C4ISR threat information fusion method and device based on d-s evidence theory
By constructing an open-world threat identification framework and an improved Dempster combination rule, the problem of traditional threat intelligence fusion algorithms failing to identify unknown threats and failing to process highly conflicting evidence is solved, thus achieving effective perception of unknown threats and highly accurate fusion decision-making.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SHENZHEN Y& D ELECTRONICS CO LTD
- Filing Date
- 2026-03-27
- Publication Date
- 2026-06-09
Smart Images

Figure CN122179213A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of information security technology, and in particular to a method and apparatus for fusion of threat information based on the DS evidence theory and C4ISR. Background Technology
[0002] Currently, traditional threat intelligence fusion algorithms mainly rely on rule-based fusion engines or statistical decision-making mechanisms, such as expert systems, weighted voting, and Bayesian networks. Rule-based methods can leverage expert experience to establish relationships between threat entities, but they struggle to handle unknown attack patterns outside of established rules. Bayesian network-based methods can quantify uncertainty and perform probabilistic reasoning, but they depend on a complete threat hypothesis space and accurate prior probabilities, making them ineffective in representing and processing unknown threats. Dempster-Shafer evidence theory (DS evidence theory), as a mathematical framework for handling uncertainty and incomplete information, expresses uncertainty through basic probability assignment functions and can effectively fuse multi-source information, exhibiting unique advantages in handling uncertainty and incompleteness. However, threat intelligence fusion based on DS evidence theory still needs to address the following issues: First, the identification framework is limited by the closed-world assumption, failing to represent unknown threats and causing the system to lose its ability to perceive new threats; second, traditional Dempster combination rules fail when handling highly conflicting evidence, potentially producing erroneous fusion results and affecting the reliability of the fusion decision. Summary of the Invention
[0003] To address the aforementioned technical problems, this invention provides a C4ISR threat information fusion method based on DS evidence theory, employing the following technical solution, including the following steps: Build an open-world threat identification framework; Based on the threat identification framework, the network traffic statistics and security device alarm frequency numerical data are transformed into a standardized input, namely the basic probability allocation function, that can be processed by the DS evidence theory. Transform the unstructured text data of attack description reports and security incident description texts in external threat intelligence into a standardized basic probability allocation function; Quantify the consistency and degree of contradiction among multi-source evidence to obtain conflict measurement results; The system receives basic probability assignments from multiple evidence bodies and, based on the conflict measurement results, uses an improved Dempster combination rule to fuse all evidence into a unified confidence assignment function. The unified confidence assignment function is transformed into threat information cognition to generate an interpretable report.
[0004] Preferably, the steps for constructing the open-world threat identification framework specifically include: Define a set of known threat types; Introducing elements of unknown threat type; Based on the set of known threat types and the elements of the unknown threat types, an exponential set of the identification framework is constructed.
[0005] Preferably, the step of converting network traffic statistical features and security device alarm frequency numerical data into a standardized input, i.e., a basic probability allocation function, that can be processed by DS evidence theory based on the threat identification framework specifically includes: Based on the threat identification framework, the confidence level of known threats is calculated; Calculate the novelty of unknown threats; Based on the known threat confidence and the unknown threat novelty, a numerical basic probability assignment function is generated.
[0006] Preferably, the step of converting the unstructured text data of attack description reports and security incident description texts in external threat intelligence into a standardized basic probability allocation function specifically includes: Calculate the known threat confidence level of the text; Calculate the novelty of unknown threats in text; Based on the confidence level of known threats in the text and the novelty level of unknown threats in the text, a basic probability assignment function for the text is generated.
[0007] Preferably, the step of quantifying the consistency and degree of contradiction among multi-source evidence to obtain the conflict measurement result specifically includes: Calculate the conflict coefficient between pairs of evidence from multiple sources; Calculate the average conflict coefficient of the multi-evidence pool; Identify the most conflicting evidence pairs.
[0008] Preferably, the step of receiving basic probability assignments for multiple pieces of evidence and, based on the conflict measurement results, merging all evidence into a unified confidence assignment function using an improved Dempster combination rule specifically includes: Accumulate reliability for consistent portions of evidence; Decompose and redistribute conflicting qualities; The improved combination rule is extended to scenarios with more than two pieces of evidence, and multiple evidence bodies are merged into a final confidence assignment function using streaming processing.
[0009] Preferably, the step of transforming the unified confidence assignment function into threat information cognition and generating an interpretable report specifically includes: Calculate the confidence interval and determine the threat level; Calculate the contribution of key evidence sources; Generate a structured, interpretable source traceability report.
[0010] To address the aforementioned technical problems, this invention also provides a C4ISR threat information fusion device based on DS evidence theory, employing the following technical solution, including: Modules for building open-world threat identification frameworks; The numerical data conversion module is used to convert the numerical data of network traffic statistics and security device alarm frequency into a standardized input, namely the basic probability allocation function, that can be processed by the DS evidence theory, based on the threat identification framework. The unstructured text data conversion module is used to convert unstructured text data such as attack description reports and security incident description texts from external threat intelligence into standardized basic probability allocation functions. The quantification module is used to quantify the consistency and degree of contradiction among multi-source evidence to obtain conflict measurement results. The fusion module is used to receive the basic probability assignments of multiple pieces of evidence and, based on the conflict measurement results, use an improved Dempster combination rule to fuse all the evidence into a unified confidence assignment function. The generation module is used to transform the unified confidence assignment function into threat information cognition and generate an interpretable report.
[0011] To address the aforementioned technical problems, the present invention also provides a computer device that employs the technical solution described below, comprising a memory and a processor. The memory stores computer-readable instructions, and the processor, when executing the computer-readable instructions, implements the steps of the aforementioned C4ISR threat information fusion method based on DS evidence theory.
[0012] To address the aforementioned technical problems, the present invention also provides a computer-readable storage medium, which employs the technical solution described below. The computer-readable storage medium stores computer-readable instructions, which, when executed by a processor, implement the steps of the aforementioned C4ISR threat information fusion method based on DS evidence theory.
[0013] Compared with the prior art, the present invention has the following main advantages: (1) By constructing an open-world threat identification framework, a confidence space is assigned to unknown threats in the mathematical model. This allows the system to no longer force unknown attack patterns to be classified into known categories, thereby effectively characterizing and handling uncertainty, and significantly enhancing the C4ISR system's ability to warn and perceive unknown and sudden threats; (2) By introducing a conflict measurement mechanism, the consistency and degree of contradiction among multi-source evidence are quantified before fusion, and an improved Dempster combination rule is adopted based on the measurement results. This method can adaptively handle evidence conflicts, avoid misinterpreting conflicts as support, thereby effectively suppressing interference information, outputting more robust and more objectively realistic fusion results, and improving the accuracy of battlefield situational awareness.
[0014] (3) By designing a standardized conversion process, the underlying network traffic logs / alarm data and the upper-level external threat intelligence reports / security incident description text can be uniformly converted into a standardized basic probability allocation function. Through this unified formal expression, the system can deeply explore the intrinsic relationship between multi-source heterogeneous data (quantitative evidence and qualitative knowledge), realize the transformation from data to information to threat cognition, and finally generate interpretable reports to provide more comprehensive and understandable support for command and decision-making. Attached Figure Description
[0015] To more clearly illustrate the solutions in this invention, the accompanying drawings used in the description of the embodiments of this invention will be briefly introduced below. Obviously, the drawings described below are some embodiments of this invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.
