Security threat processing method and apparatus, terminal, and computer-readable storage medium
By monitoring abnormal behavior logs and leveraging large-scale security processing workflows and intelligent security digital object services, a perceptible security threat detection and elimination process is provided, addressing the problem that conventional software struggles to enhance enterprises' awareness of security threats and improving their security operation capabilities.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- BEIJING HONGTENG INTELLIGENT TECH CO LTD
- Filing Date
- 2024-12-09
- Publication Date
- 2026-06-09
AI Technical Summary
Conventional security threat handling software struggles to provide enterprises with a perceptible process for detecting and eliminating security threats, making it difficult for enterprises to enhance their awareness of security threats.
By monitoring abnormal behavior logs, a large-scale security processing workflow is used to handle security threats. The intelligent security digital object service outputs explanatory information on the current processing stage, providing a perceptible security threat detection and elimination process.
It enhanced enterprises' awareness of security threats and improved their security operation capabilities.
Smart Images

Figure CN122174227A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of computer technology, and in particular to a security threat handling method, apparatus, terminal, and computer-readable storage medium. Background Technology
[0002] In recent years, attack methods targeting endpoints have become increasingly complex, and cybersecurity incidents have emerged one after another. Conventional security threat handling software is unable to provide enterprises with a perceptible security threat detection and elimination process like cybersecurity experts, making it difficult for enterprises to enhance their awareness of security threats in the process of dealing with them. Summary of the Invention
[0003] This application provides a security threat handling method, apparatus, terminal, and computer-readable storage medium, which can solve the technical problem that conventional security threat handling software is unable to provide enterprises with a perceptible security threat detection and elimination process like network security experts, making it difficult for enterprises to enhance their awareness of security threats during the security threat handling process.
[0004] In a first aspect, embodiments of this application provide a method for handling security threats, the method comprising:
[0005] Detect abnormal behavior logs and determine the large-scale security handling workflow for the abnormal behavior logs;
[0006] The abnormal behavior logs are processed for security threats according to the workflow of the security processing big model.
[0007] Monitor the current security processing stage of the security processing big model in the security processing big model workflow, and output the big model workflow explanation information corresponding to the current security processing stage through the intelligent security digital object service.
[0008] Optionally, after detecting the abnormal behavior log, the method further includes:
[0009] Determine a wake-up command for the smart secure digital object service, and wake up the smart secure digital object service based on the wake-up command;
[0010] After determining the large-scale workflow for security processing of the abnormal behavior logs, the process also includes:
[0011] The security threat alert interface outputs a large-scale security processing workflow through the intelligent security digital object service.
[0012] Optionally, the step of using a large-scale security processing model to process the abnormal behavior logs for security threats according to the workflow of the large-scale security processing model includes:
[0013] Based on the security processing big model workflow, generate workflow processing prompts and input the workflow processing prompts into the security processing big model.
[0014] Based on the security processing big model, the workflow processing prompts are received, and the security processing operations corresponding to each security processing stage in the security processing big model workflow are executed step by step through the security processing big model to handle security threats in response to the abnormal behavior logs.
[0015] Optionally, the step of generating workflow processing prompts based on the security processing large model workflow includes:
[0016] Based on the aforementioned security processing big model workflow, a workflow processing description is generated, as well as a phase implementation status feedback description for the security processing big model.
[0017] Based on the workflow processing description and the stage implementation status feedback description, workflow processing prompts are generated for the security processing big model.
[0018] Optionally, the method further includes:
[0019] During the security threat handling process, the current security handling stage in the security handling big model workflow is determined, and the stage implementation status feedback information corresponding to the current security handling stage is generated.
[0020] The security processing big model transmits the phase implementation status feedback information to the intelligent security digital object service, so that the intelligent security digital object service can output the big model workflow explanation information corresponding to the current security processing phase based on the phase implementation status feedback information.
[0021] Optionally, monitoring the current security processing stage of the security processing big model in the security processing big model workflow includes:
[0022] The system obtains the phase implementation status feedback information transmitted by the security processing big model through the intelligent security digital object service, and determines the current security processing phase of the security processing big model in the security processing big model workflow based on the phase implementation status feedback information.
[0023] On the security threat alert interface, the current security processing stage in the security processing big model workflow is output through the intelligent security digital object service.
[0024] Optionally, the step of outputting the large model workflow explanation information corresponding to the current security processing stage through the intelligent security digital object service includes:
[0025] Obtain a preset security processing stage information template, and generate a large model workflow execution prompt based on the current security processing stage;
[0026] Based on the intelligent security digital object service control object service big model, obtain the big model workflow execution explanation prompts, the security processing stage information templates, and the stage implementation status feedback information;
[0027] The large model workflow execution prompts are used, and the object service large model is used to fill in the stage implementation status feedback information and the security processing stage information template to obtain the large model workflow explanation information corresponding to the current security processing stage.
[0028] Based on the intelligent secure digital object service, the large model workflow explanation information is obtained, and the large model workflow explanation information corresponding to the current security processing stage is output.
[0029] Optionally, the security processing big model workflow includes, in sequence, the data acquisition analysis stage, the reverse chaining stage, the forward reasoning stage, the evidence chain association stage, the attack graph matching stage, the content review stage, and the report generation stage.
[0030] Optionally, the method further includes:
[0031] During the data acquisition phase of the analysis, the security processing big model is controlled to acquire the abnormal behavior logs;
[0032] In the reverse chaining stage, the security processing big model is controlled to determine malicious chain disconnection behavior based on the abnormal behavior log, and to determine the target process chain targeted by the malicious chain disconnection behavior.
[0033] During the forward reasoning phase, the security processing big model is controlled to determine attack evidence against the target process chain from the abnormal behavior log;
[0034] During the evidence chain association phase, the security processing big model is controlled to perform association processing on the attack evidence to generate an associated network kill chain.
[0035] During the attack graph matching phase, the security processing big model is controlled to acquire a network kill chain database. Based on the network kill chain database, the associated network kill chains are matched for similarity to obtain the target network kill chain, so that the security processing big model can use the target network kill chain to sequentially execute the content review phase and the report generation phase.
[0036] Optionally, the method further includes:
[0037] During the content review phase, the security processing big model is controlled to determine the reference processing strategy content for the target network kill chain, and the target processing strategy content is reviewed based on preset review rules to obtain the reviewed and qualified target processing strategy content.
[0038] During the report generation phase, the security processing big model is controlled to generate a target processing strategy report based on the target processing strategy content.
[0039] Secondly, embodiments of this application provide a security threat handling device, the device comprising:
[0040] The monitoring module is suitable for detecting abnormal behavior logs and determining a large-scale security processing workflow for the abnormal behavior logs.
[0041] The processing module is adapted to perform security threat processing on the abnormal behavior logs according to the workflow of the security processing big model;
[0042] The output module is adapted to monitor the current security processing stage of the security processing big model in the security processing big model workflow, and output the big model workflow explanation information corresponding to the current security processing stage through the intelligent security digital object service.
[0043] Thirdly, embodiments of this application provide a terminal, the terminal comprising:
[0044] Processor; and
[0045] A memory configured to store computer-executable instructions, which, when executed, cause the processor to perform any of the methods described above.
