A network security vulnerability data analysis method, device and computer equipment
By extracting and injecting causal metadata at the time of event generation, the problem of event order and causal relationship in distributed computing environment is solved, enabling efficient and accurate attack chain reconstruction and improving the real-time performance and throughput of network security analysis.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- BAIRUNHONG TECH CO LTD
- Filing Date
- 2026-03-25
- Publication Date
- 2026-06-09
Smart Images

Figure CN122179207A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of network security technology, and in particular to a network security vulnerability data analysis method, apparatus, and computer device. Background Technology
[0002] In today's complex and ever-changing network environment, enterprises face increasingly severe cybersecurity threats. To address these threats, enterprises typically deploy a variety of advanced security tools, such as next-generation firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), endpoint detection and response (EDR) tools, vulnerability scanners, and security information and incident management (SIEM) platforms. These tools generate massive amounts of security incident data daily, reaching terabytes or even petabytes in volume. How to efficiently process and analyze this data, and promptly detect and respond to complex cyberattacks, has become a significant challenge in the field of cybersecurity.
[0003] Especially in distributed computing systems, the diverse sources of security events, their potentially chaotic arrival order, and the subtle differences in the timing of various processing nodes make it extremely difficult to accurately connect these scattered events and identify multi-stage attack chains. Traditional analysis methods often struggle to balance real-time performance with accuracy and efficient resource utilization.
[0004] To address this issue, existing technologies have introduced complex event correlation logic, such as extending event windows and synchronizing state between nodes. However, these methods introduce new problems: extending the window increases memory consumption and sacrifices real-time performance; state synchronization increases system complexity and communication overhead, reduces processing throughput and real-time response capabilities, and can easily lead to system overload, event backlog, and data loss under high traffic, thus failing to provide accurate threat intelligence.
[0005] Therefore, in distributed computing architectures, there is an urgent need to design a new event processing and correlation mechanism. This mechanism needs to accurately establish the temporal sequence and causal relationships of events in massive security event streams to reliably reconstruct the attack chain, while avoiding the latency and resource consumption caused by excessive caching, complex synchronization, or distributed transactions, ensuring high system real-time performance and throughput, and providing accurate threat assessment results. Summary of the Invention
[0006] In view of the shortcomings of the prior art, this application provides a network security vulnerability data analysis method, apparatus and computer equipment, which solves the problem that it is difficult to accurately establish the precise time sequence and causal relationship of events in a distributed computing environment, and can reliably reconstruct the complete attack chain, thus improving the accuracy and efficiency of network security vulnerability data analysis.
[0007] Firstly, a method for analyzing cybersecurity vulnerability data, the method comprising the following steps: S1: When a security event is generated, extract causal metadata from the security event and inject the causal metadata into the message of the security event, and send it to the downstream computing node; the causal metadata includes at least key entities, core behaviors, and potential causal chains; S2: When the computing node receives the message, it first parses the causal metadata and directs the security event to the corresponding router based on the core behavior in the causal metadata; S3: In the router, key entities and potential causal chains are matched with existing causal information to form local attack chain fragments; S4: Aggregate all the local attack chain fragments, extract the summary information, and reconstruct the complete multi-stage attack chain based on the summary information.
[0008] Furthermore, the method is at least applied to the event source module, which is used to maintain a hierarchical parsing rule base. The hierarchical parsing rule base includes general pattern rules and specific scenario pattern rules. Step S1 includes: S11: When a security event is generated, the event source module selects and applies the parsing rules in the hierarchical parsing rule base according to the preliminary characteristics of the security event; S12: Within a limited time window, the event source module reconstructs the fragmented entity information parsed from the security event according to the entity types defined in the parsing rules and the contextual relationships between the entity types, and normalizes the polymorphically represented entities to obtain the key entity. S13: Based on the preliminary characteristics of the key entities and the security events, the security events are classified into core behaviors through a semantic mapping table, and potential causal chains are generated; S14: Encapsulate the key entity, the core behavior, and the potential causal chain into causal metadata, inject the causal metadata into the message of the security event, and send it to the downstream computing node.
[0009] Furthermore, step S12 includes: S121: Within the defined time window, the event source module will use the fragmented entity information parsed from the security event as graph nodes, and the entity types defined in the parsing rules and the preset contextual relationships between the entity types as graph edges to construct an entity association graph. S122: Based on the connection relationship of the entity association graph, the event source module identifies and connects fragmented entity information to form the key entity; The event source module also maintains an entity alias mapping table. Based on the entity alias mapping table, the event source module maps different representations of the key entities to their normalized representations, thereby normalizing the key entities.
[0010] Furthermore, the semantic mapping table has a hierarchical structure, and step S13 includes: S131: Based on the general characteristics of the security incident, the security incident is classified into a high-level core behavior category; S132: Combining the key entities and the detailed event characteristics of the security events, the semantic mapping table is used to refine the classification in the sub-level corresponding to the core behavior category at the high level, so as to determine the core behavior of the security events; S133: Generate the potential causal chain based on the hierarchical relationship of the core behavior in the semantic mapping table.
