Security defect analysis method, device, equipment, medium and program product

By adopting a dual-core architecture of large model-driven and dynamic knowledge graph, the entire process of software security defect analysis in fintech scenarios is automated and intelligent, solving the problems of lag and inefficiency in existing technologies and generating high-quality analysis reports.

CN122195797APending Publication Date: 2026-06-12INDUSTRIAL AND COMMERCIAL BANK OF CHINA

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
INDUSTRIAL AND COMMERCIAL BANK OF CHINA
Filing Date
2026-03-06
Publication Date
2026-06-12

AI Technical Summary

Technical Problem

Existing technologies for software security defect analysis in fintech scenarios suffer from low automation, limited analytical dimensions, poor report quality, and slow knowledge updates. They are unable to cope with massive, complex, and rapidly changing security threats, resulting in high false alarm rates, a lack of in-depth analytical capabilities, and knowledge silos, making it difficult to generate high-quality analysis reports.

Method used

It adopts a dual-core architecture of large model-driven and dynamic knowledge graph-enhanced verification. It collects heterogeneous defect data from multiple sources, performs multi-dimensional feature fusion processing, decomposes the security defect analysis task, uses a large model for reasoning analysis, and generates a security analysis report by cross-validating the results through a dynamic knowledge graph.

Benefits of technology

It achieves full automation and intelligence from data input to report output, improving analysis efficiency by orders of magnitude, achieving expert-level report quality, meeting the reliability requirements of defect analysis, and solving the problems of lag and inefficiency in existing technologies.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122195797A_ABST
    Figure CN122195797A_ABST
Patent Text Reader

Abstract

The application provides a security defect analysis method, device, equipment, medium and program product, which can be applied to the fields of artificial intelligence and financial technology, and relates to the application of a large model in a software security analysis scene. The method comprises the following steps: collecting multi-source defect heterogeneous data, and performing multi-dimensional feature fusion processing on the multi-source defect heterogeneous data to obtain a multi-dimensional feature vector; decomposing a security defect analysis task to generate m target subtasks, and performing large model inference analysis on the m target subtasks based on the multi-dimensional feature vector to obtain m inference results; wherein m is a positive integer; cross-verification is performed on the m inference results based on a dynamic knowledge graph; and a security analysis report is generated according to the inference results passed by the cross-verification and a preset report template.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the fields of artificial intelligence and fintech, and to the application of large models in software security analysis scenarios. More specifically, it relates to a security defect analysis method, apparatus, equipment, medium, and program product. Background Technology

[0002] In fintech scenarios, software systems not only carry massive amounts of user financial data but also need to connect with various entities such as banks, payment institutions, and regulatory platforms. The impact of security vulnerabilities in these systems far exceeds that of ordinary internet scenarios, thus placing extremely high demands on the accuracy and timeliness of vulnerability analysis within the industry. However, with the rapid iteration of fintech businesses and the continuous upgrading of attack methods, the massive, complex, and rapidly evolving security threats have gradually exceeded the response thresholds of existing systems.

[0003] In terms of security defect analysis and management of software systems, the main reliance is on human experts and automated tools. However, in the face of massive, complex, and rapidly changing security threats, the analysis methods are relatively lagging behind. Therefore, existing security defect analysis technologies suffer from drawbacks such as low automation, single analysis dimensions, poor report quality, and slow knowledge updates. Summary of the Invention

[0004] In view of the above problems, this application provides methods, apparatus, equipment, media and program products for improving the level of intelligence in security defect analysis.

[0005] According to a first aspect of this application, a security defect analysis method is provided, comprising: collecting heterogeneous defect data from multiple sources, and performing multi-dimensional feature fusion processing on the heterogeneous defect data to obtain a multi-dimensional feature vector; decomposing the security defect analysis task to generate m target sub-tasks, and performing large-scale model inference analysis on the m target sub-tasks respectively based on the multi-dimensional feature vectors to obtain m inference results; wherein m is a positive integer; cross-validating the m inference results based on a dynamic knowledge graph; and generating a security analysis report based on the cross-validated inference results and a preset report template.

[0006] According to an embodiment of this application, the step of cross-validating the m inference results based on a dynamic knowledge graph includes: converting the m inference results into corresponding m relation triples; performing matching verification on the m relation triples based on the dynamic knowledge graph to generate matching verification results corresponding to the m inference results; verifying the logical association between the m relation triples based on the dynamic knowledge graph to generate logical verification results; and determining the cross-validation results of the m inference results based on the logical verification results and the matching verification results.

[0007] According to an embodiment of this application, the process of constructing the dynamic knowledge graph includes: acquiring historical security information; structuring the historical security information to generate an entity relationship graph; acquiring cross-validation passed security information in real time; and updating the entity relationship graph based on the cross-validation passed security information to construct the dynamic knowledge graph.

[0008] According to an embodiment of this application, the step of performing large-scale model inference analysis on the m target sub-tasks based on the multi-dimensional feature vector includes: extracting the core feature vector corresponding to the current target sub-task from the multi-dimensional feature vector; and performing security defect inference on the current target sub-task based on the core feature vector using a large model to generate the inference result corresponding to the current target sub-task.

[0009] According to an embodiment of this application, the step of performing multi-dimensional feature fusion processing on the multi-source defect heterogeneous data to obtain a multi-dimensional feature vector includes: cleaning the multi-source defect heterogeneous data to obtain cleaned data; normalizing the cleaned data to obtain normalized data; performing natural language processing on the normalized data to extract semantic element information; and based on the semantic element information, transforming the normalized data into the multi-dimensional feature vector through feature embedding technology.

[0010] According to an embodiment of this application, the collection of multi-source defect heterogeneous data includes: acquiring structured data of the global security defect information source through a built-in interface based on preset collection rules; supplementing the collection of unstructured data of the global security defect information source through a crawler mechanism based on the preset collection rules; and periodically incrementally collecting the structured data and the unstructured data to obtain the multi-source defect heterogeneous data.

[0011] According to an embodiment of this application, generating a security analysis report based on the cross-validated inference results and a preset report template includes: writing the cross-validated inference results into the preset report template based on the field information corresponding to the preset report template to obtain analysis results; and visualizing the analysis results to generate the security analysis report.

