by converting and encrypting the target collected data using a portable collection program local to the target host; the target collected data is multi-dimensional attack trace data obtained by the portable collection program based on a preset attack trace collection knowledge graph, performing attack trace extraction on the target host in offline or online conditions. The dictionary generation module is used to clean the decrypted attack trace data after decrypting the encrypted attack trace data packet, and format it into a corresponding attack trace data dictionary. The correlation analysis module is used to identify the abnormal security behavior of the target host by using a preset data analysis model and the attack trace data dictionary, and to perform correlation analysis on the abnormal security behavior to reconstruct the attack chain timeline and obtain the attack behavior relationship graph; the preset data analysis model includes a preset rule engine and a preset large language model inference engine. The report generation module is used to generate a security analysis report including emergency response recommendations based on the attack behavior relationship graph, so as to perform security emergency response operations on the target host according to the security analysis report.

[0012] Thirdly, this application provides an electronic device, comprising: Memory, used to store computer programs; A processor is used to execute the computer program to implement the aforementioned host system security emergency response method.

[0013] Fourthly, this application provides a computer-readable storage medium for storing a computer program; wherein, when the computer program is executed by a processor, it implements the aforementioned host system security emergency response method.

[0014] In this application, an encrypted attack trace data packet uploaded by a target host is received. The encrypted attack trace data packet is an encrypted compressed package obtained by converting and encrypting target data using a portable acquisition program located on the target host. The target data is multi-dimensional attack trace data obtained by the portable acquisition program based on a preset attack trace acquisition knowledge graph, performing attack trace extraction on the target host offline or online. After decrypting the encrypted attack trace data packet, the decrypted attack trace data is cleaned and formatted into a corresponding attack trace data dictionary. A preset data analysis model is used, along with the attack trace data dictionary, to identify abnormal security behaviors of the target host. Correlation analysis is then performed on these abnormal behaviors to reconstruct the attack chain timeline and obtain an attack behavior relationship graph. The preset data analysis model includes a preset rule engine and a preset large language model inference engine. A security analysis report, including emergency response suggestions, is generated based on the attack behavior relationship graph, so that security emergency response operations can be performed on the target host according to the security analysis report. As can be seen from the above, this application receives encrypted attack trace data packets uploaded by the target host through a local portable acquisition program. This data packet is generated by the program based on a preset attack trace acquisition knowledge graph, extracting multi-dimensional attack trace data in offline or online conditions, and generating the data packet after format conversion, encryption and compression. Subsequently, the encrypted attack trace data packet is decrypted and the data is cleaned and formatted to obtain an attack trace data dictionary. Then, a preset rule engine and a preset large language model inference engine are used to identify abnormal security behaviors. After correlation analysis, the attack chain timeline is reconstructed to form an attack behavior relationship graph. Finally, a security analysis report containing emergency response suggestions is generated for security emergency response. In this way, through the process described above in this application, a portable data collection program combined with attack trace collection knowledge graphs is used to extract multi-dimensional data. This allows for comprehensive and accurate acquisition of attack traces, adapting to both online and offline scenarios, solving the problem of evidence collection in offline environments, and achieving full-scenario coverage. Encrypted and compressed data packets ensure data transmission security. The combination of a rule engine and a large language model inference engine improves the accuracy of abnormal behavior identification and reduces the threshold and cost of emergency response. The attack chain timeline and relationship graph are reconstructed to achieve complete visualization of the attack process, improving response efficiency and accuracy. Based on the graph, a security analysis report with emergency recommendations is generated. The output report has a unified format, conclusive evidence, and actionable recommendations, providing clear guidance for security emergency response, improving emergency handling efficiency, and enhancing the resilience of the overall network security defense system. This solves the problems of difficulty in evidence collection and tracing, high expert threshold, long analysis time, and low standardization in traditional host security emergency response due to excessive reliance on manual investigation. Attached Figure Description

[0015] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on the provided drawings without creative effort.

[0016] Figure 1 This application discloses a flowchart of a host system security emergency response method. Figure 2 This is a schematic diagram of the structure of a host system security emergency response device disclosed in this application; Figure 3 This is a structural diagram of an electronic device disclosed in this application. Detailed Implementation

[0017] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0018] When an operating system host is attacked or suspected of being compromised, the mainstream practice in the industry heavily relies on manual investigation by security experts. Experts need to log into the victim host, type various commands, or use scattered small tools to check for attack traces one by one. The existing purely manual investigation method has the following pain points: it is difficult to collect evidence and trace the source; the attack traces are extremely scattered; it is very easy for humans to miss key evidence; it is also highly resistant to attack; system logs are easily tampered with or deleted by hackers, causing the manual investigation to be interrupted; multi-dimensional trace correlation analysis requires highly skilled security experts to complete, which requires a very high expert threshold and time cost; manual analysis is time-consuming, and the output reports depend on personal experience, making it difficult to standardize and scale operations, resulting in efficiency and scalability bottlenecks.

[0019] To overcome the aforementioned technical problems, this application provides a host system security emergency response method that can solve the problems of difficulty in evidence collection and tracing, high expert threshold, long analysis time and low standardization in traditional host security emergency response due to excessive reliance on manual investigation.