[0011] Furthermore, step S2 includes: S21: When the computing node receives the message, it will parse the causal metadata first; S22: Determine whether the core behavior in the causal metadata is ambiguous; S23: When the core behavior is ambiguous, determine the precise attack pattern of the security event based on the key entities and potential causal chains in the causal metadata; S24: Direct the security event to the router corresponding to the precise attack pattern; S25: When the core behavior is not ambiguous, the security event is directly directed to the corresponding router based on the core behavior.
[0012] Furthermore, step S23 includes: S231: Obtain the type of the core behavior and select a subset of rules from a preset rule set; S232: Combining the key entities and potential causal chains in the causal metadata, perform conditional matching on the selected rule subset to obtain the successfully matched rules; S233: When there are multiple successfully matched rules, a matching rule is selected from the multiple successfully matched rules according to the preset rule priority; S234: Based on the selected matching rules, deduce the precise attack pattern of the security event.
[0013] Furthermore, the existing causal information is stored as a causal relationship graph, including existing entities and the causal relationships between existing entities. The existing entities are graph nodes, and the causal relationships between existing entities are graph edges. Step S3 includes: S31: In the router, path traversal is performed in the causal relationship graph based on the key entity and the potential causal chain; S32: Based on the path traversal results, discover and connect events with causal relationships to form the local attack chain fragment.
[0014] Furthermore, step S4 includes: S41: Establish a global attack graph; S42: Add the key entities and potential causal chains in all the local attack chain segments as graph nodes and graph edges to the global attack graph; S43: Perform graph traversal and path analysis on the global attack graph to identify the causal paths of the connections; S44: Based on the causal path, extract the key entity sequence, affected entities, and attack intent as summary information; S45: Based on the summary information, generate a complete multi-stage attack chain.
[0015] Secondly, a network security vulnerability data analysis device, the device comprising: Causal metadata extraction module: When a security event is generated, causal metadata is extracted from the security event and injected into the message of the security event, which is then sent to the downstream computing node; the causal metadata includes at least key entities, core behaviors, and potential causal chains; Event-oriented module: When the computing node receives the message, it first parses the causal metadata and directs the security event to the corresponding router based on the core behavior in the causal metadata; Local attack chain generation module: In the router, key entities and potential causal chains are matched with existing causal information to form local attack chain fragments; Complete the attack chain generation module: aggregate all the local attack chain fragments, extract the summary information, and reconstruct the complete multi-stage attack chain based on the summary information.
[0016] Thirdly, a computer device includes a processor and a memory storing computer-readable instructions that, when executed by the processor, perform the steps of any of the methods described above.
[0017] Beneficial effects: The network security vulnerability data analysis method, apparatus, and computer device proposed in this application extract and inject causal metadata when a security event is generated. The causal metadata is parsed first at the computing node and directed to the router. In the router, key entities and potential causal chains are matched with existing causal information to form local attack chain fragments. Finally, all local attack chain fragments are aggregated and the complete multi-stage attack chain is reconstructed. This solves the problem of accurately establishing the precise time sequence and causal relationship of events in a distributed computing environment. It can reliably reconstruct the complete attack chain and has the advantage of improving the accuracy and efficiency of network security vulnerability data analysis. Attached Figure Description
[0018] Figure 1 This is a flowchart of a network security vulnerability data analysis method proposed in this application.
[0019] Figure 2 This is a structural diagram of a network security vulnerability data analysis system proposed in this application.
[0020] Figure 3 This is a structural diagram of a computer device proposed in this application.
[0021] Labeling Explanation: 201, Causal Metadata Extraction Module; 202, Event-Oriented Module; 203, Local Attack Chain Generation Module; 204, Complete Attack Chain Generation Module; 301, Processor; 302, Memory; 303, Communication Bus; 3, Computer Equipment. Detailed Implementation
[0022] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of this application, and not all of the embodiments. The components of the embodiments of this application described and marked in the accompanying drawings can be arranged and designed in various different configurations. Therefore, the following detailed description of the embodiments of this application provided in the accompanying drawings is not intended to limit the scope of the claimed application, but merely to illustrate selected embodiments of this application. All other embodiments obtained by those skilled in the art based on the embodiments of this application without inventive effort are within the scope of protection of this application.
[0023] It should be noted that similar reference numerals and letters in the following figures indicate similar items; therefore, once an item is defined in one figure, it does not need to be further defined and explained in subsequent figures. Furthermore, in the description of this application, terms such as "first," "second," etc., are used only to distinguish descriptions and should not be construed as indicating or implying relative importance.
[0024] In today's complex network environment, various security tools generate massive amounts of security incident data daily. To promptly detect and respond to complex, multi-stage attacks from this data, distributed computing systems are typically used for real-time analysis. However, in a distributed architecture, due to the diverse sources of events, unpredictable network transmission latency, and slight differences in the clocks of various computing nodes, the order in which events arrive at processing nodes can be chaotic. Accurately connecting these temporally and logically related, scattered events to reconstruct a complete attack chain is an extremely challenging task. Traditional analysis methods often require extensive caching, sorting, and complex state synchronization in the backend, which not only consumes enormous computing and storage resources but also introduces significant processing latency, making it difficult to balance real-time performance and accuracy.