[0016] Figure 1 This is a flowchart of an embodiment of the C4ISR threat information fusion method based on DS evidence theory of the present invention; Figure 2 This is a schematic diagram of the architecture used in the C4ISR threat information fusion method based on DS evidence theory in this invention; Figure 3 This is a schematic diagram of the structure of an embodiment of the C4ISR threat information fusion device based on DS evidence theory of the present invention; Figure 4 This is a schematic diagram of another embodiment of the C4ISR threat information fusion device based on DS evidence theory of the present invention; Figure 5 This is a schematic diagram of the structure of the C4ISR threat information fusion device based on DS evidence theory of the present invention in a large enterprise application scenario; Figure 6 This is a schematic diagram of the structure of an embodiment of the computer device of the present invention. Detailed Implementation
[0017] Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention pertains; the terminology used herein in the specification is for the purpose of describing particular embodiments only and is not intended to limit the invention; the terms "comprising" and "having," and any variations thereof, in the specification, claims, and foregoing drawings are intended to cover non-exclusive inclusion. The terms "first," "second," etc., in the specification, claims, or foregoing drawings are used to distinguish different objects and not to describe a particular order.
[0018] In this document, the term "embodiment" means that a particular feature, structure, or characteristic described in connection with an embodiment may be included in at least one embodiment of the invention. The appearance of this phrase in various places throughout the specification does not necessarily refer to the same embodiment, nor is it a separate or alternative embodiment mutually exclusive with other embodiments. It will be explicitly and implicitly understood by those skilled in the art that the embodiments described herein can be combined with other embodiments.
[0019] To enable those skilled in the art to better understand the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings.
[0020] It should be noted that the C4ISR threat information fusion method based on DS evidence theory provided in the embodiments of the present invention is generally executed by a server / terminal device, and correspondingly, the C4ISR threat information fusion device based on DS evidence theory is generally installed in the server / terminal device.
[0021] It should be understood that the number of terminal devices, networks, and servers is merely illustrative. Depending on implementation needs, any number of terminal devices, networks, and servers can be used.
[0022] Example 1 Figure 1 A flowchart of an embodiment of the C4ISR threat information fusion method based on DS evidence theory of the present invention is shown. Figure 2 A schematic diagram of the architecture used in the C4ISR threat information fusion method based on DS evidence theory of the present invention is shown. Please refer to... Figure 1 , Figure 2 The C4ISR threat information fusion method based on DS evidence theory includes the following steps: Step S1: Construct an open-world threat identification framework.
[0023] In this embodiment, the electronic device (e.g., a server / terminal device) running on the DS evidence theory-based C4ISR threat information fusion method can receive DS evidence theory-based C4ISR threat information fusion requests via wired or wireless connection. It should be noted that the aforementioned wireless connection methods may include, but are not limited to, 3G / 4G / 5G connections, WiFi connections, Bluetooth connections, WiMAX connections, Zigbee connections, UWB (ultra wideband) connections, and other currently known or future-developed wireless connection methods.
[0024] In this embodiment, step S1 may specifically include the following steps: S11, Define the set of known threat types.
[0025] By analyzing the main cybersecurity risks faced by enterprise networks and critical information infrastructure, known threats are summarized into eight typical, mutually exclusive attack patterns, thus constructing a set of known threat types. The set is represented as: .in: This indicates an Advanced Persistent Threat (APT). This indicates a ransomware attack; This indicates a distributed denial-of-service (DDoS) attack. This indicates a web application attack; This refers to phishing and social engineering attacks; This indicates that internal personnel violated regulations; This indicates the spread of malware; This category represents false alarms / normal behavior (erroneous alerts from security devices or harmless user and system behavior). These eight threat categories cover the main current attack patterns, and the categories are mutually exclusive, ensuring that any given attack event can be attributed to one and only one type at a given analytical granularity. This set is dynamic; new typical threats (such as supply chain attacks) may emerge. When adding, you can add it. .
[0026] The purpose of step S11 is to summarize and abstract typical attack patterns in the current cybersecurity field, forming a mutually exclusive and complete known threat hypothesis space, and providing a standardized classification system for the judgment of known threats based on evidence.
[0027] S12 introduces elements of unknown threat types.
[0028] In the known set of threat types Building upon this foundation, a special single-element proposition—the unknown threat—is explicitly introduced. . Semantically interpreted as all that was not... arrive The term encompasses all threats covered, including any novel, unknown, or zero-day attacks. A complete identification framework supporting the open-world assumption. Defined as: .
[0029] By introducing Recognition framework The shift from closed to open systems allows evidence to be legitimately assigned credibility. or contain Compound propositions, such as (This indicates it could be an APT attack or an unknown threat.) When new types of attacks emerge, the credibility of the evidence shifts towards... Or related complex propositions, the fusion results can output early warning of potential unknown threats, fundamentally solving the pain point that traditional methods cannot perceive unknown threats.
[0030] The purpose of step S12 is to break through the limitations of the closed-world assumption, reserve a clear position for unknown threats within the mathematical framework, and enable the system to characterize any suspicious behavior or event that does not conform to the known pattern as unknown.
[0031] S13, construct the power set of the identification framework based on the set of known threat types and elements of unknown threat types.
[0032] Based on the established open-world identification framework Calculate its power set . This scheme encompasses all possible subsets (propositions), specifically manifested in four types of propositional forms: Single-element propositions: such as (Confirmed as an APT attack) (Confirmed as an unknown threat).
[0033] Given compound propositions among threats: such as (A vague expression within the category of known threats, falling between APTs and ransomware).
[0034] Complex propositions that include unknown threats: such as (It could be an APT or an unknown threat, representing a vague expression between the known and the unknown).
[0035] The complete set of propositions: namely In itself, it indicates complete uncertainty; the evidence is insufficient to make any concrete judgment. (Power set) It provides a rich language to express various states of cognition, ranging from certain to ambiguous to uncertain. This allows the subsequently generated Body of Evidence (BPA) to finely characterize the intelligence source's different levels of understanding of a security incident. For example, it can explicitly support a specific threat, express hesitation among several threats, or even admit complete ignorance, greatly enhancing the realism and flexibility of evidence presentation. The framework's operations follow classical Data Structures (DS) theory, ensuring mathematical rigor.
[0036] The purpose of step S13 is to generate all possible propositions (i.e., various conclusions that the evidence can support), providing a complete universe of discourse for the definition of the basic probability assignment (BPA) function in DS evidence theory.
[0037] Step S1 lays the foundation for the entire fusion methodology. Traditional DS evidence theory is based on the closed-world assumption, which predefines all possible threat types. This prevents the system from identifying and characterizing any unknown or novel cyberattacks. This step, by introducing the open-world assumption, explicitly constructs an identification framework that includes unknown threats. This provides the system with the mathematical basis for perceiving and reasoning about unknown threats, and offers logical space for the expression and fusion of all subsequent evidence.
[0038] Step S2: Based on the threat identification framework, the network traffic statistics and security device alarm frequency data are transformed into a standardized input, namely the basic probability allocation function, that can be processed by the DS evidence theory.
[0039] In this embodiment, step S2 may include the following steps: S21, based on the threat identification framework, calculate the confidence level of known threats.
[0040] For each known threat in the identification framework (in (Values range from 1 to 8), and an isolated forest model is trained based on historical samples of this type of threat. For a single numerical intelligence input, after feature extraction and standardization, the following values are obtained: 3D feature vector In its first Anomaly scores in isolated forests of threat-like entities Defined as: .in: It is a sample In the The average path length on all isolated trees in an isolated forest with similar threats. Given a number of training samples The path length normalization constant at that time.