[0046] Fourthly, embodiments of this application provide a computer-readable storage medium that stores one or more programs, which, when executed by a processor, implement the method described in any one of the above-described methods.
[0047] The beneficial effects of the technical solution provided in this application include at least the following: after detecting abnormal behavior logs, the security processing big model determines the security processing big model workflow for the abnormal behavior logs, and then the security processing big model performs security threat processing on the abnormal behavior logs according to the security processing big model workflow. During the security threat processing process, the current security processing stage of the security processing big model in the security processing big model workflow is monitored, and the big model workflow explanation information corresponding to the current security processing stage is output through the intelligent security digital object service. This allows the enterprise to be provided with a perceptible security threat detection and elimination process during the security threat processing of abnormal behavior logs, which helps to enhance the enterprise's awareness of the security threats corresponding to the abnormal behavior logs. This solves the technical problem that conventional security threat processing software cannot provide enterprises with a perceptible security threat detection and elimination process like cybersecurity experts, making it difficult for enterprises to enhance their awareness of security threats during the security threat processing process, thereby effectively improving the enterprise's security operation capabilities. Attached Figure Description
[0048] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0049] Figure 1 An exemplary system architecture diagram of a security threat handling method provided in this application embodiment;
[0050] Figure 2 A flowchart illustrating a security threat handling method provided in an embodiment of this application;
[0051] Figure 3 This application provides a schematic diagram of a security threat handling process according to an embodiment of the present application.
[0052] Figure 4 A flowchart illustrating the generation of workflow processing prompts is provided for an embodiment of this application.
[0053] Figure 5 This application provides a schematic diagram of a process for controlling the output of a large model workflow explanation information corresponding to the current security processing stage of a smart security digital object service.
[0054] Figure 6 A flowchart illustrating the process of determining the current security processing stage, provided as an embodiment of this application;
[0055] Figure 7This application provides a schematic diagram of a workflow explanation for outputting the current security processing stage corresponding to a large model workflow.
[0056] Figure 8 This is a schematic diagram of an interface provided in this application embodiment for outputting explanation information of a large model workflow corresponding to the current security processing stage using the intelligent secure digital object service;
[0057] Figure 9 A flowchart illustrating another security threat handling method provided in this application embodiment;
[0058] Figure 10 This is a schematic diagram of the structure of a security threat handling device provided in an embodiment of this application;
[0059] Figure 11 This is a schematic diagram of the structure of a terminal provided in an embodiment of this application. Detailed Implementation
[0060] To make the features and advantages of the embodiments of this application more apparent and understandable, the technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the protection scope of the embodiments of this application.
[0061] In related technologies, with the continuous development of information technology, hackers' attack methods targeting enterprise and personal terminals are becoming increasingly complex, such as APT (Advanced Persistent Threat) attacks, ransomware attacks, phishing email attacks, and cryptocurrency mining attacks. APT attacks are usually launched by highly professional hacker groups or even state-sponsored organizations, employing persistent and covert methods to remain lurking in the target network for a long time, thereby stealing important data or damaging critical systems, causing serious damage to network security; ransomware attacks usually result in data being encrypted and inaccessible, affecting the normal operation of enterprises and causing economic losses; phishing email attacks exploit the weak security awareness of some users, using disguised email content to lure users into clicking on links or downloading attachments, thereby completing the attack on the user's terminal; cryptocurrency mining attacks use the resources of infected systems to mine cryptocurrency, causing a decrease in productivity and service interruption, thus damaging the normal business of enterprises.
[0062] When faced with these security threats, enterprises typically use conventional security threat handling software for detection and removal. However, this software usually presents the detection and removal process to users using fixed, step-by-step instructions, making it difficult for users to obtain relevant and meaningful information about the security threats during the process. Therefore, conventional security threat handling software cannot provide enterprises with a perceptible security threat detection and removal process like a cybersecurity expert, hindering enterprises from enhancing their awareness of security threats during the threat handling process.
[0063] To address existing technical problems, this application provides a security threat handling method. The method involves a terminal detecting abnormal behavior logs and determining a large-scale security handling workflow for these logs. The large-scale security handling model is then used to handle the security threats from the abnormal behavior logs according to this workflow. Furthermore, the method monitors the current security handling stage of the large-scale security handling workflow and outputs explanations of the workflow corresponding to the current stage through an intelligent security digital object service. This solves the technical problem that conventional security threat handling software cannot provide enterprises with a perceptible security threat detection and removal process like a cybersecurity expert, making it difficult for enterprises to enhance their awareness of security threats during the security threat handling process.
[0064] Please see Figure 1 , Figure 1 This is an exemplary system architecture diagram of a security threat handling method provided in an embodiment of this application.
[0065] like Figure 1 As shown, the system architecture may include a terminal 101, a network 102, and a server 103. The network 102 serves as the medium for providing a communication link between the terminal 101 and the server 103. The network 102 may include various types of wired or wireless communication links, such as wired communication links including fiber optic cables, twisted-pair cables, or coaxial cables, and wireless communication links including Bluetooth communication links, Wireless-Fidelity (Wi-Fi) communication links, or microwave communication links, etc.
[0066] Terminal 101 can interact with server 103 via network 102 to receive messages from or send messages to server 103. Alternatively, terminal 101 can interact with server 103 via network 102 to receive messages or data sent to server 103 by other users. Terminal 101 can be hardware or software. When terminal 101 is hardware, it can be various terminals, including but not limited to smartwatches, smartphones, tablets, laptops, and desktop computers. When terminal 101 is software, it can be installed in the terminals listed above, and can be implemented as multiple software programs or software modules (e.g., to provide distributed services) or as a single software program or software module; no specific limitation is made here.
[0067] Server 103 can be a business server providing various services. It should be noted that server 103 can be either hardware or software. When server 103 is hardware, it can be implemented as a distributed server cluster consisting of multiple servers, or as a single server. When server 103 is software, it can be implemented as multiple software programs or software modules (e.g., used to provide distributed services), or as a single software program or software module; no specific limitations are made here.
[0068] In this embodiment, terminal 101 can monitor abnormal behavior logs, determine the security processing big model workflow for the abnormal behavior logs, use the security processing big model to process security threats in the abnormal behavior logs according to the security processing big model workflow, monitor the current security processing stage of the security processing big model in the security processing big model workflow, and output the big model workflow explanation information corresponding to the current security processing stage through the intelligent security digital object service.
[0069] It should be understood that Figure 1 The number of terminals, networks, and servers shown is merely illustrative; any number of terminals, networks, and servers can be used as needed. Of course, the system architecture provided in this application may not include servers; that is, servers are optional in the system architecture provided in this application.
[0070] Please see Figure 2 , Figure 2 This is a flowchart illustrating a security threat handling method provided in an embodiment of this application. The executing entity in this embodiment can be a terminal executing the security threat handling method, a processor within the terminal executing the security threat handling method, or a security threat handling service within the terminal executing the security threat handling method. For ease of description, the following uses the processor within the terminal as an example to describe the specific execution process of the security threat handling method.
[0071] like Figure 2 As shown, the methods for handling security threats include:
[0072] S202: Abnormal behavior logs were detected. Determine the large-scale workflow for the security handling of abnormal behavior logs.