[0025] To address the aforementioned issues, this application proposes a network security vulnerability data analysis method. The core idea of this method is to pre-process some intelligent semantic understanding and causal correlation at the source of event generation. By extracting and injecting structured causal metadata in real-time when a security event occurs, each event carries rich, self-describing causal context information before entering the distributed analysis platform. This design significantly reduces the computational burden on the downstream distributed stream processing cluster, enabling it to directly utilize this pre-processed metadata for efficient classification, routing, and causal correlation matching. This allows for more accurate and faster reconstruction of multi-stage attack chains when facing massive, out-of-order security event streams, while significantly reducing reliance on backend computing resources and complex state synchronization mechanisms.
[0026] Please refer to Figure 1 A method for analyzing cybersecurity vulnerability data, the method includes the following steps: S1: When a security event is generated, extract causal metadata from the security event and inject the causal metadata into the security event message, and send it to the downstream computing node; the causal metadata includes at least key entities, core behaviors and potential causal chains; S2: When a compute node receives a message, it first parses the causal metadata and directs the security event to the corresponding router based on the core behavior in the causal metadata; S3: In the router, key entities and potential causal chains are matched with existing causal information to form local attack chain fragments; S4: Aggregate all local attack chain fragments, extract digest information, and reconstruct the complete multi-stage attack chain based on the digest information.
[0027] The execution flow of this method can be understood as a distributed, multi-stage event processing and analysis process. First, at the source of the event, such as on security devices like intrusion detection systems, endpoint detection and response tools, or firewalls, when a raw security event is captured—for example, a raw log record—it is not immediately sent directly to the backend analysis cluster. Instead, processing logic deployed in the event source module immediately performs preliminary parsing and semantic extraction of the event.
[0028] At this stage, causal metadata is a structured collection of information used to describe the core semantics and potential causal relationships of an event. Key entities refer to the core objects involved in the event and are the cornerstone of constructing the attack narrative. For example, in an event representing a failed user login, key entities might include the username attempting to log in, the source Internet Protocol address, the address of the target server, and the timestamp of the login attempt. In an event representing a file write operation, key entities might include the name of the process performing the write operation, the full path of the file being written, and the user account performing the operation. This entity information is precisely extracted from unstructured log text.
[0029] Core behavior is a high-level semantic summary of the main operation or intent represented by an event. For example, a network traffic log containing specific scanning characteristics can be categorized as a port scan as its core behavior. Multiple consecutive login failures from the same source can be categorized as brute-force attacks. This categorization provides a basis for subsequent event routing and prioritization.
[0030] Potential causal chains are preliminary predictions or clues about possible causal relationships between a current event and other events. This forward-looking information provides crucial guidance for piecing together downstream attack chains. For example, after identifying a port scanning activity, a potential causal chain can be generated, indicating that the subsequent activity may be an exploit. After a successful privilege escalation event, its potential causal chain might point to subsequent data access or lateral movement activities.
[0031] The extracted key entities, core behaviors, and potential causal chains are encapsulated into a standardized data structure, such as a JSON object or a Protobuf message body, and then injected into the original security event message. This injection can be achieved by adding a dedicated metadata field to the message header, or by using the original event as a carrier and appending the metadata to it. After injection, this enhanced event message, carrying rich contextual information, is sent to downstream distributed computing nodes, for example, via a message queue system.
[0032] When a compute node in a distributed computing cluster, such as a worker process of a stream processing framework, receives this enhanced event message from the message queue, the execution process enters the second phase. The compute node prioritizes parsing the causal metadata injected into the message. Because the metadata is structured, its parsing process is much faster than parsing raw, complex log text. After obtaining the metadata, the compute node primarily uses the core behavioral information to direct the security event to one or more specialized routers. These routers are not physical network devices, but rather logical components in the stream processing topology, responsible for in-depth analysis of specific types of events. For example, an event with port scanning as its core behavior is directed to a reconnaissance activity analysis router, while an event with malware execution as its core behavior is directed to an endpoint threat analysis router. This semantic-based intelligent routing mechanism avoids all events going through a unified and complex processing logic, achieving efficient allocation of processing resources and parallelization of the analysis process.
[0033] In the third stage, the event reaches the designated router. The router maintains a state regarding existing causal information. This information could be recently processed related events, a knowledge base of known attack patterns, or a dynamically updated entity relationship graph. The router matches the key entities and potential causal chains carried by the current event against this existing causal information. For example, a router receives an event indicating that process P on host A created file F. If the router's state records that process P was recently started by a network connection from external IP address B, then these two events can be linked to form a fragment of a local attack chain containing two steps: the external connection triggers process startup, and the process creates the file after startup. Although this fragment is incomplete, it reveals a small section of attack behavior with a clear causal relationship.