[0020] See Figure 1 As shown, this embodiment of the invention discloses a host system security emergency response method, applied to a target server, including: Step S11: Receive the attack trace encrypted data packet uploaded by the target host; the attack trace encrypted data packet is an encrypted compressed package obtained by converting and encrypting the target collected data through a portable collection program on the target host; the target collected data is multi-dimensional attack trace data obtained by the portable collection program based on a preset attack trace collection knowledge graph, in offline or online conditions, for attack trace extraction against the target host.

[0021] In this embodiment, the target server receives an encrypted attack trace data packet uploaded by the target host. This data packet is generated by a portable collection program on the target host, which extracts multi-dimensional attack trace data of the target host in offline or online scenarios based on a preset attack trace collection knowledge graph, and then generates the data packet after format conversion, encryption and compression. The target server is a SaaS (Software as a Service) platform or a local private server; the target host is the target operating system host (Windows, Linux, and other system hosts) where the security incident occurred; the preset attack trace collection knowledge graph is a knowledge graph obtained by knowledge graphing and rule-based processing of the anti-APT (Advanced Persistent Threat) practical experience of senior security experts, covering 6 major dimensions and 30+ sub-items, including system underlying behavior, network external connection traces, log anomalies, and proactive file detection; the target collection data includes abnormal processes and modules (such as disguised system processes), suspicious network external connection records, tampered registry startup items, abnormal events in system security logs (such as logs being cleared, brute-force login), and malicious files with tampered timestamps (such as WebShells (script Trojans or website backdoors)).

[0022] Understandably, to address the technical challenges of traditional operating system host security emergency response, such as difficulties in manual investigation, evidence collection, and tracing, high expert thresholds, time-consuming analysis, and lack of standardization due to over-reliance on manual investigation, this embodiment proposes an integrated technical solution for automatic deep trace collection, intelligent model correlation reasoning, and automatic standard report generation. This is a host system security emergency response method that uses a knowledge graph and rules to formalize the anti-APT practical experience of senior security experts. It constructs an integrated technical closed loop encompassing an intelligent collection module, an AI automatic analysis module, and a report and handling suggestion generation module. This method can automatically extract all hidden attack traces on the host comprehensively, deeply, and tamper-proofly without relying on the intervention of senior security experts. Like human experts, it performs multi-dimensional intelligent correlation analysis on this massive amount of fragmented data, ultimately reconstructing the hacker's attack path with a single click and providing a standardized handling report. The system comprises three modules: The intelligent data collection module, deployed on the target operating system host, is responsible for automatically and multi-dimensionally extracting trace data such as the host's underlying state, network connections, log records, and suspicious files, based on a pre-defined attack trace collection knowledge graph model, under both isolated (disconnected) and connected network environments, and packaging it in an anti-tampering manner. The AI ​​automatic analysis module, deployed on a SaaS platform or local private server, receives encrypted data packets output by the intelligent data collection module. Utilizing a built-in anti-APT intelligent analysis model (including a rule engine and a large language model inference engine), it performs structured analysis, feature extraction, multi-dimensional correlation, and attack chain timeline reconstruction on massive amounts of fragmented traces. The report and handling suggestion generation module, connected to the AI ​​automatic analysis module, maps the final conclusions of the correlation inference to standardized templates, outputs qualitative conclusions and actionable security hardening instructions. This three-layer architecture solves the macro-level technical problems of fragmented data collection and analysis and reliance on network environments in existing technologies, achieving an automated pipeline with one-click import and expert-level conclusions generated in seconds.

[0023] It should be noted that the intelligent data collection module is compiled into a standalone, dependency-free portable executable file, i.e., the portable data collection program. In the event of a security incident, the user can copy it to the victim's operating system host (supporting various systems such as Windows and Linux) that is offline via USB flash drive and run it directly. No prior installation or deployment is required, enabling offline one-click execution. This allows the portable data collection program on the target host to extract deep traces based on the knowledge graph and upload them to the target server after tamper-proof processing. Furthermore, the host system security emergency response method of this application is applicable to all host systems, supporting host systems including but not limited to various operating systems such as Windows, Linux, and Unix.