[0073] This includes acquiring behavior logs generated by the terminal. Behavior logs refer to records generated in the computer system corresponding to the terminal when performing operations or running programs. These records can include information such as program execution, process calls, file operations, and network access.
[0074] The system monitors abnormal behavior logs generated by the terminal. Specifically, it can monitor abnormal behavior logs in the EDR (Endpoint Detection and Response) endpoint security monitoring and response system on the terminal. When abnormal behavior logs are found, the EDR endpoint security monitoring and response system identifies and reports the abnormal behavior logs.
[0075] After obtaining the abnormal behavior logs, in order to obtain the security processing workflow of the large model for abnormal behavior logs, the security processing stage corresponding to each agent in the large model can be determined. Then, the security processing workflow of the large model is determined based on the stage coordination relationship of each agent's corresponding security processing stage.
[0076] The large-scale security processing model can be trained on a security corpus, which is formed by preprocessing the original large-scale security data corpus. Here, data preprocessing is used to generate the training, validation, and test sets for the model from the original large-scale security data corpus, thus obtaining the security corpus. Then, the initial large-scale security processing model is pre-trained based on the security corpus. After the initial large-scale security processing model is pre-trained, it is encapsulated into multiple agents with subdivided capabilities. Each agent can be responsible for at least one security processing stage. Multiple agents collaboratively process multiple security processing stages, forming the workflow of the large-scale security processing model. Simultaneously, the multiple collaborative agents constitute the large-scale security processing model. Here, the agents possess the capabilities of perception, analysis, decision-making, and action. The large-scale security processing model, based on the collaborative cooperation of multiple agents, achieves a working mode similar to the human brain. Relying on the large-scale security processing model's capabilities in language, planning, discrimination, memory, and other aspects, it performs correlation analysis and logical reasoning to effectively identify, assess, and handle threats.
[0077] It should be noted that raw security big data corpus refers to unprocessed raw data collected in fields such as information security, network security, and system security. This raw data can include network traffic logs, system logs, security event logs, intrusion detection system alert logs, firewall logs, application logs, and other log data that may reflect the security status.
[0078] S204: Use the security processing big model to process security threats from abnormal behavior logs according to the security processing big model workflow.
[0079] The security processing master model comprises multiple cooperating agents, each handling one or more security processing stages. These stages work together to form the workflow of the master model. The agents in the master model sequentially execute the various security processing stages for abnormal behavior logs, thereby enabling security threat handling of these logs. The security processing stages may sequentially include data acquisition analysis, reverse linking, forward reasoning, evidence chain association, attack graph matching, content review, and report generation.
[0080] In the data acquisition phase, the endpoint control security processing big model acquires abnormal behavior logs. In the reverse chaining phase, the big model determines malicious disconnection behavior and the target process chain targeted by the malicious disconnection behavior based on the abnormal behavior logs. In the forward reasoning phase, the big model identifies attack evidence against the target process chain from the abnormal behavior logs. In the evidence chain association phase, the big model performs association processing on the attack evidence to generate associated network kill chains. In the attack graph matching phase, the big model acquires a network kill chain database and performs similarity matching on associated network kill chains based on the database to obtain the target network kill chain. This allows the security processing big model to sequentially execute the content review phase and the report generation phase using the target network kill chain. In the content review phase, the big model determines reference processing strategy content for the target network kill chain and performs content review on the target processing strategy content based on preset review rules to obtain approved target processing strategy content. In the report generation phase, the big model generates a target processing strategy report based on the target processing strategy content.
[0081] S206: Monitor the current security processing stage of the security processing big model in the security processing big model workflow, and output the big model workflow explanation information corresponding to the current security processing stage through the intelligent security digital object service.
[0082] Specifically, during the security threat handling process of abnormal behavior logs according to the security processing big model workflow, the current security processing stage is monitored. During or after the current security processing stage, the intelligent security digital object service outputs explanations of the big model workflow corresponding to the current security processing stage, based on the processing information of that stage. It should be noted that S204 and S206 can be executed in parallel.
[0083] For example, after determining the large-scale security processing workflow, a visual interface for the large-scale security processing workflow can be generated based on it. This visual interface can be a security threat alert interface, such as generating a visual interface corresponding to "1. Data Acquisition Stage → 2. Reverse Linking Stage → 3. Forward Reasoning Stage → 4. Evidence Chain Association Stage → 5. Attack Graph Matching Stage → 6. Content Review Stage → 7. Report Generation Stage". After determining the current security processing stage, the visual interface can differentiate the current stage to indicate the user's current stage. Simultaneously, the workflow explanation information corresponding to the current stage can be displayed in association, indicating the operations taken and their results. Furthermore, the workflow explanation information can be read aloud using pre-defined digital objects. These digital objects include, but are not limited to, digital humans and virtual assistants.
[0084] In the embodiments provided in this application, after detecting abnormal behavior logs, a security processing big model workflow is determined for the abnormal behavior logs. The security processing big model then performs security threat processing on the abnormal behavior logs according to the security processing big model workflow. During the security threat processing, the current security processing stage of the security processing big model in the security processing big model workflow is monitored. This is achieved by outputting the big model workflow explanation information corresponding to the current security processing stage through the intelligent security digital object service. This allows for a perceptible security threat detection and elimination process for enterprises during the security threat processing of abnormal behavior logs, helping to enhance enterprises' awareness of the security threats corresponding to the abnormal behavior logs. This solves the technical problem that conventional security threat processing software cannot provide enterprises with a perceptible security threat detection and elimination process like cybersecurity experts, making it difficult for enterprises to enhance their awareness of security threats during the security threat processing process. Therefore, it effectively improves the enterprise's security operation capabilities.
[0085] In the embodiments provided in this application, after detecting abnormal behavior logs, the method further includes:
[0086] Determine the wake-up command for the Smart Secure Digital Object Service, and wake up the Smart Secure Digital Object Service based on the wake-up command;
[0087] After defining the overall workflow for security handling of abnormal behavior logs, the following steps are also included:
[0088] The security threat alert interface outputs a large-scale security processing workflow through the intelligent security digital object service.
[0089] Upon detecting abnormal behavior logs, a wake-up command for the Intelligent Security Digital Object Service can be automatically generated; alternatively, based on a user-input wake-up word, a corresponding wake-up command can be generated, such as "Hi, Mr. Zhou" or "Hi, Kexin." Wake-up word input methods include, but are not limited to, voice input and text input. After generating the wake-up command, the terminal confirms the command and then activates the Intelligent Security Digital Object Service, transitioning it from a dormant, standby, or off state to a running state. The Intelligent Security Digital Object Service is used to output explanations of the large-scale model workflow corresponding to the current security processing stage.
[0090] After determining the security processing workflow for abnormal behavior logs, the intelligent security digital object service is used to render the basic security threat alarm interface based on the determined security processing workflow, resulting in a security threat alarm interface that includes the security processing workflow. The security processing workflow is then output on the security threat alarm interface through the intelligent security digital object service.
[0091] The embodiments provided in this application determine a wake-up command for the intelligent security digital object service, thereby waking up the intelligent security digital object service using the wake-up command, so that the intelligent security digital object service can output a security processing large model workflow on the security threat alarm interface, and output corresponding large model workflow explanation information for the current security processing stage.