[0034] Finally, in the fourth stage, all fragments of the local attack chain generated by different routers are aggregated into an aggregation node. This aggregation node is responsible for piecing together these fragmented pieces of information into a complete attack narrative. Because each fragment contains clearly defined key entities and causal relationships, the aggregation process can more accurately identify the connection points between them. For example, the ending entity of one fragment may be the starting entity of another. In this way, even if the events constituting the complete attack chain arrive out of physical time or are processed by different routers distributed across different computing nodes, they can still be accurately connected. After aggregation, summary information is extracted from the complete attack chain, such as the attack's starting point, final target, key assets involved, and the main techniques used by the attacker. Based on this highly condensed summary information, a complete multi-stage attack chain is finally reconstructed and presented for security analysts to analyze and respond to.
[0035] By pre-injecting causal metadata at the event source and performing efficient routing, matching, and aggregation downstream, the method proposed in this application can effectively overcome the challenges posed by event out-of-order delivery and clock drift in a distributed environment, accurately reconstructing complex attack chains while ensuring high real-time performance and throughput.
[0036] Furthermore, to ensure accurate and efficient extraction of high-quality causal metadata from the original security event at the event source end, this method is at least applied to the event source end module, which maintains a hierarchical parsing rule base containing general pattern rules and scenario-specific pattern rules. Step S1 includes: S11: When a security event is generated, the event source module selects and applies parsing rules from the hierarchical parsing rule base based on the preliminary characteristics of the security event; S12: Within a limited time window, the event source module reconstructs the fragmented entity information parsed from the security event based on the entity types defined in the parsing rules and the contextual relationships between entity types, and normalizes the polymorphically represented entities to obtain the key entities. S13: Based on the preliminary characteristics of key entities and security events, security events are categorized into core behaviors and potential causal chains are generated through a semantic mapping table; S14: Encapsulate key entities, core behaviors, and potential causal chains into causal metadata, inject the causal metadata into the security event message, and send it to downstream computing nodes.
[0037] Specifically, this event source module can be a lightweight agent, a software library, or a microservice deployed at the network edge. Its core responsibility is to perform high-quality preprocessing before events enter the large-scale distributed processing pipeline. The hierarchical parsing rule base maintained by this module is the foundation for accurate information extraction. The general pattern rule base stores universal parsing logic applicable to various log sources, such as rules for parsing standard Syslog and JSON format logs, or regular expressions for extracting common indicators such as IP addresses, domain names, and file hashes from arbitrary text. Specific scenario pattern rules, on the other hand, are deeply customized for logs from specific security tools, operating systems, or applications. For example, a specific set of rules will be used to parse the unique fields and encoding methods of the logs from a particular brand of firewall.
[0038] When a security event, such as a raw log string, is generated, the event source module first selects one or more matching parsing rules from the hierarchical parsing rule base based on some preliminary characteristics, such as the IP address of the source device that generated the log, the log format identifier, or specific keywords contained in the log. This dynamic selection mechanism avoids trying all rules for every event, thereby improving processing efficiency.
[0039] After applying the selected parsing rules, the event source module extracts fragmented entity information from security events. However, the information of a logically complete critical entity may be scattered across multiple logs generated consecutively within a short period. To address this issue, the event source module aggregates security events from the same source within a defined time window, such as 500 milliseconds. Within this window, the event source module reconstructs this fragmented entity information based on the predefined entity types and their contextual relationships within the parsing rules.
[0040] To more clearly illustrate this reconstruction process, this application further provides a specific implementation method based on graph construction, wherein step S12 includes: S121: Within a limited time window, the event source module will use the fragmented entity information parsed from the security event as graph nodes, and the entity types defined in the parsing rules and the preset contextual relationships between entity types as graph edges to construct an entity association graph. S122: Based on the connection relationship of the entity association graph, the event source module identifies and connects fragmented entity information to form key entities; The event source module also maintains an entity alias mapping table. Based on the entity alias mapping table, the event source module maps different representations of key entities to their normalized representations, thereby normalizing the key entities.
[0041] As a specific example, suppose that within a 100-millisecond time window, the event source module receives two logs from the same web server. The first is an application log, recording that user "testuser" accessed the file " / var / www / html / config.php" through the web application process with process ID "PID1234". The second is a system audit log, recording that the process with process ID "PID1234" initiated a network connection to port 443 of the external IP address "10.20.30.40".
[0042] At this point, the event source module will create nodes in a graph from the parsed fragmented entity information, such as "user:testuser", "process:PID1234", "file: / var / www / html / config.php", "ip:10.20.30.40", and "port:443". The parsing rules define contextual relationships, such as: a user can start a process, a process can access a file, and a process can initiate a network connection. These contextual relationships are used as edges in the graph, connecting the corresponding fragmented entity information. The final entity relationship graph clearly shows that "user:testuser" started "process:PID1234", which, on the one hand, accessed the sensitive configuration file "file: / var / www / html / config.php", and on the other hand, established a connection with the external IP "ip:10.20.30.40". By analyzing this connected subgraph, the module can reconstruct a complete key entity that describes the complete behavior of "user testuser's process initiating an external network connection after reading a sensitive file".