[0024] It should be noted that the processing flow for extracting attack traces from the target host is as follows: Collect the underlying system behavior of the target host to identify hidden malicious behavior and obtain first attack trace data; acquire the network communication connection records of the target host to capture abnormal service communication traces and obtain second attack trace data; capture the system logs of the target host and detect abnormal behavior events in the system logs to mark anomalies at corresponding time points and obtain third attack trace data; traverse the target directory of the target host, and during the traversal, read the file system display time and master file table record time of each file in the target directory; if there are abnormal files in the target directory whose master file table record time and file system display time are inconsistent, extract the abnormal files and obtain fourth attack trace data; wherein, the multi-dimensional attack trace data includes the first attack trace data, the second attack trace data, the third attack trace data, and the fourth attack trace data. That is, traditional collection usually only captures Windows system logs (Event Log), while this embodiment expands the collection scope to a systematic trace of 6 dimensions and 30+ subcategories. Specifically, by collecting the underlying system behavior of the target host, hidden malicious behaviors are identified to obtain the first attack trace data; network communication connection records are obtained to capture abnormal communication traces, resulting in the second attack trace data collected through the network and external connections. Specifically, not only is the GetExtendedTcpTable (a function used to retrieve a table containing a list of TCP endpoints that can be used by applications) called to obtain the current TCP (Transmission Control Protocol) / UDP (User Datagram Protocol) connection, but the DNS (Domain Name System) resolution cache (the underlying implementation of ipconfig / displaydns) and ARP (Address Resolution Protocol) tables are also read to capture the communication traces of the C2 (Command and Control) server that the hacker has just disconnected; system logs are captured and abnormal behavior events are time-marked to obtain the third attack trace data obtained from logs and anomaly detection. Specifically, the focus is on capturing specific Event IDs in the Security Log (such as ID 4624 / 4625 representing successful / failed login, and ID 1102 representing that the log has been cleared).For example, if ID 1102 is detected, the module will automatically mark that time point as having anti-forensic adversarial behavior; it will traverse the target directory, compare the file system display time with the master file table (MFT) record time, and extract abnormal files with inconsistent timestamps, obtaining the fourth type of attack trace data obtained through proactive malicious file detection. Specifically, it targets key directories on the disk (such as the web root directory and the temporary directory), comparing the file's creation time, modification time, and MFT record time. If an MFT timestamp is found to be inconsistent with the timestamp displayed in the file system, it is determined that the hacker used timestamp forgery technology, and the file is forcibly extracted as a suspicious sample. The above four types of data together constitute multi-dimensional attack trace data.

[0025] It should be further noted that the process of collecting the target host's low-level system behavior to identify hidden malicious behavior is as follows: The target host's native system API is invoked to obtain a list of currently active processes; this list is cross-compared with the target host's kernel-level driver objects to identify hidden processes; the target host's persistent system configuration items are traversed to extract backdoors from these items; the first attack trace data includes the hidden processes and the backdoors. That is, by invoking the target host's native system API (Application Programming Interface) (such as CreateToolhelp32Snapshot) to obtain a list of currently active processes, cross-comparing it with kernel-level driver objects to identify hidden processes, and simultaneously traversing persistent system configuration items, including registry startup items (such as Run / RunOnce key values), WMI (Windows Management Instrumentation) event subscriptions, and Windows scheduled tasks, potential persistent backdoors are extracted, and the hidden processes and backdoors are used as the first attack trace data.

[0026] It should be noted that the process of converting and encrypting the target collected data is as follows: converting the target collected data into a target data format to obtain the converted target collected data; encrypting, compressing, and archiving the converted target collected data using a preset encryption algorithm to obtain the attack trace encrypted data packet, and generating a first hash verification value for the attack trace encrypted data packet; correspondingly, after receiving the attack trace encrypted data packet uploaded by the target host, the process further includes: performing a hash calculation on the attack trace encrypted data packet to obtain a second hash verification value; comparing the second hash verification value with the first hash verification value; if the second hash verification value is consistent with the first hash verification value, then the attack trace encrypted data packet is determined to have passed the integrity verification, and the process proceeds to the step of cleaning the decrypted attack trace data after decrypting the attack trace encrypted data packet. In other words, after data collection is completed, the program automatically converts the target data collected, namely all collected logs, process snapshots, and registry information, into the target data format, such as JSON, in memory. Then, it encrypts, compresses, and archives the data using a preset encryption algorithm, such as AES (Advanced Encryption Standard)-256, to generate an encrypted attack trace data packet. At the same time, it calculates the SHA-256 (Secure Hash Algorithm 256-bit) hash check value, which is the first hash check value. After the target server receives the data packet, it calculates the second hash check value and compares it with the first hash check value. If the check matches, the subsequent decryption and cleaning steps begin.This embodiment designs a portable data collection program that requires no installation or configuration, supports both offline and online modes, and can run in a completely isolated environment without network access. This expands the applicable scenarios and data collection scope, filling the gap in existing security products' inability to cover special scenarios such as isolated networks and classified networks, achieving full-scenario coverage and solving the problem of forensics in offline environments. It constructs a pre-defined attack trace collection knowledge graph based on practical experience in anti-APT attacks, breaking through the limitations of traditional reliance on single logs or traffic, and achieving deep extraction of advanced adversarial traces. It can comprehensively and accurately extract multi-dimensional attack traces. By cross-comparing process lists with kernel-level driver objects, it can effectively identify malicious hidden processes, and traversing system persistent configuration items can accurately extract hidden backdoors, improving the depth and reliability of malicious behavior identification and the comprehensiveness of attack trace discovery. Combined with network... Network communication logs capture abnormal communication traces, enabling precise location of network-level attack behaviors. Time-marking of system log anomalies facilitates subsequent attack sequence analysis and tracing. Comparison of file time attributes identifies abnormal files, effectively discovering tampered or hidden malicious files. Multi-dimensional synchronous collection achieves complete coverage of attack traces, improving the accuracy of subsequent security analysis and attack chain reconstruction. Data encryption and compression prevent secondary tampering, reducing transmission volume while ensuring the security and integrity of attack trace data during transmission, guaranteeing the integrity of the evidence chain during data transfer from the victim host to the analysis platform. Generating hash checksums and performing comparison verification effectively verifies whether data packets have been tampered with during transmission, ensuring the tamper-proof and legal validity of forensic data during transmission, providing a reliable data foundation for subsequent security analysis.