[0092] Please see Figure 3 , Figure 3 This is a schematic diagram illustrating a security threat handling process provided in an embodiment of this application. Figure 3 As shown, S204 employs a comprehensive security processing model to handle security threats from abnormal behavior logs according to the model's workflow, including:
[0093] S302: Generate workflow processing prompts based on the security processing big model workflow, and input the workflow processing prompts into the security processing big model.
[0094] The security processing workflow includes multiple security processing stages. Corresponding stage processing prompts are generated for each stage, and workflow processing prompts are derived based on these prompts. After the workflow processing prompts are input into the security processing model, the agent corresponding to each security processing stage retrieves the corresponding stage processing prompt from the workflow prompts, and then performs the appropriate processing based on the received stage processing prompts.
[0095] For example, the stage processing tasks for each security processing stage are obtained, and then stage processing prompts are generated based on the stage processing tasks for each security processing stage to instruct the corresponding agent to perform the corresponding stage processing task. Then, each stage processing prompt is tagged so that each prompt carries a tag corresponding to the security processing stage.
[0096] At least based on the processing prompts for each stage, the workflow processing prompts are obtained. The workflow processing prompts are then input into the security processing big model. Each agent in the security processing big model identifies the stage processing prompts carrying security processing stage labels, thereby obtaining the stage processing prompts for the security processing stage corresponding to the agent.
[0097] S304: Based on the security processing big model, receive workflow processing prompts and execute the security processing operations corresponding to each security processing stage in the security processing big model workflow step by step to handle security threats in abnormal behavior logs.
[0098] In this process, after the security processing big model receives the workflow processing prompts, it performs stage-by-stage processing on the workflow processing prompts to obtain the stage prompts for the corresponding security processing stages. The stage prompts include the stage processing prompts. Then, the agents responsible for each security processing stage in the security processing big model obtain the corresponding stage prompts for the security processing stages. Based on the stage processing order of each security processing stage in the security processing big model workflow, they execute the security processing operations corresponding to each security processing stage step by step, thereby handling security threats based on abnormal behavior logs.
[0099] In the embodiments provided in this application, workflow processing prompts are generated using a large security processing model workflow. These prompts are then input into the large security processing model to control it to execute security processing operations corresponding to each security processing stage in the workflow step by step. This allows for security threat processing of abnormal behavior logs according to the workflow of the large security processing model.
[0100] Please see Figure 4 , Figure 4This is a flowchart illustrating the generation of workflow processing prompts, provided as an embodiment of this application. Figure 4 As shown, in S302, workflow processing prompts based on the large-scale security processing workflow are generated, including:
[0101] S402: Generate workflow processing descriptions based on the security processing big model workflow, and generate phase implementation status feedback descriptions for the security processing big model.
[0102] The process involves obtaining the large-scale security processing workflow, processing its data, and generating corresponding stage descriptions for each stage. Based on these stage descriptions, specific prompts can be identified for each stage. Finally, the overall workflow processing description for the large-scale security processing workflow is derived from these stage descriptions.
[0103] Simultaneously, based on the workflow of the large-scale security processing model, stage feedback descriptions are generated for each security processing stage. Based on these stage feedback descriptions, stage implementation status feedback descriptions for the large-scale security processing model are obtained. Based on the stage feedback descriptions, corresponding stage feedback prompts can be determined. These prompts instruct the corresponding agent to provide feedback on the agent's processing information at the corresponding security processing stage. This processing information includes, but is not limited to, the processing procedure and the processing result.
[0104] S404: Generate workflow processing prompts for the large-scale security processing model based on workflow processing descriptions and phase implementation status feedback descriptions.
[0105] Specifically, based on the workflow processing description, corresponding stage processing descriptions are generated for each security processing stage, and stage feedback descriptions are generated for each security processing stage based on the stage implementation status feedback descriptions. Then, stage processing prompts are determined based on the stage processing descriptions, and stage feedback prompts are determined based on the stage feedback descriptions. Next, stage prompts are determined based on the stage processing prompts and stage feedback prompts corresponding to the same security processing stage. Finally, workflow processing prompts for the overall security processing model are determined based on the stage prompts corresponding to all security processing stages.
[0106] In the embodiments provided in this application, a workflow processing description is generated through a large-scale security processing model workflow, and a phase implementation status feedback description for the large-scale security processing model is generated. Then, workflow processing prompts for the large-scale security processing model are generated based on the workflow processing description and the phase implementation status feedback description. This allows the workflow processing prompts for the large-scale security processing model to instruct it to handle security threats from abnormal behavior logs according to the large-scale security processing model workflow, and to provide feedback on processing information at each security processing stage.
[0107] Please see Figure 5 , Figure 5 This is a flowchart illustrating the workflow of a control intelligent security digital object service that outputs information about the large model's workflow corresponding to the current security processing stage, as provided in an embodiment of this application. Figure 5 As shown, the method includes:
[0108] S502: During the security threat handling process, determine the current security handling stage in the security handling big model workflow, and generate the corresponding stage implementation status feedback information.
[0109] In this process, after the security processing big model receives the workflow processing prompt, it executes the security processing operations corresponding to each security processing stage in the security processing big model workflow step by step. At the current security processing stage, the security processing big model generates the stage implementation status feedback information corresponding to the current security processing stage.
[0110] For example, in the large security processing model, the agent corresponding to the current security processing stage obtains the stage prompt word corresponding to the current security processing stage from the workflow processing prompt words. Then, based on the stage feedback prompt word in the stage prompt word, the agent is instructed to generate the stage implementation status feedback information corresponding to the current security processing stage during or after the execution of the current security processing stage. The stage implementation status feedback information includes, but is not limited to, the processing process and processing result corresponding to the current security processing stage.
[0111] S504: Transmit phase implementation status feedback information to the intelligent security digital object service through the security processing big model, so that the intelligent security digital object service can output the big model workflow explanation information corresponding to the current security processing phase based on the phase implementation status feedback information.
[0112] Specifically, after the security processing big model generates the phase implementation status feedback information corresponding to the current security processing phase, the security processing big model sends the phase implementation status feedback information to the intelligent security digital object service. The intelligent security digital object service performs standardized processing on the phase implementation status feedback information to obtain the big model workflow explanation information, thereby controlling the intelligent security digital object service to output the big model workflow explanation information corresponding to the current security processing phase.
[0113] In the embodiments provided in this application, the security processing big model generates phase implementation status feedback information corresponding to the current security processing phase based on workflow processing prompts, and then transmits the phase implementation status feedback information to the intelligent security digital object service, thereby controlling the intelligent security digital object service to output the big model workflow explanation information corresponding to the current security processing phase based on the phase implementation status feedback information.
[0114] Please see Figure 6 , Figure 6 This is a flowchart illustrating a process for determining the current security processing stage, as provided in an embodiment of this application. Figure 6 As shown in S206, the current security processing stage of the large-scale security processing model in the security processing workflow includes:
[0115] S602: Obtain the phase implementation status feedback information of the security processing big model transmission through the intelligent security digital object service, and determine the current security processing phase of the security processing big model in the security processing big model workflow based on the phase implementation status feedback information.
[0116] The security processing big model sends phase implementation status feedback information to the intelligent security digital object service, which in turn receives the phase implementation status feedback information sent by the security processing big model.