[0043] Furthermore, the process of reconstructing key entities also requires addressing the polymorphism of entity representations. Different log sources may use different naming conventions for the same entity; for example, an administrator account might be recorded as "admin," "administrator," or "root." To ensure consistency in subsequent analysis, the event source module maintains an entity alias mapping table. After a key entity is formed, the module uses this mapping table to map the different representations of the entity's name to its unique, normalized representation. For example, regardless of whether the original log contains "admin" or "administrator," after normalization, it will be uniformly represented as "account_type:administrator" in the key entity.
[0044] After accurately identifying the key entities, the next step is to determine the core behaviors of the event and generate potential causal chains. To achieve this goal, this application proposes an implementation based on a hierarchical semantic mapping table. This semantic mapping table has a hierarchical structure, and step S13 includes:
[0045] S131: Based on the common characteristics of security incidents, classify security incidents into high-level core behavior categories; S132: Combining the detailed event characteristics of key entities and security events, the semantic mapping table is used to refine the classification in the sub-level corresponding to the core behavior category at the high level to determine the core behavior of the security event; S133: Generate potential causal chains based on the hierarchical relationship of core behaviors in the semantic mapping table.
[0046] Specifically, this semantic mapping table can be designed as a tree-like or directed acyclic graph structure. The top-level nodes are broad behavior categories, such as "reconnaissance," "resource exploitation," "initial access," "execution," "persistence," "privilege escalation," "defense evasion," "credential access," "discovery," "lateral movement," "collection," "command and control," and "impact," etc. These categories can refer to mature attack framework models in the industry.
[0047] When an event and its associated key entities are processed, they are first mapped to one or more of the aforementioned high-level categories based on the event's general characteristics, such as its source (e.g., traffic logs from a firewall, process creation logs from an endpoint) and some basic attributes. For example, a blocked inbound connection log from a firewall, whose general characteristic is an external-to-internal network connection attempt, can be initially categorized into the high-level category of "initial access".
[0048] Next, we proceed with a more detailed classification. This step incorporates more detailed information, particularly the reconstructed and normalized key entities. Continuing with the example above, if a deeper analysis of the firewall logs reveals that the target port is 3389, and the key entity contains a source IP address belonging to a known malicious IP address range, then within the "Initial Access" sub-level, we can further refine the classification using a semantic mapping table based on the detailed characteristics of the target port being a Remote Desktop Protocol port and the source IP being malicious. This will determine its core behavior as: a brute-force attempt to crack the Remote Desktop Protocol.
[0049] Once the precise core behavior is identified, the hierarchical relationships of the semantic mapping table can be used to generate potential causal chains. This hierarchy itself contains the evolutionary logic of the attack stages. For example, in the mapping table, the "reconnaissance" category is often a preceding stage to the "initial access" category. Therefore, if the core behavior of the current event is determined to be a brute-force attempt at a remote desktop protocol, belonging to the "initial access" category, then the generated potential causal chain could contain a clue pointing to the preceding behavior, i.e., a possible preceding behavior is port scanning, and it could also contain a clue pointing to the subsequent behavior, i.e., a possible subsequent behavior is persistent login after successful login. These potential causal chains provide invaluable context for downstream correlation analysis.
[0050] When an event message carrying causal metadata arrives at a downstream compute node, it needs to be directed to the corresponding router based on the core behavior. However, some core behaviors may be ambiguous, and a single behavior label is insufficient for accurate routing. For example, a PowerShell script executing this core behavior could be a normal maintenance operation by an administrator or a critical step in a fileless attack. To address this issue, this application further optimizes the event-oriented process. Step S2 includes:
[0051] S21: When a compute node receives a message, it should prioritize parsing causal metadata; S22: Determine whether the core behavior in causal metadata is ambiguous; S23: When the core behavior is ambiguous, determine the precise attack pattern of the security event based on the key entities and potential causal chains in the causal metadata; S24: Direct the security incident to the router corresponding to the precision attack pattern; S25: When the core behavior is not ambiguous, the security event is directly directed to the corresponding router based on the core behavior.
[0052] To specifically derive precise attack patterns, this application provides a mechanism based on rule matching and priority selection. When disambiguation of a core behavior with ambiguity is required, the type of the core behavior is first obtained, and a subset of rules related to that type is selected from a preset rule set. This narrows the matching scope and improves efficiency. Next, by combining key entities and potential causal chains in the causal metadata of the current event, conditional matching is performed on the selected rule subset, filtering out all successfully matching rules.
[0053] That is: S231: Obtain the type of the core behavior and select a subset of rules from the preset rule set; S232: Combine key entities and potential causal chains in the causal metadata to perform conditional matching on the selected subset of rules to obtain the successfully matched rules; S233: When there are multiple rules that match successfully, select a matching rule from the multiple successfully matched rules according to the preset rule priority; S234: Based on the selected matching rules, deduce the precise attack pattern of the security event.
[0054] As a specific example, suppose the core behavior is PowerShell script execution. The compute node will filter all PowerShell-related rules from the rule set. One rule might be defined as: if the executing user in the critical entity is a system administrator, and the executed script content, after hash verification, matches a script in a known legitimate operations and maintenance script library, then the precise attack pattern is legitimate system administration. Another rule might be defined as: if the critical entity contains Base64-encoded command-line arguments with obfuscated characteristics, and its potential causal chain's preceding behavior is Office macro execution, then the precise attack pattern is fileless malware execution.