[0012] A second aspect of this application provides a security defect analysis device, comprising: a fusion processing module for collecting multi-source defect heterogeneous data and performing multi-dimensional feature fusion processing on the multi-source defect heterogeneous data to obtain a multi-dimensional feature vector; a task analysis module for decomposing a security defect analysis task to generate m target sub-tasks, and performing large-model inference analysis on the m target sub-tasks based on the multi-dimensional feature vectors to obtain m inference results; wherein m is a positive integer; a cross-validation module for cross-validating the m inference results based on a dynamic knowledge graph; and a report generation module for generating a security analysis report based on the cross-validated inference results and a preset report template.

[0013] A third aspect of this application provides an electronic device comprising: one or more processors; and a memory for storing one or more computer programs, wherein the one or more processors execute the one or more computer programs to implement the steps of the method described above.

[0014] A fourth aspect of this application also provides a computer-readable storage medium having a computer program or instructions stored thereon, which, when executed by a processor, implement the steps of the above-described method.

[0015] The fifth aspect of this application also provides a computer program product, including a computer program or instructions that, when executed by a processor, implement the steps of the above-described method.

[0016] In the embodiments of this application, a dual-core architecture of large model-driven and dynamic knowledge graph-enhanced verification is used to achieve full-process automation and intelligence from data input to report output. Multi-dimensional feature vectors are generated by fusing multi-source heterogeneous data, and the analysis task is decomposed and deconstructed by the large model. Combined with the cross-validation of the dynamic knowledge graph, the accuracy of the analysis is significantly improved, knowledge is updated rapidly, the analysis efficiency is increased by orders of magnitude, the report quality reaches the expert level, and the reliability requirements of defect analysis are met. Attached Figure Description

[0017] The above-mentioned contents, other objects, features and advantages of this application will become clearer from the following description of embodiments with reference to the accompanying drawings, in which:

[0018] Figure 1 The illustrations depict application scenarios of security defect analysis methods, apparatus, devices, media, and program products according to embodiments of this application.

[0019] Figure 2 A flowchart illustrating a security defect analysis method according to an embodiment of this application is shown schematically.

[0020] Figure 3This illustration schematically shows a feature fusion processing flowchart of a security defect analysis method according to an embodiment of this application;

[0021] Figure 4 This illustration schematically shows the architecture of a security defect analysis system according to an embodiment of this application;

[0022] Figure 5 This schematic diagram illustrates the structural block diagram of a security defect analysis apparatus according to an embodiment of the present application;

[0023] Figure 6 A block diagram schematically illustrates an electronic device suitable for implementing a security defect analysis method according to an embodiment of this application. Detailed Implementation

[0024] The embodiments of this application will now be described with reference to the accompanying drawings. However, it should be understood that these descriptions are exemplary only and are not intended to limit the scope of this application. In the following detailed description, numerous specific details are set forth to provide a thorough understanding of the embodiments of this application for ease of explanation. However, it will be apparent that one or more embodiments may be implemented without these specific details. Furthermore, descriptions of well-known structures and technologies are omitted in the following description to avoid unnecessarily obscuring the concepts of this application.

[0025] The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the scope of this application. The terms “comprising,” “including,” etc., as used herein indicate the presence of features, steps, operations, and / or components, but do not exclude the presence or addition of one or more other features, steps, operations, or components.

[0026] All terms used herein (including technical and scientific terms) have the meanings commonly understood by those skilled in the art, unless otherwise defined. It should be noted that the terms used herein are to be interpreted in a manner consistent with the context of this specification, and not in an idealized or overly rigid way.

[0027] When using expressions such as "at least one of A, B and C", they should generally be interpreted in accordance with the meaning that is commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" should include, but is not limited to, a system having A alone, a system having B alone, a system having C alone, a system having A and B, a system having A and C, a system having B and C, and / or a system having A, B and C, etc.).

[0028] In the fintech sector, the analysis and management of software security vulnerabilities has long relied on a collaborative model of human expert assessment and automated tools. However, with the increasing complexity of financial business scenarios and the iterative evolution of cyberattack methods, the massive and dynamically changing security threats have far exceeded the response capabilities of existing systems. Current tools primarily output reports that list basic vulnerability data, lacking risk quantification and classification, as well as assessments of their correlation with business impact, thus failing to provide decision-makers with precise action guidelines. Furthermore, the security knowledge base lags behind the updates of new vulnerability variants, making it difficult to adapt to the highly sensitive and compliant protection needs of the financial industry, severely restricting the effectiveness of the overall security system.

[0029] With the development of digitalization, the software supply chain is becoming increasingly complex, and the widespread use of open-source components has led to an exponential increase in the number of defects, posing unprecedented challenges to cybersecurity. Currently, the industry mainly relies on human experts and automated tools for defect analysis and management, but both methods have insurmountable bottlenecks, resulting in the following industry pain points that urgently need to be addressed:

[0030] Extreme human and time costs: Traditional defect analysis is a typical knowledge-intensive and labor-intensive task. A senior security expert identifying and analyzing a moderately complex defect, from understanding the principles and setting up a reproduction environment to writing verification code, takes an average of more than two man-hours. When facing nuclear-level software security vulnerabilities such as remote code execution flaws, encryption protocol flaws, and supply chain attacks, enterprises must mobilize the entire security team to conduct investigations, verifications, remediation, and reviews that can take weeks or even months. This severely impacts IT resources available for normal business operations and can potentially cause huge economic losses due to response delays.

[0031] The High Noise and Shallow Understanding Dilemma of Existing Tools: The core technologies of mainstream static / dynamic application security testing tools still primarily rely on signature matching and rule engines. This leads to two prominent problems:

[0032] High false positive / false negative rate: As academic research has generally pointed out, traditional tools have a high false positive rate, forcing security teams to invest a lot of effort in manual verification, which greatly offsets the efficiency advantages brought by automation.

[0033] Lack of in-depth analysis capabilities: These tools typically only answer the question of whether a defect exists, but cannot delve into key questions such as "what is the root cause of the defect?", "can it be exploited in a specific business scenario?", and "what are the potential attack paths?". The analysis results remain superficial and cannot provide sufficient support for accurate risk assessment and remediation decisions.

[0034] Knowledge silos and outdated information: Critical information such as vulnerability knowledge, attack methods, and remediation solutions are scattered across global security toolkits, security bulletins, technical blogs, and code repositories, exhibiting heterogeneous and unstructured characteristics. Existing systems lack effective mechanisms to automatically aggregate and connect this dispersed knowledge, forming "knowledge silos." Furthermore, their built-in knowledge bases rely on manual updates, resulting in a response speed far slower than the disclosure of new vulnerabilities, causing their analytical capabilities to quickly become obsolete.

