Network security risk trend multidimensional correlation data analysis prediction method
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- 广州云峰信息科技有限公司
- Filing Date
- 2026-05-11
- Publication Date
- 2026-07-07
AI Technical Summary
Traditional cybersecurity methods are unable to identify and respond to new attack patterns in a timely manner, lack adaptability to dynamic environments, resulting in decreased timeliness and accuracy of predictions, inability to effectively protect information assets, and failure to provide real-time risk monitoring and early warning mechanisms.
Through multi-dimensional data analysis, behavioral entropy values are calculated to filter abnormal time slices, generate risk profiles, compare them with the threat intelligence database to identify attack chains, construct risk correlation networks, dynamically train risk trend prediction models, and generate risk prediction reports.
It improves the accuracy and flexibility of the prediction model, enabling it to adapt to changes in attack patterns in real time, achieve real-time monitoring and early warning of risk events, optimize defense strategies, and reduce potential losses.
Smart Images

Figure CN122174228B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of data analysis technology, specifically a method for multi-dimensional correlation data analysis and prediction of cybersecurity risk trends. Background Technology
[0002] Currently, traditional methods typically rely on static rules and signatures for threat detection, lacking adaptability to dynamically changing environments and new attack patterns. This results in an inability to identify and respond to emerging threats in a timely manner. Furthermore, traditional predictive models are usually trained based on historical data. If they are not updated and adjusted in real time, they cannot adapt to new attack patterns and behavioral characteristics, leading to a decrease in the timeliness and accuracy of prediction results. Due to the lag in data processing and analysis, traditional methods react slowly when security incidents occur, which may lead to increased losses and fail to effectively protect the organization's information assets.
[0003] Furthermore, traditional methods perform poorly in identifying complex attack chains and cannot accurately correlate different attack behaviors, affecting the overall understanding of attacker behavior and the formulation of protection strategies. Moreover, many traditional methods fail to provide real-time risk monitoring and early warning mechanisms, failing to issue timely alerts before risk events occur, causing organizations to miss the best defense opportunities. Summary of the Invention
[0004] To achieve the above objectives, the present invention provides the following technical solution: a method for multi-dimensional correlation data analysis and prediction of network security risk trends, comprising:
[0005] Identify the target risk events to be analyzed and their corresponding prediction periods, and collect multi-source heterogeneous security logs related to the target risk events in the target network environment;
[0006] Multi-source heterogeneous security logs are cleaned and standardized to obtain raw security data. The raw security data is then sliced into time windows to obtain multiple consecutive time slices of data.
[0007] Calculate the behavioral entropy value of each time slice of data, filter out abnormal time slices whose behavioral entropy value is greater than the preset entropy threshold from each time slice of data, and extract attack behavior characteristics and asset vulnerability characteristics from the abnormal time slices.
[0008] Based on the characteristics of attack behavior and asset vulnerability, a corresponding risk profile is generated. The risk profile is then compared with a pre-set threat intelligence database to determine the attack chain that matches the risk profile.
[0009] Construct a risk correlation network corresponding to the attack chain, and input the risk correlation network into the initial risk trend prediction model for deduction; wherein, the initial risk trend prediction model includes at least two cascaded risk propagation modules; train the initial risk trend prediction model according to the dynamic characteristics of the risk correlation network to obtain the target risk trend prediction model;
[0010] The risk trend prediction value of the target risk event is determined based on the target risk trend prediction model during the target prediction period, and a risk prediction report is generated based on the risk trend prediction value.
[0011] Preferably, calculating the behavioral entropy value of data for each time slice includes:
[0012] For any given time slice of data, calculate the frequency of occurrence of each event type in that time slice and then calculate the negative logarithm of each frequency.
[0013] The sum is obtained by weighting and summing based on the frequency of occurrence and the corresponding negative logarithm.
[0014] The behavioral entropy value of any time slice data is determined based on the summation result and the total number of events in any time slice data.
[0015] Preferably, the risk profile is compared with a pre-set threat intelligence database to determine the attack chain that matches the risk profile, including:
[0016] Obtain the feature vectors corresponding to each attack chain in the preset threat intelligence database, and calculate the cosine similarity between the risk profile and each feature vector.
[0017] If any feature vector has a cosine similarity greater than a preset similarity threshold with the risk profile, then the attack chain corresponding to any feature vector will be used as the attack chain to match the risk profile.
[0018] Preferably, a risk association network corresponding to the attack chain is constructed, including:
[0019] Obtain the vulnerability score corresponding to each asset node at present, and determine whether each vulnerability score is lower than the preset security score threshold;
[0020] If there are target asset nodes with vulnerability scores lower than the preset security score threshold, then a directed edge is constructed based on the causal relationship between the target asset node and the attack behavior;
[0021] By connecting each target asset node and attack behavior node with directed edges, a risk association network corresponding to the attack chain is generated; the node weights in the risk association network are dynamically adjusted according to the severity of the risk profile.