[0055] In complex situations, multiple rules may match successfully simultaneously. To resolve such conflicts, a final matching rule is selected from the multiple successful matches based on preset rule priorities. Generally, rules with more specific conditions and clearer threats have higher priority. For example, an event that simultaneously satisfies both administrator execution and containing obfuscated commands would have a higher priority rule corresponding to the latter. Ultimately, based on the selected unique matching rule, the precise attack pattern of the security event is derived, and precise routing is performed according to this pattern. For example, an event with a fileless malware execution pattern might be directed to a high-priority router requiring in-depth memory analysis and behavioral forensics.
[0056] Once a security event is precisely directed to the corresponding router, the router needs to correlate the current security event with existing information to form a fragment of a local attack chain. To efficiently store and retrieve this existing causal information, this application proposes storing it in the form of a causal relationship graph. In this causal relationship graph, existing entities serve as nodes, and the causal relationships between existing entities serve as edges. Step S3 includes:
[0057] S31: In the router, path traversal is performed in the causal relationship graph based on key entities and potential causal chains; S32: Based on the path traversal results, discover and connect events with causal relationships to form a local attack chain fragment.
[0058] For example, a router maintains a dynamically updated causal graph. The graph already contains a node representing user Zhang and another node representing the host financial server, connected by an edge indicating that Zhang successfully logged into the financial server at time T1. Now, the router receives a new event whose core action is a database export operation, with key entities including user Zhang and the source host financial server. The router will traverse the graph starting from these two key entities. The traversal will immediately discover the existing login event. Therefore, the router can connect these two events to form a fragment of a local attack chain: Zhang logs into the financial server -> Zhang performs a database export on the financial server. This fragment reveals a potential data theft.
[0059] Finally, in order to integrate all the scattered local attack chain fragments into a global and complete attack view, this application proposes a method for aggregation and reconstruction based on a global attack graph. Step S4 includes:
[0060] S41: Establish a global attack graph; S42: Add key entities and potential causal chains in all local attack chain segments as graph nodes and graph edges to the global attack graph; S43: Perform graph traversal and path analysis on the global attack graph to identify causal paths of connection; S44: Based on the causal path, extract the key entity sequence, affected entities, and attack intent as summary information; S45: Generate a complete multi-stage attack chain based on the digest information.
[0061] Establishing a global attack graph refers to constructing a unified view that can accommodate information on all local attack chain fragments. This can be implemented using a graph database, which is characterized by its efficient storage and retrieval of graph structure data, supporting complex graph traversal and path analysis operations. Nodes in the graph can represent various entities in the attack, such as IP addresses, user accounts, files, and processes, while edges represent the causal relationships or interactions between these entities.
[0062] By mapping key entities and potential causal chains to nodes and edges in a graph, scattered local information can be brought together. For example, a local attack chain fragment might contain a malware downloader (key entity) downloading a malicious payload (key entity) from a C2 server (key entity) via the HTTP protocol (potential causal chain). In the global attack graph, these entities would be treated as nodes, and the HTTP download behavior would be treated as edges connecting these nodes.
[0063] Next, algorithms are used to explore nodes and edges to discover the complete attack path. Graph traversal can employ algorithms such as Depth-First Search (DFS) or Breadth-First Search (BFS), starting from one or more initial nodes and exploring all reachable nodes along causal edges. Path analysis, based on traversal, identifies paths with specific patterns or satisfying specific conditions. For example, it can find a complete path from an external attack source to internal critical assets, or identify attack chains involving multiple stages. For instance, starting from a known malicious IP node, it can traverse to find all processes, files, users, and other nodes directly or indirectly related to it, recording the causal sequence connecting these nodes to construct a complete attack path.
[0064] The critical entity sequence refers to a list of important entities arranged chronologically or causally along the attack path, such as: attacker IP -> malicious process -> sensitive file -> data leakage IP. Affected entities refer to systems, data, or users that are damaged or exploited in the attack, such as infected hosts, stolen data, or misused accounts. Attack intent refers to the attacker's intended ultimate goal, such as data theft, system destruction, or privilege escalation, which can be inferred by analyzing behavioral patterns and target entities along the attack path. For example, if a path shows that an attacker gained database administrator privileges and accessed a sensitive database, the attack intent might be inferred to be data theft.
[0065] Generating a complete multi-stage attack chain based on digest information refers to using extracted core digest information to present the full picture of the attack in a clear and easy-to-understand way. This can be a structured text description or a visual chart. A multi-stage attack chain clearly shows each stage of the attack, such as reconnaissance, weaponization, delivery, exploitation, installation, command and control, and goal achievement, and points out the key entities, behaviors, and causal relationships involved in each stage. For example, an attack chain description can be generated as follows: Stage 1: Reconnaissance (attacker's IP scans the target network); Stage 2: Initial Access (exploiting vulnerabilities through phishing emails to execute malicious code on host A); Stage 3: Privilege Escalation (malicious code exploits local privilege escalation vulnerabilities to gain administrator privileges); Stage 4: Lateral Movement (attacker uses host A as a springboard to host B); Stage 5: Data Theft (stealing sensitive data from host B and transmitting it to the C2 server).