[0117] Subsequently, the intelligent security digital object service performs data parsing and processing on the phase implementation status feedback information to obtain the current security processing phase in the security processing big model workflow corresponding to the phase implementation status feedback information.
[0118] S604: On the security threat alarm interface, the current security processing stage in the security processing big model workflow is output through the intelligent security digital object service.
[0119] Specifically, the system utilizes intelligent security digital object services to render the basic security threat alarm interface based on a large-scale security processing model workflow. This results in a security threat alarm interface that includes the large-scale security processing model workflow, which is then output through the intelligent security digital object services. Simultaneously, based on the determined current security processing stage, the system displays the corresponding current security processing stage within the large-scale security processing model workflow output by the intelligent security digital object services.
[0120] For example, the current security processing stage in the security processing big model workflow can be displayed differently on the security threat alarm interface. The means of displaying the differences include, but are not limited to, different color display, different icon display, etc.
[0121] In the embodiments provided in this application, the security processing big model sends the phase implementation status feedback information to the intelligent security digital object service. The intelligent security digital object service receives the phase implementation status feedback information sent by the security processing big model, performs data parsing processing on the phase implementation status feedback information to obtain the current security processing phase in the security processing big model workflow corresponding to the phase implementation status feedback information. At the same time, based on the determined current security processing phase, the corresponding current security processing phase in the security processing big model workflow output by the intelligent security digital object service is output in the security threat alarm interface.
[0122] Please see Figure 7 , Figure 7 This is a flowchart illustrating the output of a large model workflow explanation corresponding to the current security processing stage, provided as an embodiment of this application. Figure 7 As shown in Figure S206, the intelligent security digital object service outputs the large model workflow explanation information corresponding to the current security processing stage, including:
[0123] S702: Obtain the preset security processing stage information template, and generate large model workflow execution prompts based on the current security processing stage.
[0124] Each security processing stage has its own corresponding security processing stage information template. The security processing stage information templates corresponding to each security processing stage in the large security processing model workflow are obtained, and then the execution explanation prompt words of the large model workflow corresponding to the current security processing stage are generated.
[0125] S704: Based on the intelligent security digital object service control object service large model, obtain the large model workflow execution instructions, security processing stage information templates, and stage implementation status feedback information.
[0126] Among them, the large model workflow execution explanation prompts are used to instruct the object service large model to process the security processing stage information template and stage implementation status feedback information, thereby obtaining the large model workflow explanation information corresponding to the current security processing stage.
[0127] S706: Utilize the large model workflow to execute explanation prompts. Through the object service large model, perform template filling processing on the phase implementation status feedback information and safety processing phase information templates to obtain the large model workflow explanation information corresponding to the current safety processing phase.
[0128] Among them, after receiving the large model workflow execution explanation prompts, security processing stage information templates, and stage implementation status feedback information, the object service large model uses the stage implementation status feedback information to fill the security processing stage information template based on the large model workflow execution explanation prompts, thereby obtaining the large model workflow explanation information corresponding to the current security processing stage.
[0129] S708: Obtain large model workflow explanation information based on intelligent secure digital object service, and output the large model workflow explanation information corresponding to the current security processing stage.
[0130] Specifically, after obtaining the workflow explanation information of the large model corresponding to the current security processing stage based on the object service large model, the intelligent security digital object service is used to obtain the workflow explanation information of the large model. Then, the intelligent security digital object service outputs the workflow explanation information of the large model corresponding to the current security processing stage on the security threat alarm interface.
[0131] For example, during the data acquisition phase of the analysis, the workflow explanation for the large model could be: "The security processing large model has begun executing the hunting mission, has automatically acquired EDR behavior logs from its own core, and is simulating a security expert to conduct human-like analysis"; specifically... Figure 8 As shown, Figure 8 This is a schematic diagram illustrating an interface used in an embodiment of this application to output explanation information of a large model workflow corresponding to the current security processing stage, utilizing the Smart Secure Digital Object Service. Figure 8 As shown, you can light up "1. Data Acquisition Analysis" (lighting illustration). Figure 8 (Not shown in the image), and then, based on the pre-customized digital human (the digital human on the left in the image) in the intelligent security digital object service, the explanation information of the large model workflow corresponding to the current security processing stage is broadcast. Here, the appearance of the pre-customized digital human is not limited, and in addition, the digital human can answer customer questions during the explanation.
[0132] In the reverse chaining stage (corresponding to) Figure 8 The workflow explanation for the large model can be described as follows: "The intelligent agent uses expert knowledge and event chain backtracking to identify and lock malicious chain break behavior from a large number of log alarms, and accurately repairs the process chain to complete the reverse chain connection."
[0133] In the forward reasoning stage (corresponding to) Figure 8 (Forward reasoning in section 3), the workflow explanation information for the large model can be: "Forward reasoning has been started. Starting from the head of the process chain, combining the original behavioral data, attack and defense tactics knowledge, and evidence chain association knowledge, relevant attack evidence is obtained."
[0134] In the evidence chain linking stage (corresponding to) Figure 8(4 evidence chain associations) The workflow explanation information for the large model can be "Evidence chain association has been performed, evidence chain association based on attack evidence has been performed, and complete drawing has been performed";
[0135] During the attack graph matching phase (corresponding to) Figure 8 (Middle 5 attack graph matching), the large model workflow explanation information can be "The attack process has been replayed, and by combining family group information and knowledge graph, similarity matching is performed in the kill chain of the knowledge graph to discover the complete attack intent and attack organization information, and to give the real attack intent and related handling suggestions".
[0136] During the content review stage (corresponding to) Figure 8 (Content review in section 6), the workflow explanation information for the large model can be "The report has been completed and reviewed without error, and the result feedback is being processed for security purposes."
[0137] In the report formation stage (corresponding to) Figure 8 The report (formed in section 7) provides information on the large model workflow, which states: "The security processing large model has completed the alarm intelligent analysis report. The report includes attack results, alarm interpretation, complete attack chain, impact analysis, and handling suggestions. To ensure the safe operation of your business, please review it carefully and take timely action."
[0138] In the embodiments provided in this application, a large model workflow execution explanation prompt is generated based on the current security processing stage. Then, the large model workflow execution explanation prompt is used to fill the stage implementation status feedback information and security processing stage information template through the object service large model to obtain the large model workflow explanation information corresponding to the current security processing stage. Finally, the intelligent security digital object service is used to output the large model workflow explanation information corresponding to the current security processing stage.
[0139] In the embodiments approved in this application, the security processing large model workflow sequentially includes the following stages: data acquisition, reverse linking, forward reasoning, evidence chain association, attack graph matching, content review, and report generation. For details, please refer to... Figure 9 , Figure 9 This is a flowchart illustrating another security threat handling method provided in an embodiment of this application. Figure 9 As shown, security threat handling methods may also include:
[0140] S902: During the data acquisition phase of analysis, control the security processing of large model acquisition of abnormal behavior logs.
[0141] In the data acquisition and analysis phase, the behavior logs generated by the terminal are acquired, and abnormal behavior logs are monitored. Once abnormal behavior logs are detected, the security processing model is controlled to acquire the abnormal behavior logs.