[0027] Step S12: After decrypting the encrypted attack trace data packet, perform data cleaning on the obtained decrypted attack trace data and format it into a corresponding attack trace data dictionary.

[0028] In this embodiment, the decrypted attack trace data obtained after decrypting the encrypted attack trace data packet is cleaned and formatted into a unified attack trace data dictionary. This data cleaning process removes invalid and redundant information, reducing interference in subsequent analysis; formatting the data into a dictionary structure standardizes the data, improving the efficiency and accuracy of subsequent model recognition and correlation analysis.

[0029] Step S13: Using a preset data analysis model and based on the attack trace data dictionary, identify the abnormal security behavior of the target host, and perform correlation analysis on the abnormal security behavior to reconstruct the attack chain timeline and obtain an attack behavior relationship graph; the preset data analysis model includes a preset rule engine and a preset large language model inference engine.

[0030] In this embodiment, based on the attack trace data dictionary, a preset data analysis model, namely the anti-APT intelligent analysis model, is used to combine a preset rule engine and a preset large language model inference engine to identify abnormal security behaviors, conduct correlation analysis on the abnormal security behaviors, reconstruct the attack chain timeline, and form an attack behavior relationship graph.

[0031] It should be noted that the process of identifying the abnormal security behavior of the target host using a preset data analysis model and based on the attack trace data dictionary is as follows: The target entity is extracted from the attack trace data dictionary, and the parent-child process call relationship and command-line parameters corresponding to each process are extracted from the attack trace data dictionary; the target entity is matched with a preset threat intelligence database using the preset rule engine, and detection is performed according to YARA rules to identify the first abnormal security behavior of the target host; a target prompt word is constructed based on the parent-child process call relationship and the command-line parameters, and the target prompt word is input into the preset large language model inference engine so that the preset large language model inference engine can identify the second abnormal security behavior of the target host. The target entity includes IP address, file hash, process ID (PID), user account, and timestamp. That is, the target entity, parent-child process call relationship, and command line parameters corresponding to each process are extracted from the attack trace data dictionary. Through the preset rule engine, the target entity (IP, domain name, and file hash) is accurately matched with the built-in preset threat intelligence database. Combined with YARA rules (a pattern matching tool for identifying and classifying files), file characteristics are scanned to quickly identify known WebShell or Trojan programs and identify the first security anomaly behavior of the target host. At the same time, for fileless attacks or white-hat exploits (using system built-in tools such as PowerShell) used by advanced hackers, traditional rules are difficult to identify. This embodiment constructs prompt words based on the parent-child process call relationship and the command line parameters, and inputs them into the preset large language model inference engine to obtain the second security anomaly behavior. For example, when the AI ​​finds that the parent process is winword.exe (Word document), but its child process launches cmd.exe and executes powershell.exe with base64 encoded parameters, the AI ​​model will infer from the built-in security knowledge that this belongs to the typical execution logic of phishing email macro viruses and judge it as high-risk behavior.

[0032] It should be further pointed out that the processing flow for performing correlation analysis on the aforementioned security anomalies to reconstruct the attack chain timeline and obtain the attack behavior relationship graph is as follows: Determine the behavior timestamp of the security anomaly; based on the behavior timestamp and the context of the same user account, perform correlation analysis on the security anomaly, and connect the security anomalies as nodes according to the analysis results to reconstruct the attack chain timeline and obtain the attack behavior relationship graph. That is, using the timestamp as the main axis and the process parent-child relationship (PID / PPID) and user session ID as the association keys, isolated anomalies are linked together. For example, at time point T1, an abnormal request from a web application occurs; at T2, a new file is generated in the web directory (discovered through the file timestamp); at T3, the process corresponding to that file initiates an abnormal outbound network connection (discovered through network status logs); and at T4, the system creates a hidden administrator account. The model performs correlation analysis based on the timestamps (chronological order) of the described security anomalies and the context of the unified user account. Using the security anomalies as nodes, it connects them into a Directed Acyclic Graph (DAG) according to the analysis results, reconstructing the attack chain timeline, restoring the complete attack path of initial breach, backdoor implantation, and lateral movement, and forming an attack behavior relationship graph. In this way, this embodiment uses a rule engine and a large language model inference engine for fusion analysis, combining traditional static rule matching (such as YARA, threat intelligence) with the logical reasoning capabilities of large language models. This can accurately identify known anomalies and intelligently uncover unknown related threats, reducing the threshold and cost of emergency response, improving the comprehensiveness and accuracy of anomaly detection, as well as response efficiency and accuracy. Utilizing AI to perform multi-dimensional correlation analysis on parent-child process chains, command-line parameters, and timestamp sequences, it can accurately restore the attack sequence and logical relationships, automatically identify complex attack methods such as fileless attacks and white-hat exploitation, and reconstruct a complete attack timeline, making the attack path and propagation relationship intuitively visible, improving the efficiency of attack tracing and analysis.