[0066] Please refer to Figure 2 To achieve the above method, this application also provides a network security vulnerability data analysis device, the device comprising: Causal metadata extraction module 201: When a security event is generated, causal metadata is extracted from the security event and injected into the security event message, which is then sent to the downstream computing node; the causal metadata includes at least key entities, core behaviors, and potential causal chains; Event-oriented module 202: When a compute node receives a message, it first parses the causal metadata and directs the security event to the corresponding router based on the core behavior in the causal metadata; Local attack chain generation module 203: In the router, key entities and potential causal chains are matched with existing causal information to form local attack chain fragments; Complete attack chain generation module 204: aggregate all local attack chain fragments, extract summary information, and reconstruct a complete multi-stage attack chain based on the summary information.
[0067] The causal metadata extraction module 201 is responsible for identifying and extracting core information from a security incident and structuring it into causal metadata. This can be achieved by performing preliminary semantic and structural processing on the incident at its source, encapsulating the core information in a lightweight and transmissible format. This information is injected into the incident message, avoiding repeated parsing and complex calculations of the original massive incident data by downstream nodes. This significantly reduces the complexity and resource consumption of subsequent processing, laying the foundation for efficient incident processing in a distributed environment.
[0068] The event-oriented module 202, upon receiving an event message, prioritizes processing the causal metadata and routes the event to the appropriate processing unit based on its core behavior. This can be achieved by: parsing the causal metadata first to ensure the system can quickly grasp the core semantics of the event; and routing based on the core behavior, enabling intelligent event routing and distribution. For example, if the core behavior is login failure, the event will be routed to a router specifically handling authentication failure events; if the core behavior is file deletion, it will be routed to a file operation auditing router. This mechanism avoids all events undergoing a uniform and complex processing logic, instead sending them to the most suitable module based on their nature, thereby improving system processing efficiency and response speed while reducing unnecessary computational overhead.
[0069] The local attack chain generation module 203 refers to the process in the router that uses received key entities and potential causal chains, combined with existing causal information, to identify and connect causal relationships between events, forming fragments of a local attack chain. Specifically, this can be implemented as follows: This module uses pre-extracted key entities and potential causal chains, combined with existing causal knowledge (such as causal relationship graphs), to identify causal relationships between events within a local scope. Through matching, scattered event fragments can be connected to form meaningful local attack chains, providing a foundation for subsequent global attack chain reconstruction. This also avoids large-scale, complex correlation calculations on a global scale, reducing computational complexity.
[0070] The attack chain generation module 204 refers to aggregating all local attack chain fragments, extracting summary information, and reconstructing a complete multi-stage attack chain based on the summary information. Specifically, this can be achieved as follows: This module integrates the locally generated attack chain fragments, identifies the causal paths through graph traversal and path analysis, and extracts summary information such as key entity sequences, affected entities, and attack intent. For example, by aggregating the local attack chain fragment of an account brute-force attack attempt with the local attack chain fragment of executing malicious commands after successful login, a complete attack chain can be identified, showing that user A's account was brute-forced and subsequently executed malicious commands. Based on this summary information, a complete and clear multi-stage attack chain can be reconstructed, providing security analysts with high-level, easily understandable threat intelligence, helping enterprises to promptly detect and respond to complex cyberattacks, and improving threat detection and response capabilities.
[0071] Please refer to Figure 3 , Figure 3This application provides a schematic diagram of the structure of a device according to an embodiment of the present application. The application provides a computer device 3, including a processor 301 and a memory 302. The processor 301 and the memory 302 are interconnected and communicate with each other via a communication bus 303 and / or other forms of connection mechanisms (not shown). The memory 302 stores computer-readable instructions executable by the processor 301. When the computer device 3 is running, the processor 301 executes the computer-readable instructions to perform the method in any optional implementation of the above embodiments, thereby achieving the following functions: when a security event is generated, extracting causal metadata from the security event and injecting the causal metadata into the security event message, and sending it to downstream computing nodes; the causal metadata includes at least key entities, core behaviors, and potential causal chains; when a computing node receives a message, it prioritizes parsing the causal metadata and directs the security event to the corresponding router based on the core behaviors in the causal metadata; in the router, the key entities and potential causal chains are matched with existing causal information to form local attack chain fragments; all local attack chain fragments are aggregated, digest information is extracted, and a complete multi-stage attack chain is reconstructed based on the digest information.
[0072] The above description is merely an embodiment of this application and is not intended to limit the scope of protection of this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of protection of this application.
Claims
1. A method for analyzing network security vulnerability data, characterized in that, The method includes the following steps: S1: When a security event is generated, extract causal metadata from the security event, inject the causal metadata into the message of the security event, and send it to the downstream computing node; The causal metadata includes at least key entities, core behaviors, and potential causal chains; S2: When the computing node receives the message, it first parses the causal metadata and directs the security event to the corresponding router based on the core behavior in the causal metadata; S3: In the router, key entities and potential causal chains are matched with existing causal information to form local attack chain fragments; S4: Aggregate all the local attack chain fragments, extract the summary information, and reconstruct the complete multi-stage attack chain based on the summary information.