[0022] Preferably, the initial risk trend prediction model is trained based on the dynamic characteristics of the risk association network to obtain the target risk trend prediction model, including:
[0023] Acquire attack behavior sequence data and system vulnerability data, embed features into the attack behavior sequence data and system vulnerability data respectively to obtain at least two single-source feature sequences, perform topological fusion on all single-source feature sequences to obtain dynamic risk map structure sequences under multiple first monitoring time windows;
[0024] The dynamic risk graph structure sequence is decomposed according to the node dimension of the dynamic risk graph structure sequence to obtain at least two dynamic risk subgraphs. The evolution calculation of all dynamic risk subgraphs is performed through the risk propagation module to obtain the inferred risk feature sequence under the target prediction period.
[0025] Based on the inferred risk characteristic sequence, predictive risk trend data is determined, and the loss value between the predicted risk trend data and the historical sample correlation data is calculated.
[0026] The parameters of the initial risk trend prediction model are adjusted based on the loss value to obtain the target risk trend prediction model.
[0027] Preferably, after extracting attack behavior characteristics and asset vulnerability characteristics from the anomalous time slices, the method further includes:
[0028] If there are multiple attack behavior features, attack pattern clustering is performed on each attack behavior feature, and the clustering results are used to determine whether there is a common attack relationship among the attack behavior features.
[0029] If multiple attack behavior characteristics satisfy the same source attack relationship, then a cross-network association bridge is established between the risk association networks corresponding to the multiple attack behavior characteristics.
[0030] Preferably, before determining the predicted risk trend value of the target risk event within the target prediction period based on the target risk trend prediction model, the method further includes:
[0031] Determine the prediction period type corresponding to the associated dimension index, and determine the period database corresponding to the prediction period type from the index library;
[0032] Index the related dimension index in the periodic database to obtain the analysis model corresponding to the related dimension index;
[0033] The periodic database stores the topological data of historical risk-related networks and the corresponding analysis model parameters, while the index library pre-establishes multiple association dimension indexes and index relationships between the analysis models using association mining algorithms.
[0034] Preferably, determining the predicted risk trend value of the target risk event within the target prediction period based on the target risk trend prediction model includes:
[0035] Determine the periodic unit in which the target risk event falls within the target prediction period, and the unit ranking of the periodic unit within the target prediction period;
[0036] The risk level of the target risk event in the target forecast period is determined based on the risk probability and the scope of impact, and the forecast trend value of the target risk event in the target forecast period is determined based on the trend slope, risk level and unit sorting.
[0037] Risk trend forecast values are generated based on risk level and predicted trend value; the analysis model includes risk probability, scope of impact and trend slope.
[0038] Preferably, after generating a risk prediction report based on the risk trend forecast value, the method further includes:
[0039] A risk warning threshold is generated based on real-time network traffic data, and the risk warning threshold is inserted into the starting position of the target prediction period to obtain the warning component;
[0040] When generating risk trend prediction values in a target prediction period where an early warning component exists, the risk trend prediction values of the target risk event in the target prediction period are determined based on the risk warning threshold of the early warning component and the analysis model of the target risk event to be analyzed.
[0041] Compared with the prior art, the beneficial effects of the present invention are:
[0042] (1) By using behavioral entropy and attack behavior characteristics for analysis, this invention can more accurately identify abnormal time slices and generate corresponding risk profiles, providing a solid data foundation for subsequent risk chain comparison and prediction, and improving the accuracy of the prediction model; and by training the initial risk trend prediction model and adjusting the parameters according to the dynamic characteristics of the risk association network, the risk trend prediction model can adapt to new attack modes and network environment changes in real time, improving the flexibility and reaction speed of the model.
[0043] (2) By calculating the cosine similarity between the risk profile and the attack chain feature vector, this invention can quickly identify the degree of matching with the attack chain in the existing threat intelligence database, which helps the security team to take timely defensive measures. Under the judgment of the same source attack relationship, it can establish the correlation between multiple attack behavior features, enabling the security team to better understand the attacker's attack pattern and thus optimize the defense strategy. Furthermore, by generating risk warning thresholds and integrating them into the target prediction cycle, it can realize real-time monitoring and warning of risk events, helping organizations to take preventive measures before risks occur and reduce potential losses. Attached Figure Description
[0044] Figure 1 This is a schematic flowchart of the overall method in one embodiment of the present invention. Detailed Implementation
[0045] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0046] Example 1, please refer to Figure 1 This invention provides a technical solution: a method for multi-dimensional correlation data analysis and prediction of network security risk trends, comprising:
[0047] S1. Determine the target risk event to be analyzed and the corresponding target prediction period, and collect multi-source heterogeneous security logs related to the target risk event in the target network environment;
[0048] S2. Clean and standardize the multi-source heterogeneous security logs to obtain raw security data. Then, slice the raw security data into time windows to obtain multiple consecutive time slice data.