[0035] The superficial application of Artificial Intelligence (AI) and the black-box problem: Although some leading companies have begun to introduce AI technology, its applications are mostly concentrated in peripheral areas such as log analysis and anomaly detection of user behavior, which are AI enhancements rather than AI-driven. These systems still cannot escape their reliance on traditional rules in the core analysis of defect mechanisms. More importantly, their machine learning models are often black boxes, making it impossible to explain their judgment criteria. This is fatal in the security field, which requires high certainty and strong logic, leading security teams to be unwilling to trust and use them.

[0036] The Productivity Black Hole of High-Quality Analysis Reports: Transforming technical analysis results into high-quality reports for different audiences (such as developers, operations, and management) is a long-overlooked productivity black hole in the defect management process. Security engineers spend a significant amount of time manually compiling, translating, and writing reports. This work is repetitive, tedious, and has low added value, yet it consumes their valuable work energy.

[0037] In summary, a significant technological gap exists in the current field of security vulnerability analysis: on the one hand, there is a massive, complex, and rapidly changing number of vulnerability threats; on the other hand, analytical methods are relatively lagging behind. The emergence of Large Language Models (LLMs) offers a glimmer of hope for solving this problem. Their powerful natural language understanding and logical reasoning capabilities make truly intelligent vulnerability analysis possible. However, overcoming the model illusion inherent in LLMs, integrating domain-specific knowledge, and applying them in an engineered and systematic manner throughout the entire vulnerability analysis process remain key technological challenges.

[0038] This application provides a security defect analysis method. It collects heterogeneous defect data from multiple sources and performs multi-dimensional feature fusion processing on this data to obtain multi-dimensional feature vectors. The security defect analysis task is decomposed into m target sub-tasks. Based on the multi-dimensional feature vectors, each of the m target sub-tasks undergoes large-model inference analysis to obtain m inference results, where m is a positive integer. The m inference results are cross-validated using a dynamic knowledge graph. Finally, a security analysis report is generated based on the cross-validated inference results and a preset report template. In this application's embodiments, a dual-core architecture of large-model-driven and dynamic knowledge graph-enhanced verification achieves full automation and intelligence from data input to report output. By fusing heterogeneous data from multiple sources to generate multi-dimensional feature vectors, decomposing the analysis task using a large model, and combining this with dynamic knowledge graph cross-validation, the accuracy of the analysis is significantly improved. Knowledge is updated rapidly, analysis efficiency is increased by orders of magnitude, and report quality reaches expert levels, meeting the reliability requirements of defect analysis.

[0039] It should be noted that the security defect analysis method and apparatus of this application can be used in the fields of artificial intelligence and fintech, as well as in any field other than artificial intelligence and fintech. The application fields of the security defect analysis method and apparatus of this application are not limited.

[0040] Figure 1 The illustration shows an application scenario of the security defect analysis method, apparatus, device, medium, and program product according to embodiments of this application.

[0041] like Figure 1 As shown, application scenario 100 according to this embodiment may include a first terminal device 101, a second terminal device 102, a third terminal device 103, a network 104, and a server 105. The network 104 serves as a medium for providing a communication link between the first terminal device 101, the second terminal device 102, the third terminal device 103, and the server 105. The network 104 may include various connection types, such as wired or wireless communication links, or fiber optic cables, etc.

[0042] Users can use the first terminal device 101, the second terminal device 102, and the third terminal device 103 to interact with the server 105 via the network 104 to receive or send messages, etc. Various communication client applications can be installed on the first terminal device 101, the second terminal device 102, and the third terminal device 103, such as shopping applications, web browser applications, search applications, instant messaging tools, email clients, social media platform software, etc. (for example only).

[0043] The first terminal device 101, the second terminal device 102, and the third terminal device 103 can be various electronic devices with displays and support web browsing, including but not limited to smartphones, tablets, laptops, and desktop computers.

[0044] Server 105 can be a server that provides various services, such as a backend management server that supports websites browsed by users using the first terminal device 101, the second terminal device 102, and the third terminal device 103 (this is just an example). The backend management server can analyze and process data such as received user requests, and feed back the processing results (such as web pages, information, or data obtained or generated according to user requests) to the terminal devices.

[0045] It should be noted that the security defect analysis method provided in this application embodiment can generally be executed by server 105. Correspondingly, the security defect analysis device provided in this application embodiment can generally be located in server 105. The security defect analysis method provided in this application embodiment can also be executed by a server or server cluster that is different from server 105 and capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103, and / or server 105. Correspondingly, the security defect analysis device provided in this application embodiment can also be located in a server or server cluster that is different from server 105 and capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103, and / or server 105.

[0046] It should be understood that Figure 1 The number of terminal devices, networks, and servers shown is merely illustrative. Depending on implementation needs, any number of terminal devices, networks, and servers can be included.

[0047] The following will be based on Figure 1 The described scene, through Figures 2-4 The security defect analysis method according to the embodiments of this application will be described in detail.

[0048] Figure 2 A flowchart illustrating a security defect analysis method according to an embodiment of this application is shown schematically.

[0049] like Figure 2 As shown, the security flaw analysis method of this embodiment includes operations S210 to S240. This security flaw analysis method is not limited to a specific executing entity. The executing entity can be any electronic device, such as a terminal device or a server device, etc. The executing entity can also be any software application or client.

[0050] During operation S210, heterogeneous data of multi-source defects are collected, and multi-dimensional feature fusion processing is performed on the heterogeneous data of multi-source defects to obtain multi-dimensional feature vectors.

[0051] Multi-source heterogeneous defect data includes, but is not limited to, natural language defect descriptions, code proof-of-concept code, configuration files, and web logs. Through built-in crawlers and application programming interfaces (APIs), it continuously monitors and collects the latest defect information from publicly available multi-source information sources globally (such as security community announcements and defect databases), thus acquiring multi-source heterogeneous defect data.

[0052] Multidimensional feature fusion is performed through a multidimensional feature fusion engine. This engine standardizes data from different sources and formats (such as text, code, and network traffic) and extracts key features to achieve deep fusion and correlation analysis of cross-modal information.

[0053] Multidimensional feature vectors are used as preprocessed core data input into the core analysis engine of the large model. After the sub-tasks are broken down, LLM will perform inference based on these feature vectors (which include information such as semantics, code structure, and dependencies) (e.g., identifying defect types and analyzing the scope of impact).