[0041] The abnormal score The value range is (0,1). The closer the value is to 1, the easier it is for the sample to be isolated (i.e., the more anomalous it is), meaning that it does not conform to the normal behavior pattern of this type of known threat; the closer the value is to 0, the harder it is for the sample to be isolated (i.e., the more normal it is), meaning that it conforms to the behavior pattern of this type of known threat. Since Isolation Forest is essentially anomaly detection, in order to obtain the confidence that a sample belongs to this type of threat, it is necessary to perform an inverse mapping of the anomaly score.
[0042] Confidence score The calculation is as follows: .therefore, The larger the value, the more likely the sample is to be compared with the first sample. The more closely the behavioral patterns of known threats match.
[0043] The purpose of step S21 is to quantify the degree of agreement between a numerical sample and the behavior patterns of each known threat in history, thereby providing a basis for judging known threats in the evidence body.
[0044] S22, calculate the novelty of the unknown threat.
[0045] A one-class support vector machine (SVM) model is trained based on historical samples containing various known threats and normal behaviors. For the input feature vector... Decision function of One-Class SVM Defined as: .in, It's a kernel function. These are Lagrange multipliers obtained through training. They are support vectors. It is the decision threshold.
[0046] sample Signed distance to the higher-dimensional hyperplane It can be represented as: .
[0047] The sign of this distance indicates whether the sample lies inside or outside the decision boundary. To transform it into a novelty score in the interval [0,1], the Sigmoid function is used for mapping: .in, This is a scaling parameter used to adjust the steepness of the mapping curve. Novelty score. The larger the value, the larger the sample size. The greater the deviation from the known distribution, the more likely it is to originate from an unknown threat that has never been seen before.
[0048] The purpose of step S22 is to quantify the degree to which a numerical sample deviates from all known patterns (including various known threats and normal behavior), providing a basis for the evidence to judge unknown threats.
[0049] S23, based on the confidence level of known threats and the novelty level of unknown threats, a numerical basic probability assignment function is generated.
[0050] First, it is necessary to determine the uncertainty factor of the source of evidence. It consists of two parts: baseline uncertainty and dynamic uncertainty, and adopts a dynamic calibration method. .in: As the baseline uncertainty, it is pre-calibrated based on static information such as the equipment type, model, and deployment location of the evidence source, with a value range of [0, 0.3]. To account for dynamic uncertainty, calculations are based on data quality metrics within the most recent time window: .in, This represents the packet loss rate within the current window. This is the packet loss rate threshold; For average transmission delay, Delay threshold. Weighting coefficients. and satisfy Based on the combined confidence levels of known threats ( Novelty of Unknown Threats and uncertainty coefficient Constructing the BPA function First, calculate the normalization factor. : .
[0051] The basic probability distribution of each proposition is as follows: For each known threat single-element proposition Reliability: .
[0052] Single-element propositions regarding unknown threats Reliability: .
[0053] propositions for the whole collection Reliability (i.e., global uncertainty): .
[0054] The judgment of a security event from a numerical intelligence source is fully expressed using a triple (known threat confidence distribution, unknown threat confidence, and global uncertainty confidence). Normalization ensures that the sum of all confidence levels is 1, satisfying the basic requirements of probability allocation. When the uncertainty coefficient... When the confidence level is low, confidence is primarily assigned to specific threats; when... When it is large, An increase in the number of cases indicates that the source of evidence itself is unreliable, and the system should be skeptical of its conclusions.
[0055] The purpose of step S23 is to generate a numerical BPA and form a complete, normalized basic probability allocation function.
[0056] The purpose of step S2 is to generate evidence of numerical structured intelligence. This step uses quantitative calculations to integrate the support of the original data for known threats, the novelty of the data for unknown threats, and the reliability of the data source itself into a structured confidence expression.
[0057] Step S3: Transform the unstructured text data of attack description reports and security incident description texts in external threat intelligence into a standardized basic probability allocation function.
[0058] In this embodiment, step S3 may specifically include the following steps: S31, Calculate the confidence level of known threats in the text.
[0059] A pre-trained BERT model is used to map the text into a high-dimensional semantic vector space. First, for each class of known threats... Construct a prototype description vector Take the centroid of the semantic vector of all historical text samples of this type of threat: .in, It is the first A collection of historical text samples representing known threats. Indicates text The semantic vector is obtained by encoding using the BERT model. For the new input text... Similarly, its semantic vector is obtained through the BERT model. .
[0060] calculate With each prototype vector Cosine similarity: The cosine similarity value ranges from -1 to 1. This needs to be converted into a confidence score that conforms to the requirements of evidence theory. Normalization is performed: .in, For a very small positive number (e.g.) This formula is used to avoid division by zero errors. It ensures that the confidence level approaches 0 when all similarity values are negative. The larger the value, the more semantically relevant the input text is to the first character. The closer the historical description of a known threat is to that of the threat, the better.
[0061] The purpose of step S31 is to quantify the semantic similarity of a text description to each type of known threat, thereby providing the evidence body with a basis for judging the known threats mentioned in the text.
[0062] S32, calculate the novelty of unknown threats in the text.
[0063] Build a known threat text library containing historical text samples of all known threats. For the semantic vector of the input text Calculate the minimum distance from the target text to a known threat text database. A distance-based mapping is used here: .
[0064] The Gaussian kernel function is used to map this distance to a novelty score in the interval [0,1]. : .in, This is a bandwidth parameter that controls the sensitivity of the distance mapping. The novelty score... The larger the value, the further the semantic vector of the input text is from the semantic vector of any sample in the known threat database, meaning that its content is more likely to describe an unknown threat that has never been seen before.
[0065] The purpose of step S32 is to quantify the degree to which a text description deviates semantically from the knowledge base of all known threats, thus providing a basis for the evidence body to judge whether the text may describe an unknown threat.
[0066] S33, based on the confidence level of known threats in the text and the novelty level of unknown threats in the text, generates a text-based basic probability assignment function.
[0067] First, the determinism coefficient of the text needs to be calculated. By constructing a dictionary of deterministic modifiers, a deterministic weight is pre-assigned to each modifier (such as confirmed, suspected, possible). For input text Extract all deterministic modifiers that appear in it. Calculate the determinism coefficient of the text: .
[0068] You can choose to take the maximum value as the overall determinism of the text, or take the average value. If no deterministic modifiers are detected in the text, the default value will be used. This indicates moderate certainty. (Based on the combined confidence levels of known threats) Novelty of Unknown Threats and textual certainty coefficient Constructing the BPA function First, calculate the normalization factor. : .
[0069] The basic probability distribution of each proposition is as follows: For each known threat single-element proposition Reliability: .
[0070] Single-element propositions regarding unknown threats Reliability: .
[0071] propositions for the whole collection Reliability: .
[0072] The basic probability allocation formulas for each proposition are structurally symmetrical with the formula for numerical BPA, reflecting the consistency of this method in processing different types of data. (Textual Determinism Coefficient) The higher, The smaller the size, the more likely it is to be allocated to the entire set. The lower the uncertainty confidence level, the more certain the conclusion of the textual evidence source is. In this way, seemingly subjective textual descriptions are transformed into an objective, quantitative confidence distribution.
[0073] The purpose of step S33 is to integrate the known threat confidence, unknown threat novelty, and the certainty coefficient extracted from the text to form a complete and normalized BPA function for the text evidence body.
[0074] Step S3 transforms unstructured text data, such as external threat intelligence reports and security incident descriptions, into a standardized BPA function. This step utilizes natural language processing techniques to extract semantic information and deterministic clues from the text, constructing a reliability expression that can be integrated with numerical evidence within the same framework.
