A network security situation intelligent perception method

By constructing an intelligent perception method for the network security situation, and using historical attack and defense interaction data to build threat profiles and situation evolution models, this method addresses two problems of existing technologies: lagging identification of new variant threats, and difficulty in identifying the logic of multi-threat collaborative attacks. The result is accurate perception of the network security situation and dynamic defense based on it.

CN122226367A · Pending · Publication Date: 2026-06-16 · FUJIAN RUISHIDA INFORMATION TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
FUJIAN RUISHIDA INFORMATION TECHNOLOGY CO LTD
Filing Date
2026-03-16
Publication Date
2026-06-16

Figure CN122226367A_ABST (abstract drawing)

Abstract

The application discloses a network security situation intelligent perception method in the field of network security technology. The technical solution includes the following steps: obtain cross-period historical attack-defense interaction data; construct threat behavior portraits from the historical attack-defense interaction data to obtain a historical threat portrait data set; determine a reference threat prototype based on the key threat features of the historical threat portrait data set; identify, in the historical threat portrait data set, the associated threat portrait set that has a behavior coordination or resource dependence relationship with the reference threat prototype; carry out attack chain integrity analysis and threat evolution cycle measurement on the key threat features and auxiliary threat features of the historical threat portrait data set to obtain historical threat coordination evolution data. The effect is to accurately capture the evolution track and variation law of threats: not only can known threats be efficiently identified, but the appearance of new variant threats can also be predicted from the historical evolution model, solving the problem of lagging identification of new threats.

Description

Technical Field

[0001] This invention relates to the field of network security technology, and more specifically, to a method for intelligent perception of network security situation.

Background Technology

[0002] With the deepening of digital transformation, cyberspace has become a core carrier of critical infrastructure, economic activities, and social operations. Consequently, the complexity, coordination, and dynamism of cyber attack and defense have also escalated dramatically. Currently, cyber threats exhibit characteristics of multi-entity collaboration, multi-stage penetration, and multi-form mutation. For example, APT attacks often involve multiple related threat actors completing initial probing, vulnerability exploitation, lateral movement, and data theft in stages, and dynamically adjusting attack methods based on defense strategies. Ransomware threats, on the other hand, can iterate from basic forms to variant forms in a short period.

[0003] However, existing cybersecurity situational awareness technologies mostly focus on identifying single threats in real-time data, relying on preset rule bases to match and alert on current attack behaviors. This not only lacks in-depth utilization of historical attack and defense data across time periods, failing to capture the evolutionary patterns of threats from baseline to related and variant forms, leading to a lag in the identification of new variant threats; but also lacks a mechanism for analyzing the correlation between threats, treating each threat event as an independent entity, making it difficult to discover the collaborative attack logic of multiple threat actors, and easily creating blind spots in situational awareness when facing multi-stage collaborative attacks. At the same time, the linkage between situational awareness and defense control is insufficient, with perception results mostly remaining at the threat alert level, unable to output accurate defense strategies based on historical evolution patterns, resulting in weak targeting and timeliness of defense responses.

Summary of the Invention

[0004] In view of the shortcomings of existing technologies, the purpose of this invention is to provide a method for intelligent perception of network security situation.

[0005] To achieve the above objectives, the present invention provides the following technical solution: A method for intelligent perception of network security situation, comprising the following steps: Historical attack and defense interaction data across time periods is obtained from the network. Threat behavior profiles are constructed from the historical attack and defense interaction data to obtain a historical threat profile dataset. Based on the key threat features of the historical threat profile dataset, a baseline threat prototype is determined. Identify the set of related threat profiles in the historical threat profile dataset that have behavioral synergy or resource dependency with the baseline threat prototype; Attack chain integrity analysis and threat evolution cycle calculation are performed on key threat features and auxiliary threat features of historical threat profile datasets to obtain historical threat co-evolution data; based on historical threat co-evolution data, target related threat profiles with high evolutionary correlation are screened from the related threat profile set; Based on a preset threat mutation threshold, extract mutation-related threat profiles with mutation characteristics from historical network attack and defense data; Integrate the behavioral patterns and evolutionary laws of baseline threat prototypes, target-related threat profiles, and variant-related threat profiles to establish a historical security situation evolution model library; The system acquires the current attack and defense interaction data stream of the network, identifies the current baseline threat and its potential co-existing immediate related threats, extracts the real-time behavioral characteristics of the current baseline threat and the immediate related threats to form a situation feature set, and obtains the perception and dynamic defense control of the network security situation based on the pattern matching of the situation feature set and the historical security situation evolution model library.

[0006] Preferably, historical attack and defense interaction data across network time periods is acquired, and threat behavior profiles are constructed from the historical attack and defense interaction data to obtain a historical threat profile dataset. Based on the key threat features of the historical threat profile dataset, a baseline threat prototype is determined, specifically including the following steps: Network attack traffic data, defense response logs, threat source information, and attacked asset data from different time periods are collected to form cross-time historical attack and defense interaction data. The historical attack and defense interaction data is processed by behavioral feature extraction algorithms to extract information on threat behavior, attack methods, attack frequency, target preferences, technical characteristics, and harmful consequences, and to construct a historical threat profile dataset. Threat profile records that meet the key threat characteristics are selected from the historical threat profile dataset and identified as the baseline threat prototypes.

[0007] Preferably, identifying the associated threat profile set in the historical threat profile dataset that has behavioral synergy or resource dependency with the baseline threat prototype specifically includes the following steps: The threat profiles in the historical threat profile dataset that have a cooperative relationship with the baseline threat prototype in terms of attack timing and operation steps are identified to form a behavioral cooperative threat set. By using a resource dependency analysis model, we can identify threat profiles in historical threat profile datasets that have dependency relationships with baseline threat prototypes in terms of attack tools, vulnerability exploits, and control servers, thus forming a resource-dependent threat set. Combine the behaviorally coordinated threat set with the resource-dependent threat set to form a related threat profile set.

[0008] Preferably, attack chain integrity analysis and threat evolution cycle calculation are performed on key threat features and auxiliary threat features of the historical threat profile dataset to obtain historical threat co-evolution data, specifically including the following steps: The attack chain is disassembled based on the threat behaviors corresponding to the key threat characteristics, and the integrity and connection of each node in the attack chain are judged to obtain the key attack chain integrity coefficient. The attack chain of the threat behavior corresponding to the auxiliary threat characteristics is disassembled, and the integrity and connection of each node in the attack chain are judged to obtain the auxiliary attack chain integrity coefficient. Calculate the evolution cycle of threat behaviors corresponding to key threat features and auxiliary threat features from their emergence to their disappearance or mutation, the duration of each stage, and the evolution rate, and form an evolution cycle parameter set; By fusing the critical attack chain integrity coefficient, the auxiliary attack chain integrity coefficient, and the evolution cycle parameter set, historical threat co-evolution data are obtained.

[0009] Preferably, target related threat profiles with high evolutionary correlation are selected from the related threat profile set based on historical threat co-evolution data, specifically including the following steps: The pre-defined evolutionary correlation evaluation indicators include attack chain fit threshold, evolutionary cycle synchronization rate threshold, and behavioral synergy coefficient threshold. From the associated threat profile set, we select associated threat profiles that have an attack chain fit higher than the attack chain fit threshold, an evolution cycle synchronization rate higher than the evolution cycle synchronization rate threshold, and a behavior coordination coefficient higher than the behavior coordination coefficient threshold from the historical threat co-evolution data, and mark them as target associated threat profiles.

[0010] Preferably, the behavioral patterns and evolutionary laws of baseline threat prototypes, target-related threat profiles, and variant-related threat profiles are integrated to establish a historical security situation evolution model library, which specifically includes the following steps: Extract the collaborative behavior patterns, attack chain node characteristics, and short-term evolution trends of the baseline threat prototype and the target-related threat profile, and construct a short-term situation evolution model set; Extract the variant behavior characteristics, long-term evolution paths and environmental adaptation patterns of the variant-related threat profile, and construct a set of long-term situational evolution models; A historical security situation evolution model library is generated by combining the short-term situation evolution model group and the long-term situation evolution model group.

[0011] Preferably, the collaborative behavior patterns, attack chain node characteristics, and short-term evolution trends of the baseline threat prototype and the target-related threat profile are extracted to construct a short-term situation evolution model set; the variant behavior characteristics, long-term evolution paths, and environmental adaptation rules of the variant-related threat profile are extracted to construct a long-term situation evolution model set, specifically including the following steps: Extract the coordinated attack sequence, operational coordination mode, technical parameters of key nodes in the attack chain, and short-term evolution direction and rate from the baseline threat prototype and the target-related threat profile, and construct a short-term situation evolution model group. Extract behavioral variation points, technological iteration characteristics, long-term evolution path planning, and adaptation and adjustment patterns to network environment and defense strategies from the variant-related threat profile at different stages, and construct a long-term situational evolution model set.

[0012] Preferably, the process involves acquiring the current network attack and defense interaction data stream, identifying the current baseline threat and its potential co-existing real-time related threats, and extracting the real-time behavioral characteristics of the current baseline threat and the real-time related threats to form a situational feature set. This specifically includes the following steps: The system acquires current network attack traffic, defense alerts, asset status, and threat interaction data to form a current attack and defense interaction data stream. Identify immediately relevant threats that have the potential for behavioral collaboration or resource dependence with the current baseline threats; Extract the real-time attack methods, propagation speed, scope of impact, technical characteristics, and defense response status of the current baseline threat and immediately related threats to form a situational feature set.

[0013] Preferably, the perception and dynamic defense control of network security situation are obtained based on pattern matching between the situation feature set and the historical security situation evolution model library, specifically including the following steps: Calculate the similarity between the situation feature set and each evolution model in the historical security situation evolution model library, and select the evolution model with the highest similarity as the adaptation evolution model; Based on the adaptive evolution model, the subsequent evolution path, impact range expansion trend and mutation direction of the current security threat are predicted. Combined with the current network defense resource configuration and security status, situational awareness results and dynamic defense control schemes are generated. The dynamic defense control scheme includes instructions for dynamically adjusting defense rules, optimization schemes for threat interception strategies, and suggestions for strengthening asset protection, thereby forming a perception of network security situation and dynamic defense control.

[0014] Compared with existing technologies, this invention has the following advantages: By acquiring historical attack and defense interaction data across time periods to construct a threat profile dataset, extracting baseline threat prototypes and mining related and mutated threat profiles, and finally integrating them to form a historical security situation evolution model library, it can accurately capture the evolution trajectory and mutation patterns of threats. This not only efficiently identifies known threats but also predicts the emergence of new mutated threats through historical evolution models, solving the problem of delayed identification of new threats. Using baseline threat prototypes as anchors, it accurately identifies related threat profiles with behavioral synergy or resource dependencies. Then, through attack chain integrity analysis and evolution cycle calculation, it filters threats with high evolutionary correlation, forming a complete threat correlation network that can clearly identify the collaborative attack logic of multiple threat actors and effectively recognize complex attack behaviors involving multiple stages and multiple actors, solving the blind spot problem in the perception of collaborative attacks caused by treating threats as independent entities, and significantly improving the comprehensiveness of situational awareness in complex network environments. Through pattern matching between situational feature sets and historical evolution model libraries, it achieves accurate perception of the current security situation and directly outputs dynamic defense and control strategies. The defense and control schemes generated based on historical evolution patterns can accurately adapt to the current evolution stage and related characteristics of threats, enabling dynamic adjustment of defense rules, optimization of threat interception strategies, and precise protection of key assets, significantly improving the pertinence and timeliness of defense response, and achieving an upgrade from passive response to proactive defense.

Attached Figure Description

[0015] Figure 1 is a schematic diagram illustrating the steps of an intelligent network security situation awareness method provided in an embodiment of the present invention; Figure 2 is a schematic diagram illustrating the steps of obtaining historical threat co-evolution data in a network security situation intelligent perception method provided by an embodiment of the present invention; Figure 3 is a schematic diagram illustrating the steps of forming a situation feature set in a network security situation intelligent perception method provided by an embodiment of the present invention.

Detailed Implementation

[0016] To make the above-mentioned objects, features and advantages of the present invention more apparent and understandable, the specific embodiments of the present invention will be described in detail below with reference to the accompanying drawings.

[0017] Many specific details are set forth in the following description in order to provide a full understanding of the invention. However, the invention may also be practiced in other ways different from those described herein, and those skilled in the art can make similar extensions without departing from the spirit of the invention. Therefore, the invention is not limited to the specific embodiments disclosed below.

[0018] Secondly, the term "an embodiment" or "embodiment" as used herein refers to a specific feature, structure, or characteristic that may be included in at least one implementation of the present invention. The phrase "in one embodiment" appearing in different places throughout this specification does not necessarily refer to the same embodiment, nor is it a single embodiment or an embodiment selectively excluded from other embodiments.

[0019] Reference is made to Figures 1-3 as shown.

[0020] This embodiment further illustrates the intelligent perception method for network security situation proposed in this invention.

[0021] A method for intelligent perception of network security situation, comprising the following steps: Historical attack and defense interaction data across time periods is obtained from the network. Threat behavior profiles are constructed from the historical attack and defense interaction data to obtain a historical threat profile dataset. Based on the key threat features of the historical threat profile dataset, a baseline threat prototype is determined. Identify the set of related threat profiles in the historical threat profile dataset that have behavioral synergy or resource dependency with the baseline threat prototype; Attack chain integrity analysis and threat evolution cycle calculation are performed on key threat features and auxiliary threat features of historical threat profile datasets to obtain historical threat co-evolution data; based on historical threat co-evolution data, target related threat profiles with high evolutionary correlation are screened from the related threat profile set; Based on a preset threat mutation threshold, a profile of mutation-related threats with mutation characteristics is extracted from historical network attack and defense data.

[0022] The criteria for determining threat mutation are a series of quantified thresholds, such as the magnitude of change in threat characteristics, the degree of difference in behavioral patterns, or the percentage reduction in the evolution cycle. For example, in a real-world scenario, if the attack payload characteristics of a threat differ from its original form by more than 30%, or if its attack completion cycle is shortened by 40%, these specific values form the standard for judging whether a threat has mutated.

[0023] After determining the threshold, threat profiles that are related to the baseline threat prototype are selected from existing historical threat profile data. This relationship is usually reflected in behavioral coordination or resource dependence. For example, some threats may be linked to the baseline threat in terms of attack timing or share the same type of malware resources. These related profiles are the objects of subsequent analysis.

[0024] The actual characteristic parameters of the associated threat profile are compared one by one with the set thresholds. When the parameters of the associated threat profile reach or exceed any threshold, it is determined that it has mutation characteristics. For example, if the latest version of the associated threat profile of a malware family uses a completely different control server address than the original version, and the exploit target has shifted from an older operating system to a newer one, and the magnitude of these two changes exceeds the preset threshold, then the profile is identified as a mutated associated threat profile. This effectively captures the mutation state of threats, providing mutation samples for building a more comprehensive security posture evolution model, thereby helping to improve the ability to perceive and respond to new threats.

[0025] Integrate the behavioral patterns and evolutionary laws of baseline threat prototypes, target-related threat profiles, and variant-related threat profiles to establish a historical security situation evolution model library; The system acquires the current attack and defense interaction data stream of the network, identifies the current baseline threat and its potential co-existing immediate related threats, extracts the real-time behavioral characteristics of the current baseline threat and the immediate related threats to form a situation feature set, and obtains the perception and dynamic defense control of the network security situation based on the pattern matching of the situation feature set and the historical security situation evolution model library.

[0026] The process involves acquiring historical attack and defense interaction data across different time periods, constructing a historical threat profile dataset by profiling the historical attack and defense interaction data, and determining a baseline threat prototype based on the key threat features of the historical threat profile dataset. This process includes the following steps: Network attack traffic data, defense response logs, threat source information, and attacked asset data from different time periods are collected to form cross-time historical attack and defense interaction data. The historical attack and defense interaction data is processed by behavioral feature extraction algorithms to extract information on threat behavior, attack methods, attack frequency, target preferences, technical characteristics, and harmful consequences, and to construct a historical threat profile dataset. Threat profile records that meet the key threat characteristics are selected from the historical threat profile dataset and identified as the baseline threat prototypes.

[0027] First, various types of data from different time periods must be collected, including network attack traffic data, defense response logs, threat source information, and attacked asset data. This data, scattered across different time periods, is then integrated to form historical attack and defense interaction data across different time periods. Next, key information corresponding to threat behaviors is extracted from this historical attack and defense interaction data, such as specific attack methods, attack frequency, target preferences of attack tendencies, technical characteristics used in the attacks, and the harmful consequences caused by the attacks. Finally, a historical threat profile dataset is constructed.

[0028] The criteria for defining key threat characteristics specifically cover four dimensions: innovative attack methods, targeting of core assets, severe consequences of the attack, or representative technical features of the attack. Based on these criteria, threat profile records that meet these key threat characteristics are selected from the existing historical threat profile dataset and designated as baseline threat prototypes. For example, in an enterprise network environment, if a certain period of historical data contains an attack that employs a novel encrypted tunneling method rarely seen in the industry, consistently targets core assets such as the enterprise's financial servers and core business databases, and has resulted in a large-scale leak of core data causing serious economic losses, then the corresponding threat profile record will be selected as a baseline threat prototype because it simultaneously meets the key characteristics of innovative attack methods, targeting core assets, and severe consequences. This allows for the extraction of representative core threat templates from massive amounts of historical attack and defense data, providing a foundational reference for subsequent threat correlation analysis and evolution research.

[0029] Identifying related threat profiles in historical threat profile datasets that exhibit behavioral synergy or resource dependency with baseline threat prototypes involves the following steps: The threat profiles in the historical threat profile dataset that have a cooperative relationship with the baseline threat prototype in terms of attack timing and operation steps are identified to form a behavioral cooperative threat set. By using a resource dependency analysis model, we can identify threat profiles in historical threat profile datasets that have dependency relationships with baseline threat prototypes in terms of attack tools, vulnerability exploits, and control servers, thus forming a resource-dependent threat set. Combine the behaviorally coordinated threat set with the resource-dependent threat set to form a related threat profile set.

[0030] The coordination between historical threat profiles and baseline threat prototypes in terms of attack timing and operational steps is determined to form a behaviorally coordinated threat set. Specifically, coordination in attack timing refers to the sequential nature of attack behaviors corresponding to different threat profiles over time; for example, after the baseline threat prototype completes its exploit, another threat profile immediately initiates a lateral movement operation. Coordination in operational steps refers to the complementary nature of the operational processes of different threats; for example, the baseline threat is responsible for breaching perimeter defenses, while another threat is responsible for internal asset reconnaissance. Threat profiles exhibiting coordination in timing or steps are included in the behaviorally coordinated threat set.

[0031] By leveraging resource dependency analysis models, threat profiles that exhibit dependency relationships with baseline threat prototypes within historical threat profile datasets in terms of attack tools, exploits, and control servers are identified, forming a resource-dependent threat set. Attack tool dependency refers to different threats using the same or related malware tools; exploit dependency refers to different threats targeting the same type of system vulnerability; and control server dependency refers to different threats transmitting commands to the same set of remote control servers. Threat profiles meeting these resource dependency conditions are categorized into the resource-dependent threat set.

[0032] By integrating the behaviorally coordinated threat set with the resource-dependent threat set, a set of related threat profiles can be formed.

[0033] Taking a new type of encrypted tunnel attack baseline threat prototype as an example, if the attack behavior corresponding to a certain threat profile always launches a password brute-force operation against the internal server within 5 minutes after the baseline threat completes the encrypted tunnel setup, and the two coordinate in terms of timing and steps, then this threat will be included in the behavior coordination threat set. Simultaneously, if another threat profile uses the same encrypted tunneling tool as the baseline threat and exploits the same type of unauthorized access vulnerability, then this threat will be included in the resource dependency threat set. Merging these two threat sets yields the associated threat profile set corresponding to the baseline threat prototype.

[0034] When quantitatively analyzing behavioral synergy, the attack timing coupling degree can be calculated using the formula: Attack Timing Coupling Degree = (Number of times the time difference between the end time of the baseline threat behavior and the start time of the associated threat behavior is ≤ preset coordination duration) / Total number of associated threat behaviors. When this coupling degree is ≥ preset threshold (e.g., 0.7), it can be determined that there is a behavioral synergy between the two. For example, if the baseline threat prototype's behavior is to build an encrypted tunnel, and its single behavior end time is denoted as T1; the associated threat's behavior is to brute-force internal passwords, and its single behavior start time is denoted as T2, with a preset coordination duration of 10 minutes, and the associated threat launches a total of 8 attack behaviors, then 6 of these 8 behaviors meet the condition T2-T1≤10 minutes. Therefore, the attack timing coupling degree = 6 / 8 = 0.75. Since 0.75 ≥ preset threshold 0.7, it is determined that the associated threat and the baseline threat prototype have a behavioral synergy relationship.

[0035] Resource dependencies can be calculated using the resource overlap ratio, which is: Resource overlap ratio = (Number of resource types shared with the baseline threat) / Total number of resource types of the baseline threat. When the overlap ratio is greater than or equal to a preset threshold (e.g., 0.5), a resource dependency relationship is determined to exist. For example, the baseline threat prototype has three resource types: encrypted tunneling tools, unauthorized access vulnerabilities, and control server A; the associated threat has the following resources: encrypted tunneling tools, unauthorized access vulnerabilities, and control server B; the two share two resource types, so the resource overlap ratio = 2 / 3 ≈ 0.67; since 0.67 ≥ the preset threshold 0.5, it is determined that the associated threat has a resource dependency relationship with the baseline threat prototype.

[0036] The attack chain integrity analysis and threat evolution cycle calculation are performed on the key threat features and auxiliary threat features of the historical threat profile dataset to obtain historical threat co-evolution data. The specific steps include: The attack chain is disassembled based on the threat behaviors corresponding to the key threat characteristics, and the integrity and connection of each node in the attack chain are judged to obtain the key attack chain integrity coefficient. The attack chain of the threat behavior corresponding to the auxiliary threat characteristics is disassembled, and the integrity and connection of each node in the attack chain are judged to obtain the auxiliary attack chain integrity coefficient. Calculate the evolution cycle of threat behaviors corresponding to key threat features and auxiliary threat features from their emergence to their disappearance or mutation, the duration of each stage, and the evolution rate, and form an evolution cycle parameter set; By fusing the critical attack chain integrity coefficient, the auxiliary attack chain integrity coefficient, and the evolution cycle parameter set, historical threat co-evolution data are obtained.

[0037] The attack chain of the threat behaviors corresponding to the key threat features is disassembled. An attack chain typically includes nodes for initial probing, vulnerability exploitation, privilege escalation, lateral movement, and data theft or destruction. Each node is checked for completeness, and the smoothness of the connection between consecutive nodes is evaluated, to obtain the key attack chain integrity coefficient. The formula is: Key attack chain integrity coefficient = (Number of complete key attack chain nodes + Number of nodes with smooth connections) / (Total number of attack chain nodes × 2). The closer the coefficient is to 1, the better the integrity and connectivity of the key attack chain.

[0038] The same attack chain decomposition is performed on the threat behaviors corresponding to auxiliary threat features. Auxiliary threat features are usually supporting operations that complement key threat behaviors, such as information gathering before an attack and traffic masquerading during an attack. The integrity and connectivity of each node in the attack chain are also judged to obtain the auxiliary attack chain integrity coefficient, and its calculation formula is consistent with that of the key attack chain integrity coefficient.

[0039] Next, the evolution cycle parameters of the threat behaviors corresponding to the key threat features and auxiliary threat features are calculated. The evolution cycle is the duration from the first appearance of a threat behavior to its disappearance or mutation. The duration of each stage is the time the threat stays at a single attack chain node, such as initial probing or vulnerability exploitation. The evolution rate = evolution cycle ÷ number of attack chain nodes. These parameters are integrated to form the evolution cycle parameter set.

[0040] Finally, by integrating the critical attack chain integrity coefficient, the auxiliary attack chain integrity coefficient, and the evolution cycle parameter set, we can obtain historical threat co-evolution data.

[0041] Taking the baseline threat prototype of a new type of encrypted tunnel attack as an example, the attack chain nodes corresponding to its key threat characteristics include encrypted tunnel construction, backdoor implantation, and data theft, while the attack chain nodes corresponding to the auxiliary threat characteristics include target asset information collection and traffic encryption spoofing. If all three nodes of the key attack chain are complete and smoothly connected, then the key attack chain integrity coefficient = (3+3) / (3×2) = 1; if both nodes of the auxiliary attack chain are complete and smoothly connected, then the auxiliary attack chain integrity coefficient = (2+2) / (2×2) = 1. Looking at the evolution cycle, if the threat behavior takes 60 days from its emergence to mutation, with the information collection phase lasting 5 days, the encrypted tunnel construction phase lasting 3 days, the backdoor implantation phase lasting 2 days, and the data theft phase lasting 50 days, then the evolution cycle is 60 days, and the evolution rate = 60 / (3+2) = 12 days / node. Integrating these coefficients with the evolution parameters forms the historical threat co-evolution data corresponding to this threat.
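As an added worked example (not code from the patent), the following Python computes the key and auxiliary attack chain integrity coefficients of [0037]-[0038] and the evolution cycle parameter set of [0039] for the encrypted tunnel example in [0041], then fuses them as in [0040]; the AttackChainNode structure, the dictionary layout of the result, and the consistency check on stage durations are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class AttackChainNode:
    """One node of a disassembled attack chain (constructed structure)."""
    name: str
    complete: bool                      # node observed with all its expected steps
    connected: bool                     # hand-off to the next node was smooth
    duration_days: float | None = None  # time the threat spent at this node, if known


def integrity_coefficient(chain: list[AttackChainNode]) -> float:
    """[0037]: (complete nodes + smoothly connected nodes) / (total nodes x 2).

    Equals 1 only when every node is both complete and smoothly connected."""
    if not chain:
        raise ValueError("attack chain has no nodes")
    complete = sum(1 for n in chain if n.complete)
    connected = sum(1 for n in chain if n.connected)
    return (complete + connected) / (len(chain) * 2)


def evolution_cycle_parameters(key: list[AttackChainNode],
                               auxiliary: list[AttackChainNode],
                               cycle_days: float) -> dict:
    """[0039]: evolution cycle, per-stage durations, and
    evolution rate = cycle / number of attack chain nodes (key + auxiliary)."""
    nodes = key + auxiliary
    if not nodes:
        raise ValueError("no attack chain nodes")
    stages = {n.name: n.duration_days for n in nodes if n.duration_days is not None}
    if sum(stages.values()) > cycle_days:
        # Stage durations are parts of the cycle; a larger sum means inconsistent input.
        raise ValueError("stage durations exceed the evolution cycle")
    return {
        "evolution_cycle_days": cycle_days,
        "stage_durations_days": stages,
        "evolution_rate_days_per_node": cycle_days / len(nodes),
    }


def co_evolution_data(key: list[AttackChainNode],
                      auxiliary: list[AttackChainNode],
                      cycle_days: float) -> dict:
    """[0040]: fuse both integrity coefficients with the evolution cycle parameter set."""
    return {
        "key_integrity": integrity_coefficient(key),
        "auxiliary_integrity": integrity_coefficient(auxiliary),
        **evolution_cycle_parameters(key, auxiliary, cycle_days),
    }


# Constructed sample following [0041]: three key nodes, two auxiliary nodes and a
# 60-day cycle; the text gives no duration for the spoofing stage, so it stays None.
KEY_CHAIN = [
    AttackChainNode("encrypted tunnel construction", True, True, 3),
    AttackChainNode("backdoor implantation", True, True, 2),
    AttackChainNode("data theft", True, True, 50),
]
AUX_CHAIN = [
    AttackChainNode("target asset information collection", True, True, 5),
    AttackChainNode("traffic encryption spoofing", True, True),
]

if __name__ == "__main__":
    for field_name, value in co_evolution_data(KEY_CHAIN, AUX_CHAIN, 60).items():
        print(f"{field_name}: {value}")
```

With the sample input both coefficients come out as 1 and the evolution rate as 12 days per node, matching [0041]; a chain with one node missing or disconnected drops the coefficient below 1.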

[0042] Based on historical threat co-evolution data, target related threat profiles with high evolutionary correlation are selected from the related threat profile set. The specific steps include: The pre-defined evolutionary correlation evaluation indicators include attack chain fit threshold, evolutionary cycle synchronization rate threshold, and behavioral synergy coefficient threshold. From the associated threat profile set, we select associated threat profiles that have an attack chain fit higher than the attack chain fit threshold, an evolution cycle synchronization rate higher than the evolution cycle synchronization rate threshold, and a behavior coordination coefficient higher than the behavior coordination coefficient threshold from the historical threat co-evolution data, and mark them as target associated threat profiles.

[0043] First, the evaluation indicators for evolutionary correlation are pre-defined, specifically the attack chain fit threshold, the evolution cycle synchronization rate threshold, and the behavioral synergy coefficient threshold. These thresholds serve as the criteria for the subsequent screening. Attack chain fit is the degree of overlap and connection between the attack chain of the associated threat profile and the attack chain of the baseline threat; its formula is: Attack chain fit = (Number of attack chain nodes overlapping between the associated threat and the baseline threat + Number of nodes with consistent connection rhythm) / (Total number of nodes in the baseline threat attack chain × 2). Evolution cycle synchronization rate is the degree of time matching between the evolution cycle of the associated threat and that of the baseline threat; its formula is: Evolution cycle synchronization rate = 1 - |Evolution cycle duration of the associated threat - Evolution cycle duration of the baseline threat| / Evolution cycle duration of the baseline threat. The behavioral synergy coefficient is calculated from the attack sequence coupling degree and resource overlap degree determined earlier; its formula is: Behavioral synergy coefficient = (Attack sequence coupling degree + Resource overlap degree) / 2.

[0044] Historical threat co-evolution data corresponding to each profile is extracted from the associated threat profile set. Attack chain fit, evolution cycle synchronization rate, and behavioral coordination coefficient are calculated for each profile, and these values are compared with preset thresholds. A profile is marked as a target associated threat profile only when its attack chain fit is higher than the attack chain fit threshold, its evolution cycle synchronization rate is higher than the evolution cycle synchronization rate threshold, and its behavioral coordination coefficient is higher than the behavioral coordination coefficient threshold.

[0045] Taking a prototype threat of a novel encrypted tunnel attack as an example, the preset attack chain fit threshold is 0.8, the evolution cycle synchronization rate threshold is 0.7, and the behavioral coordination coefficient threshold is 0.75. If the attack chain of the associated threat profile has 3 nodes overlapping with the baseline threat and 3 nodes with consistent connection rhythm, and the baseline threat attack chain has a total of 3 nodes, then its attack chain fit = (3+3) / (3×2) = 1, which is higher than the threshold of 0.8; if the evolution cycle of the baseline threat is 60 days and the evolution cycle of this associated threat is 55 days, then the evolution cycle synchronization rate = 1 - |55 - 60| / 60 ≈ 0.92, which is higher than the threshold of 0.7; at the same time, if the attack sequence coupling degree of this associated threat is 0.8 and its resource overlap degree is 0.7, then the behavioral coordination coefficient = (0.8+0.7) / 2 = 0.75, reaching the threshold of 0.75. Therefore, this associated threat profile is marked as a target associated threat profile.
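The screening of [0042]-[0045], together with the resource overlap ratio of [0035], as an added Python example (not the patent's own code): it computes the three evolutionary correlation indicators for each associated profile and applies the thresholds. The ThreatProfile layout, the EPS tolerance and the second sample profile are assumptions; the first profile carries the numbers of [0045].

```python
from __future__ import annotations

from dataclasses import dataclass

EPS = 1e-9  # tolerance so a value that exactly reaches a threshold is not lost to float error


@dataclass(frozen=True)
class Thresholds:
    """Evolutionary correlation thresholds; the defaults are the values in [0045]."""
    attack_chain_fit: float = 0.8
    cycle_sync_rate: float = 0.7
    behavioral_synergy: float = 0.75


@dataclass
class ThreatProfile:
    """Co-evolution data of one associated threat profile (constructed layout)."""
    name: str
    overlapping_nodes: int        # attack chain nodes shared with the baseline threat
    rhythm_consistent_nodes: int  # nodes whose connection rhythm matches the baseline
    cycle_days: float             # evolution cycle duration
    sequence_coupling: float      # attack sequence coupling degree, in [0, 1]
    resource_overlap: float       # resource overlap degree, in [0, 1]


def resource_overlap_ratio(baseline_resources, associated_resources) -> float:
    """[0035]: shared resource types / total resource types of the baseline threat."""
    baseline = set(baseline_resources)
    if not baseline:
        raise ValueError("baseline threat has no resource types")
    return len(baseline & set(associated_resources)) / len(baseline)


def attack_chain_fit(p: ThreatProfile, baseline_nodes: int) -> float:
    """[0043]: (overlapping nodes + rhythm-consistent nodes) / (baseline nodes x 2)."""
    return (p.overlapping_nodes + p.rhythm_consistent_nodes) / (baseline_nodes * 2)


def cycle_sync_rate(p: ThreatProfile, baseline_cycle_days: float) -> float:
    """[0043]: 1 - |associated cycle - baseline cycle| / baseline cycle.

    Clamped at 0: an associated cycle more than twice the baseline would
    otherwise produce a negative rate."""
    return max(0.0, 1 - abs(p.cycle_days - baseline_cycle_days) / baseline_cycle_days)


def behavioral_synergy(p: ThreatProfile) -> float:
    """[0043]: (attack sequence coupling degree + resource overlap degree) / 2."""
    return (p.sequence_coupling + p.resource_overlap) / 2


def screen_targets(profiles, baseline_nodes, baseline_cycle_days,
                   th: Thresholds = Thresholds()) -> list[str]:
    """[0044]: a profile becomes a target associated threat profile only when all
    three indicators satisfy their thresholds. [0044] says "higher than", but the
    worked example in [0045] accepts a coefficient that exactly reaches 0.75, so the
    comparison here is >= with a small tolerance."""
    targets = []
    for p in profiles:
        if (attack_chain_fit(p, baseline_nodes) >= th.attack_chain_fit - EPS
                and cycle_sync_rate(p, baseline_cycle_days) >= th.cycle_sync_rate - EPS
                and behavioral_synergy(p) >= th.behavioral_synergy - EPS):
            targets.append(p.name)
    return targets


# Constructed samples: "tunnel-variant-A" carries the numbers of [0045];
# "slow-scanner" is made up to show a profile that fails the screen.
BASELINE_NODES = 3
BASELINE_CYCLE_DAYS = 60
PROFILES = [
    ThreatProfile("tunnel-variant-A", 3, 3, 55, 0.8, 0.7),
    ThreatProfile("slow-scanner", 2, 1, 130, 0.5, 0.3),
]

if __name__ == "__main__":
    # The [0035] example: two of the baseline's three resource types are shared.
    print(resource_overlap_ratio(
        {"encrypted tunneling tool", "unauthorized access vulnerability", "control server A"},
        {"encrypted tunneling tool", "unauthorized access vulnerability", "control server B"}))
    print(screen_targets(PROFILES, BASELINE_NODES, BASELINE_CYCLE_DAYS))
```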

[0046] By integrating the behavioral patterns and evolutionary laws of baseline threat prototypes, target-related threat profiles, and variant-related threat profiles, a historical security situation evolution model library is established, which specifically includes the following steps: Extract the collaborative behavior patterns, attack chain node characteristics, and short-term evolution trends of the baseline threat prototype and the target-related threat profile, and construct a short-term situation evolution model set; Extract the variant behavior characteristics, long-term evolution paths and environmental adaptation patterns of the variant-related threat profile, and construct a set of long-term situational evolution models; A historical security situation evolution model library is generated by combining the short-term situation evolution model group and the long-term situation evolution model group.

[0047] Based on the baseline threat prototype and the target-related threat profiles, their collaborative behavior patterns, attack chain node characteristics, and short-term evolution trends are extracted to construct a short-term situation evolution model set. The collaborative behavior pattern is the way the baseline threat and the target-related threats cooperate during the attack process, such as a fixed sequence in which the target-related threat initiates lateral movement as soon as the baseline threat completes a vulnerability exploit. Attack chain node characteristics are the behavioral parameters of each threat at attack chain nodes such as initial probing and privilege acquisition, for example the average time spent by the baseline threat at the vulnerability exploit node and the operation frequency of the target-related threat at the data theft node. The short-term evolution trend is the magnitude of change of these threats' characteristics within 1 to 3 months, such as the monthly growth rate of attack frequency.

[0048] Based on the profile of mutated and related threats, we extract their mutated behavior characteristics, long-term evolution paths, and environmental adaptation patterns to construct a long-term situational evolution model set. Mutated behavior characteristics refer to the differences between the threat and the baseline form, such as the change from encrypted tunnel transmission to covert channel transmission. Long-term evolution paths refer to the trajectory of the threat from its first mutation to multiple iterations, such as the process of expanding from single vulnerability exploitation to multi-vulnerability combination exploitation. Environmental adaptation patterns refer to the adjustment strategies of the threat for different network environments, such as reducing the attack frequency in heavily protected environments to avoid detection.

[0049] Finally, by integrating the completed short-term situation evolution model group with the long-term situation evolution model group, a historical security situation evolution model library covering different time dimensions and different threat types can be formed.

[0050] Taking the threat of novel encrypted tunnel attacks as an example, the short-term model group records the collaborative patterns of the baseline threat and the target-related threat. Within 5 minutes of the baseline threat establishing a tunnel, the target-related threat initiates a password brute-force attack. The time taken for each node in the attack chain is also recorded: the baseline threat's tunnel establishment takes an average of 8 minutes, while the target-related threat's brute-force attack takes 12 minutes, along with a short-term trend of a 20% monthly increase in attack frequency over the past two months. The long-term model group records the threat's mutation characteristics, including changing the encrypted tunnel to segmented transmission, the long-term evolution path (expanding from solely exploiting web vulnerabilities to simultaneously exploiting system vulnerabilities), and environmental adaptation patterns, with the attack frequency in financial networks decreasing to once every 24 hours. Integrating this content forms a model library containing the short-term collaborative patterns and long-term mutation patterns of this threat.

[0051] Extracting the collaborative behavior patterns, attack chain node characteristics, and short-term evolution trends of the baseline threat prototype and the target-related threat profile, and constructing a short-term situation evolution model set; extracting the variant behavior characteristics, long-term evolution paths, and environmental adaptation rules of the variant-related threat profile, and constructing a long-term situation evolution model set, specifically including the following steps: Extract the coordinated attack sequence, operational coordination mode, technical parameters of key nodes in the attack chain, and short-term evolution direction and rate from the baseline threat prototype and the target-related threat profile, and construct a short-term situation evolution model group. Extract behavioral variation points, technological iteration characteristics, long-term evolution path planning, and adaptation and adjustment patterns to network environment and defense strategies from the variant-related threat profile at different stages, and construct a long-term situational evolution model set.

[0052] First, based on the baseline threat prototype and the profile of the target-related threats, a short-term situational evolution model group is constructed by extracting the coordinated attack sequence, operational coordination mode, technical parameters of key nodes in the attack chain, and short-term evolution direction and rate. The coordinated attack sequence refers to the temporal connection between the two attack behaviors, such as the interval between the baseline threat completing a certain attack node and the target-related threat initiating a corresponding operation. The operational coordination mode refers to the functional division of labor between the two in the attack process, such as the baseline threat being responsible for breaching perimeter defenses and the target-related threat being responsible for internal asset reconnaissance. The technical parameters of key nodes in the attack chain refer to the quantitative indicators of the behavior of each node, such as the average number of attempts by the baseline threat at the exploit node and the success rate of the target-related threat at the privilege escalation node. The short-term evolution direction and rate refer to the characteristic changes of the threat within 1-3 months, such as the update frequency of attack tools and the expansion speed of the attack target range. Integrating these features forms a model group reflecting the short-term coordinated attack patterns.

[0053] Next, based on the threat profile associated with mutations, behavioral mutation points, technological iteration characteristics, long-term evolution path planning, and adaptation adjustment patterns to network environment defense strategies at different stages are extracted to construct a long-term situational evolution model set. Behavioral mutation points at different stages refer to the differences between the threat and its original form during the iteration process, such as the shift from single-channel transmission to multi-channel switching; technological iteration characteristics refer to the upgrading methods of threat techniques, such as the shift from exploiting a single vulnerability to combining multiple vulnerabilities; long-term evolution path planning refers to the overall trajectory of the threat from initial mutation to subsequent iterations, such as the shift from targeting only a certain type of system to covering multiple system types; and adaptation adjustment patterns to network environment defense strategies refer to the behavioral adjustments of the threat according to different protection levels, such as reducing attack frequency and shortening attack duration in high-protection environments. Integrating these characteristics forms a model set reflecting the long-term mutation and adaptation patterns of threats.

[0054] Taking a novel encrypted tunnel attack as an example, when constructing the short-term model group, its coordinated attack sequence is extracted: 6 minutes after the baseline threat establishes the encrypted tunnel, the target-related threat initiates data theft; operational coordination mode: the baseline threat is responsible for tunnel maintenance, and the target-related threat is responsible for batch data export; key technical parameters of the attack chain nodes: the baseline threat's tunnel establishment success rate is 90%, and the target-related threat's data theft rate is 10MB per second; short-term evolution direction and rate: the attack frequency has increased by 15% per month in the past two months. When constructing the long-term model group, its behavioral variation points are extracted: from fixed encryption keys to dynamic keys; technical iteration characteristics: from only exploiting web vulnerabilities to simultaneously exploiting system vulnerabilities; long-term evolution path planning: from attacks on enterprise office networks to attacks on business servers; environmental adaptation rules: the attack duration in financial networks has shortened from 30 minutes to 10 minutes. These characteristics correspond to the content of the short-term and long-term model groups, fully covering the coordination and variation rules of threats.

[0055] Acquire the current network attack and defense interaction data stream, identify the current baseline threat and its potentially co-existing immediately related threats, and extract the real-time behavioral characteristics of the current baseline threat and the immediately related threats to form a situation feature set. The specific steps include: the system acquires current network attack traffic, defense alerts, asset status, and threat interaction data to form the current attack and defense interaction data stream; identifies immediately related threats that have the potential for behavioral collaboration or resource dependence with the current baseline threat; and extracts the real-time attack methods, propagation speed, scope of impact, technical characteristics, and defense response status of the current baseline threat and the immediately related threats to form the situation feature set.

[0056] First, acquire multi-dimensional data about the network, including attack traffic data, defense alarm information, asset operation status data, and threat-system interaction data. Integrate these data to form the current attack and defense interaction data stream, which is the basic material for subsequent analysis.

[0057] Based on the current attack and defense interaction data flow, the current baseline threat is identified, and then further filtered to identify immediately related threats that have the potential for behavioral coordination or resource dependence with the current baseline threat. The potential for behavioral coordination refers to the possibility that the two threats may have a trend of coordinated attack sequences or operational steps, such as when the current baseline threat is exploiting a vulnerability, another threat shows signs of initiating lateral movement. The potential for resource dependence refers to the possibility that the two threats may share attack tools, vulnerabilities, or control servers, such as when the current baseline threat is using a certain malicious tool, another threat also exhibits characteristics of that tool.

[0058] Next, real-time behavioral characteristics of the current baseline threat and related threats are extracted. These include real-time attack methods (currently used attack methods, such as encrypted tunneling); propagation speed (the rate at which the threat spreads within the network, such as infecting two devices per minute); scope of impact (the number or type of assets affected, such as covering three database servers); technical characteristics (the threat's code signature and communication protocol, such as using AES encrypted communication); and defense response status (the current interception and alert status of the defense system against the threat, such as the firewall blocking five attack requests). Integrating these characteristics forms a situational awareness feature set.

[0059] Taking a novel encrypted tunnel attack as an example, the initial data collected from the current attack and defense interactions includes: detected abnormal encrypted traffic, firewall alarms for tunnel connections, abnormal CPU usage on the database server, and communication records between the threat and external IPs. Based on this data, the current baseline threat is identified as a novel encrypted tunnel attack. Simultaneously, another threat is discovered attempting to exploit the same vulnerability, exhibiting resource dependency potential, and is thus identified as an immediately related threat. Subsequently, real-time characteristics are extracted. The current baseline threat's attack method is segmented encrypted tunnel transmission, with a propagation speed of infecting one device per minute and affecting two application servers. Its technical characteristics include the use of dynamic port communication, and the defense response status shows that the intrusion detection system has issued three alarms. The immediately related threat's attack method is brute-force exploitation of the vulnerability, with a propagation speed of infecting one device per minute and affecting one database server. Its technical characteristics include the use of a specific dictionary file, and the defense response status shows that the password protection system has blocked two attempts. These characteristics are integrated to form a situational feature set.

[0060] The perception and dynamic defense control of the network security situation are obtained by pattern matching between the situation feature set and the historical security situation evolution model library, which specifically includes the following steps: calculate the similarity between the situation feature set and each evolution model in the historical security situation evolution model library, and select the evolution model with the highest similarity as the adapted evolution model; based on the adapted evolution model, predict the subsequent evolution path, impact range expansion trend and mutation direction of the current security threat; and, combined with the current network defense resource configuration and security status, generate situational awareness results and a dynamic defense control scheme. The dynamic defense control scheme includes instructions for dynamically adjusting defense rules, optimization schemes for threat interception strategies, and suggestions for strengthening asset protection, thereby forming the perception of the network security situation and its dynamic defense control.

[0061] First, the similarity between the situation feature set and each evolution model in the historical security situation evolution model library is calculated. The pattern similarity is a weighted cosine similarity: Pattern similarity = (Sum over features of the product of each feature value in the situation feature set and the corresponding feature value in the historical model) / (Norm of the situation feature vector × Norm of the historical model feature vector), where each feature is weighted according to its importance; for example, the weight of the attack method is set to 0.3 and the weight of the technical characteristics to 0.2. After computing the similarity between the current feature set and every model in the library, the model with the highest similarity is selected as the adapted evolution model.

[0062] Next, based on the adapted evolution model, the subsequent evolution path of the current security threat is predicted, i.e., the attack steps the threat may perform next; the trend of its scope of impact, i.e., the additional types or numbers of assets the threat may affect; and its possible direction of mutation, i.e., the subsequent behavioral or technical changes the threat may undergo. At the same time, combined with the current network defense resource configuration (such as the number of firewall rules and the computing power of the intrusion detection system) and the current security status (such as the proportion of assets already affected), situational awareness results are generated that state the current danger level and the stage the threat has reached, and a dynamic defense and control plan is generated alongside them.

[0063] Finally, the dynamic defense control scheme comprises three categories: first, instructions for dynamically adjusting defense rules, such as updating firewall port blocking rules; second, threat interception strategy optimization schemes, such as adjusting the signature database of the intrusion detection system to cover possible threat mutations; and third, recommendations for strengthening the protection of key assets, such as adding access control policies to core databases. These elements together constitute a complete control scheme, enabling the perception and dynamic defense of the network security situation.

[0064] Taking a novel encrypted tunnel attack as an example, the situation feature set includes the attack method being segmented encrypted tunnels and a propagation speed of one device per minute. The pattern similarity between this feature set and each model in the historical model library is calculated. If a model's features are an encrypted tunnel attack method and a propagation speed of two devices per minute, and its weighted cosine similarity is 0.85 (the highest value), then this model is the adapted evolution model. Based on this model, the predicted evolution path is to complete data theft and then erase traces, with the impact extending to two storage servers; a possible mutation direction is the adoption of more covert communication protocols. Considering the current state of defense resources (firewall rules not covering segmented tunnels, and core asset protection at a medium level), the resulting situational awareness is high risk, in the data theft phase. The dynamic defense and control scheme includes adjusting firewall rules to intercept segmented encrypted traffic, upgrading the intrusion detection system's signature library to monitor new communication protocols, and adding a real-time data backup strategy for the storage servers, thereby achieving situational awareness and defense control.
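The pattern matching of [0061]-[0064] as an added Python example (not the patent's own code): the situation feature set and each library model are encoded as weighted feature vectors, scored with the weighted cosine similarity, and the best-scoring model is selected as the adapted evolution model. The encoding (tag sets for categorical features, scaled numbers for quantitative ones), the weights other than the two given in [0061] (0.3 and 0.2), the scales, and the model library entries are assumptions; the sample values follow [0059] and [0064].

```python
from __future__ import annotations

import math

# Importance weights per feature. 0.3 and 0.2 come from [0061]; the others are assumed.
WEIGHTS = {
    "attack_method": 0.3,
    "technical_characteristics": 0.2,
    "propagation_speed": 0.2,
    "impact_scope": 0.15,
    "defense_response": 0.15,
}

# Reference scales (assumed) so that no raw count dominates the dot product.
SCALES = {"propagation_speed": 5.0, "impact_scope": 10.0, "defense_response": 10.0}


def encode(features: dict) -> dict[str, float]:
    """Flatten a feature set into a sparse vector.

    Tag sets (categorical features) become one entry per tag, scaled so the whole
    set contributes exactly its weight; numbers are divided by their reference
    scale. Every entry is pre-multiplied by sqrt(weight), so a plain cosine on the
    encoded vectors equals the weighted cosine of [0061]."""
    vec: dict[str, float] = {}
    for name, value in features.items():
        w = math.sqrt(WEIGHTS[name])
        if isinstance(value, (set, frozenset)):
            for tag in value:
                vec[f"{name}:{tag}"] = w / math.sqrt(len(value))
        else:
            vec[name] = w * float(value) / SCALES[name]
    return vec


def pattern_similarity(a: dict, b: dict) -> float:
    """Weighted cosine similarity: sum of products / (norm(a) x norm(b))."""
    va, vb = encode(a), encode(b)
    dot = sum(va[k] * vb[k] for k in va.keys() & vb.keys())
    na = math.sqrt(sum(v * v for v in va.values()))
    nb = math.sqrt(sum(v * v for v in vb.values()))
    if na == 0.0 or nb == 0.0:
        return 0.0  # an empty feature set matches nothing
    return dot / (na * nb)


def select_adapted_model(situation: dict, library: dict[str, dict]) -> tuple[str, float]:
    """Score every model in the library and return (name, similarity) of the best."""
    scored = {name: pattern_similarity(situation, model) for name, model in library.items()}
    best = max(scored, key=scored.get)
    return best, scored[best]


# Constructed situation feature set following [0059] and [0064].
SITUATION = {
    "attack_method": {"encrypted", "tunnel", "segmented"},
    "technical_characteristics": {"dynamic-port"},
    "propagation_speed": 1,   # devices infected per minute
    "impact_scope": 2,        # application servers affected
    "defense_response": 3,    # intrusion detection alarms raised
}

# Constructed model library: the encrypted tunnel model of [0064] plus two others.
MODEL_LIBRARY = {
    "encrypted tunnel attack": {
        "attack_method": {"encrypted", "tunnel"},
        "technical_characteristics": {"dynamic-port"},
        "propagation_speed": 2,
        "impact_scope": 2,
        "defense_response": 3,
    },
    "password brute force": {
        "attack_method": {"brute-force", "credential"},
        "technical_characteristics": {"dictionary-file"},
        "propagation_speed": 1,
        "impact_scope": 1,
        "defense_response": 2,
    },
    "web shell upload": {
        "attack_method": {"web", "upload"},
        "technical_characteristics": {"http"},
        "propagation_speed": 0,
        "impact_scope": 1,
        "defense_response": 1,
    },
}

if __name__ == "__main__":
    name, score = select_adapted_model(SITUATION, MODEL_LIBRARY)
    print(f"adapted evolution model: {name} (similarity {score:.3f})")
```

The segmented tunnel shares two of three attack method tags and the technical characteristic with the tunnel model, so it scores far above the other two; the exact 0.85 of [0064] depends on the real encoding and weights, which the text does not give.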

[0065] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A method for intelligent perception of network security situation, characterized in that the method includes the following steps: historical attack and defense interaction data across time periods is obtained from the network; threat behavior profiles are constructed from the historical attack and defense interaction data to obtain a historical threat profile dataset; based on the key threat features of the historical threat profile dataset, a baseline threat prototype is determined; the set of related threat profiles in the historical threat profile dataset that have behavioral synergy or resource dependency with the baseline threat prototype is identified; attack chain integrity analysis and threat evolution cycle calculation are performed on the key threat features and auxiliary threat features of the historical threat profile dataset to obtain historical threat co-evolution data; based on the historical threat co-evolution data, target related threat profiles with high evolutionary correlation are screened from the related threat profile set; based on a preset threat mutation threshold, mutation-related threat profiles with mutation characteristics are extracted from the historical network attack and defense data; the behavioral patterns and evolutionary laws of the baseline threat prototype, the target-related threat profiles, and the variant-related threat profiles are integrated to establish a historical security situation evolution model library; and the current attack and defense interaction data stream of the network is acquired, the current baseline threat and its potentially co-existing immediately related threats are identified, the real-time behavioral characteristics of the current baseline threat and the immediately related threats are extracted to form a situation feature set, and the perception and dynamic defense control of the network security situation are obtained by pattern matching between the situation feature set and the historical security situation evolution model library.

2. The intelligent network security situation awareness method according to claim 1, characterized in that acquiring historical attack and defense interaction data across different time periods, constructing a historical threat profile dataset by profiling the historical attack and defense interaction data, and determining a baseline threat prototype based on the key threat features of the historical threat profile dataset includes the following steps: network attack traffic data, defense response logs, threat source information, and attacked asset data from different time periods are collected to form cross-time historical attack and defense interaction data; the historical attack and defense interaction data is processed by behavioral feature extraction algorithms to extract information on threat behavior, attack methods, attack frequency, target preferences, technical characteristics, and harmful consequences, and to construct the historical threat profile dataset; and threat profile records that meet the key threat characteristics are selected from the historical threat profile dataset and identified as the baseline threat prototypes.

3. The intelligent network security situation awareness method according to claim 2, characterized in that identifying related threat profiles in the historical threat profile dataset that exhibit behavioral synergy or resource dependency with the baseline threat prototype includes the following steps: the threat profiles in the historical threat profile dataset that have a cooperative relationship with the baseline threat prototype in terms of attack timing and operation steps are identified to form a behaviorally coordinated threat set; using a resource dependency analysis model, the threat profiles in the historical threat profile dataset that have dependency relationships with the baseline threat prototype in terms of attack tools, vulnerability exploits, and control servers are identified to form a resource-dependent threat set; and the behaviorally coordinated threat set and the resource-dependent threat set are combined to form the related threat profile set.

4. The intelligent network security situation awareness method according to claim 3, characterized in that performing attack chain integrity analysis and threat evolution cycle calculation on the key threat features and auxiliary threat features of the historical threat profile dataset to obtain historical threat co-evolution data includes the following steps: the attack chain of the threat behaviors corresponding to the key threat features is disassembled, and the integrity and connection of each node in the attack chain are judged to obtain the key attack chain integrity coefficient; the attack chain of the threat behaviors corresponding to the auxiliary threat features is disassembled, and the integrity and connection of each node are judged to obtain the auxiliary attack chain integrity coefficient; the evolution cycle of the threat behaviors corresponding to the key and auxiliary threat features, from their emergence to their disappearance or mutation, the duration of each stage, and the evolution rate are calculated to form an evolution cycle parameter set; and the key attack chain integrity coefficient, the auxiliary attack chain integrity coefficient, and the evolution cycle parameter set are fused to obtain the historical threat co-evolution data.

5. The intelligent network security situation awareness method according to claim 4, characterized in that selecting, based on the historical threat co-evolution data, the target related threat profiles with high evolutionary correlation from the related threat profile set specifically comprises the following steps: evolutionary correlation evaluation indicators are predefined, comprising an attack chain fit threshold, an evolution cycle synchronization rate threshold, and a behavioral synergy coefficient threshold; from the related threat profile set, the related threat profiles whose attack chain fit, evolution cycle synchronization rate, and behavioral synergy coefficient, as taken from the historical threat co-evolution data, are respectively higher than the attack chain fit threshold, the evolution cycle synchronization rate threshold, and the behavioral synergy coefficient threshold are selected and marked as target related threat profiles.
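The attack chain integrity coefficient and evolution cycle parameters of claim 4 and the three-threshold selection of claim 5, as an added illustrative example in Python that is not part of the patent. The fit and synchronization measures, the field names and the sample profiles are assumptions made for illustration, not definitions from the patent.

```python
from dataclasses import dataclass

@dataclass
class ThreatProfile:
    name: str
    chain: list           # disassembled attack chain: (node_observed, linked_to_next)
    emerged: int          # day index on which the behaviour first appeared
    ended: int            # day index on which it disappeared or mutated
    stage_days: list      # duration of each evolution stage, in days
    coordination: float   # behavioural synergy coefficient with the prototype, 0..1

def chain_integrity(chain):
    """Integrity coefficient: share of nodes that are observed and connected onward."""
    if not chain:
        return 0.0
    ok = sum(1 for i, (seen, linked) in enumerate(chain)
             if seen and (linked or i == len(chain) - 1))  # last node needs no link
    return ok / len(chain)

def evolution_cycle(p):
    """Cycle length, per-stage durations and evolution rate (stages per day)."""
    cycle = p.ended - p.emerged
    return {"cycle": cycle, "stages": list(p.stage_days),
            "rate": len(p.stage_days) / cycle if cycle else 0.0}

def attack_chain_fit(a, b):
    """Assumed fit measure: 1 minus the gap between the two integrity coefficients."""
    return 1.0 - abs(chain_integrity(a.chain) - chain_integrity(b.chain))

def cycle_sync_rate(a, b):
    """Assumed synchronisation measure: shorter cycle divided by longer cycle."""
    ca, cb = evolution_cycle(a)["cycle"], evolution_cycle(b)["cycle"]
    return min(ca, cb) / max(ca, cb) if max(ca, cb) else 0.0

def select_targets(proto, candidates, fit_t=0.7, sync_t=0.8, coord_t=0.6):
    """Keep only candidates above all three thresholds (the claim-5 selection rule)."""
    return [c.name for c in candidates
            if attack_chain_fit(proto, c) > fit_t
            and cycle_sync_rate(proto, c) > sync_t
            and c.coordination > coord_t]

# Constructed sample profiles; values are illustrative, not data from the patent.
FULL = [(True, True)] * 4   # four-node chain, every node observed and connected
PROTO = ThreatProfile("prototype", FULL, 0, 30, [5, 10, 15], 1.0)
CANDIDATES = [
    ThreatProfile("variant-a", [(True, True), (True, True), (True, False), (True, True)],
                  2, 29, [6, 9, 12], 0.8),    # one broken link, cycle nearly in step
    ThreatProfile("unrelated-b", [(True, False), (False, False), (True, True), (True, True)],
                  1, 28, [9, 9, 9], 0.9),     # half the chain missing: low fit
    ThreatProfile("fast-c", FULL, 0, 10, [3, 3, 4], 0.9),  # full chain, cycle out of sync
]
```

`select_targets(PROTO, CANDIDATES)` keeps only `variant-a`: the other two fail the fit or synchronization threshold even though their synergy coefficients are high.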

6. The intelligent network security situation awareness method according to claim 5, characterized in that establishing a historical security situation evolution model library by integrating the behavioral patterns and evolutionary laws of the baseline threat prototype, the target related threat profiles, and the variant-related threat profiles specifically comprises the following steps: the collaborative behavior patterns, attack chain node characteristics, and short-term evolution trends of the baseline threat prototype and the target related threat profiles are extracted, and a short-term situation evolution model set is constructed; the variant behavior characteristics, long-term evolution paths, and environmental adaptation patterns of the variant-related threat profiles are extracted, and a long-term situation evolution model set is constructed; the historical security situation evolution model library is generated by combining the short-term situation evolution model set and the long-term situation evolution model set.

7. The intelligent network security situation awareness method according to claim 6, characterized in that extracting the collaborative behavior patterns, attack chain node characteristics, and short-term evolution trends of the baseline threat prototype and the target related threat profiles and constructing the short-term situation evolution model set, and extracting the variant behavior characteristics, long-term evolution paths, and environmental adaptation patterns of the variant-related threat profiles and constructing the long-term situation evolution model set, specifically comprise the following steps: the coordinated attack sequence, operational coordination mode, technical parameters of the key nodes in the attack chain, and short-term evolution direction and rate are extracted from the baseline threat prototype and the target related threat profiles, and the short-term situation evolution model set is constructed; the behavioral variation points, technological iteration characteristics, long-term evolution path planning, and patterns of adaptation and adjustment to the network environment and defense strategies are extracted from the variant-related threat profiles at their different stages, and the long-term situation evolution model set is constructed.

8. The intelligent network security situation awareness method according to claim 7, characterized in that acquiring the current network attack and defense interaction data stream, identifying the current baseline threat and the real-time related threats that potentially coexist with it, and extracting the real-time behavioral characteristics of the current baseline threat and the real-time related threats to form a situation feature set specifically comprise the following steps: the current network attack traffic, defense alerts, asset status, and threat interaction data are acquired to form the current attack and defense interaction data stream; the real-time related threats that have the potential for behavioral collaboration or resource dependence with the current baseline threat are identified; the real-time attack methods, propagation speed, scope of impact, technical characteristics, and defense response status of the current baseline threat and the real-time related threats are extracted to form the situation feature set.

9. The intelligent network security situation awareness method according to claim 7, characterized in that obtaining the network security situation perception and dynamic defense control by pattern matching between the situation feature set and the historical security situation evolution model library specifically comprises the following steps: the similarity between the situation feature set and each evolution model in the historical security situation evolution model library is calculated, and the evolution model with the highest similarity is selected as the adapted evolution model; based on the adapted evolution model, the subsequent evolution path, impact range expansion trend, and mutation direction of the current security threat are predicted; combined with the current network defense resource configuration and security status, the situation awareness result and the dynamic defense control scheme are generated, the dynamic defense control scheme comprising instructions for dynamically adjusting defense rules, optimization schemes for threat interception strategies, and suggestions for strengthening asset protection, thereby forming the network security situation perception and dynamic defense control.