[0142] S904: During the reverse chaining phase, the control security processing big model determines malicious chain breaking behavior based on abnormal behavior logs, and determines the target process chain targeted by the malicious chain breaking behavior.
[0143] Among them, S904 identifies malicious disconnection behavior based on abnormal behavior logs, including:
[0144] Abnormal behavior events are identified based on abnormal behavior logs. These abnormal behavior events are then correlated to obtain an abnormal behavior event chain. Feature extraction processing is performed on the abnormal behavior event chain to obtain event link features. Based on the event link features, the behavior type of the abnormal behavior event chain is determined. When the behavior type is the target type, the target behavior corresponding to the abnormal behavior event chain is determined to be a malicious chain disconnection behavior.
[0145] Specifically, by analyzing the correlation or causal relationship between abnormal behavior events, events with correlation or causal relationship can be associated to obtain abnormal behavior event chains. Then, feature extraction processing is performed on each abnormal behavior event chain to obtain the event link features corresponding to each chain. A link feature-behavior type mapping relationship is obtained, and the behavior type of the event link features is determined based on this mapping relationship. When the behavior type matches the target type, it indicates that the target behavior corresponding to the abnormal behavior event chain is a malicious chain-breaking behavior.
[0146] S904 defines the target process chain for malicious disconnection behavior, including:
[0147] Identify the target process interrupted by the malicious disconnection behavior and obtain the upstream process corresponding to the target process; repair the target process to determine the downstream process corresponding to the target process; and obtain the target process chain based on process association processing of the upstream process, target process, and downstream process.
[0148] Specifically, after identifying malicious disconnection behavior, the target process to be interrupted is determined. There can be one or more target processes. For example, in a call process from process A to process B, if process A is interrupted, then process A is the target process; if process B is interrupted, then process B is the target process; if the call process between processes A and B is interrupted, then both processes A and B are the target processes. The upstream processes corresponding to the target processes are one or more processes that directly or indirectly call the target processes, and the downstream processes corresponding to the target processes are one or more processes that the target processes directly or indirectly call.
[0149] Finally, the target process chain is determined based on the original call relationships between the upstream process, the target process, and the downstream process.
[0150] S906: During the forward reasoning phase, the control security processing big model determines attack evidence against the target process chain from the abnormal behavior log.
[0151] Specifically, S906 identifies attack evidence against the target process chain from abnormal behavior logs, including:
[0152] Obtain process operation information targeting upstream, target, and downstream processes in the target process chain from abnormal behavior logs; perform anomaly identification processing on the process operation information to obtain abnormal process operation information; determine attack evidence against the target process chain based on the abnormal process operation information.
[0153] S908: During the evidence chain association phase, the control security processing big model performs association processing on attack evidence to generate an associated network kill chain.
[0154] Specifically, S908 performs correlation processing on attack evidence to generate a correlation network kill chain, including:
[0155] Identify at least one attack target corresponding to each piece of attack evidence, and obtain all attack targets corresponding to all attack evidence; perform clustering and association processing on the attack evidence based on the attack targets to obtain the associated network kill chain corresponding to each attack target.
[0156] Specifically, the associated network kill chain can refer to a series of links and steps that an attacker goes through when carrying out a network attack, from the starting point of the attack to the target, involving multiple stages and behaviors.
[0157] S910: During the attack graph matching phase, the control security processing big model obtains the network kill chain database, and performs similarity matching on related network kill chains based on the network kill chain database to obtain the target network kill chain, so that the security processing big model can use the target network kill chain to sequentially execute the content review phase and the report generation phase.
[0158] In this process, by combining family group information and knowledge graphs, the network kill chain database is used to perform similarity matching on related network kill chains to obtain the target network kill chain. Then, based on the target network kill chain obtained by matching, the attacker's complete attack intent and attack organization information are discovered, thereby providing the true attack intent and relevant handling suggestions.
[0159] Furthermore, in the embodiments provided in this application, during the content review stage, the control security processing big model determines the reference processing strategy content for the target network kill chain, and performs content review on the target processing strategy content based on preset review rules to obtain the reviewed and qualified target processing strategy content; during the report generation stage, the control security processing big model generates a target processing strategy report based on the target processing strategy content.
[0160] Please see Figure 10 , Figure 10 This is a schematic diagram of a security threat handling device provided in an embodiment of this application. Figure 10 As shown, the security threat handling device 1000 includes:
[0161] Monitoring module 1010 is suitable for monitoring abnormal behavior logs and determining the large-scale workflow for security handling of abnormal behavior logs;
[0162] Processing module 1020 is suitable for processing security threats on abnormal behavior logs according to the workflow of the security processing big model.
[0163] The output module 1030 is suitable for monitoring the current security processing stage of the security processing big model in the security processing big model workflow, and outputs the big model workflow explanation information corresponding to the current security processing stage through the intelligent security digital object service.
[0164] Optionally, the security threat handling device 1000 further includes:
[0165] The first determining module is adapted to determine a wake-up command for the smart security digital object service, and wake up the smart security digital object service based on the wake-up command;
[0166] The second determination module, after determining the large-scale workflow for security processing of abnormal behavior logs, also includes:
[0167] The service output module is suitable for outputting a large-scale security processing workflow through the intelligent security digital object service in the security threat alarm interface.
[0168] Optionally, the processing module 1020 includes:
[0169] The prompt input unit is suitable for generating workflow processing prompts based on the security processing large model workflow and inputting the workflow processing prompts into the security processing large model.
[0170] The execution unit is suitable for receiving workflow processing prompts based on the security processing big model, and for performing security processing operations corresponding to each security processing stage in the security processing big model workflow step by step, so as to handle security threats in abnormal behavior logs.
[0171] Optionally, the prompt word input unit includes:
[0172] The description generates sub-units suitable for generating workflow processing descriptions based on the large-scale security processing model workflow, as well as generating phase implementation status feedback descriptions for the large-scale security processing model.
[0173] The prompt word generation subunit is suitable for generating workflow processing prompt words for a large-scale security processing model based on workflow processing descriptions and stage implementation status feedback descriptions.
[0174] Optionally, the security threat handling device 1000 further includes:
[0175] The feedback information determination module is suitable for determining the current security processing stage in the security processing big model workflow during the security threat handling process, and generating the corresponding stage implementation status feedback information.
[0176] The information output module is suitable for transmitting phase implementation status feedback information to the intelligent security digital object service through the security processing big model, so that the intelligent security digital object service can output the big model workflow explanation information corresponding to the current security processing phase based on the phase implementation status feedback information.
[0177] Optionally, the output module 1030 includes:
[0178] The current security processing stage determination unit is suitable for obtaining the stage implementation status feedback information transmitted by the security processing big model through the intelligent security digital object service, and determining the current security processing stage of the security processing big model in the security processing big model workflow based on the stage implementation status feedback information;
[0179] The current security processing stage output unit is suitable for outputting the current security processing stage in the security processing big model workflow through the intelligent security digital object service on the security threat alarm interface.
[0180] Optionally, the output module 1030 includes:
[0181] The large-scale workflow execution explanation prompt generation unit is suitable for obtaining preset security processing stage information templates and generating large-scale workflow execution explanation prompts based on the current security processing stage.