[0075] Step S4: Quantify the consistency and degree of contradiction among multiple sources of evidence to obtain the conflict measurement results.
[0076] In this embodiment, step S4 may specifically include the following steps: S41, calculate the conflict coefficient between pairs of evidence from multiple sources.
[0077] Let the two pieces of evidence to be merged be... and Their basic probability allocation functions are all defined in the recognition framework. power set Above. According to the DS evidence theory, the degree of conflict between two pieces of evidence is measured by the sum of the products of their credibility assigned to completely contradictory propositions. Conflict coefficient. The calculation formula is: .in, and Traversing the power set All proposition pairs in the set whose intersection is empty. Conflict coefficient. The value range is [0,1].
[0078] when When the two pieces of evidence are completely consistent, all proposition pairs that have obtained confidence have a non-empty intersection.
[0079] when When this occurs, it indicates that there is a conflict between the two pieces of evidence to varying degrees.
[0080] when When the two pieces of evidence completely conflict, all pairs of propositions that have gained confidence have no intersection. This formula precisely measures the degree of contradiction between pieces of evidence, providing a quantitative basis for subsequent conflict resolution.
[0081] The purpose of step S41 is to quantitatively measure the degree of opposition between any two pieces of evidence.
[0082] S42, calculate the average conflict coefficient of the entire multi-evidence set.
[0083] When there are multiple pieces of evidence When, define the average conflict coefficient. The arithmetic mean of the conflict coefficients of all evidence: .in, It is evidence and The conflict coefficient between them Total number of pieces of evidence. Average conflict coefficient. Similarly, the value range is [0,1]. It provides a macro-level indicator to judge the overall harmony of the current evidence set. A high conflict threshold is set. (For example ).when When a significant conflict is found in the current evidence set, subsequent fusion requires the use of a specially designed, improved combination rule capable of robustly handling high-conflict situations; when When the evidence is generally harmonious, the more computationally efficient classic Dempster combinatorial rule can be directly applied.
[0084] The purpose of step S42 is to assess the overall conflict level of the entire set of evidence to be fused in order to determine whether the current fusion scenario requires special handling.
[0085] S43, Identify the pair of most conflicting pieces of evidence.
[0086] Calculate the conflict coefficient between all pairwise pieces of evidence. Based on this, define the maximum conflict evidence pair for: .
[0087] By identifying the pair of pieces of evidence with the highest degree of conflict, the two most contradictory intelligence sources can be precisely pinpointed. This information will be recorded and used in subsequent steps to explain to security analysts why the fusion result is uncertain, primarily because the evidence from intelligence source A and intelligence source B completely contradict each other on core judgments. This greatly enhances the transparency and explainability of the fusion process.
[0088] The purpose of step S43 is to locate the core contradiction that leads to the difficulty in fusion and provide key traceability information for the final generation of an interpretability report.
[0089] The purpose of step S4 is to quantify the degree of consistency and contradiction among multiple pieces of evidence before fusing them. This step is a crucial preliminary judgment in determining which fusion strategy to adopt subsequently, and it is also the basis for providing interpretability analysis.
[0090] Step S5: Receive the basic probability assignments of multiple evidence bodies, and based on the conflict measurement results, use the improved Dempster combination rule to merge all evidence into a unified confidence assignment function.
[0091] In this embodiment, step S5 may specifically include the following steps: S51, accumulate reliability for the consistent parts of the evidence.
[0092] Regarding the two pieces of evidence and They are related to a certain proposition Part of the support comes from the fact that both pieces of evidence clearly support it. A subset of. This portion of the reliability can be expressed as: .in and Traversing the power set All propositions in the equation. This summation term is the foundation of all evidence fusion methods; it reflects the degree of consensus among different sources of evidence on a particular conclusion. The improved rule of this scheme retains this part because it represents reliable, undisputed fusion information.
[0093] The purpose of step S51 is to inherit the reasonable core of the classic DS combination rule, that is, to accumulate confidence in the consistent and uncontradictory parts among the evidence.
[0094] S52 decomposes and redistributes conflicting mass.
[0095] The core of the improved rules is to improve the quality of conflict. Decompose into three parts for refined redistribution: Define three configurable allocation parameters. ,satisfy Each control manages the proportion of conflict quality allocated to specific propositions, unknown threats, and the entire set.
[0096] The conflicting part assigned to a specific proposition ( Let the set of all conflicting proposition pairs be . For each conflict pair Its contribution to conflict quality is A portion of the quality of this conflict should be returned to the union of these two propositions. Therefore, assigned to Additional reliability for: .
[0097] That is, the proportion of each conflict's contribution to the conflict quality is... The portion is directly returned to the union of the conflicting pairs.
[0098] Conflict component assigned to unknown threats ( This part of the conflict quality Directly assign to a single-element proposition of an unknown threat : .
[0099] Conflicting portions allocated to the entire set ( ): Remaining conflict quality Directly assigned to the entire set of propositions : .
[0100] Then for any proposition Improved combinatorial rules The complete expression is: .
[0101] in It is the redistribution term defined above, when It is a certain union , or At that time, it takes the corresponding , or Value. This improved rule has profound semantics.
[0102] This part corresponds to a kind of cognition: although two pieces of evidence are contradictory, they may each see different aspects of the same event, so it is reasonable to assign credibility to their union (a compound proposition).
[0103] Part of this solution is an original design based on the open-world assumption, which directly embodies the core idea that high conflict may foreshadow unknown threats.
[0104] Some parts retain unexplained residual conflicts, acknowledging the limitations of cognition. This refined redistribution effectively avoids the erroneous conclusions caused by the forced normalization of conflicts in the classic Dempster rule, significantly improving the robustness and rationality of the fusion results.
[0105] Step S52 aims to address the failure of the classic Dempster rule when handling highly conflicting evidence (resulting in counterintuitive results). This is achieved by improving the conflict quality (i.e.,...) The components are decomposed and redistributed, and given reasonable semantic interpretations, thereby obtaining robust fusion results.
[0106] S53 extends the improved combination rule to scenarios with more than two pieces of evidence and uses streaming processing to merge multiple evidence bodies into a final confidence assignment function.
[0107] A sequential fusion approach is adopted. Let the current set of evidence to be fused be... First, we combine the first two pieces of evidence to obtain an intermediate result. Then the intermediate result With the third piece of evidence The process of fusion continues until all evidence is fused. The recursive relationship is defined as follows: .
[0108] in, The specific implementation of the function is dynamically selected based on the conflict measurement results: If the average conflict coefficient of the current set of evidence to be fused (or the intermediate results of partial fusion and new evidence) Lower ( To pursue computational efficiency, the classic Dempster combinatorial rule can be used.
[0109] like Then, the improved combinatorial rule based on the open-world assumption is activated to ensure the robustness of the fusion result. After... After each pairwise fusion, a unified confidence assignment function that integrates all intelligence information is obtained. The sequential fusion mode perfectly matches the streaming and continuous arrival characteristics of cybersecurity intelligence. The system can update its understanding while receiving new intelligence, without having to wait for all the data to arrive before processing it all at once, and has good real-time performance and scalability.
[0110] The purpose of step S53 is to perform sequential fusion of multiple pieces of evidence.
[0111] The purpose of step S5 is to receive the BPA of multiple evidence bodies and, based on the conflict measurement results of the previous step, use a specially designed improved Dempster combination rule that can properly handle high conflict and open-world assumptions to robustly fuse all the evidence into a unified confidence assignment function.
[0112] Step S6: Transform the unified confidence assignment function into threat information cognition and generate an interpretability report.