[0033] Step S14: Generate a security analysis report including emergency response recommendations based on the attack behavior relationship graph, so as to perform security emergency response operations on the target host according to the security analysis report.

[0034] In this embodiment, a security analysis report with emergency response suggestions is generated based on the attack behavior relationship graph, which is used to carry out security emergency response operations on the target host.

[0035] It should be noted that the process of generating a security analysis report including emergency response recommendations based on the attack behavior relationship graph is as follows: Based on the attack behavior relationship graph, the security incident on the target host is summarized to obtain the target conclusion; the attack behavior relationship graph is organized and analyzed to generate an attack timeline for this security incident, and matched against a preset security handling knowledge base to determine the corresponding emergency response recommendations; based on the target conclusion, the attack timeline, and the emergency response recommendations, a preset report template is rendered to generate a security analysis report for this security incident. In other words, based on the attack behavior relationship graph and attribute tags, the report rendering engine is invoked to transform the technical data into a standard PDF / Word report containing event characterization (e.g., determined to be a ransomware attack), an attack timeline Gantt chart, a list of affected assets, and details of the evidence chain. By summarizing the security incident, the target conclusion is drawn, an attack timeline is generated, and based on the identified vulnerabilities (e.g., weak passwords leading to the brute-force attack of RDP (Remote Desktop Protocol), a preset security handling knowledge base is matched to generate structured hardening suggestions, i.e., emergency response suggestions, which include blocking specific IPs, resetting account passwords, and patching specific system patches. The target conclusion, the attack timeline, and the emergency response suggestions are then rendered to a preset report template to generate the final security analysis report. In this way, this embodiment forms conclusions and attack timelines based on attack graphs, making emergency response more intuitive and sufficient, and clearly and completely reconstructing the entire attack process; it matches the preset handling knowledge base to obtain response suggestions and outputs them simultaneously, making the handling plan more standardized and professional, which can directly guide security handling operations and improve the efficiency and pertinence of emergency response; it uses template rendering to generate reports, and can output standardized reports containing qualitative conclusions, evidence chain details, and handling suggestions without manual intervention, improving report generation efficiency and standardizing the format, making it possible to simultaneously investigate and handle large-scale host security incidents, and enhancing the resilience of the overall network security defense system.

[0036] As can be seen from the above, this application embodiment receives an encrypted attack trace data packet uploaded by the target host through a local portable acquisition program. This data packet is generated by the program based on a preset attack trace acquisition knowledge graph, extracting multi-dimensional attack trace data in offline or online conditions, and generating it after format conversion, encryption and compression. Subsequently, the encrypted attack trace data packet is decrypted and the data is cleaned and formatted to obtain an attack trace data dictionary. Then, a preset rule engine and a preset large language model inference engine are used to identify abnormal security behaviors. After correlation analysis, the attack chain timeline is reconstructed to form an attack behavior relationship graph. Finally, a security analysis report containing emergency response suggestions is generated for security emergency response. In this way, through the above-described process of this application embodiment, using a portable collection program combined with attack trace collection knowledge graph to extract multi-dimensional data, attack traces can be comprehensively and accurately obtained and adapted to offline and online scenarios, solving the problem of evidence collection in offline environments and achieving full-scenario coverage; data transmission security is ensured by encrypting and compressing transmission data packets; analysis using a combination of rule engine and large language model inference engine improves the accuracy of abnormal behavior identification and reduces the threshold and cost of emergency response; the attack chain timeline and relationship graph are reconstructed to achieve complete visualization of the attack process, improving response efficiency and accuracy; based on the graph, a security analysis report with emergency suggestions is generated, the output report has a unified format, conclusive evidence, and actionable suggestions, which can provide clear guidance for security emergency response, improve emergency response efficiency, enhance the resilience of the overall network security defense system, and thus solve the problems of difficulty in evidence collection and tracing, high expert threshold, long analysis time, and low standardization caused by excessive reliance on manual investigation in traditional host security emergency response.

[0037] As can be seen from the previous embodiment, this application discloses a host system security emergency response method, which can solve the problems of difficulty in evidence collection and tracing, high expert threshold, long analysis time, and low standardization caused by excessive reliance on manual investigation in traditional host system security emergency response. Next, a detailed explanation of the host system security emergency response method will be given using a real-world scenario of an APT hacker intruding into a company's financial host as an example.

[0038] Suppose a hacker exploits a web application vulnerability in the financial system (such as a deserialization vulnerability) to upload a hidden JSP webshell (web backdoor) to the server. The hacker then uses this webshell to execute system commands, download the Cobalt Strike trojan, create a hidden account named admin$, and, after stealing core data, executes a command to clear the system security logs to destroy evidence. The company administrator notices server lag and suspects a breach.

[0039] First, a one-click data collection startup is performed: the administrator inserts a USB drive containing the intelligent data collection module into the financial host and double-clicks to run it. Within 5 minutes, the module silently extracts all process, network, log, and registry states.

[0040] Then, hidden traces were captured: the data collection module discovered Event ID 1102 in the system event log (the audit log had been cleared), and immediately locked onto that time point (e.g., 2:00 AM yesterday). The data collection module scanned local user groups and found an account ending in $, admin$, triggering the hidden account detection logic. The data collection module compared web directory files and found that the MFT creation time of a certain config.jsp file was two days prior, and it contained suspicious characteristics of the Runtime.getRuntime().exec function, which was forcibly extracted.