2. The network security vulnerability data analysis method according to claim 1, characterized in that, The method is applied at least to the event source module, which maintains a hierarchical parsing rule base. The hierarchical parsing rule base includes general pattern rules and specific scenario pattern rules. Step S1 includes: S11: When a security event is generated, the event source module selects and applies the parsing rules in the hierarchical parsing rule base according to the preliminary characteristics of the security event; S12: Within a limited time window, the event source module reconstructs the fragmented entity information parsed from the security event according to the entity types defined in the parsing rules and the contextual relationships between the entity types, and normalizes the polymorphically represented entities to obtain the key entity. S13: Based on the preliminary characteristics of the key entities and the security events, the security events are classified into core behaviors through a semantic mapping table, and potential causal chains are generated; S14: Encapsulate the key entity, the core behavior, and the potential causal chain into causal metadata, inject the causal metadata into the message of the security event, and send it to the downstream computing node.
3. The network security vulnerability data analysis method according to claim 2, characterized in that, Step S12 includes: S121: Within the defined time window, the event source module will use the fragmented entity information parsed from the security event as graph nodes, and the entity types defined in the parsing rules and the preset contextual relationships between the entity types as graph edges to construct an entity association graph. S122: Based on the connection relationship of the entity association graph, the event source module identifies and connects fragmented entity information to form the key entity; The event source module also maintains an entity alias mapping table. Based on the entity alias mapping table, the event source module maps different representations of the key entities to their normalized representations, thereby normalizing the key entities.
4. The network security vulnerability data analysis method according to claim 3, characterized in that, The semantic mapping table has a hierarchical structure, and step S13 includes: S131: Based on the general characteristics of the security incident, the security incident is classified into a high-level core behavior category; S132: Combining the key entities and the detailed event characteristics of the security events, the semantic mapping table is used to refine the classification in the sub-level corresponding to the core behavior category at the high level, so as to determine the core behavior of the security events; S133: Generate the potential causal chain based on the hierarchical relationship of the core behavior in the semantic mapping table.
5. The network security vulnerability data analysis method according to claim 1, characterized in that, Step S2 includes: S21: When the computing node receives the message, it will parse the causal metadata first; S22: Determine whether the core behavior in the causal metadata is ambiguous; S23: When the core behavior is ambiguous, determine the precise attack pattern of the security event based on the key entities and potential causal chains in the causal metadata; S24: Direct the security event to the router corresponding to the precise attack pattern; S25: When the core behavior is not ambiguous, the security event is directly directed to the corresponding router based on the core behavior.
6. The network security vulnerability data analysis method according to claim 5, characterized in that, Step S23 includes: S231: Obtain the type of the core behavior and select a subset of rules from a preset rule set; S232: Combining the key entities and potential causal chains in the causal metadata, perform conditional matching on the selected rule subset to obtain the successfully matched rules; S233: When there are multiple successfully matched rules, a matching rule is selected from the multiple successfully matched rules according to the preset rule priority; S234: Based on the selected matching rules, deduce the precise attack pattern of the security event.
7. The network security vulnerability data analysis method according to claim 1, characterized in that, The existing causal information is stored in a causal relationship graph, including existing entities and the causal relationships between existing entities. The existing entities are graph nodes, and the causal relationships between existing entities are graph edges. Step S3 includes: S31: In the router, path traversal is performed in the causal relationship graph based on the key entity and the potential causal chain; S32: Based on the path traversal results, discover and connect events with causal relationships to form the local attack chain fragment.
8. The network security vulnerability data analysis method according to claim 1, characterized in that, Step S4 includes: S41: Establish a global attack graph; S42: Add the key entities and potential causal chains in all the local attack chain segments as graph nodes and graph edges to the global attack graph; S43: Perform graph traversal and path analysis on the global attack graph to identify the causal paths of the connections; S44: Based on the causal path, extract the key entity sequence, affected entities, and attack intent as summary information; S45: Based on the summary information, generate a complete multi-stage attack chain.
9. A network security vulnerability data analysis device, characterized in that, The device includes: Causal metadata extraction module: When a security event is generated, causal metadata is extracted from the security event and injected into the message of the security event, which is then sent to the downstream computing node; the causal metadata includes at least key entities, core behaviors, and potential causal chains; Event-oriented module: When the computing node receives the message, it first parses the causal metadata and directs the security event to the corresponding router based on the core behavior in the causal metadata; Local attack chain generation module: In the router, key entities and potential causal chains are matched with existing causal information to form local attack chain fragments; Complete the attack chain generation module: aggregate all the local attack chain fragments, extract the summary information, and reconstruct the complete multi-stage attack chain based on the summary information.
10. A computer device, characterized in that, It includes a processor and a memory, the memory storing computer-readable instructions that, when executed by the processor, perform the steps of the method as described in any one of claims 1-8.