[0049] S3. Calculate the behavioral entropy value of each time slice of data, filter out abnormal time slices whose behavioral entropy value is greater than the preset entropy value threshold from each time slice of data, and extract attack behavior characteristics and asset vulnerability characteristics from the abnormal time slices.
[0050] S4. Generate corresponding risk profiles based on attack behavior characteristics and asset vulnerability characteristics, compare the risk profiles with the preset threat intelligence database, and determine the attack chain that matches the risk profile.
[0051] S5. Construct the risk correlation network corresponding to the attack chain, and input the risk correlation network into the initial risk trend prediction model for deduction; wherein, the initial risk trend prediction model includes at least two cascaded risk propagation modules; train the initial risk trend prediction model according to the dynamic characteristics of the risk correlation network to obtain the target risk trend prediction model;
[0052] S6. Determine the risk trend prediction value of the target risk event in the target prediction period based on the target risk trend prediction model, and generate a risk prediction report based on the risk trend prediction value.
[0053] It is important to note that the specific security risk event to be analyzed needs to be clearly defined, such as a DDoS attack or a data breach; at the same time, a time frame (prediction period) needs to be set, such as the risk trend over the next 30 days; security logs related to the target risk event need to be collected, and these logs may come from different sources such as firewalls, intrusion detection systems, and network traffic monitoring; these data are usually in different formats and have diverse content.
[0054] The collected security logs are preprocessed, including removing duplicate data, filling in missing values, and standardizing the data format; this step ensures that subsequent analysis is based on clean and consistent data; the raw security data is divided into multiple small time slices by time to analyze the behavioral characteristics of each time period; for example, the data can be sliced by hour or minute.
[0055] The data for each time slice is analyzed to calculate its behavioral entropy value. The behavioral entropy value reflects the complexity and uncertainty of activities within that time period. The higher the entropy value, the more abnormal the behavior. Based on a preset entropy value threshold, abnormal time slices with entropy values greater than the threshold are selected from the time slices. These time slices may indicate the existence of security threats.
[0056] Features are extracted from tagged abnormal time slices, such as the IP addresses of abnormal access, the type of attack, and the affected assets; a risk profile is generated based on the extracted features, which is a comprehensive model describing risk characteristics; then, it is compared with a threat intelligence database to identify whether there are known attack chains;
[0057] A risk correlation network is constructed based on the identified attack chain to reflect the relationship between different risk factors; the risk correlation network is then input into an initial risk trend prediction model for dynamic analysis; these models typically contain multiple modules that can simulate the risk propagation process.
[0058] Based on the changes in the risk association network, the prediction model is continuously trained to eventually generate a target risk trend prediction model. Based on the final risk trend prediction value, a detailed risk prediction report is generated and provided to relevant decision-makers.
[0059] In an optional embodiment, calculating the behavioral entropy value of data for each time slice includes:
[0060] For any given time slice of data, calculate the frequency of occurrence of each event type in that time slice and then calculate the negative logarithm of each frequency.
[0061] The sum is obtained by weighting and summing based on the frequency of occurrence and the corresponding negative logarithm.
[0062] The behavioral entropy value of any time slice data is determined based on the summation result and the total number of events in any time slice data.
[0063] It should be noted that within a specific time slice, it is first necessary to identify all recorded security events and count the frequency of each event type. For example, suppose multiple security events are recorded within a certain hour, such as login attempts, file access, and network connections. For example: login attempts: 50 times; file access: 30 times; network connection: 20 times.
[0064] For each event type, their frequency of occurrence is converted to a negative logarithm; the purpose of this conversion is to emphasize the importance of low-frequency events relative to high-frequency events, because in security analysis, rare events may indicate potential anomalies or attacks;
[0065] For example: the frequency of login attempts is 50, calculate its negative logarithm; the frequency of file access is 30, calculate its negative logarithm; the frequency of network connections is 20, calculate its negative logarithm; no specific mathematical operations are involved here, but it can be imagined that higher frequencies will result in smaller negative logarithms, while lower frequencies will result in larger negative logarithms.
[0066] The frequency of each event type is weighted and summed with its corresponding negative logarithm; the purpose of this step is to comprehensively consider the frequency and importance of each event type in order to form an overall evaluation index.
[0067] Based on the summation results and the total number of events within the time slice, the behavioral entropy value can be calculated. The behavioral entropy value reflects the diversity of activities within this time slice. The higher the entropy value, the greater the diversity and complexity of the events, and it may also indicate a potential security threat.
[0068] In an optional embodiment, the risk profile is compared with a preset threat intelligence database to determine the attack chain that matches the risk profile, including:
[0069] Obtain the feature vectors corresponding to each attack chain in the preset threat intelligence database, and calculate the cosine similarity between the risk profile and each feature vector.
[0070] If any feature vector has a cosine similarity greater than a preset similarity threshold with the risk profile, then the attack chain corresponding to any feature vector will be used as the attack chain to match the risk profile.