[0054] In operation S220, the security defect analysis task is decomposed into m target sub-tasks, and based on multi-dimensional feature vectors, the m target sub-tasks are subjected to large model inference analysis to obtain m inference results; where m is a positive integer.

[0055] For security defect analysis tasks in software, a security defect analysis task refers to a specialized analysis of a system security defect that has not yet undergone in-depth analysis, initiated by a unique identifier. Its core is to complete a comprehensive technical and risk assessment of the security defect from scratch. The task is initiated when a new security defect number is detected as publicly available, a security defect investigation request is received from the business side, or an emergency response is triggered. It retrieves the security defect analysis task corresponding to that number and intelligently breaks down the complex task into a series of target sub-tasks, such as identifying the defect type, analyzing the scope of impact, finding exploit code, and assessing the difficulty of remediation.

[0056] During the task decomposition phase, intelligent breakdown is performed based on the fundamental attributes of the security defect number (such as the system it belongs to and the defect type) and an industry-standard analysis framework. First, publicly available basic information about the security defect number is retrieved to define the decomposition dimensions. The first subtask is basic information verification, used to confirm the software version corresponding to the defect and the officially disclosed cause of the defect. Next, a technical principle analysis subtask is developed, requiring reverse engineering to locate the defect in the code and reconstruct the defect triggering logic. Then, an impact scope definition subtask is developed to identify the affected hardware and software models, user groups, and business scenarios. Simultaneously, exploitation probability assessment (finding publicly available proof-of-concept code and verifying exploitation conditions), remediation solution evaluation (analyzing official patch logic and assessing the difficulty of adapting to self-developed systems), and risk level determination subtasks are generated to ensure the analysis process is comprehensive and feasible.

[0057] For each target subtask, LLM leverages its powerful zero-shot / few-shot learning capabilities to perform preliminary analysis and inference on the data of the target subtask, forming preliminary hypotheses. For example, by reading the defect description, LLM might infer that it is a "Structured Query Language (SQL) injection defect" and may affect a specific software version.

[0058] Large Learning Models (LLMs) are deep learning models trained on massive amounts of text data, possessing powerful natural language understanding, generation, and reasoning capabilities. They are the core of AI used for deep understanding of defect descriptions and analysis of exploitation chains. LLMs can learn with zero or few samples, enabling them to perform task reasoning even with little or no training samples for specific tasks. Leveraging the generalization capabilities of LLMs, they can analyze, assess, and respond to novel and rare defects. LLMs can also be specialized models fine-tuned for the software security field.

[0059] In operation S230, based on dynamic knowledge graph, m inference results are cross-validated.

[0060] Dynamic knowledge graphs are continuously evolving graph-structured databases used to store and associate entities (such as vulnerabilities, software, attack patterns, and remediation solutions) and their relationships in the cybersecurity field. Unlike static knowledge graphs, they can continuously update and expand themselves by learning new information. The underlying storage of dynamic knowledge graphs can be either a relational database or a document database, and the graph relationships can be simulated through upper-layer application logic.

[0061] It should be noted that for resource-constrained environments, model distillation or quantization techniques can be used to generate a lightweight LLM version. Furthermore, the knowledge graph can be trimmed into subgraphs containing only specific domains (such as cybersecurity or IoT security), thereby enabling lightweight deployment of the system.

[0062] To circumvent the illusion problem of LLM, each inference result of LLM is submitted to a dynamic knowledge graph for querying and cross-validation. For example, if LLM infers SQL injection, it queries the dynamic knowledge graph for information on the software's historical defects, common frameworks, code structure, etc., looking for corroborating or contradictory evidence.

[0063] According to embodiments of this application, the process of constructing a dynamic knowledge graph includes: acquiring historical security information; structuring the historical security information to generate an entity relationship graph; acquiring cross-validated security information in real time; and updating the entity relationship graph based on the cross-validated security information to construct a dynamic knowledge graph.

[0064] A dynamic knowledge graph is not a static database, but a continuously evolving knowledge system. It structures fragmented security information (such as vulnerabilities, hosts, software, and attack patterns) into entities and relationships. When new, verified vulnerability information (security information that has passed cross-validation) is acquired, the knowledge graph automatically updates, establishing new nodes and connections, thus enabling continuous knowledge growth.

[0065] Dynamic knowledge graphs can be used to fine-tune the training of large models, thereby continuously optimizing model performance. By leveraging this advantage of LLM and combining it with the structured knowledge of knowledge graphs, its capabilities can be extended from in-program analysis to the analysis of complex attack chains across programs.

[0066] In the embodiments of this application, a basic entity relationship graph is constructed based on historical security information, and the security information that has passed cross-validation is updated in real time. This allows the knowledge graph to be continuously supplemented with defect-related entities and relationships, ensuring the timeliness and accuracy of knowledge, providing a high-quality, dynamically updated dataset, providing comprehensive knowledge support for subsequent reasoning and verification, and significantly improving the reliability of defect analysis in financial technology scenarios.

[0067] In operation S240, a security analysis report is generated based on the inference results obtained from cross-validation and the preset report template.

[0068] After all analysis and cross-validation are completed, all structured conclusions, chains of evidence, and reasoning results of risk assessments are sent to the report generation and presentation layer, where a security analysis report is generated based on a preset report template.

[0069] In the embodiments of this application, a dual-core architecture of large model-driven and dynamic knowledge graph-enhanced verification is used to achieve full-process automation and intelligence from data input to report output. Multi-dimensional feature vectors are generated by fusing multi-source heterogeneous data, and the analysis task is decomposed and deconstructed by the large model. Combined with the cross-validation of the dynamic knowledge graph, the accuracy of the analysis is significantly improved, knowledge is updated rapidly, the analysis efficiency is increased by orders of magnitude, the report quality reaches the expert level, and the reliability requirements of defect analysis are met.

[0070] According to an embodiment of this application, the process of collecting heterogeneous multi-source defect data in operation S210 includes: acquiring structured data of the entire domain security defect information source through a built-in interface based on preset acquisition rules; supplementing the collection of unstructured data of the entire domain security defect information source through a crawler mechanism based on preset acquisition rules; and periodically incrementally collecting structured data and unstructured data to obtain heterogeneous multi-source defect data.

[0071] All data collection processes strictly adhere to collection rules, which include accessing only publicly available data sources, complying with the robot exclusion protocols (web crawler protocols) of each platform, and ensuring that valid authorization is obtained for API interfaces that require authentication.