[0041] Next, AI-powered cloud-based intelligent inference is performed: the data collection package is uploaded to the AI ​​automatic analysis module. The AI ​​first determines that config.jsp is a WebShell tool. By analyzing memory remnants and historical processes, the AI ​​discovers that the parent process java.exe, running the financial web application, had previously launched a child process powershell.exe (normally, web applications do not launch this program). The AI ​​further extracts the command-line logs of powershell.exe and finds that it connected to a malicious overseas IP address and downloaded a Trojan.

[0042] Finally, a complete chain of evidence and report are generated: The report generation module outputs a report concluding that the host has suffered a high-level web intrusion and backdoor implantation. The reconstructed attack timeline is as follows: [Step 1 - Initial Access]: Two days ago at 14:00, the hacker exploited the vulnerability to write to config.jsp (WebShell).

[0043] [Step 2 - Tool Download]: Two days ago at 15:30, the hacker used java.exe to trigger powershell.exe to download a remote control Trojan.

[0044] [Step 3 - Maintaining Privileges]: At 1:00 AM yesterday, the hacker created a hidden administrator account, admin$.

[0045] [Step 4 - Trace Cleanup]: At 2:00 AM yesterday, the hacker cleared the Windows security log.

[0046] Recommended actions: Immediately disconnect the host from the network, delete the config.jsp file, block the malicious remote control IP, delete the admin$ account, and patch the vulnerabilities in the financial system source code.

[0047] Accordingly, see Figure 2As shown in the illustration, this application also provides a host system security emergency response device, applied to a target server, comprising: The data packet receiving module 11 is used to receive the attack trace encrypted data packet uploaded by the target host; the attack trace encrypted data packet is an encrypted compressed package obtained by converting and encrypting the target collected data through a portable collection program local to the target host; the target collected data is multi-dimensional attack trace data obtained by the portable collection program based on a preset attack trace collection knowledge graph, performing attack trace extraction on the target host in offline or online conditions. The dictionary generation module 12 is used to clean the decrypted attack trace data after decrypting the encrypted attack trace data packet, and format it into a corresponding attack trace data dictionary. The correlation analysis module 13 is used to identify the abnormal security behavior of the target host by using a preset data analysis model and the attack trace data dictionary, and to perform correlation analysis on the abnormal security behavior to reconstruct the attack chain timeline and obtain the attack behavior relationship graph; the preset data analysis model includes a preset rule engine and a preset large language model inference engine. The report generation module 14 is used to generate a security analysis report including emergency response recommendations based on the attack behavior relationship graph, so as to perform security emergency response operations on the target host according to the security analysis report.

[0048] In some specific embodiments, the data packet receiving module 11 may specifically include: The behavior collection submodule is used to collect the underlying system behavior of the target host in order to identify hidden malicious behaviors and obtain the first attack trace data; The record acquisition unit is used to acquire the network communication connection records of the target host in order to capture abnormal service communication traces and obtain second attack trace data; The event detection unit is used to capture the system logs of the target host and detect abnormal behavior events in the system logs, so as to mark the abnormality at the corresponding time points and obtain third attack trace data. The time reading unit is used to traverse the target directory of the target host and, during the traversal, read the file system display time and the main file table record time of each file in the target directory; The file extraction unit is used to extract the abnormal file and obtain the fourth attack trace data if there is an abnormal file in the target directory whose record time in the main file table is inconsistent with the display time of the file system. The multi-dimensional attack trace data includes the first attack trace data, the second attack trace data, the third attack trace data, and the fourth attack trace data.

[0049] In some specific implementations, the behavior acquisition submodule may specifically include: The interface call unit is used to call the target host's native system API to obtain the list of currently active processes of the target host; The cross-comparison unit is used to cross-compare the list of currently active processes with the kernel layer driver object of the target host in order to identify hidden processes; The configuration item traversal unit is used to traverse the persistent system configuration items of the target host to extract the backdoor in the persistent system configuration items; the first attack trace data includes the hidden process and the backdoor.

[0050] In some specific embodiments, the data packet receiving module 11 may specifically include: The format conversion unit is used to convert the target acquisition data into the target data format to obtain the converted target acquisition data; The data compression unit is used to encrypt, compress, and archive the converted target data using a preset encryption algorithm to obtain the attack trace encrypted data packet and generate the first hash check value of the attack trace encrypted data packet. Accordingly, the host system security emergency response device may further include: A hash calculation unit is used to perform hash calculations on the encrypted data packets containing the attack traces to obtain a second hash verification value; A verification value comparison unit is used to compare the second hash verification value with the first hash verification value; The step jump unit is used to determine that the attack trace encrypted data packet has passed the integrity check if the second hash verification value is consistent with the first hash verification value, and to jump to the step of cleaning the decrypted attack trace data after decrypting the attack trace encrypted data packet.