[0182] The control unit is suitable for obtaining the workflow execution prompts, security processing stage information templates, and stage implementation status feedback information of the large model based on the intelligent security digital object service control object service large model;
[0183] The fill unit is suitable for using the large model workflow to execute explanatory prompts. It fills the templates of the phase implementation status feedback information and the safety processing phase information templates through the object service large model to obtain the large model workflow explanation information corresponding to the current safety processing phase.
[0184] The large model workflow explanation information output unit is suitable for obtaining large model workflow explanation information based on intelligent security digital object service, and outputting the large model workflow explanation information corresponding to the current security processing stage.
[0185] Optionally, the security processing large model workflow includes, in sequence, the data acquisition analysis stage, the reverse linking stage, the forward reasoning stage, the evidence chain association stage, the attack graph matching stage, the content review stage, and the report generation stage.
[0186] Optionally, during the data acquisition phase of the analysis, control the security processing of large models to acquire abnormal behavior logs;
[0187] During the reverse chaining phase, the control security processing big model determines malicious chain breaking behavior based on abnormal behavior logs, as well as the target process chain targeted by the malicious chain breaking behavior.
[0188] During the forward reasoning phase, the control security processing big model identifies attack evidence against the target process chain from the abnormal behavior logs;
[0189] During the evidence chain association phase, the control security processing big model performs association processing on attack evidence to generate an associated network kill chain.
[0190] During the attack graph matching phase, the control security processing big model acquires the network kill chain database. Based on the network kill chain database, it performs similarity matching on related network kill chains to obtain the target network kill chain, so that the security processing big model can use the target network kill chain to sequentially perform the content review phase and the report generation phase.
[0191] Optionally, during the content review stage, the control security processing big model determines the reference processing strategy content for the target network kill chain, and conducts content review on the target processing strategy content based on preset review rules to obtain the approved target processing strategy content.
[0192] During the report generation phase, the control security processing big model generates a target processing strategy report based on the target processing strategy content.
[0193] Please see Figure 11 , Figure 11 This is a schematic diagram of the structure of a terminal provided in an embodiment of this application. Figure 11As shown, terminal 1100 may include: at least one processor 1101, at least one network interface 1104, user interface 1103, memory 1105, and at least one communication bus 1102.
[0194] The communication bus 1102 is used to realize the connection and communication between these components.
[0195] The user interface 1103 may include a display screen and a camera. Optionally, the user interface 1103 may also include a standard wired interface and a wireless interface.
[0196] The network interface 1104 may optionally include a standard wired interface or a wireless interface (such as a Wi-Fi interface).
[0197] The processor 1101 may include one or more processing cores. The processor 1101 connects to various parts within the terminal 1100 using various interfaces and lines, and performs various functions and processes data by running or executing instructions, programs, code sets, or instruction sets stored in the memory 1105, and by calling data stored in the memory 1105. Optionally, the processor 1101 may be implemented using at least one hardware form of DSP (Digital Signal Processing), FPGA (Field-Programmable Gate Array), or PLA (Programmable Logic Array). The processor 1101 may integrate one or more of the following: CPU (Central Processing Unit), GPU (Graphics Processing Unit), and modem. The CPU primarily handles the operating system, user interface, and applications; the GPU is responsible for rendering and drawing the content required for display; and the modem handles wireless communication. It is understood that the modem may also be implemented as a separate chip without being integrated into the processor 1101.
[0198] The memory 1105 may include RAM (Random Access Memory) or ROM (Read-Only Memory). Optionally, the memory 1105 may include a non-transitory computer-readable storage medium. The memory 1105 can be used to store instructions, programs, code, code sets, or instruction sets. The memory 1105 may include a program storage area and a data storage area, wherein the program storage area may store instructions for implementing an operating system, instructions for at least one function (such as touch function, sound playback function, image playback function, etc.), instructions for implementing the above-described method embodiments, etc.; the data storage area may store data involved in the above-described method embodiments, etc. Optionally, the memory 1105 may also be at least one storage device located remotely from the aforementioned processor 1101. Figure 11 As shown, the memory 1105, which serves as a computer storage medium, may include an operating system, a network communication module, a user interface module, and a security threat handling program.
[0199] exist Figure 11 In the terminal 1100 shown, the user interface 1103 is mainly used to provide an input interface for the user and to obtain the user's input data; while the processor 1101 can be used to call the security threat handling program stored in the memory 1105 and specifically perform the following operations:
[0200] Detect abnormal behavior logs and determine a large-scale security handling workflow for these logs.
[0201] A comprehensive security processing model is adopted, and the abnormal behavior logs are processed for security threats according to the workflow of the comprehensive security processing model.
[0202] Monitor the current security processing stage of the security processing big model in the security processing big model workflow, and output the big model workflow explanation information corresponding to the current security processing stage through the intelligent security digital object service.
[0203] Optionally, after the processor 1101 detects the abnormal behavior log, it is also suitable to execute:
[0204] Determine the wake-up command for the Smart Secure Digital Object Service, and wake up the Smart Secure Digital Object Service based on the wake-up command;
[0205] After defining the overall workflow for security handling of abnormal behavior logs, the following steps are also included:
[0206] The security threat alert interface outputs a large-scale security processing workflow through the intelligent security digital object service.
[0207] Optionally, when processor 1101 performs security threat processing on abnormal behavior logs according to the security processing big model workflow, it specifically executes:
[0208] Based on the security processing big model workflow, generate workflow processing prompts and input the workflow processing prompts into the security processing big model.
[0209] Based on the security processing big model, the system receives workflow processing prompts and executes security processing operations corresponding to each security processing stage in the security processing big model workflow step by step to handle security threats in response to abnormal behavior logs.
[0210] Optionally, when processor 1101 executes the workflow processing prompt words generated based on the security processing large model workflow, it specifically performs the following:
[0211] Based on the security processing big model workflow, a workflow processing description is generated, as well as a phase implementation status feedback description for the security processing big model.
[0212] Workflow processing prompts are generated based on workflow processing descriptions and stage implementation status feedback descriptions for the large-scale security processing model.
[0213] Optionally, the processor 1101 is also adapted to execute
[0214] During the security threat handling process, determine the current security handling stage in the large security handling model workflow, and generate the corresponding stage implementation status feedback information for the current security handling stage.
[0215] The security processing big model transmits phase implementation status feedback information to the intelligent security digital object service, so that the intelligent security digital object service can output the big model workflow explanation information corresponding to the current security processing phase based on the phase implementation status feedback information.
[0216] Optionally, when the processor 1101 executes the monitoring security processing big model at the current security processing stage in the security processing big model workflow, it specifically performs the following:
[0217] The system obtains the phase implementation status feedback information of the security processing big model through the intelligent security digital object service, and determines the current security processing phase of the security processing big model in the security processing big model workflow based on the phase implementation status feedback information.
[0218] The security threat alert interface outputs the current security processing stage in the security processing big model workflow through the intelligent security digital object service.
[0219] Optionally, when processor 1101 executes the output of the large model workflow explanation information corresponding to the current security processing stage through the intelligent secure digital object service, it specifically executes:
[0220] Obtain a preset security processing stage information template, and generate a large-scale model workflow execution prompt based on the current security processing stage;
[0221] Based on the intelligent security digital object service control object service big model, obtain the big model workflow execution explanation prompts, security processing stage information templates and stage implementation status feedback information;
[0222] The large model workflow is used to execute the explanation prompts. The large model of object service is used to fill in the phase implementation status feedback information and security processing phase information templates to obtain the large model workflow explanation information corresponding to the current security processing phase.