[0113] In this embodiment, step S6 may specifically include the following steps: S61, calculate the confidence interval and make a threat assessment.
[0114] According to the DS evidence theory, for any proposition (For example or ), calculate its reliability function and similarity function .
[0115] Belief function : This indicates that the evidence directly supports the proposition. The overall confidence level for true is all The sum of the confidence of subset propositions: .
[0116] It is a proposition This is the lower bound of true support.
[0117] plausibility function : This indicates that the evidence does not contradict the proposition. The overall confidence level for true is the sum of all values that are true and true. The sum of the confidence scores of propositions with non-empty intersections: .
[0118] It is a proposition This represents the upper bound of true support. (By...) and Constitute a proposition Reliability interval The maximum confidence criterion is used for preliminary threat assessment. Let the candidate proposition set be all single-element propositions. and Preliminary determination of threat type for: .
[0119] To improve decision robustness, a minimum uncertainty criterion is introduced as a supplement. If multiple candidate propositions have confidence values that satisfy... (in (to approach the threshold), then in these candidate proposition sets The proposition with the smallest confidence interval width is selected as the final judgment result: .
[0120] Simultaneously, an unknown threat early warning mechanism is designed, which triggers an early warning flag when any of the following conditions are met. : (High confidence level in unknown threats); (Overall uncertainty is too high); and This is for a known threat (unknown threats have a higher potential probability). This series of calculations will abstract... The function is transformed into a decision output with explicit semantics. Confidence interval. It provides richer information than a single probability value, reflecting the boundaries of cognitive certainty. The maximum confidence criterion ensures the intuitiveness of the judgment, while the minimum uncertainty criterion selects the clearest cognitive conclusion when confidence levels are similar, guaranteeing the robustness of decision-making. The unknown threat early warning mechanism provides security analysts with crucial risk alerts.
[0121] The purpose of step S61 is to: based on the fusion result Calculate the confidence interval for each threat hypothesis. And based on a set of robust decision-making criteria, the final threat type and warning status are determined.
[0122] S62, Calculate the contribution of key evidence sources.
[0123] For the Original evidence Define its role in the final determination of threat type. Contribution A formula that comprehensively considers both the direct support of evidence and the certainty of the evidence itself is as follows: .
[0124] in: It is the first Each piece of evidence relates to the final determination type. The direct reliability.
[0125] It is the first Information entropy of each piece of evidence . Entropy is used to measure the certainty of evidence; the lower the entropy, the more certain the evidence, and the higher its contribution weight.
[0126] The denominator is normalized to the product of all evidence, ensuring that the sum of all contributions equals 1. This contribution formula considers not only what a piece of evidence "says" (the degree to which it supports the final conclusion), but also how "certainly" it states it (its certainty). Evidence with high reliability and high certainty contributes far more than evidence with high reliability but high uncertainty (i.e., diffuse reliability). This helps identify truly high-quality, high-impact key evidence.
[0127] The purpose of step S62 is to trace which original intelligence sources played a decisive role in the final judgment, providing the first dimension of information—supporting evidence—for the interpretability of the result.
[0128] S63 generates a structured, interpretable source traceability report.
[0129] Based on all the aforementioned calculation results, construct a structured report that can include the following: a summary of the judgment results, and the final determination of the threat type: Determine the confidence level: The difference between the second-highest confidence level and the highest confidence level indicates an unknown threat warning. Key evidence tracing: by contribution Sort in descending order, before displaying Each piece of evidence contains: percentage of contribution, type of intelligence source (e.g., intrusion detection system alert), original intelligence digest (e.g., source IP 192.168.1.10 initiating a large number of SYN connections), and the main components of the evidence's BPA (e.g., ...). ).
[0130] A conflict analysis report can also be generated, showing the strongest conflict evidence pairs identified in step S4. Its conflict coefficient Core contradiction analysis: Based on the calculation results of step S43 (finding the contradiction that makes...) The biggest conflict proposition This generates readable analyses, such as evidence A strongly supporting... (APT attack), and evidence B strongly supports this. (Ransomware), the two are completely contradictory; Credibility index: final determination of type Reliability interval The reliability of propositions in the entire set. This reflects the overall level of uncertainty. The likelihood of an unknown threat... .
[0131] This report represents a transformation from data to knowledge, and from black-box models to explainable decision-making. It not only tells analysts what the outcome is, but also explains why it is (key supporting evidence) and why it isn't something else (the core contradiction), providing a confidence level (confidence interval). This significantly enhances human-machine trust, enabling security analysts to quickly understand the logic behind machine reasoning, assess the reliability of the results, and take effective response measures accordingly.
[0132] The purpose of step S63 is to integrate the judgment results, key evidence, conflict analysis and other information into a well-structured and detailed report, and deliver it to the security analyst as the basis for their in-depth investigation and final decision.
[0133] The purpose of step S6 is to: integrate the unified confidence assignment function obtained after fusion. This process transforms machine-generated threat intelligence into intuitive and actionable insights. This step not only outputs the final threat assessment but also provides detailed attribution information and credibility metrics, enabling human experts to understand and trust the results of machine reasoning.
[0134] The beneficial effects of implementing this embodiment are: (1) By constructing an open-world threat identification framework, a confidence space is assigned to unknown threats in the mathematical model. This allows the system to no longer force unknown attack patterns to be classified into known categories, thereby effectively characterizing and handling uncertainty, and significantly enhancing the C4ISR system's ability to warn and perceive unknown and sudden threats; (2) By introducing a conflict measurement mechanism, the consistency and degree of contradiction among multi-source evidence are quantified before fusion, and an improved Dempster combination rule is adopted based on the measurement results. This method can adaptively handle evidence conflicts, avoid misinterpreting conflicts as support, thereby effectively suppressing interference information, outputting more robust and more objectively realistic fusion results, and improving the accuracy of battlefield situational awareness.
[0135] (3) By designing a standardized conversion process, the underlying network traffic logs / alarm data and the upper-level external threat intelligence reports / security incident description text can be uniformly converted into a standardized basic probability allocation function. Through this unified formal expression, the system can deeply explore the intrinsic relationship between multi-source heterogeneous data (quantitative evidence and qualitative knowledge), realize the transformation from data to information to threat cognition, and finally generate interpretable reports to provide more comprehensive and understandable support for command and decision-making.
[0136] This invention can be used in a wide variety of general-purpose or special-purpose computer system environments or configurations. Examples include: personal computers, server computers, handheld or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, and distributed computing environments including any of the above systems or devices. This invention can be described in the general context of computer-executable instructions, such as program modules, that are executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform specific tasks or implement specific abstract data types. This invention can also be practiced in distributed computing environments where tasks are performed by remote processing devices connected via a communication network. In distributed computing environments, program modules can reside in local and remote computer storage media, including storage devices.
[0137] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by instructing related hardware through computer-readable instructions. These computer-readable instructions can be stored in a computer-readable storage medium. When the program is executed, it can include the processes of the embodiments of the above methods. The aforementioned storage medium can be a non-volatile storage medium such as a magnetic disk, optical disk, or read-only memory (ROM), or random access memory (RAM).
[0138] It should be understood that although the steps in the flowcharts of the accompanying figures are shown sequentially as indicated by the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the accompanying figures may include multiple sub-steps or multiple stages. These sub-steps or stages are not necessarily completed at the same time, but can be executed at different times, and their execution order is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the sub-steps or stages of other steps.
[0139] Example 2 Further reference Figure 3 As a response to the above Figure 1 The present invention provides an embodiment of a C4ISR threat information fusion device based on DS evidence theory, which is similar to the implementation of the method shown. Figure 1 Corresponding to the method embodiments shown, this device can be specifically applied to various electronic devices.