[0051] In some specific embodiments, the correlation analysis module 13 may specifically include: The parameter extraction unit is used to extract the target entity from the attack trace data dictionary and extract the parent-child process call relationship and the command line parameters corresponding to each process from the attack trace data dictionary. The entity matching unit is used to match the target entity with the preset threat intelligence database through the preset rule engine, and to detect it according to YARA rules in order to identify the first security anomaly behavior of the target host. The prompt word input unit is used to construct a target prompt word based on the parent-child process call relationship and the command line parameters, and input the target prompt word into the preset large language model inference engine so that the preset large language model inference engine can identify the second security abnormal behavior of the target host.

[0052] In some specific embodiments, the correlation analysis module 13 may specifically include: A timestamp determination unit is used to determine the behavior timestamp of the security anomaly behavior; The node connection unit is used to perform correlation analysis on the security anomaly behavior based on the behavior timestamp and the context of the same user account, and to connect the security anomaly behavior as nodes according to the analysis results to reconstruct the attack chain timeline and obtain the attack behavior relationship graph.

[0053] In some specific embodiments, the report generation module 14 may specifically include: The event summary unit is used to summarize the security event of the target host based on the attack behavior relationship graph to obtain the target conclusion; The knowledge base matching unit is used to organize and analyze the attack behavior relationship graph to generate the attack timeline of this security incident, and match it with the preset security handling knowledge base to determine the corresponding emergency response suggestions. The template rendering unit is used to render a preset report template based on the target conclusion, the attack timeline, and the emergency response recommendations to generate a security analysis report for this security incident.

[0054] Furthermore, embodiments of this application also disclose an electronic device, Figure 3 This is a structural diagram of an electronic device 20 according to an exemplary embodiment. The content of the diagram should not be construed as limiting the scope of this application. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input / output interface 25, and a communication bus 26. The memory 22 stores a computer program, which is loaded and executed by the processor 21 to implement the relevant steps in the host system security emergency response method disclosed in any of the foregoing embodiments. Furthermore, the electronic device 20 in this embodiment may specifically be an electronic computer.

[0055] In this embodiment, the power supply 23 is used to provide operating voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and external devices, and the communication protocol it follows can be any communication protocol applicable to the technical solution of this application, and is not specifically limited here; the input / output interface 25 is used to acquire external input data or output data to the outside world, and its specific interface type can be selected according to specific application needs, and is not specifically limited here.

[0056] In addition, the memory 22, as a carrier for resource storage, can be a read-only memory, random access memory, disk or optical disk, etc. The resources stored thereon can include operating system 221, computer program 222, etc., and the storage method can be temporary storage or permanent storage.

[0057] The operating system 221 is used to manage and control the various hardware devices on the electronic device 20 and the computer program 222, which may be Windows Server, Netware, Unix, Linux, etc. In addition to including a computer program capable of performing the host system security emergency response method executed by the electronic device 20 as disclosed in any of the foregoing embodiments, the computer program 222 may further include computer programs capable of performing other specific tasks.

[0058] Furthermore, this application also discloses a computer-readable storage medium for storing a computer program; wherein, when the computer program is executed by a processor, it implements the aforementioned disclosed host system security emergency response method. Specific steps of this method can be found in the corresponding content disclosed in the foregoing embodiments, and will not be repeated here.

[0059] The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on its differences from other embodiments. Similar or identical parts between embodiments can be referred to interchangeably. For the apparatus disclosed in the embodiments, since it corresponds to the method disclosed in the embodiments, the description is relatively simple; relevant parts can be referred to in the method section.

[0060] Those skilled in the art will further recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the components and steps of the various examples have been generally described in terms of functionality in the foregoing description. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.

[0061] The steps of the methods or algorithms described in conjunction with the embodiments disclosed herein can be implemented directly by hardware, a software module executed by a processor, or a combination of both. The software module can be located in random access memory (RAM), main memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, removable disk, CD-ROM, or any other form of storage medium known in the art.

[0062] Finally, it should be noted that in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

[0063] The technical solutions provided in this application have been described in detail above. Specific examples have been used to illustrate the principles and implementation methods of this application. The descriptions of the above embodiments are only for the purpose of helping to understand the methods and core ideas of this application. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the ideas of this application. Therefore, the content of this specification should not be construed as a limitation of this application.

Claims

1. A host system security emergency response method, characterized in that, Applied to the target server, including: Receive encrypted attack trace data packets uploaded by the target host; the encrypted attack trace data packets are encrypted compressed packets obtained by converting and encrypting the target collected data using a portable collection program local to the target host; the target collected data are multi-dimensional attack trace data obtained by the portable collection program based on a preset attack trace collection knowledge graph, performing attack trace extraction on the target host in offline or online conditions. After decrypting the encrypted attack trace data packet, the decrypted attack trace data is cleaned and formatted into a corresponding attack trace data dictionary. Using a preset data analysis model and based on the attack trace data dictionary, the system identifies the abnormal security behaviors of the target host and performs correlation analysis on these abnormal security behaviors to reconstruct the attack chain timeline and obtain an attack behavior relationship graph. The preset data analysis model includes a preset rule engine and a preset large language model inference engine. Based on the attack behavior relationship graph, a security analysis report including incident response recommendations is generated so that security incident response operations can be performed on the target host according to the security analysis report.