[0223] The system acquires large model workflow explanation information based on the intelligent security digital object service and outputs the large model workflow explanation information corresponding to the current security processing stage.
[0224] Optionally, the security processing large model workflow includes, in sequence, the data acquisition analysis stage, the reverse linking stage, the forward reasoning stage, the evidence chain association stage, the attack graph matching stage, the content review stage, and the report generation stage.
[0225] Optionally, the processor 1101 is also adapted to control the security processing of large models to acquire abnormal behavior logs during the data acquisition phase of the analysis;
[0226] During the reverse chaining phase, the control security processing big model determines malicious chain breaking behavior based on abnormal behavior logs, as well as the target process chain targeted by the malicious chain breaking behavior.
[0227] During the forward reasoning phase, the control security processing big model identifies attack evidence against the target process chain from the abnormal behavior logs;
[0228] During the evidence chain association phase, the control security processing big model performs association processing on attack evidence to generate an associated network kill chain.
[0229] During the attack graph matching phase, the control security processing big model acquires the network kill chain database. Based on the network kill chain database, it performs similarity matching on related network kill chains to obtain the target network kill chain, so that the security processing big model can use the target network kill chain to sequentially perform the content review phase and the report generation phase.
[0230] Optionally, the processor 1101 is also suitable for
[0231] During the content review phase, the control security processing big model determines the reference processing strategy content for the target network kill chain, and conducts content review on the target processing strategy content based on preset review rules to obtain the target processing strategy content that passes the review.
[0232] During the report generation phase, the control security processing big model generates a target processing strategy report based on the target processing strategy content.
[0233] This application also provides a computer-readable storage medium that stores one or more programs, which, when executed by a processor, implement the method described in any one of the above-described embodiments.
[0234] In the several embodiments provided in this application, it should be understood that the disclosed apparatus and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative. For instance, the division of modules is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple modules or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between apparatuses or modules may be electrical, mechanical, or other forms.
[0235] The modules described as separate components may or may not be physically separate. The components shown as modules may or may not be physical modules; that is, they may be located in one place or distributed across multiple network modules. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs.
[0236] Furthermore, the functional modules in the various embodiments of this application can be integrated into one processing module, or each module can exist physically separately, or two or more modules can be integrated into one module. The integrated modules described above can be implemented in hardware or as software functional modules.
[0237] If the integrated module is implemented as a software functional module and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application embodiment, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0238] It should be noted that, for the sake of simplicity, the foregoing method embodiments are all described as a series of actions. However, those skilled in the art should understand that the embodiments of this application are not limited to the described order of actions, because according to the embodiments of this application, some steps can be performed in other orders or simultaneously. Secondly, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily essential to the embodiments of this application.
[0239] In the above embodiments, the descriptions of each embodiment have different focuses. For parts not described in detail in a certain embodiment, please refer to the relevant descriptions in other embodiments.
[0240] The above is a description of a security threat handling method, apparatus, terminal, and computer-readable storage medium provided in the embodiments of this application. For those skilled in the art, based on the ideas of the embodiments of this application, there will be changes in the specific implementation methods and application scope. Therefore, the content of this specification should not be construed as a limitation on the embodiments of this application.
Claims
1. A method for handling security threats, wherein, The method includes: Detect abnormal behavior logs and determine the large-scale security handling workflow for the abnormal behavior logs; The abnormal behavior logs are processed for security threats according to the workflow of the security processing big model. Monitor the current security processing stage of the security processing big model in the security processing big model workflow, and output the big model workflow explanation information corresponding to the current security processing stage through the intelligent security digital object service.
2. The method according to claim 1, wherein, After detecting abnormal behavior logs, the following is also included: Determine a wake-up command for the smart secure digital object service, and wake up the smart secure digital object service based on the wake-up command; After determining the large-scale workflow for security processing of the abnormal behavior logs, the process also includes: The security threat alert interface outputs a large-scale security processing workflow through the intelligent security digital object service.
3. The method according to claim 1, wherein, The process of handling security threats in the abnormal behavior logs using the security processing big model and its workflow includes: Based on the security processing big model workflow, generate workflow processing prompts and input the workflow processing prompts into the security processing big model. Based on the security processing big model, the workflow processing prompts are received, and the security processing operations corresponding to each security processing stage in the security processing big model workflow are executed step by step through the security processing big model to handle security threats in response to the abnormal behavior logs.
4. The method according to claim 3, wherein, The process of generating workflow processing prompts based on the security processing big model workflow includes: Based on the aforementioned security processing big model workflow, a workflow processing description is generated, as well as a phase implementation status feedback description for the security processing big model. Based on the workflow processing description and the stage implementation status feedback description, workflow processing prompts are generated for the security processing big model.
5. The method according to claim 3, wherein, The method further includes: During the security threat handling process, the current security handling stage in the security handling big model workflow is determined, and the stage implementation status feedback information corresponding to the current security handling stage is generated. The security processing big model transmits the phase implementation status feedback information to the intelligent security digital object service, so that the intelligent security digital object service can output the big model workflow explanation information corresponding to the current security processing phase based on the phase implementation status feedback information.
6. The method according to claim 1, wherein, The monitoring of the current security processing stage of the security processing big model in the security processing big model workflow includes: The system obtains the phase implementation status feedback information transmitted by the security processing big model through the intelligent security digital object service, and determines the current security processing phase of the security processing big model in the security processing big model workflow based on the phase implementation status feedback information. On the security threat alert interface, the current security processing stage in the security processing big model workflow is output through the intelligent security digital object service.
7. The method according to claim 6, wherein, The step of outputting the large model workflow explanation information corresponding to the current security processing stage through the intelligent secure digital object service includes: Obtain a preset security processing stage information template, and generate a large model workflow execution prompt based on the current security processing stage; Based on the intelligent security digital object service control object service big model, obtain the big model workflow execution explanation prompts, the security processing stage information templates, and the stage implementation status feedback information; The large model workflow execution prompts are used, and the object service large model is used to fill in the stage implementation status feedback information and the security processing stage information template to obtain the large model workflow explanation information corresponding to the current security processing stage. Based on the intelligent secure digital object service, the large model workflow explanation information is obtained, and the large model workflow explanation information corresponding to the current security processing stage is output.
8. A security threat handling device, wherein, The device includes: The monitoring module is suitable for detecting abnormal behavior logs and determining a large-scale security processing workflow for the abnormal behavior logs. The processing module is adapted to perform security threat processing on the abnormal behavior logs according to the workflow of the security processing big model; The output module is adapted to monitor the current security processing stage of the security processing big model in the security processing big model workflow, and output the big model workflow explanation information corresponding to the current security processing stage through the intelligent security digital object service.
9. A terminal, wherein, The terminal includes: Processor; and A memory configured to store computer-executable instructions, which, when executed, cause the processor to perform the method according to any one of claims 1 to 7.
10. A computer-readable storage medium, wherein, The computer-readable storage medium stores one or more programs that, when executed by a processor, implement the method of any one of claims 1 to 7.