[0071] It should be noted that the threat intelligence database contains feature vectors of known attack chains; feature vectors are a mathematical representation of attack behavior, and usually include multiple dimensions, such as attack steps, tools, target assets, attacker behavior patterns, etc.; these feature vectors provide security analysts with a standard for comparison.
[0072] For example, the signature vector of attack chain A may include: network scanning, intrusion through vulnerability exploitation, and data theft; the signature vector of attack chain B may include: brute-force attacks against specific services, privilege escalation, and malware implantation.
[0073] It is necessary to calculate the cosine similarity between the current risk profile and the feature vector of each attack chain in the threat intelligence database; the risk profile is generated based on observed events and behaviors, and it reflects the security status and potential risks within a specific time period.
[0074] Cosine similarity is a commonly used metric to assess the similarity between two vectors. The value ranges from -1 to 1, with a larger value indicating greater similarity between the two vectors.
[0075] For example: Suppose the current risk profile has the following characteristics, such as access patterns and activity frequency, and compares them with attack chains A and B: The feature vector of the risk profile: frequent network scanning activity, multiple abnormal login attempts, and abnormal data access patterns; During calculation, the analysis system will evaluate the similarity between the feature vectors of the risk profile and attack chains A and B; If the cosine similarity between the feature vector of attack chain A and the risk profile is high (e.g., 0.85), while the similarity between attack chain B and attack chain B is low (e.g., 0.3), then attack chain A is more likely to match the risk profile;
[0076] The judgment is made based on a preset similarity threshold; if the cosine similarity of any feature vector exceeds this threshold, it can be considered that the attack chain matches the current risk profile, which may indicate the existence of corresponding network attack activities.
[0077] In an optional embodiment, constructing a risk association network corresponding to the attack chain includes:
[0078] Obtain the vulnerability score corresponding to each asset node at present, and determine whether each vulnerability score is lower than the preset security score threshold;
[0079] If there are target asset nodes with vulnerability scores lower than the preset security score threshold, then a directed edge is constructed based on the causal relationship between the target asset node and the attack behavior;
[0080] By connecting each target asset node and attack behavior node with directed edges, a risk association network corresponding to the attack chain is generated; the node weights in the risk association network are dynamically adjusted according to the severity of the risk profile.
[0081] It should be noted that for each asset node in the network, such as servers, workstations, and applications, a corresponding vulnerability score needs to be obtained. These scores are usually obtained by assessing factors such as known vulnerabilities, misconfigurations, and missing security patches, and are intended to quantify the security risk of each asset.
[0082] For example:
[0083] Asset A (a database server) has a vulnerability score of 8.5 (high risk).
[0084] Asset B (an employee workstation) has a vulnerability score of 4.0 (medium risk).
[0085] Asset C (a web application) has a vulnerability score of 2.0 (low risk).
[0086] A preset security score threshold needs to be set to determine which asset nodes have excessively high vulnerability scores that may cause security issues; for example, suppose the security score threshold is set to 5.0; at this stage, analysts will check the vulnerability score of each asset node and determine whether it is below the threshold.
[0087] For example:
[0088] Asset A (8.5) > 5.0 → Does not meet the requirements;
[0089] Asset B (4.0) < 5.0 → Meets the requirements;
[0090] Asset C (2.0) < 5.0 → Meets the requirements;
[0091] Based on the above assessment, assets B and C are marked as target asset nodes with higher risks.
[0092] For asset nodes whose vulnerability scores are below the security score threshold, it is necessary to analyze the causal relationship between them and attack behaviors; attack behaviors may include network scanning, malware propagation, data leakage, etc.; based on this relationship, directed edges can be established between asset nodes and attack behavior nodes in the network;
[0093] For example: Suppose asset B (workstation) may be affected by malware propagation attacks, so a directed edge can be established from asset B to malware propagation; similarly, asset C (web application) may be affected by SQL injection attacks, so a directed edge can also be established from asset C to SQL injection.
[0094] By connecting asset nodes and attack behavior nodes, a risk association network can be constructed; in this network, each node represents an asset or attack behavior, and directed edges represent potential attack paths.
[0095] To better reflect the risk situation, the weights of nodes in the network can be dynamically adjusted according to the severity of the risk profile; for example, if a certain attack has occurred frequently in the recent period or has caused significant losses, the weight of the node that is attacking the attack can be increased to highlight its risk level.
[0096] For example, the weight of malware propagation attacks may increase from 1 to 2 due to several recent successful cases; the weight of SQL injection attacks may also increase to 3 due to the discovery of new vulnerabilities. Through such dynamic adjustments, the risk association network not only shows the relationship between asset nodes and attack behaviors, but also reflects the current security situation more accurately.