[0072] Focusing on comprehensive security vulnerability information sources such as global information security vulnerability databases, vendor security bulletins, security communities, and open-source component configuration libraries, the system categorizes and covers heterogeneous data including vulnerability descriptions, verification code, configuration files, and network logs. When collecting data, the crawler first parses the target site's protocol, controls the crawling frequency and scope, pre-configures valid authorization credentials for APIs requiring authentication, strictly adheres to rate limiting rules, and collects data from publicly available data sources.

[0073] All data is collected in parallel. The API interface prioritizes batch acquisition of structured data, and data is synchronized incrementally on a regular basis. The crawler supplements the crawling of unstructured content, extracts key information and removes duplicates. For downloaded reports and log files, effective data is extracted by parsing using dedicated tools.

[0074] In the embodiments of this application, the system uses an interface combined with a crawler to collaboratively collect structured and unstructured data across the entire domain, comprehensively collects multi-source defect information, ensures the timeliness and integrity of the data, and realizes automated parsing and structured extraction of multi-source heterogeneous, structured / unstructured defect information.

[0075] Figure 3 A flowchart illustrating the feature fusion process of a security defect analysis method according to an embodiment of this application is shown.

[0076] like Figure 3 As shown, in operation S210, multi-source defect heterogeneous data is subjected to multi-dimensional feature fusion processing to obtain a multi-dimensional feature vector including operations S310 to S340.

[0077] By operating S310, multi-source defect heterogeneous data is cleaned to obtain cleaned data;

[0078] Rigorous data cleaning is performed on the collected multi-source defect heterogeneous data (such as natural language defect descriptions, proof-of-concept code, configuration files, web logs, etc.), including removing invalid characters, handling missing values, correcting format errors, and filtering noisy data.

[0079] In operation S320, the cleaned data is normalized to obtain normalized data;

[0080] Normalization processing includes standardizing timestamps, Internet Protocol address formats, and numerical normalization. The cleaned data is categorized by type, and timestamps are uniformly converted to a standard format to eliminate time zone and format differences. Internet Protocol addresses are standardized to a standard format, removing redundant prefixes. Then, a linear scaling method is used to map numerical data to the [0,1] interval. Finally, format consistency is verified, completing the normalization of all data and generating unified normalized data.

[0081] When operating the S330, natural language processing is performed on the normalized data to extract semantic element information.

[0082] By leveraging advanced natural language processing and code analysis techniques, multimodal semantic information can be extracted. This not only extracts the semantic information of the text but also parses the code structure and identifies key function calls and dependencies.

[0083] Natural language processing (NLP) for normalized data requires a hierarchical approach to accurately extract semantic elements. First, textual data undergoes preprocessing. Basic operations such as word segmentation, stop word removal, and part-of-speech tagging are used to remove redundant information and identify core nouns, verbs, and technical terms. Simultaneously, a code analysis module is invoked to parse embedded code snippets, identifying function definitions, parameter passing rules, and API call logic. Next, a pre-trained multimodal NLP model is used to map textual semantics to code structure. This not only extracts semantic information such as business intent and logical relationships from the text but also analyzes the functional module divisions, key dependent components, and function call chains in the code. Finally, entity linking and relation extraction techniques are used to integrate discrete semantic units into structured elements, laying a unified semantic foundation for subsequent feature transformation.

[0084] In operation of S340, based on semantic element information, normalized data is transformed into multidimensional feature vectors through feature embedding technology.

[0085] Cleaned and standardized structured data is transformed into unified, standardized, and multi-dimensional feature vectors through feature embedding technology.

[0086] First, the normalized data is classified into feature subsets, dividing textual semantic elements, code structure elements, and business attribute elements into different feature subsets. For textual semantics, a word embedding model is used to transform them into low-dimensional dense vectors, preserving semantic relationships. For code structure, quantitative indicators such as function complexity and dependency depth are extracted and transformed into numerical features. Second, a multimodal feature fusion strategy is introduced, using an attention mechanism to assign weights to features of different dimensions, eliminating information redundancy and conflicts between modalities. Finally, a normalization mapping layer is used to project the fused features into a unified dimensional space, generating multi-dimensional feature vectors with business semantics, code logic, and data attributes, ensuring that the vectors retain the core value of the original data while meeting the standardization requirements of subsequent model calculations.

[0087] In the embodiments of this application, semantic element associations between defects are dynamically and deeply mined from massive defect data through data cleaning, normalization, and natural language processing. Multidimensional feature vectors are generated by feature embedding based on semantic element context, which helps to construct a complete attack chain, achieve accurate assessment of the harm of defects, effectively integrate the value of multi-source heterogeneous data, remove redundant noise, and improve feature quality.

[0088] According to an embodiment of this application, in operation S220, which performs large-scale model inference analysis on m target sub-tasks based on multi-dimensional feature vectors, the method includes: extracting the core feature vector corresponding to the current target sub-task from the multi-dimensional feature vectors; and performing security defect inference on the current target sub-task based on the core feature vectors using a large model to generate the inference result corresponding to the current target sub-task.

[0089] First, based on the analysis requirements of each target subtask, extract the corresponding dimensional information from the fused feature vector. For example, for the defect type identification subtask, extract core feature vectors from dimensions such as semantic description and dangerous functions in the code; for the impact scope assessment subtask, extract core feature vectors from dimensions such as software version and dependent components, ensuring that each subtask only obtains the required core features and reducing redundant interference.

[0090] A large model is used to configure an appropriate inference strategy for each subtask. For technical subtasks such as finding code exploits, the concept verification code structure and function call relationships in the input feature vector are used to trigger the model's code analysis capabilities and infer attack paths. For comprehensive subtasks such as assessing repair difficulty, features such as the code complexity associated with defects and historical repair records are input, and the model's empirical knowledge is combined to infer the difficulty level. Each subtask generates an inference conclusion independently.

[0091] The reasoning conclusions of each subtask are transformed into a unified format, such as "Device type: SQL injection; Confidence level: 92%" and "Affected scope: all releases from version 9.0.0 to 9.0.70; Basis: version dependency records in feature vectors; Remediation suggestion: add request parameter filtering rules to the gateway layer", thus forming a structured and verifiable reasoning result.

[0092] In the embodiments of this application, core feature vectors are extracted for each target sub-task, and targeted reasoning is carried out with the help of a large model to avoid interference from redundant information. This not only improves the efficiency and accuracy of defect analysis, but also enables efficient implementation after task decomposition and rapid output of reliable reasoning results.