[0140] like Figure 3As shown, the C4ISR threat information fusion device 40 based on DS evidence theory described in this embodiment includes: a construction module 71, a numerical data conversion module 72, an unstructured text data conversion module 73, a quantization module 74, a fusion module 75, and a generation module 76. Wherein: Module 71 is used to build an open-world threat identification framework; The numerical data conversion module 72 is used to convert the numerical data of network traffic statistics and security device alarm frequency into a standardized input, namely the basic probability allocation function, that can be processed by the DS evidence theory, based on the threat identification framework. The unstructured text data conversion module 73 is used to convert unstructured text data such as attack description reports and security incident description texts in external threat intelligence into standardized basic probability allocation functions. Quantization module 74 is used to quantify the consistency and degree of contradiction among multi-source evidence to obtain conflict measurement results; The fusion module 75 is used to receive the basic probability assignments of multiple evidence bodies and, based on the conflict measurement results, use an improved Dempster combination rule to fuse all the evidence into a unified confidence assignment function. The generation module 76 is used to transform the unified confidence allocation function into threat information cognition and generate an interpretable report.
[0141] The beneficial effects of implementing this embodiment are: breaking through the closed-world assumption and possessing the ability to perceive unknown threats; solving the problem of failure in the fusion of highly conflicting evidence and improving the reliability of decision-making; and realizing unified representation and deep correlation of multimodal heterogeneous data.
[0142] Example 3 Further reference Figure 4 As a response to the above Figure 1 The present invention provides another embodiment of a C4ISR threat information fusion device based on DS evidence theory, which is similar to the method shown. Figure 1 Corresponding to the method embodiments shown, this device can be specifically applied to various electronic devices.
[0143] like Figure 4As shown in this embodiment, the C4ISR threat information fusion device based on DS evidence theory is based on the C4ISR theory and includes an evidence generation subsystem, an intelligence fusion subsystem, a fusion decision subsystem, and a C4ISR communication bus. The evidence generation subsystem is responsible for transforming multi-source heterogeneous raw intelligence into standardized evidence; the intelligence fusion subsystem, as the core engine, performs conflict measurement and robust fusion of multi-source evidence; the fusion decision subsystem is responsible for calculating confidence intervals, determining threats, and outputting interpretable attribution reports; and the C4ISR communication bus enables efficient data flow and collaboration between the subsystems. The overall architecture of the system adopts a modular design, with each subsystem decoupled and interacting through the C4ISR communication bus.
[0144] The evidence generation subsystem corresponds to the surveillance, reconnaissance, and intelligence functions within the C4ISR theoretical framework. It is responsible for connecting with various intelligence sources and standardizing and transforming multi-source heterogeneous data into evidence. The evidence generation subsystem further includes a multi-source intelligence gathering module, a numerical evidence generation module, and a text-based evidence generation module.
[0145] The multi-source intelligence gathering module deploys a lightweight collection agent and integrates with existing security data platforms to collect four core intelligence sources covering the main dimensions of cyberspace defense in real time: network traffic logs (from core switches, traffic probes, etc.), security device alarms (from intrusion detection systems, web application firewalls, etc.), endpoint detection data (from endpoint response detection platforms, host intrusion detection systems, etc.), and external threat intelligence (from open-source or commercial intelligence platforms). The module supports multiple data access protocols and features data buffering, compressed transmission, and breakpoint resumption mechanisms to ensure the integrity and reliability of data collection in multi-source, high-concurrency scenarios.
[0146] The numerical evidence generation module is responsible for processing numerical structured intelligence. For each input numerical feature vector, it calculates the confidence score of the sample for each known threat class in the identification framework based on a pre-trained isolated forest model; simultaneously, it calculates the novelty score of the unknown threat deviating from the known normal distribution based on a single-class support vector machine model. The module also dynamically calibrates the uncertainty coefficient based on real-time quality indicators such as the historical packet loss rate and transmission delay of the evidence source, and outputs the basic probability allocation function corresponding to the numerical intelligence by combining the above three parts.
[0147] The text-based evidence generation module is responsible for processing unstructured text intelligence. For the input threat intelligence text, the module first performs text cleaning, word segmentation, and named entity recognition. Then, it uses a pre-trained BERT model to encode the text into semantic vectors. By calculating the similarity with the prototype vectors of various known threats, it generates the confidence level of known threats; by calculating the minimum distance with a known threat text library, it generates the novelty level of unknown threats. The module has a built-in dictionary of deterministic modifiers, which calculates the text's determinism coefficient by matching modifiers representing the degree of confidence in the text. Finally, it synthesizes the above calculation results to generate the basic probability assignment function for unstructured text intelligence.
[0148] The intelligence fusion subsystem corresponds to the computer and control functions in the C4ISR theoretical framework. It is the core fusion engine of this device, responsible for receiving multiple BPA functions from the evidence generation subsystem. Through conflict measurement and improved combination rules, it fuses multi-source evidence into a unified trust structure capable of representing open-world threats. The intelligence fusion subsystem further includes an evidence conflict measurement module and an evidence fusion module.
[0149] The evidence conflict measurement module receives the set of evidence to be fused. First, it calculates the conflict coefficient between each pair of pieces of evidence and the average conflict coefficient of the entire evidence set, quantitatively assessing the consistency and contradictions among the multi-source intelligence. Then, the module compares the average conflict coefficient with a preset high conflict threshold. When the average conflict coefficient exceeds the threshold, it determines that there is a significant conflict in the current evidence set, and the subsequent fusion module uses improved combination rules. Simultaneously, the module identifies and records the most conflicting evidence pairs for subsequent interpretability analysis.
[0150] The evidence fusion module is the core execution unit of the C4ISR system, implementing an improved Dempster combinatorial rule based on the open-world assumption. It decomposes conflict quality into three parts for refined redistribution: the first part is returned to the union of the conflicting propositions, reflecting the evidence' support for the composite proposition; the second part is specifically allocated to unknown threats, reflecting the possibility of unknown threats existing in high-conflict scenarios; and the third part is allocated to the entire set, preserving unexplained residual uncertainties. This refined allocation effectively avoids the counterintuitive results produced by the classic Dempster rule in high-conflict scenarios. The module supports the sequential fusion of multiple evidence bodies, can process continuously arriving intelligence data in a streaming manner, and ultimately outputs a unified confidence allocation function that fuses all evidence information.
[0151] The fusion decision-making subsystem corresponds to the command function in the C4ISR theoretical framework. It is responsible for analyzing the fusion results and outputting decisions, including threat assessment results and interpretable attribution reports. The fusion decision-making subsystem further includes a threat assessment module and a report generation module.
[0152] The threat assessment module receives the fused unified confidence assignment function. First, it calculates the confidence intervals for various key propositions based on DS evidence theory, forming lower and upper bounds for the support of each threat hypothesis. Then, the module employs a decision-making mechanism combining the maximum confidence criterion and the minimum uncertainty criterion to assess threats, selecting the threat type with the highest confidence and lowest uncertainty as the final assessment result. Simultaneously, the module monitors the confidence level of unknown threats in real time, triggering an unknown threat warning when conditions are met, alerting security operations personnel to potential new attack risks. Finally, it outputs the threat assessment type, assessment confidence level, confidence interval, and warning indicator.