[0097] In an optional embodiment, an initial risk trend prediction model is trained based on the dynamic characteristics of the risk association network to obtain a target risk trend prediction model, including:
[0098] Acquire attack behavior sequence data and system vulnerability data, embed features into the attack behavior sequence data and system vulnerability data respectively to obtain at least two single-source feature sequences, perform topological fusion on all single-source feature sequences to obtain dynamic risk map structure sequences under multiple first monitoring time windows;
[0099] The dynamic risk graph structure sequence is decomposed according to the node dimension of the dynamic risk graph structure sequence to obtain at least two dynamic risk subgraphs. The evolution calculation of all dynamic risk subgraphs is performed through the risk propagation module to obtain the inferred risk feature sequence under the target prediction period.
[0100] Based on the inferred risk characteristic sequence, predictive risk trend data is determined, and the loss value between the predicted risk trend data and the historical sample correlation data is calculated.
[0101] The parameters of the initial risk trend prediction model are adjusted based on the loss value to obtain the target risk trend prediction model.
[0102] It should be noted that attack sequence data records various attack events that occur within a certain time frame, such as network scanning, malware attacks, and data breaches; system vulnerability data contains information about vulnerabilities in the system, such as unpatched services and misconfigurations.
[0103] For example, attack behavior sequence data may include timestamps recording events such as SQL injection attempts, DDoS attacks, and brute-force attacks; system vulnerability data may show records of SQL injection vulnerabilities in a web server and records of an operating system not being updated to the latest version.
[0104] The process of feature embedding for these two types of data involves transforming the raw data into more readable feature vectors; these feature vectors can help the model understand the relationships between the data; attack behavior features: features such as attack type, attack frequency, and attack source IP address can be extracted; system vulnerability features: features such as vulnerability score, vulnerability type, and remediation status of each asset can be extracted.
[0105] After feature embedding, at least two single-source feature sequences can be obtained, for example: single-source feature sequence A: number and type of attacks; single-source feature sequence B: vulnerability score and repair status.
[0106] These single-source feature sequences are topologically fused to form a dynamic risk graph structure sequence; this graph structure shows the dynamic changes of assets, attack behaviors and their relationships; for example, within a certain time window, asset A (a vulnerable web server) is connected to the attack behavior SQL injection, indicating the risk faced by the asset during that period;
[0107] Based on the node dimension of the dynamic risk graph structure sequence, at least two dynamic risk subgraphs are obtained; each subgraph represents the risk situation of a specific attack behavior or a specific asset; for example: dynamic risk subgraphs Figure 1 : Focusing on all nodes related to SQL injection, including assets and attack behaviors; Dynamic Risk Subgraph 2: Focusing on all asset nodes with high vulnerability scores;
[0108] Evolutionary calculations are performed on all dynamic risk subgraphs to simulate the propagation of risk in the network. This process can reveal how risk spreads in the network and affects other nodes at different points in time. For example, if asset A is attacked by SQL injection, this may lead to the exploitation of the vulnerability of the asset, thereby affecting asset B connected to it, and ultimately forming a wider spread of risk.
[0109] Through evolutionary calculations, a sequence of inferred risk characteristics is obtained under the target prediction period. These characteristic sequences can be used to describe the future risk status. For example, the inferred risk characteristic sequence may show that in the next week, the risk level of asset A will decrease from high to medium, but the risk level of asset B will increase from low to high.
[0110] Based on the inferred risk characteristic sequence, the predicted risk trend data is determined; at the same time, the loss value between these predicted data and the historical sample correlation data is calculated to assess the accuracy of the prediction; for example, the predicted risk trend data may indicate that the number of attack events is expected to increase in the next month, while the historical sample shows that only a small number of attacks occurred in the past month; this inconsistency will lead to a higher loss value.
[0111] Based on the calculated loss value, the parameters of the initial risk trend prediction model are adjusted to improve the model's accuracy. After adjustment, the target risk trend prediction model is obtained. For example, if it is found that the model's accuracy in identifying SQL injection attacks is insufficient, the parameters related to that attack type in the model can be adjusted to improve future risk prediction capabilities.
[0112] In an optional embodiment, after extracting attack behavior features and asset vulnerability features from the anomalous time slices, the method further includes:
[0113] If there are multiple attack behavior features, attack pattern clustering is performed on each attack behavior feature, and the clustering results are used to determine whether there is a common attack relationship among the attack behavior features.
[0114] If multiple attack behavior characteristics satisfy the same source attack relationship, then a cross-network association bridge is established between the risk association networks corresponding to the multiple attack behavior characteristics.
[0115] It should be noted that this assumes multiple different attack behavior characteristics have been collected, for example:
[0116] SQL injection;
[0117] Cross-site scripting (XSS) attacks;
[0118] DDoS attack;
[0119] Phishing;
[0120] Brute force attack;
[0121] Because these attack behavior characteristics have different properties and targets, they can be clustered. Clustering is an unsupervised learning method that aims to group similar data points together. By clustering attack behavior characteristics, features with similar properties, attack targets, or attack methods can be grouped into one category.
[0122] For example, SQL injection and cross-site scripting attacks are grouped together because they are both attacks targeting web applications; DDoS attacks and brute-force attacks are grouped into another category because they are both attacks targeting system availability and resources.