[0093] According to an embodiment of this application, in operation S230, which cross-validates m inference results based on a dynamic knowledge graph, the steps include: converting the m inference results into corresponding m relation triples; performing matching verification on the m relation triples based on the dynamic knowledge graph to generate matching verification results corresponding to the m inference results; verifying the logical association between the m relation triples based on the dynamic knowledge graph to generate logical verification results; and determining the cross-validation results of the m inference results based on the logical verification results and the matching verification results.

[0094] The reasoning results are transformed into relational triples of "subject-relation-object". For example, "number 11-XXXX is an SQL injection defect" is transformed into (number 11-XXXX, defect type, SQL injection), which provides a standardized basis for graph query.

[0095] Single-conclusion evidence matching verification: Generate a graph query command for each triple to retrieve related entity data. For example, when verifying the "SQL injection" conclusion, query the software's historical defect types, common vulnerabilities in the framework used, and whether the core code contains SQL concatenation logic. Statistically analyze supporting and opposing evidence to form an evidence chain and obtain the matching verification result.

[0096] Cross-subtask logical relationship verification: Verify the logical relationship between the inference results of different subtasks to obtain the logical verification result. For example, if it is determined to be SQL injection, it is necessary to simultaneously verify whether the code affecting the version contains SQL processing module and whether the exploitation method involves SQL statement construction. If there is a logical contradiction, mark it as suspicious.

[0097] Result determination: Based on the matching verification results and logical verification results, each reasoning result is given a conclusion such as passed verification, questionable and needs to be corrected, or rejected. Questionable reasoning results will be fed back to LLM for re-reasoning, and finally a set of credible conclusions verified by the graph will be output.

[0098] In the embodiments of this application, the reasoning results of the large model are cross-validated based on the dynamic knowledge graph, and the matching verification and logical association verification are combined to overcome the knowledge blind spots and model illusion of the large model in the professional field, so as to ensure the accuracy and reliability of the defect analysis results. The accuracy of the analysis is significantly improved. Through the closed-loop mechanism of large model reasoning combined with knowledge graph verification, model illusion is effectively suppressed. In key analysis tasks such as defect characterization and impact assessment, its accuracy has achieved a qualitative leap compared with traditional tools.

[0099] According to an embodiment of this application, in operation S240, a security analysis report is generated based on the cross-validated inference results and a preset report template, including: writing the cross-validated inference results into the preset report template based on the field information corresponding to the preset report template to obtain the analysis results; and visualizing the analysis results to generate a security analysis report.

[0100] It includes built-in preset report templates (such as technical analysis reports, management summary reports, and repair suggestion reports), which users can choose according to their needs.

[0101] The analysis results are written into the report template, which automatically extracts the cross-validated inference results, completes data adaptation and filling according to the field format of the preset report template, without human intervention. At the same time, the matching degree between the results and the template fields is verified to ensure that the content is compliant and the structure is complete, and finally the standardized analysis results are automatically generated.

[0102] The final analysis results report can be visualized through an interface, or it can be seamlessly integrated into the enterprise's existing security operations platform or work order system through an API interface to achieve an automated closed loop from analysis to response.

[0103] In the embodiments of this application, the inference results after cross-validation are automatically filled in according to the preset template fields, and a high-quality defect analysis report that is highly readable, detailed, clear and interpretable is automatically generated. This ensures that the report format is uniform and the information is accurate, while also reducing the burden on personnel in the report writing work.

[0104] For example, a security defect analysis system is constructed using security defect analysis methods. Figure 4 The diagram illustrates the architecture of a security defect analysis system according to an embodiment of this application.

[0105] like Figure 4 As shown, the technical architecture of the security defect analysis system is divided into a data input layer, a data processing and feature fusion layer, a core analysis engine, and a report generation and display layer.

[0106] Data input layer: Collects heterogeneous defect data, including structured and unstructured data, from multiple sources such as security bulletin repositories, general security defect disclosure repositories, professional technical blogs, and public code repositories, providing basic data for subsequent analysis.

[0107] Data processing and feature fusion layer: First, the data is cleaned and standardized through a multi-dimensional feature fusion engine. Then, natural language processing (semantic element extraction) is performed on the normalized data. Finally, feature embedding technology is used to transform it into a unified multi-dimensional feature vector to achieve standardized representation of heterogeneous data.

[0108] The core analysis engine, the Task Decomposition and Planning module, breaks down the overall security defect analysis task into sub-tasks. For each sub-task, it extracts the corresponding core feature vectors, which are then passed to the LLM inference module to call the large language model to complete the inference, resulting in m preliminary inference results. Then, through the knowledge graph query and verification module, the inference results are transformed into relation triples. Combined with the dynamic knowledge graph (built from historical security information and updated in real time after cross-validation), the matching verification and logical association verification of the results are completed to ensure the accuracy of the inference results.

[0109] Report generation and presentation layer: Based on customizable report templates, the results of cross-validation are written and processed through a visual analysis interface, and finally a structured report / API is output, realizing the practical application of the analysis results.

[0110] It achieves standardized processing of multi-source data, intelligent task decomposition and reasoning, and dynamic knowledge graph verification, ultimately outputting a highly efficient and reliable security analysis report. This significantly improves the accuracy of security analysis. Through a closed-loop mechanism of LLM reasoning + knowledge graph verification, it effectively suppresses model illusions. In key analysis tasks such as defect characterization and impact assessment, its accuracy represents a qualitative leap compared to traditional tools. The efficiency of analysis is increased by orders of magnitude. The entire analysis and report generation process is highly automated, reducing manual analysis work that previously took hours or even days to minutes. This enables enterprises to conduct real-time and comprehensive analysis of massive amounts of defects, greatly shortening the risk exposure window. The report quality reaches expert standards. The automatically generated reports are detailed, logically clear, highly readable, and fully interpretable, greatly saving the security team's time and effort in report writing, allowing them to be directly used for decision support.

[0111] Based on the above-described security defect analysis method, this application also provides a security defect analysis device. The following will be combined with... Figure 5 The device is described in detail.

[0112] Figure 5 A schematic block diagram of a security defect analysis apparatus according to an embodiment of this application is shown.

[0113] like Figure 5 As shown, the security defect analysis device 500 of this embodiment includes a fusion processing module 510, a task analysis module 520, a cross-validation module 530, and a report generation module 540.