[0153] The report generation module is responsible for constructing a structured and interpretable source tracing report. First, it calculates the contribution of each original evidence source to the final judgment, identifies the key evidence with the highest contribution, and displays its intelligence source type and original intelligence summary. Then, based on the conflict information recorded by the conflict measurement module, it identifies the core evidence pairs that caused high conflict during the fusion process and analyzes their core contradictions. The module has a built-in report template that integrates the above information to generate a complete report including a judgment result summary, a list of key evidence sources, a conflict analysis report, and credibility indicators.
[0154] The C4ISR communication bus corresponds to the communication function in the C4ISR theoretical framework, providing a unified, efficient, and reliable data exchange service between subsystems. It is designed based on message queues and a publish-subscribe pattern, achieving decoupling and asynchronous communication between modules. The bus defines a standard data exchange format, uniformly encapsulating the inputs and outputs of each module, including various data objects such as raw intelligence, basic probability allocation functions, conflict coefficients, fusion results, and decision reports. Simultaneously, the bus provides a quality of service guarantee mechanism, including message persistence, priority queues, and failover, ensuring that core data is not lost and critical tasks are not blocked under high load and high concurrency scenarios.
[0155] Example 4 Further reference Figure 5 As a response to the above Figure 1 The implementation of the method shown in this invention provides an application of a C4ISR threat information fusion device based on DS evidence theory in large enterprises. The device implementation is similar to... Figure 1 Corresponding to the method embodiments shown, this device can be specifically applied to various electronic devices.
[0156] The solution of this invention was deployed in a large enterprise network. This enterprise network covers the Internet egress area, the office intranet area, and the core business area, and various security devices such as firewalls, intrusion detection systems, endpoint detection and response platforms, web application firewalls, database auditing systems, and threat intelligence platforms are deployed in a distributed manner. Figure 5As shown, the working principle of the C4ISR threat information fusion device based on DS evidence theory described in this embodiment is as follows: 1. System initialization and recognition framework construction.
[0157] First, a threat identification framework based on the open-world assumption is constructed. The set of known threat types covers eight typical threats faced by enterprise networks: advanced persistent threats, ransomware attacks, distributed denial-of-service attacks, web application attacks, phishing and social engineering attacks, insider breaches, malware propagation, and false positives / normal behavior. Building upon this foundation, unknown threat types are explicitly introduced to characterize any novel, unknown, or zero-day attacks that have not yet been defined.
[0158] A C4ISR threat intelligence fusion system is deployed in the enterprise headquarters data center. The system consists of an evidence generation subsystem, an intelligence fusion subsystem, a fusion decision-making subsystem, and a C4ISR communication bus. All subsystems are deployed on the same server cluster and communicate and exchange data internally through the C4ISR communication bus. Raw logs and alarm data generated by various security devices are aggregated in real time through a data acquisition agent and uniformly accessed through the C4ISR communication bus. The bus then distributes the data to the corresponding subsystems for processing according to a preset route.
[0159] 2. Generation of evidence from multi-source heterogeneous intelligence.
[0160] After the system is running, each evidence generation module begins processing multi-source intelligence.
[0161] Numerical intelligence processing example: An intrusion detection system detected an abnormal outbound connection from a database server in the core business area to multiple external IPs. Simultaneously, the endpoint detection platform reported abnormal process creation behavior on the server. The numerical evidence generation module calculates the confidence level of known threats based on the isolated forest model, with malware propagation having the highest confidence level, followed by internal personnel violations. It calculates the novelty of unknown threats using a single-class support vector machine, assigning it a moderate to low level. The uncertainty coefficient is dynamically calibrated based on the historical packet loss rate and transmission delay of the evidence source. The final generated evidence allocates the majority of its confidence level to malware propagation and a smaller portion to internal personnel violations and unknown threats.
[0162] Example of text-based intelligence processing: At the same time, a threat intelligence platform pushes an external report describing a hacker group using a new phishing technique to target corporate employees, with email attachments containing unknown malicious documents. The text-based evidence generation module extracts key entities and calculates similarity to known threat prototypes based on the BERT model, with phishing and social engineering attacks showing the highest similarity. It also calculates the novelty of the unknown threat and calculates the text certainty coefficient based on modifiers such as "new" and "unknown" in the report. The final generated evidence body assigns confidence scores to phishing / social engineering attacks and the unknown threat.
[0163] 3. Multi-source evidence fusion and conflict resolution.
[0164] After receiving two evidence sets, the intelligence fusion subsystem first calculates the conflict coefficient between each pair of evidence sets using the evidence conflict measurement module. Numerical evidence sets mainly support the propagation of malware, while textual evidence sets mainly support phishing attacks. There is a certain degree of conflict between the two. If the calculated conflict coefficient exceeds the preset high conflict threshold, it is determined that there is a significant conflict in the current evidence set, and an improved combination rule based on the open-world assumption needs to be used for fusion.
[0165] After the evidence fusion module is activated, the conflict quality is decomposed into three parts for fine-grained redistribution: one part is returned to the union of the proposition combinations that generate the conflict (i.e., the composite proposition of malware propagation and phishing attack), one part is specifically allocated to the single-element proposition of unknown threat, and the remaining part is allocated to the entire set of propositions.
[0166] Based on the redistribution of conflict quality, and combining the consistency reliability of the two pieces of evidence, a unified reliability allocation function was obtained through sequential fusion calculation. In the final reliability distribution, the single-element proposition of phishing attacks had the highest reliability, followed by the single-element propositions of malware propagation and unknown threats. The composite proposition and the universal proposition also obtained a certain degree of reliability, comprehensively reflecting the degree of support of the two pieces of evidence for various threats and the probability of unknown threats under the open-world assumption.
[0167] 4. Integrate decision-making with interpretable output.
[0168] After receiving the unified confidence assignment function, the threat assessment module first calculates the confidence intervals for various key propositions, including single-element propositions such as phishing attacks, malware propagation, and unknown threats, as well as the lower and upper bounds of the confidence level for all propositions. A preliminary assessment is made using the maximum confidence criterion, with the phishing attack single-element proposition having the highest confidence level, which is then used as the preliminary assessment result. Simultaneously, an unknown threat warning is triggered: if the likelihood of an unknown threat exceeds a preset threshold, and the current assessment result is a known threat, the warning conditions are met, triggering an unknown threat warning and alerting security analysts to the possibility of new attack types.
[0169] The report generation module calculates the contribution of key evidence sources, identifying the external threat intelligence report and intrusion detection system alerts as the most contributing key evidence, and displays their intelligence source type and original intelligence summary. It also identifies the two pieces of evidence with the most serious conflict during the fusion process, analyzing that their core contradiction lies in the fact that the numerical evidence supports malware propagation while the textual evidence supports phishing attacks.
[0170] The final structured and interpretable attribution report includes: a summary of the determination results (final threat type, determination confidence level, and unknown threat warning indicators); a list of key evidence sources (the evidence with the highest contribution and its percentage contribution, intelligence source type, and original summary); a conflict analysis report (conflict evidence pairs, core contradiction analysis); and credibility indicators (confidence intervals for major threats, confidence level of the entire set of propositions, and likelihood of unknown threats). This report is then pushed to the security operations platform for security analysts to manually review and make decision-making decisions.
[0171] Example 5 To address the aforementioned technical problems, embodiments of the present invention also provide a computer device. Please refer to [link / reference needed]. Figure 6 , Figure 6 This is a basic structural block diagram of the computer device in this embodiment.
[0172] The aforementioned computer device 8 includes a memory 81, a processor 82, and a network interface 83 that are interconnected via a system bus. It should be noted that only the computer device 8 with components 81, 82, and 83 is shown in the figure; however, it should be understood that it is not required to implement all the shown components, and more or fewer components can be implemented alternatively. Those skilled in the art will understand that the computer device described herein is a device capable of automatically performing numerical calculations and / or information processing according to pre-set or stored instructions, and its hardware includes, but is not limited to, microprocessors, application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), digital signal processors (DSPs), embedded devices, etc.