[0123] Once the clustering of attack behavior characteristics is completed, it is necessary to determine whether there is a common attack relationship among the various attack behavior characteristics. A common attack relationship usually means that these attacks have the same source or attacker, or they may be launched by the same group of malicious actors. By analyzing the clustering results, we can identify which attack behaviors have common characteristics or patterns, and thus infer whether they come from the same attack source.
[0124] For example, if SQL injection and cross-site scripting attacks are found to have similar attack periods and the same attacking IP address in the cluster, and these two attacks often occur within the same time window, then it can be determined that these two attacks may have a common origin attack relationship; if DDoS attacks and phishing attacks do not have similarities in time and origin, then it can be determined that they do not belong to the same origin attack.
[0125] Once multiple attack behavior characteristics that satisfy the same-origin attack relationship are confirmed, the next step is to establish cross-network association bridges; here, cross-network refers to different risk association networks, which can represent different assets, systems or applications that may face similar attacks.
[0126] The purpose of establishing cross-network bridging is to gain a more comprehensive understanding of the potential impact of attacks and to be able to react promptly when attacks in one network affect another.
[0127] For example, suppose that within an organization, SQL injection and cross-site scripting attacks are found to occur simultaneously on both the web server and the application server. This means that attackers may exploit vulnerabilities in the web server and then attack the application server. Therefore, establishing a connection bridge between the two servers can help the security team better monitor and respond to potential cascading attacks.
[0128] If attack behavior A (SQL injection) is discovered in network 1 and attack behavior B (DDoS attack) is discovered in network 2, and they both point to the same attack source IP, then a connection bridge can be established between network 1 and network 2 to ensure that network 2 can also adjust its defenses when network 1 is attacked.
[0129] In an optional embodiment, before determining the predicted risk trend value of the target risk event within the target prediction period based on the target risk trend prediction model, the method further includes:
[0130] Determine the prediction period type corresponding to the associated dimension index, and determine the period database corresponding to the prediction period type from the index library;
[0131] Index the related dimension index in the periodic database to obtain the analysis model corresponding to the related dimension index;
[0132] The periodic database stores the topological data of historical risk-related networks and the corresponding analysis model parameters, while the index library pre-establishes multiple association dimension indexes and index relationships between the analysis models using association mining algorithms.
[0133] It should be noted that related dimension indexes refer to metrics used in data analysis to describe certain features or dimensions; for example, in cybersecurity, these dimensions may include:
[0134] Attack types, such as SQL injection, DDoS, etc.;
[0135] The source of the attack, such as IP address, geographical location, etc.;
[0136] Affected assets, such as servers and databases;
[0137] Temporal characteristics, such as the time period during which the attack occurred;
[0138] Predicting cycle type;
[0139] The forecast period type refers to the way potential risks are predicted for a certain period of time in the future; this can be different periods such as short-term (days), medium-term (weeks), or long-term (months); for example, short-term forecasts may focus on the upcoming peak of attacks, while long-term forecasts may focus on the changing trends of the overall security situation.
[0140] Once these dimensions and periods are determined, the analysis team can select the appropriate data and models for analysis for each prediction period type; the period database contains topology data of historical risk-related networks and corresponding analysis model parameters; this data helps to understand past network attack patterns and provides a basis for future predictions;
[0141] For example, suppose a periodic database stores attack data from the past three years, including the frequency of each attack type and the associated network topology at different times. This data can help analytical models understand the dynamic changes of a certain attack within a specific time period, for example, discovering that DDoS attacks are more frequent in certain months.
[0142] In the periodic database, the analytics team retrieves the relevant dimension indexes identified from the index repository; this process involves building analytical models using historical data in order to make predictions based on the current risk profile.
[0143] By using association mining algorithms, the analysis team can determine the relationship between different association dimension indices and analysis models; for example, these algorithms may reveal the association between the occurrence of a specific type of attack and certain network activities (such as traffic spikes, system maintenance, etc.).
[0144] Through this process, security teams can obtain analytical models that match the associated dimension indexes and prediction cycle types, and use these models for risk assessment and early warning. This multi-dimensional analysis can not only help teams identify potential security threats, but also guide the allocation of security resources and the formulation of response strategies.
[0145] In an optional embodiment, determining the predicted risk trend value of the target risk event within the target prediction period based on the target risk trend prediction model includes:
[0146] Determine the periodic unit in which the target risk event falls within the target prediction period, and the unit ranking of the periodic unit within the target prediction period;
[0147] The risk level of the target risk event in the target forecast period is determined based on the risk probability and the scope of impact, and the forecast trend value of the target risk event in the target forecast period is determined based on the trend slope, risk level and unit sorting.
[0148] Risk trend forecast values are generated based on risk level and predicted trend value; the analysis model includes risk probability, scope of impact and trend slope.