[0114] The fusion processing module 510 is used to collect heterogeneous data of multi-source defects and perform multi-dimensional feature fusion processing on the heterogeneous data of multi-source defects to obtain a multi-dimensional feature vector. In one embodiment, the fusion processing module 510 can be used to perform the operation S210 described above, which will not be repeated here.

[0115] The task analysis module 520 is used to decompose the security defect analysis task, generate m target sub-tasks, and perform large-model inference analysis on each of the m target sub-tasks based on the multi-dimensional feature vectors to obtain m inference results; where m is a positive integer. In one embodiment, the task analysis module 520 can be used to execute the operation S220 described above, which will not be repeated here.

[0116] The cross-validation module 530 is used to cross-validate the m inference results based on the dynamic knowledge graph. In one embodiment, the cross-validation module 530 can be used to perform the operation S230 described above, which will not be repeated here.

[0117] The report generation module 540 is used to generate a security analysis report based on the inference results of successful cross-validation and a preset report template. In one embodiment, the report generation module 540 can be used to perform the operation S240 described above, which will not be repeated here.

[0118] According to an embodiment of this application, the cross-validation module 530 includes: a relation transformation unit, used to transform the m inference results into corresponding m relation triples; a matching verification unit, used to perform matching verification on the m relation triples based on the dynamic knowledge graph, generating matching verification results corresponding to the m inference results; a logic verification unit, used to verify the logical association between the m relation triples based on the dynamic knowledge graph, generating logic verification results; and a result confirmation unit, used to determine the cross-validation results of the m inference results based on the logic verification results and the matching verification results.

[0119] According to an embodiment of this application, the device 500 further includes a graph construction module, used to acquire historical security information; structure the historical security information to generate an entity relationship graph; acquire cross-validation passed security information in real time; and update the entity relationship graph based on the cross-validation passed security information to construct the dynamic knowledge graph.

[0120] According to an embodiment of this application, the task analysis module 520 includes: an extraction unit, used to extract the core feature vector corresponding to the current target sub-task from the multi-dimensional feature vector; and an inference unit, used to perform security defect inference on the current target sub-task based on the core feature vector and through a large model, and generate an inference result corresponding to the current target sub-task.

[0121] According to an embodiment of this application, the fusion processing module 510 includes: a cleaning unit for cleaning the multi-source defective heterogeneous data to obtain cleaned data; a normalization unit for normalizing the cleaned data to obtain normalized data; a natural language processing unit for performing natural language processing on the normalized data to extract semantic element information; and a feature embedding unit for converting the normalized data into the multi-dimensional feature vector based on the semantic element information using feature embedding technology.

[0122] According to an embodiment of this application, the fusion processing module 510 further includes: a first data acquisition unit, used to acquire structured data of the global security defect information source through a built-in interface based on preset acquisition rules; a second data acquisition unit, used to supplement the acquisition of unstructured data of the global security defect information source through a crawler mechanism based on the preset acquisition rules; and a third data acquisition unit, used to incrementally and synchronously acquire the structured data and the unstructured data at regular intervals to obtain the multi-source defect heterogeneous data.

[0123] According to an embodiment of this application, the report generation module 540 includes: a result writing unit, used to write the cross-validation passed inference result into the preset report template based on the field information corresponding to the preset report template, to obtain the analysis result; and a visualization unit, used to visualize the analysis result and generate the security analysis report.

[0124] According to embodiments of this application, any multiple modules among the fusion processing module 510, task analysis module 520, cross-validation module 530, report generation module 540, and map construction module can be merged into one module, or any one of these modules can be split into multiple modules. Alternatively, at least some of the functions of one or more of these modules can be combined with at least some of the functions of other modules and implemented in one module. According to embodiments of this application, at least one of the fusion processing module 510, task analysis module 520, cross-validation module 530, report generation module 540, and map construction module can be at least partially implemented as hardware circuitry, such as a field-programmable gate array (FPGA), a programmable logic array (PLA), a system-on-a-chip, a system-on-a-substrate, a system-on-package, an application-specific integrated circuit (ASIC), or any other reasonable means of integrating or packaging circuitry, or implemented in software, hardware, or firmware, or in any suitable combination of any of these three implementation methods. Alternatively, at least one of the fusion processing module 510, task analysis module 520, cross-validation module 530, report generation module 540, and graph construction module can be implemented at least partially as a computer program module, which can perform corresponding functions when the computer program module is run.

[0125] Figure 6 A block diagram schematically illustrates an electronic device suitable for implementing a security defect analysis method according to an embodiment of this application.

[0126] like Figure 6 As shown, an electronic device 900 according to an embodiment of this application includes a processor 901, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 902 or a program loaded from a storage portion 908 into a random access memory (RAM) 903. The processor 901 may include, for example, a general-purpose microprocessor (e.g., a CPU), an instruction set processor and / or an associated chipset and / or a special-purpose microprocessor (e.g., an application-specific integrated circuit (ASIC)), etc. The processor 901 may also include onboard memory for caching purposes. The processor 901 may include a single processing unit or multiple processing units for performing different actions of the method flow according to an embodiment of this application.

[0127] RAM 903 stores various programs and data required for the operation of electronic device 900. Processor 901, ROM 902, and RAM 903 are interconnected via bus 904. Processor 901 executes various operations of the method flow according to embodiments of this application by executing programs in ROM 902 and / or RAM 903. It should be noted that the programs may also be stored in one or more memories other than ROM 902 and RAM 903. Processor 901 may also execute various operations of the method flow according to embodiments of this application by executing programs stored in said one or more memories.

[0128] According to embodiments of this application, the electronic device 900 may further include an input / output (I / O) interface 905, which is also connected to a bus 904. The electronic device 900 may also include one or more of the following components connected to the input / output (I / O) interface 905: an input section 906 including a keyboard, mouse, etc.; an output section 907 including a cathode ray tube (CRT), liquid crystal display (LCD), etc., and a speaker, etc.; a storage section 908 including a hard disk, etc.; and a communication section 909 including a network interface card such as a LAN card, modem, etc. The communication section 909 performs communication processing via a network such as the Internet. A drive 910 is also connected to the input / output (I / O) interface 905 as needed. A removable medium 911, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., is installed on the drive 910 as needed so that computer programs read from it can be installed into the storage section 908 as needed.

[0129] This application also provides a computer-readable storage medium, which may be included in the device / apparatus / system described in the above embodiments; or it may exist independently and not assembled into the device / apparatus / system. The computer-readable storage medium carries one or more programs, which, when executed, implement the method according to the embodiments of this application.