[0173] The aforementioned computer devices can be desktop computers, laptops, handheld computers, and cloud servers, among other computing devices. These devices can facilitate human-computer interaction with users through keyboards, mice, remote controls, touchpads, or voice-activated devices.
[0174] The aforementioned memory 81 includes at least one type of readable storage medium, including flash memory, hard disk, multimedia card, card-type memory (e.g., SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, optical disk, etc. In some embodiments, the aforementioned memory 81 may be an internal storage unit of the aforementioned computer device 8, such as the hard disk or memory of the computer device 8. In other embodiments, the aforementioned memory 81 may also be an external storage device of the aforementioned computer device 8, such as a plug-in hard disk, smart media card (SMC), secure digital (SD) card, flash card, etc., equipped on the computer device 8. Of course, the aforementioned memory 81 may also include both the internal storage unit and its external storage device of the aforementioned computer device 8. In this embodiment, the aforementioned memory 81 is typically used to store the operating system and various application software installed on the aforementioned computer device 8, such as computer-readable instructions based on the DS evidence theory C4ISR threat information fusion method. In addition, the aforementioned memory 81 can also be used to temporarily store various types of data that have been output or will be output.
[0175] In some embodiments, the processor 82 may be a central processing unit (CPU), controller, microcontroller, microprocessor, or other data processing chip. The processor 82 is typically used to control the overall operation of the computer device 8. In this embodiment, the processor 82 is used to execute computer-readable instructions stored in the memory 81 or to process data, for example, to execute the computer-readable instructions based on the DS evidence theory-based C4ISR threat information fusion method.
[0176] The network interface 83 may include a wireless network interface or a wired network interface, which is typically used to establish a communication connection between the computer device 8 and other electronic devices.
[0177] Example 6 The present invention also provides another embodiment, namely, providing a computer-readable storage medium storing computer-readable instructions that can be executed by at least one processor to cause the at least one processor to perform the steps of the C4ISR threat information fusion method based on DS evidence theory as described above.
[0178] Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus necessary general-purpose hardware platforms. Of course, they can also be implemented by hardware, but in many cases the former is a better implementation method. Based on this understanding, the technical solution of the present invention, or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product is stored in a storage medium (such as ROM / RAM, magnetic disk, optical disk) and includes several instructions to cause a terminal device (which may be a mobile phone, computer, server, air conditioner, or network device, etc.) to execute the methods of the various embodiments of the present invention.
[0179] Obviously, the embodiments described above are merely some embodiments of the present invention, not all embodiments. The accompanying drawings show preferred embodiments of the present invention, but do not limit the patent scope of the present invention. The present invention can be implemented in many different forms; rather, these embodiments are provided to provide a more thorough and complete understanding of the disclosure of the present invention. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art can still modify the technical solutions described in the foregoing specific embodiments, or make equivalent substitutions for some of the technical features. Any equivalent structures made using the content of this specification and drawings, directly or indirectly applied to other related technical fields, are similarly within the patent protection scope of this invention.
Claims
1. A C4ISR threat information fusion method based on DS evidence theory, characterized in that, Includes the following steps: Build an open-world threat identification framework; Based on the threat identification framework, the network traffic statistics and security device alarm frequency numerical data are transformed into a standardized input, namely the basic probability allocation function, that can be processed by the DS evidence theory. Transform the unstructured text data of attack description reports and security incident description texts in external threat intelligence into a standardized basic probability allocation function; Quantify the consistency and degree of contradiction among multi-source evidence to obtain conflict measurement results; The system receives basic probability assignments from multiple evidence bodies and, based on the conflict measurement results, uses an improved Dempster combination rule to fuse all evidence into a unified confidence assignment function. The unified confidence assignment function is transformed into threat information cognition to generate an interpretable report.
2. The C4ISR threat information fusion method based on DS evidence theory according to claim 1, characterized in that, The specific steps involved in constructing the open-world threat identification framework include: Define a set of known threat types; Introducing elements of unknown threat type; Based on the set of known threat types and the elements of the unknown threat types, an exponential set of the identification framework is constructed.
3. The C4ISR threat information fusion method based on DS evidence theory according to claim 1, characterized in that, The step of transforming network traffic statistical features and security device alarm frequency numerical data into a standardized input, namely a basic probability allocation function, that can be processed by DS evidence theory, based on the threat identification framework, specifically includes: Based on the threat identification framework, the confidence level of known threats is calculated; Calculate the novelty of unknown threats; Based on the known threat confidence and the unknown threat novelty, a numerical basic probability assignment function is generated.
4. The C4ISR threat information fusion method based on DS evidence theory according to claim 1, characterized in that, The step of converting unstructured text data, including attack description reports and security incident description texts from external threat intelligence, into a standardized basic probability allocation function specifically includes: Calculate the known threat confidence level of the text; Calculate the novelty of unknown threats in text; Based on the confidence level of known threats in the text and the novelty level of unknown threats in the text, a basic probability assignment function for the text is generated.
5. The C4ISR threat information fusion method based on DS evidence theory according to claim 1, characterized in that, The steps for quantifying the consistency and degree of contradiction among multi-source evidence to obtain conflict measurement results specifically include: Calculate the conflict coefficient between pairs of evidence from multiple sources; Calculate the average conflict coefficient of the multi-evidence pool; Identify the most conflicting evidence pairs.
6. The C4ISR threat information fusion method based on DS evidence theory according to claim 1, characterized in that, The steps of receiving multiple pieces of evidence with basic probability assignments, and then, based on the conflict measurement results, merging all evidence into a unified confidence assignment function using an improved Dempster combination rule, specifically include: Accumulate reliability for consistent portions of evidence; Decompose and redistribute conflicting qualities; The improved combination rule is extended to scenarios with more than two pieces of evidence, and multiple evidence bodies are merged into a final confidence assignment function using streaming processing.
7. The C4ISR threat information fusion method based on DS evidence theory according to any one of claims 1 to 6, characterized in that, The step of transforming the unified confidence assignment function into threat information cognition and generating an interpretable report specifically includes: Calculate the confidence interval and determine the threat level; Calculate the contribution of key evidence sources; Generate a structured, interpretable source traceability report.
8. A C4ISR threat information fusion device based on DS evidence theory, characterized in that, include: Modules for building open-world threat identification frameworks; The numerical data conversion module is used to convert the numerical data of network traffic statistics and security device alarm frequency into a standardized input, namely the basic probability allocation function, that can be processed by the DS evidence theory, based on the threat identification framework. The unstructured text data conversion module is used to convert unstructured text data such as attack description reports and security incident description texts from external threat intelligence into standardized basic probability allocation functions. The quantification module is used to quantify the consistency and degree of contradiction among multi-source evidence to obtain conflict measurement results. The fusion module is used to receive the basic probability assignments of multiple pieces of evidence and, based on the conflict measurement results, use an improved Dempster combination rule to fuse all the evidence into a unified confidence assignment function. The generation module is used to transform the unified confidence assignment function into threat information cognition and generate an interpretable report.
9. A computer device, characterized in that, The method includes a memory and a processor, wherein the memory stores computer-readable instructions, and the processor executes the computer-readable instructions to implement the steps of the C4ISR threat information fusion method based on DS evidence theory as described in any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer-readable instructions, which, when executed by a processor, implement the steps of the C4ISR threat information fusion method based on DS evidence theory as described in any one of claims 1 to 7.