[0149] It should be noted that a target risk event refers to a specific event that needs attention in a cybersecurity environment, such as a data breach, malware attack, or phishing attack. The prediction period can be divided into multiple time periods, which are called cycle units. For example, assuming the target prediction period is one month, it can be divided into weekly units, resulting in four cycle units (week 1, week 2, week 3, and week 4).
[0150] Unit sorting refers to the order of units within a target forecast period; for example, units from the first week are placed at the beginning, and units from the last week are placed at the end; this sorting helps in analyzing trends and changes.
[0151] After identifying the cycle units, the next step is to assess the risk level of the target risk event within these cycle units. This is typically based on two key factors: risk probability: the likelihood of the event occurring; and impact scope: the extent of the impact on the organization if the event occurs. Based on these two factors, the target risk event can be scored to determine its risk level, which is usually categorized as low, medium, or high.
[0152] Trend slope is an indicator that measures the rate of change of a risk event; if past data shows that the frequency of a certain attack is gradually increasing, then its trend slope may be high; by combining risk level, trend slope and unit ranking, the predicted trend value of the target risk event in the target prediction period can be calculated; this value reflects the expected increase or decrease of future risk events.
[0153] Based on the risk level and the predicted trend value, an overall risk trend forecast value can be generated; this value can be used to guide decision-making, such as strengthening defensive measures or adjusting resource allocation to cope with impending risks.
[0154] In an optional embodiment, after generating a risk prediction report based on the risk trend forecast value, the method further includes:
[0155] A risk warning threshold is generated based on real-time network traffic data, and the risk warning threshold is inserted into the starting position of the target prediction period to obtain the warning component;
[0156] When generating risk trend prediction values in a target prediction period where an early warning component exists, the risk trend prediction values of the target risk event in the target prediction period are determined based on the risk warning threshold of the early warning component and the analysis model of the target risk event to be analyzed.
[0157] It should be noted that real-time network traffic data refers to data collected from the network in real time, including information such as user activity, data transmission rate, and abnormal traffic; this data can reflect the normal operating status of the network and potential security threats.
[0158] The risk warning threshold is a set standard used to determine whether network traffic is abnormal. When network traffic exceeds this threshold, it may mean that there is a potential security risk. For example, a sudden surge in traffic may indicate that a DDoS attack is taking place.
[0159] For example: Suppose that by analyzing network traffic data from the past few days, it is found that the normal data transmission rate is approximately between 1000 and 1500 requests per minute; in order to set a risk warning threshold, the threshold can be set at 1600 requests per minute. If the network traffic exceeds this value, a risk warning will be triggered.
[0160] Once the risk warning threshold is determined, it needs to be incorporated into the starting point of the target forecast period. This means that when conducting risk trend analysis within the period, all analyses will begin from this threshold. For example, assuming the target forecast period is one month, record the risk warning threshold at the beginning of this period, such as 1600 requests per minute. In future traffic data analysis, this value will be used as a reference point to monitor whether network traffic exceeds this threshold.
[0161] The early warning component is a tool or mechanism applied during the target prediction period to monitor network traffic in real time and issue alerts based on set risk warning thresholds; when network traffic exceeds the warning threshold, the early warning component can promptly notify relevant personnel to take measures.
[0162] For example, in a network security system, a real-time monitoring tool can be deployed to continuously monitor traffic data. If the tool detects that the traffic exceeds 1600 requests per minute, it will automatically send an alert to the network security team, alerting them that an attack may be taking place.
[0163] Within the target prediction period where an early warning component exists, when it is necessary to generate a risk trend prediction value, an assessment can be made based on the risk warning threshold of the early warning component and the analysis model of the target risk event to be analyzed.
[0164] The embodiments of the present invention have been described in detail above with reference to the accompanying drawings. However, the present invention is not limited thereto. Various changes can be made within the scope of knowledge possessed by those skilled in the art without departing from the spirit of the present invention.
Claims
1. A method for multi-dimensional correlation data analysis and prediction of cybersecurity risk trends, characterized in that, include: Identify the target risk events to be analyzed and their corresponding prediction periods, and collect multi-source heterogeneous security logs related to the target risk events in the target network environment; Multi-source heterogeneous security logs are cleaned and standardized to obtain raw security data. The raw security data is then sliced into time windows to obtain multiple consecutive time slices of data. Calculate the behavioral entropy value of each time slice of data, filter out abnormal time slices whose behavioral entropy value is greater than the preset entropy threshold from each time slice of data, and extract attack behavior characteristics and asset vulnerability characteristics from the abnormal time slices. This includes extracting attack behavior characteristics and asset vulnerability characteristics from abnormal time slices, as well as: If there are multiple attack behavior features, attack pattern clustering is performed on each attack behavior feature, and the clustering results are used to determine whether there is a common attack relationship among the attack behavior features. If there are multiple attack behavior characteristics that satisfy the same source attack relationship, then establish a cross-network association bridge between the risk association networks corresponding to the multiple attack behavior characteristics respectively. Based on the characteristics of attack behavior and asset vulnerability, a corresponding risk profile is generated. The risk profile is then compared with a pre-set threat intelligence database to determine the attack chain that matches the risk profile. Construct a risk correlation network corresponding to the attack chain, and input the risk correlation network into the initial risk trend prediction model for deduction; wherein, the initial risk trend prediction model includes at least two cascaded risk propagation modules; train the initial risk trend prediction model according to the dynamic characteristics of the risk correlation network to obtain the target risk trend prediction model; Based on the target risk trend prediction model, the risk trend prediction value of the target risk event in the target prediction period is determined, and a risk prediction report is generated based on the risk trend prediction value. Before determining the predicted risk trend value of the target risk event within the target prediction period based on the target risk trend prediction model, the process also includes: Determine the prediction period type corresponding to the associated dimension index, and determine the period database corresponding to the prediction period type from the index library; Index the related dimension index in the periodic database to obtain the analysis model corresponding to the related dimension index; The periodic database stores the topological data of historical risk-related networks and the corresponding analysis model parameters, while the index library pre-establishes multiple association dimension indexes and index relationships between the analysis models using association mining algorithms.