2. The host system security emergency response method according to claim 1, characterized in that, The process of extracting attack traces from the target host includes: Collect the underlying system behavior of the target host to identify hidden malicious behavior and obtain the first attack trace data; Obtain the network communication connection records of the target host to capture abnormal service communication traces and obtain second attack trace data; The system logs of the target host are captured, and abnormal behavior events in the system logs are detected to mark anomalies at the corresponding time points, thereby obtaining third attack trace data. Traverse the target directory of the target host, and during the traversal, read the file system display time and the main file table record time of each file in the target directory; If there are abnormal files in the target directory whose record time in the main file table is inconsistent with the display time in the file system, then the abnormal files are extracted to obtain the fourth attack trace data; The multi-dimensional attack trace data includes the first attack trace data, the second attack trace data, the third attack trace data, and the fourth attack trace data.

3. The host system security emergency response method according to claim 2, characterized in that, The collection of the target host's low-level system behavior to identify hidden malicious behavior and obtain first attack trace data includes: Call the target host's native system API to obtain the list of currently active processes on the target host; The list of currently active processes is cross-compared with the kernel-level driver object of the target host to identify hidden processes; The system persistent configuration items of the target host are traversed to extract the backdoor in the system persistent configuration items; the first attack trace data includes the hidden process and the backdoor.

4. The host system security emergency response method according to claim 1, characterized in that, The process of converting and encrypting the target data includes: Convert the target data to the target data format to obtain the converted target data; The converted target data is encrypted, compressed, and archived using a preset encryption algorithm to obtain the attack trace encrypted data packet, and a first hash check value of the attack trace encrypted data packet is generated. Accordingly, after receiving the encrypted data packet containing attack traces uploaded by the target host, the method further includes: The encrypted data packet containing the attack traces is hashed to obtain a second hash verification value; Compare the second hash check value with the first hash check value; If the second hash verification value is consistent with the first hash verification value, it is determined that the attack trace encrypted data packet has passed the integrity verification, and the process jumps to the step of cleaning the decrypted attack trace data after decrypting the attack trace encrypted data packet.

5. The host system security emergency response method according to claim 1, characterized in that, The step of identifying the abnormal security behavior of the target host using a preset data analysis model and based on the attack trace data dictionary includes: Extract the target entities from the attack trace data dictionary, and extract the parent-child process call relationship and the command line parameters corresponding to each process from the attack trace data dictionary; The target entity is matched with the preset threat intelligence database through the preset rule engine, and detection is performed according to YARA rules to identify the first security anomaly behavior of the target host. Based on the parent-child process call relationship and the command-line parameters, a target prompt word is constructed and input into the preset large language model inference engine so that the preset large language model inference engine can identify the second security anomaly behavior of the target host.

6. The host system security emergency response method according to claim 1, characterized in that, The aforementioned correlation analysis of the abnormal security behaviors, in order to reconstruct the attack chain timeline and obtain an attack behavior relationship graph, includes: Determine the behavior timestamp of the aforementioned security anomaly; Based on the behavior timestamp and the context of the same user account, the abnormal security behavior is correlated and analyzed. The abnormal security behavior is then used as a node and connected according to the analysis results to reconstruct the attack chain timeline and obtain an attack behavior relationship graph.

7. The host system security emergency response method according to any one of claims 1 to 6, characterized in that, The security analysis report generated based on the attack behavior relationship graph, including incident response recommendations, includes: Based on the attack behavior relationship graph, the security incident of the target host is summarized to obtain the target conclusion; The attack behavior relationship graph is organized and analyzed to generate the attack timeline of this security incident, and matched with a preset security handling knowledge base to determine the corresponding emergency response recommendations. Based on the stated objectives, the attack timeline, and the emergency response recommendations, a preset report template is rendered to generate a security analysis report for this security incident.

8. A host system security emergency response device, characterized in that, Applied to the target server, including: The data packet receiving module is used to receive encrypted attack trace data packets uploaded by the target host; the encrypted attack trace data packets are encrypted compressed packages obtained by converting and encrypting the target collected data using a portable collection program local to the target host; the target collected data is multi-dimensional attack trace data obtained by the portable collection program based on a preset attack trace collection knowledge graph, performing attack trace extraction on the target host in offline or online conditions. The dictionary generation module is used to clean the decrypted attack trace data after decrypting the encrypted attack trace data packet, and format it into a corresponding attack trace data dictionary. The correlation analysis module is used to identify the abnormal security behavior of the target host by using a preset data analysis model and the attack trace data dictionary, and to perform correlation analysis on the abnormal security behavior to reconstruct the attack chain timeline and obtain the attack behavior relationship graph; the preset data analysis model includes a preset rule engine and a preset large language model inference engine. The report generation module is used to generate a security analysis report including emergency response recommendations based on the attack behavior relationship graph, so as to perform security emergency response operations on the target host according to the security analysis report.

9. An electronic device, characterized in that, include: Memory, used to store computer programs; A processor for executing the computer program to implement the host system security emergency response method as described in any one of claims 1 to 7.

10. A computer-readable storage medium, characterized in that, Used to store computer programs; wherein, when the computer programs are executed by a processor, they implement the host system security emergency response method as described in any one of claims 1 to 7.