[0130] According to embodiments of this application, the computer-readable storage medium can be a non-volatile computer-readable storage medium, such as including but not limited to: portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this application, the computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. For example, according to embodiments of this application, the computer-readable storage medium may include ROM 902 and / or RAM 903 and / or one or more memories other than ROM 902 and RAM 903 described above.

[0131] Embodiments of this application also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowchart. When the computer program product is run on a computer system, the program code is used to enable the computer system to implement the security vulnerability analysis method provided in the embodiments of this application.

[0132] When the computer program is executed by the processor 901, it performs the functions defined in the system / apparatus of this application embodiment. According to the embodiments of this application, the systems, apparatuses, modules, units, etc., described above can be implemented by computer program modules.

[0133] In one embodiment, the computer program may rely on a tangible storage medium such as an optical storage device or a magnetic storage device. In another embodiment, the computer program may also be transmitted and distributed in the form of signals over a network medium, and downloaded and installed via the communication section 909, and / or installed from a removable medium 911. The program code contained in the computer program can be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination thereof.

[0134] In such an embodiment, the computer program can be downloaded and installed from a network via the communication section 909, and / or installed from the removable medium 911. When the computer program is executed by the processor 901, it performs the functions defined in the system of this application embodiment. According to the embodiments of this application, the systems, devices, apparatuses, modules, units, etc., described above can be implemented by computer program modules.

[0135] According to embodiments of this application, program code for executing the computer programs provided in the embodiments of this application can be written in any combination of one or more programming languages. Specifically, these computational programs can be implemented using high-level procedural and / or object-oriented programming languages, and / or assembly / machine languages. Programming languages ​​include, but are not limited to, languages ​​such as Java, C++, Python, "C", or similar programming languages. The program code can be executed entirely on the user's computing device, partially on the user's device, partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).

[0136] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram or flowchart, and combinations of blocks in a block diagram or flowchart, may be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.

[0137] Those skilled in the art will understand that the features described in the various embodiments of this application can be combined and / or combined in various ways, even if such combinations or combinations are not explicitly described in this application. In particular, the features described in the various embodiments of this application can be combined and / or combined in various ways without departing from the spirit and teachings of this application. All such combinations and / or combinations fall within the scope of this application.

Claims

1. A method for analyzing security defects, characterized in that, The method includes: Collect heterogeneous data of multi-source defects, and perform multi-dimensional feature fusion processing on the heterogeneous data of multi-source defects to obtain multi-dimensional feature vectors; The security defect analysis task is broken down into m target sub-tasks. Based on the multi-dimensional feature vector, each of the m target sub-tasks is subjected to large-scale model inference analysis to obtain m inference results; where m is a positive integer. Based on a dynamic knowledge graph, the m inference results are cross-validated; and Based on the inference results obtained from cross-validation and the preset report template, a security analysis report is generated.

2. The method according to claim 1, characterized in that, The method of cross-validating the m inference results based on a dynamic knowledge graph includes: The m inference results are transformed into m corresponding relation triples; Based on the dynamic knowledge graph, the m relation triples are matched and verified respectively to generate matching and verification results corresponding to the m inference results; Based on the dynamic knowledge graph, the logical relationships between the m relation triples are verified, and a logical verification result is generated; and Based on the logical verification results and the matching verification results, the cross-validation results of the m inference results are determined.

3. The method according to claim 1, characterized in that, The construction process of the dynamic knowledge graph includes: Obtain historical security information; The historical security information is structured to generate an entity relationship graph; Real-time acquisition of security information regarding successful cross-validation; and Based on the security information obtained from the cross-validation, the entity relationship graph is updated to construct the dynamic knowledge graph.

4. The method according to claim 1, characterized in that, The step of performing large-scale model inference analysis on the m target sub-tasks based on the multi-dimensional feature vectors includes: From the multidimensional feature vector, extract the core feature vector corresponding to the current target subtask; and Based on the core feature vector, a large model is used to perform security defect inference on the current target sub-task, generating the inference result corresponding to the current target sub-task.

5. The method according to claim 1, characterized in that, The step of performing multi-dimensional feature fusion processing on the multi-source defect heterogeneous data to obtain a multi-dimensional feature vector includes: The multi-source defect heterogeneous data is cleaned to obtain cleaned data; The cleaned data is then normalized to obtain normalized data. Natural language processing is performed on the normalized data to extract semantic element information; and Based on the semantic element information, the normalized data is transformed into the multidimensional feature vector through feature embedding technology.

6. The method according to claim 1, characterized in that, The collection of heterogeneous multi-source defect data includes: Based on preset collection rules, structured data of security defect information sources across the entire domain are obtained through built-in interfaces; Based on the preset collection rules, unstructured data from the global security vulnerability information source is supplemented by a web crawler mechanism; and The structured data and the unstructured data are collected incrementally at regular intervals to obtain the multi-source defect heterogeneous data.

7. The method according to claim 1, characterized in that, The process of generating a security analysis report based on the inference results obtained from cross-validation and a preset report template includes: Based on the field information corresponding to the preset report template, the inference results that passed the cross-validation are written into the preset report template to obtain the analysis results; and The analysis results are visualized to generate the security analysis report.

8. A security defect analysis device, characterized in that, The device includes: The fusion processing module is used to collect heterogeneous data of multi-source defects and perform multi-dimensional feature fusion processing on the heterogeneous data of multi-source defects to obtain multi-dimensional feature vectors. The task analysis module is used to decompose the security defect analysis task, generate m target sub-tasks, and perform large model inference analysis on each of the m target sub-tasks based on the multi-dimensional feature vectors to obtain m inference results; where m is a positive integer. The cross-validation module is used to cross-validate the m inference results based on a dynamic knowledge graph; and The report generation module is used to generate a security analysis report based on the inference results that have passed cross-validation and a preset report template.

9. An electronic device, comprising: One or more processors; Memory, used to store one or more computer programs. The characteristic feature is that the one or more processors execute the one or more computer programs to implement the steps of the method according to any one of claims 1 to 7.

10. A computer-readable storage medium having a computer program or instructions stored thereon, characterized in that, When the computer program or instructions are executed by a processor, they implement the steps of the method according to any one of claims 1 to 7.

11. A computer program product, comprising a computer program or instructions, characterized in that, When the computer program or instructions are executed by a processor, they implement the steps of the method according to any one of claims 1 to 7.