2. The method for multi-dimensional correlation data analysis and prediction of network security risk trends according to claim 1, characterized in that, Calculate the behavioral entropy value of the data for each time slice, including: For any given time slice of data, calculate the frequency of occurrence of each event type in that time slice and then calculate the negative logarithm of each frequency. The sum is obtained by weighting and summing based on the frequency of occurrence and the corresponding negative logarithm. The behavioral entropy value of any time slice data is determined based on the summation result and the total number of events in any time slice data.
3. The method for multi-dimensional correlation data analysis and prediction of network security risk trends according to claim 2, characterized in that, The risk profile is compared with a pre-set threat intelligence database to identify attack chains that match the risk profile, including: Obtain the feature vectors corresponding to each attack chain in the preset threat intelligence database, and calculate the cosine similarity between the risk profile and each feature vector. If any feature vector has a cosine similarity greater than a preset similarity threshold with the risk profile, then the attack chain corresponding to any feature vector will be used as the attack chain to match the risk profile.
4. The method for multi-dimensional correlation data analysis and prediction of network security risk trends according to claim 3, characterized in that, Construct a risk correlation network corresponding to the attack chain, including: Obtain the vulnerability score corresponding to each asset node at present, and determine whether each vulnerability score is lower than the preset security score threshold; If there are target asset nodes with vulnerability scores lower than the preset security score threshold, then a directed edge is constructed based on the causal relationship between the target asset node and the attack behavior; By connecting each target asset node and attack behavior node with directed edges, a risk association network corresponding to the attack chain is generated; the node weights in the risk association network are dynamically adjusted according to the severity of the risk profile.
5. The method for multi-dimensional correlation data analysis and prediction of network security risk trends according to claim 4, characterized in that, The initial risk trend prediction model is trained based on the dynamic characteristics of the risk association network to obtain the target risk trend prediction model, including: Acquire attack behavior sequence data and system vulnerability data, embed features into the attack behavior sequence data and system vulnerability data respectively to obtain at least two single-source feature sequences, perform topological fusion on all single-source feature sequences to obtain dynamic risk map structure sequences under multiple first monitoring time windows; The dynamic risk graph structure sequence is decomposed according to the node dimension of the dynamic risk graph structure sequence to obtain at least two dynamic risk subgraphs. The evolution calculation of all dynamic risk subgraphs is performed through the risk propagation module to obtain the inferred risk feature sequence under the target prediction period. Based on the inferred risk characteristic sequence, predictive risk trend data is determined, and the loss value between the predicted risk trend data and the historical sample correlation data is calculated. The parameters of the initial risk trend prediction model are adjusted based on the loss value to obtain the target risk trend prediction model.
6. The method for multi-dimensional correlation data analysis and prediction of network security risk trends according to claim 5, characterized in that, Based on the target risk trend prediction model, the predicted risk trend value of the target risk event in the target prediction period is determined, including: Determine the periodic unit in which the target risk event falls within the target prediction period, and the unit ranking of the periodic unit within the target prediction period; The risk level of the target risk event in the target forecast period is determined based on the risk probability and the scope of impact, and the forecast trend value of the target risk event in the target forecast period is determined based on the trend slope, risk level and unit sorting. Risk trend forecast values are generated based on risk level and predicted trend value; the analysis model includes risk probability, scope of impact and trend slope.
7. The method for multi-dimensional correlation data analysis and prediction of network security risk trends according to claim 6, characterized in that, After generating a risk forecast report based on the predicted risk trend values, the following is also included: A risk warning threshold is generated based on real-time network traffic data, and the risk warning threshold is inserted into the starting position of the target prediction period to obtain the warning component; When generating risk trend prediction values in a target prediction period where an early warning component exists, the risk trend prediction values of the target risk event in the target prediction period are determined based on the risk warning threshold of the early warning component and the analysis model of the target risk event to be analyzed.