A communication investigation method

By assessing the completeness of a security incident, establishing an interaction collection standard, and constructing an evidence chain with a large language model, the method addresses the shortcomings of existing forensic investigations. It structures user statements and integrates them with system data, improving the comprehensiveness and accuracy of investigations.

CN122247655A · Pending · Publication date: 2026-06-19 · CHINA ELECTRONICS CLOUD DIGITAL INTELLIGENCE TECH CO LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Applications (China)
Current Assignee / Owner: CHINA ELECTRONICS CLOUD DIGITAL INTELLIGENCE TECH CO LTD
Filing Date: 2026-02-24
Publication Date: 2026-06-19

AI Technical Summary

Technical Problem

Existing technologies have significant shortcomings in forensic investigation and response where people are involved: telephone or instant messaging is used only for alarm notification or simple verification, and there is no effective method for investigating and responding with the personnel concerned.

Method used

The application provides a communication investigation method. It performs a completeness assessment of a security incident to determine the set of investigation objectives and response actions; determines an interaction collection standard from that set and a preset disclosure strategy; collects the target user's interaction content according to that standard; uses a large language model to extract entity keywords and semantic relationships from the answers; and constructs an entity relationship graph with temporal logic to form a complete evidence chain.

Benefits of technology

It enables the transformation of users' unstructured verbal information into structured evidence and integrates it with system log data to form a complete chain of evidence, significantly improving the comprehensiveness, accuracy, and efficiency of security incident investigations.

Generated by Eureka AI based on patent content.


Abstract

This application discloses a communication investigation method in the field of information security technology. The method includes: in response to a received security event, performing a completeness assessment of the security event to determine the external configuration execution content, that is, the set of investigation objectives and response actions; determining the interaction collection standard based on that content and a preset disclosure strategy; collecting the interaction content with the target user based on the interaction collection standard to determine the evidence chain; and generating the communication investigation results based on the external configuration execution content and the evidence chain. By combining security event data and communication content to construct the evidence chain, the investigation process is automated and made intelligent, effectively improving the comprehensiveness, accuracy, and efficiency of security event investigations.

Description

Technical Field

[0001] This application relates to the field of information security technology, and in particular to a communication investigation method.

Background Technology

[0002] In the field of enterprise security operations, Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) platforms can connect to multi-source security logs to achieve rule- or model-driven alarm aggregation, preliminary classification and automated handling orchestration. Large language models are also often used for log-based analysis to improve operational intelligence.

[0003] In existing related technologies, telephone or instant messaging is used to contact relevant personnel mainly for alarm notification or simple verification, and there are significant deficiencies in evidence-gathering investigation of, and response with, the relevant personnel.

Summary of the Invention

[0004] This application provides a communication investigation method to at least address the significant shortcomings in the forensic investigation and response methods involving relevant personnel in related technologies.

[0005] Firstly, this application provides a communication investigation method, comprising: in response to a received security incident, performing a completeness assessment of the security incident to determine the set of investigation objectives and response actions; determining the interaction collection standard based on that set and a preset disclosure strategy; collecting the interaction content with the target user based on the interaction collection standard to determine the evidence chain, where the target user is the user related to the security incident who needs to be investigated; and generating the communication investigation results based on the set of investigation objectives and response actions and the evidence chain.

[0006] In one possible implementation, determining the interaction collection standard based on the set of investigation objectives and response actions and a preset disclosure strategy includes: determining the minimum question sequence based on the set of investigation objectives and response actions; generating a frozen context based on the preset disclosure strategy, the frozen context limiting the scope of information that may be disclosed to respondents during the investigation; and determining the interaction collection standard based on the minimum question sequence and the frozen context.

[0007] In one possible implementation, the method further includes: when the target user is identified during the multi-turn dialogue as committing to a time-delayed action, determining the action and its estimated completion time; upon reaching the estimated completion time, initiating a review and confirmation process with the target user to obtain the review result, which confirms whether the action was executed; updating the evidence chain with the review result; and, if the review result indicates that the action was not executed, escalating the security incident to manual follow-up.

[0008] Secondly, this application also provides a computer-readable storage medium storing at least one piece of program code, which is loaded and executed by a processor to implement the operations performed by the communication investigation method.

[0009] Thirdly, this application also provides a computer program product, including a computer program that, when executed by a processor, implements the steps of any of the above-described communication investigation methods.

[0010] Compared with the prior art, the technical solution provided by the embodiments of the present invention has the following advantages. In response to a received security event, the method performs a completeness assessment to determine the set of investigation objectives and response actions, and determines the interaction collection standard from that set and the preset disclosure strategy. It then collects the call content of the target user according to the standard, extracts entity keywords and semantic relationships by parsing the answers, and constructs an entity relationship graph with temporal logic from the associated timestamps to obtain evidence items. The evidence items are associated with the security event data to form an evidence chain, from which the communication investigation results are generated. This transforms the user's unstructured verbal information into structured evidence and integrates it with system log data to form a complete evidence chain, which solves the problem of insufficient evidence collection from the personnel involved in the prior art. By recovering the user intent and behavioral details missing from the logs, it significantly improves the comprehensiveness, accuracy and handling efficiency of security event investigation.

Description of the Drawings

[0011] The accompanying drawings, which are incorporated in and form a part of this specification, illustrate embodiments consistent with this disclosure and, together with the description, serve to explain the principles of this disclosure.

[0012] To more clearly illustrate the technical solutions in the embodiments of this disclosure or the prior art, the accompanying drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, those skilled in the art can obtain other drawings based on these drawings without creative effort.

[0013] Figure 1 is a flowchart of a communication investigation method provided in an embodiment of this application;
Figure 2 is a flowchart of a communication investigation method provided in an embodiment of this application;
Figure 3 is a flowchart of a communication investigation method provided in an embodiment of this application;
Figure 4 is a flowchart of a communication investigation method provided in an embodiment of this application;
Figure 5 is a flowchart of a communication investigation method provided in an embodiment of this application;
Figure 6 is a flowchart of a communication investigation method provided in an embodiment of this application;
Figure 7 is a flowchart of a communication investigation method provided in an embodiment of this application;
Figure 8 is a schematic diagram of the structure of an electronic device provided in an embodiment of this application;
Figure 9 is a flowchart of a communication investigation method provided in an embodiment of this application.

Detailed Description

[0014] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the protection scope of this application.

[0015] It should be noted that, in the description of this application, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. The terms "first," "second," etc., in this application are used to distinguish similar objects and are not used to describe a specific order or sequence.

[0016] In order to illustrate the technical solutions provided in the embodiments of this application, some terms and vocabulary involved in the embodiments of this application will be introduced below.

[0017] SIEM: Security Information and Event Management.

[0018] SOAR: Security Orchestration, Automation and Response.

[0019] DSP: Digital Signal Processing.

[0020] FPGA: Field-Programmable Gate Array.

[0021] PLA: Programmable Logic Array. CPU: Central Processing Unit.

[0022] GPU: Graphics Processing Unit.

[0023] AI: Artificial Intelligence.

[0024] The application scenarios of the technical solution provided by the embodiments of the present application are introduced below.

[0025] Application scenario 1: Automated investigation and response to enterprise phishing email incidents: In the enterprise security operation scenario, the SIEM platform detected that a highly malicious phishing email was received by an employee's mailbox, triggering a security alert. However, the existing logs only record the receiving status of the email, lacking key information such as whether the employee clicked on the link in the email, whether the attachment was downloaded, or whether the account password was entered, resulting in the inability to determine the risk level.

[0026] Applying the method provided by the embodiments of the present application, a completeness assessment of the security event is first performed, identifying an information gap regarding "user operation behavior". A "frozen context" is then generated according to the disclosure policy (for example, when asking, only mention that an abnormal email was detected, without revealing details of the malicious payload analysis, to prevent information leakage). The interaction collection standard is determined and a minimum question sequence is generated (for example: "Did you click on the link in the email?").

[0027] The system automatically contacts the target employee via phone or enterprise instant messaging to conduct multiple rounds of forensic dialogue. The employee answers, "I clicked the link and entered my password." This answer is extracted through voice recognition or text parsing and structured into evidence items such as "user confirmed click behavior" and "user confirmed credential leakage," which are then linked with the original alert to form a complete chain of evidence. Based on this, a communication investigation result is generated, triggering a forced account shutdown and password reset process.

[0028] Application Scenario 2: Source tracing and investigation of malware on internal network hosts: In an office network environment, the EDR (Endpoint Detection and Response) system detected remote control Trojan activity on a host. Although the system obtained the Trojan's hash value and process information, it could not determine how the Trojan entered the internal network (e.g., whether it was brought in via USB drive, downloaded from an illegal website, or through a supply chain attack), which is crucial for preventing subsequent attacks.

[0029] Applying the method provided in the embodiments of this application, upon receiving a security incident, based on historical investigation experience (RAG retrieval), key information that needs to be investigated with the host user is determined. Interactive data collection criteria containing targeted questions are generated (e.g., "Have you downloaded any unfamiliar software in the last three days? What was the source?").

[0030] The system establishes dialogues with target users via enterprise instant messaging. During the dialogue, user responses are evaluated in real time. If a user mentions "downloading a cracked tool from an unofficial forum," entity keywords ("forum," "cracking tool") are immediately extracted, and a temporally ordered entity relationship graph is constructed as the evidence chain. This evidence chain then guides the security team in blocking the relevant websites and conducting a comprehensive investigation of similar threats across the entire network.

[0031] Application Scenario 3: Closed-loop review of actions with time delays: During the handling of a security incident, multiple rounds of dialogue were used to identify the target user's commitment to perform a time-delayed action. For example, the user said, "I need to go to the meeting room for a meeting and will come back in about 10 minutes to manually disconnect the office network cable."

[0032] Applying the method provided in this application's embodiments, the commitment is identified, and the action is determined to be "disconnecting the office network," with an estimated completion time of "current time + 10 minutes." The investigation is not immediately terminated; instead, a scheduled task is initiated. When the estimated completion time is reached, a verification inquiry is sent to the user through the original communication channel: "Have you disconnected the network cable yet?" If the user replies "disconnected," the verification result is added to the evidence chain, confirming successful handling. If the user replies "not yet" or "cannot find the disconnect button," indicating a failed action, the security incident is immediately escalated to manual follow-up and a work order is created to notify a senior security analyst to intervene, ensuring that security risks are controlled in a timely manner.
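The closed-loop review of scenario 3, carried through in code as an added example (not part of the patent text): the phrase patterns, the reply classifier, the escalation ticket fields and the simulated clock are constructed for illustration, and a production system would use a large model for both detections. An unclear reply is re-asked after a constructed grace period rather than being treated as either outcome.

```python
"""Added example (not the patent's code): detect a commitment to a time-delayed
action, review it when the estimated completion time is reached, update the
evidence chain with the result and escalate when the action was not executed.

Assumptions: DURATION_RE, ACTION_RE, the reply classifier, the ticket fields
and DEMO_START are constructed for this example."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DURATION_RE = re.compile(r"\b(\d+)\s*(minute|min|hour|hr)s?\b", re.I)
ACTION_RE = re.compile(
    r"\b(disconnect|unplug|shut\s*down|(?:change|reset) (?:my|the) password)\b", re.I)
# Negative phrasing is checked first so "have not disconnected" is not read as done.
NEGATIVE_RE = re.compile(r"\b(not yet|haven'?t|have not|can'?t|cannot|couldn'?t|unable)\b", re.I)
POSITIVE_RE = re.compile(r"\b(done|disconnected|unplugged|finished|completed|changed|reset|yes)\b", re.I)
REVIEW_RETRY = timedelta(minutes=5)          # constructed grace period for an unclear reply
DEMO_START = datetime(2026, 3, 1, 10, 0)     # constructed simulated clock


@dataclass
class Commitment:
    action: str
    promised_at: datetime
    due_at: datetime
    status: str = "pending"   # pending | executed | not_executed


@dataclass
class Investigation:
    event_id: str
    evidence_chain: list = field(default_factory=list)
    pending: list = field(default_factory=list)
    escalations: list = field(default_factory=list)


def minutes_after(start: datetime, n: int) -> datetime:
    return start + timedelta(minutes=n)


def detect_commitment(turn: str, now: datetime):
    """Return a Commitment if the turn promises an action after a stated delay."""
    d, a = DURATION_RE.search(turn), ACTION_RE.search(turn)
    if not (d and a):
        return None
    amount, unit = int(d.group(1)), d.group(2).lower()
    delay = timedelta(hours=amount) if unit.startswith("h") else timedelta(minutes=amount)
    action = re.sub(r"\s+", " ", a.group(1).lower())
    return Commitment(action=action, promised_at=now, due_at=now + delay)


def record_commitment(inv: Investigation, turn: str, now: datetime):
    """Keep the investigation open and note the promise itself as evidence."""
    c = detect_commitment(turn, now)
    if c:
        inv.pending.append(c)
        inv.evidence_chain.append({"kind": "user_committed_action", "action": c.action,
                                   "due_at": c.due_at.isoformat(), "recorded_at": now.isoformat()})
    return c


def due_reviews(inv: Investigation, now: datetime) -> list:
    """Commitments whose estimated completion time has been reached."""
    return [c for c in inv.pending if c.status == "pending" and now >= c.due_at]


def classify_review_reply(reply: str) -> str:
    if NEGATIVE_RE.search(reply):
        return "not_executed"
    if POSITIVE_RE.search(reply):
        return "executed"
    return "unclear"


def apply_review(inv: Investigation, c: Commitment, reply: str, now: datetime):
    """Update the chain with the review result; return an escalation ticket or None."""
    result = classify_review_reply(reply)
    inv.evidence_chain.append({"kind": "action_review", "action": c.action, "result": result,
                               "reply": reply, "recorded_at": now.isoformat()})
    if result == "unclear":
        c.due_at = now + REVIEW_RETRY   # ask again later rather than guess
        return None
    c.status = result
    if result == "not_executed":
        ticket = {"event_id": inv.event_id, "action": c.action, "reason": result,
                  "assigned_to": "senior_analyst_queue", "created_at": now.isoformat()}
        inv.escalations.append(ticket)
        return ticket
    return None


if __name__ == "__main__":
    inv = Investigation("EVT-0001")  # constructed event id
    record_commitment(inv, "I need to go to a meeting and will come back in about "
                           "10 minutes to manually disconnect the office network cable.", DEMO_START)
    for due in due_reviews(inv, minutes_after(DEMO_START, 10)):
        print(apply_review(inv, due, "Not yet, I cannot find the cable.", minutes_after(DEMO_START, 11)))
```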

[0033] After introducing the implementation environment and application scenarios of the embodiments of this application, the technical solutions provided by these embodiments are described below. Referring to Figure 1, the communication investigation method provided in this embodiment can be executed by a server or a cloud platform and specifically includes the following steps.

Step 101: In response to the received security incident, perform a completeness assessment of the security incident and determine the set of investigation objectives and response actions.

[0034] Specifically, security event summaries are received from SIEM (Security Information and Event Management), EDR (Endpoint Detection and Response), or email security gateways, such as "Account A received a phishing email" or "Host B detected a suspicious Trojan running." The received security events undergo an information completeness assessment. For example, regarding a suspicious Trojan alert on Host B, the hash value and process ID in the logs have been obtained, but the source information of the Trojan file is lacking (e.g., where the user downloaded it from, whether they clicked on an unfamiliar link). If the current information is insufficient for qualitative analysis or action, i.e., there is an information gap, an external investigation is required and a set of investigation objectives and response actions is generated. This set includes the specific matters to be investigated (e.g., "verify file source," "confirm click behavior") and the actions that require user cooperation (e.g., "disconnect from network").

[0035] Step 102: Determine the interaction collection standard based on the set of investigation objectives and response actions and the preset disclosure strategy.

[0036] Before contacting target users, a "script" for the investigation, namely the interaction collection standard, must be developed in order to ensure information security.

[0037] Specifically, this includes two parts. First, the minimum question sequence is determined: the necessary questions are generated from the set of investigation objectives and response actions and from historical investigation experience analyzed by a large model, for example "Did you download a file named xx.exe around 10 AM today?" or "What was the source of the download?". Mandatory information is asked for first so that the user is disturbed as little as possible. Second, a frozen context is generated: according to the preset disclosure policy, the original context of the security event is anonymized and trimmed. For example, the original context might include "A high-risk vulnerability exists on the company's intranet," whereas the external communication says only "Abnormal network activity was detected." The frozen context prevents the large model from disclosing untrimmed sensitive information during the conversation, whether actively or passively (e.g., through leading questions). The minimum question sequence and the frozen context are combined to form the collection standard for this call.

[0038] Step 103: Based on the interaction collection standard, collect the interaction content with the target user to determine the chain of evidence.

[0039] Based on the target user associated with the security incident (e.g., the holder of account A), multi-round dialogues are initiated via telephone or enterprise instant messaging (e.g., DingTalk, WeChat Work). During the dialogue, questions are asked based on a frozen context, and the user's answers (voice or text) are analyzed in real time. Entity keywords (e.g., "yesterday afternoon," "a certain forum," "compressed file") are extracted from the analyzed answers, and a temporal logical entity relationship graph is constructed through semantic relation extraction. Subsequently, the structured evidence items are associated with the security incident data to form an evidence chain. For example, evidence items include: "User confirmed click time: 14:00," and "File source: unknown forum link."
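The structuring described in step 103, written out as an added example (not code from the patent): it extracts entity keywords and attributed times from constructed answer text, orders the resulting evidence items in time, links them to a constructed alert record, and cross-checks the claimed click time against the alert's own timestamp. The regular expressions stand in for the large-model extraction the text describes, and the alert record, answers and evidence kinds are constructed.

```python
"""Added example (not code from the patent): build an evidence chain from the
parsed answers of a multi-round dialogue, in the spirit of step 103.

Assumptions: ALERT, ANSWERS, the entity patterns and the evidence kinds are
constructed; regular expressions stand in for LLM or NER extraction."""
import re
from dataclasses import dataclass, asdict

# Constructed alert record standing in for a SIEM/EDR event.
ALERT = {
    "event_id": "EVT-0001",              # constructed identifier
    "type": "phishing_email_received",
    "timestamp": "2026-03-01T13:52:00",  # when the email was received (constructed)
}

# Constructed answer parsing: (time the statement was recorded, cleaned text).
ANSWERS = [
    ("2026-03-01T15:05:00", "I clicked the link in the email around 14:00."),
    ("2026-03-01T15:06:00", "Then I entered my password on the page that opened."),
    ("2026-03-01T15:07:00", "The file came from a link on some forum, I think."),
]


@dataclass
class EvidenceItem:
    kind: str          # what the item attests, e.g. "user_confirmed_click"
    value: str         # extracted value, or "confirmed" for yes/no facts
    event_time: str    # time the user attributes to the action, or "unknown"
    recorded_at: str   # time the statement was recorded
    source: str        # "user_statement" (system-side items would say "system_log")
    linked_event: str  # alert the item is associated with


# "14:00" style or "3 PM" style clock times (all assumed to fall on the alert's day).
TIME_RE = re.compile(r"\b(\d{1,2}):(\d{2})\b|\b(\d{1,2})\s*(am|pm)\b", re.I)

# Entity keyword pattern -> evidence kind. A capturing group becomes the value.
PATTERNS = [
    ("user_confirmed_click", re.compile(r"\bclick(?:ed)?\b", re.I)),
    ("user_confirmed_credential_entry", re.compile(r"\b(?:password|credential)s?\b", re.I)),
    ("file_source", re.compile(r"\b(forum|website|usb|attachment)\b", re.I)),
]


def extract_time(text: str, day: str) -> str:
    """Return an ISO timestamp on `day` for the first clock time in `text`."""
    m = TIME_RE.search(text)
    if not m:
        return "unknown"
    if m.group(1):
        hour, minute = int(m.group(1)), int(m.group(2))
    else:
        hour, minute = int(m.group(3)) % 12, 0
        if m.group(4).lower() == "pm":
            hour += 12
    return f"{day}T{hour:02d}:{minute:02d}:00"


def extract_items(alert: dict, recorded_at: str, text: str) -> list:
    """Structure one answer into zero or more evidence items."""
    when = extract_time(text, alert["timestamp"][:10])
    items = []
    for kind, pattern in PATTERNS:
        m = pattern.search(text)
        if m:
            value = m.group(1).lower() if m.groups() else "confirmed"
            items.append(EvidenceItem(kind, value, when, recorded_at,
                                      "user_statement", alert["event_id"]))
    return items


def build_evidence_chain(alert: dict, answers: list) -> dict:
    """Extract items from all answers, order them in time and link them."""
    items = []
    for recorded_at, text in answers:
        items.extend(extract_items(alert, recorded_at, text))
    # Temporal ordering: the time the user attributes to the action where stated,
    # otherwise the time the statement was recorded (the sort is stable, so
    # statement order is kept among equal keys). All keys are ISO strings.
    items.sort(key=lambda i: i.event_time if i.event_time != "unknown" else i.recorded_at)
    edges = [(a.kind, b.kind) for a, b in zip(items, items[1:])]
    # Cross-check against system data: a click the user places before the email
    # was received contradicts the log and needs a follow-up question.
    clicks = [i for i in items if i.kind == "user_confirmed_click" and i.event_time != "unknown"]
    consistent = all(i.event_time >= alert["timestamp"] for i in clicks)
    return {"items": items, "edges": edges, "consistent_with_logs": consistent}


if __name__ == "__main__":
    chain = build_evidence_chain(ALERT, ANSWERS)
    for item in chain["items"]:
        print(asdict(item))
    print(chain["edges"], chain["consistent_with_logs"])
```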

[0040] Step 104: Generate communication investigation results based on the set of investigation objectives and actions and the chain of evidence.

[0041] Based on the previously configured execution content (investigation target) and the collected chain of evidence, generate the communication investigation results. For example: "Investigation confirms that the user accidentally downloaded malware, and it is recommended to isolate the host."

[0042] This embodiment receives multi-source security event data, uses a large model for completeness assessment to identify information gaps, and combines retrieval-augmented generation (RAG) and disclosure strategies to generate an interaction collection standard consisting of a minimum question sequence and a frozen context. It then collects user responses through multi-round dialogue, constructs an evidence chain using entity extraction and temporal relationship graphs, and finally generates investigation results from the configured objectives and the evidence chain. This achieves fully automated investigation from log analysis to personnel evidence collection, forming a closed-loop fusion of system-side data and user-side verbal evidence. The beneficial effects are that it compensates for the information blind spots of traditional log-based evidence collection, reduces interference to users through the minimum question strategy, and ensures compliant information disclosure through the frozen context, significantly improving the efficiency, comprehensiveness, and accuracy of security event investigations.

[0043] It should be noted that steps 101-104 above are a simplified description of the communication investigation method provided in the embodiments of this application.

[0044] The communication investigation method provided in this application is described in more detail below with some examples.

[0045] In some embodiments, step 101 is further refined: in response to a received security event, a completeness assessment of the security event is performed to determine the set of investigation objectives and response actions, as shown in the accompanying figure, specifically including the following steps.

Step 201: In response to the received security event, obtain the alarm context of the security event.

[0046] Natural language processing (NLP) techniques are used to perform in-depth analysis of raw security incident data, extracting key alarm context information. This context information includes, but is not limited to: the type of attack method (e.g., C2 remote control, phishing attacks, ransomware, etc.), affected system assets (e.g., Windows hosts, Linux servers, databases, etc.), alarm characteristic descriptions, and affected user accounts or device identifiers. This extracted key information serves as input parameters for subsequent retrieval of historical experience and analysis of information gaps, ensuring the accuracy of subsequent processing.

[0047] Step 202: Based on the alarm context, obtain the associated historical investigation cases.

[0048] The associated historical investigation cases are retrieved from the historical case database and matched with the security event using retrieval-augmented generation (RAG). The "event type" of the security event (e.g., "malware infection") is combined with the "alarm context" extracted in step 201 to form the search query. A semantic search is then performed in a vector database that pre-stores historically successfully handled cases, and vector similarity retrieval finds the associated historical investigation cases that are highly similar to the current security event in semantics and features. For example, if the current event is a C2 remote control incident, the system retrieves similar C2 event cases handled in the past.

[0049] Step 203: Determine the historical investigation elements based on the associated historical investigation cases.

[0050] A thorough analysis is conducted on the relevant historical investigation cases recalled in step 202 to extract and identify effective historical investigation elements. This includes identifying investigation points and evidence-gathering directions that have proven to be critical in similar incident investigations. For example, by analyzing historical C2 remote control cases, the system may identify a key pattern: in such incidents, "obtaining the download source of files on the host" is crucial for tracing the source and blocking attacks; therefore, "file download source" is identified as an important historical investigation element.

[0051] Step 204: Compare the historical investigation elements with the currently acquired security incident data to obtain the comparison results.

[0052] The historical investigation elements identified in step 203 (such as "file source," "user intent," and "whether a link was clicked") are compared one by one with the currently acquired security event log data (such as hash values, process IDs, and network connection logs recorded by SIEM / EDR). Check whether the current logs contain these key investigation elements. For example, the current logs may have recorded the Trojan's "hash value" and "process ID," but may completely lack information about "how the Trojan file entered the internal network" (i.e., lacking "file source" information). The comparison results show the gap between the current data and the requirements of historical experience.

[0053] Step 205: Based on the comparison results, determine that there is an information gap in the security incident.

[0054] The "information gap" in security incidents indicates missing investigative elements within identified security incidents. Based on the comparison results from step 204, if the existing security incident data is insufficient to cover key information from historical investigative elements, or if the information is insufficient to characterize or address the security incident, an "information gap" is identified. This information gap explicitly indicates the specific investigative elements missing from the currently identified security incident (e.g., missing "document source," "user operation confirmation," etc.). This step aims to quantify the completeness of information and identify factual blind spots that must be supplemented manually or through other means.

[0055] Step 206: Based on the information gaps in the security incident, determine the set of investigation objectives and response actions.

[0056] For the information gaps identified in step 205, a specific set of investigation objectives and corresponding actions is automatically generated. This set includes specific matters requiring external investigation (i.e., investigation objectives, such as "verifying the source of the document" or "confirming whether the user clicked on a malicious link") and actions requiring the target user's cooperation (such as "immediately disconnecting from the office network" or "manually changing the password"). This set will serve as the basis for subsequently developing interactive data collection standards, initiating multi-round dialogues, and generating the final investigation results.

[0057] This embodiment uses natural language processing to extract the alarm context of security events, uses retrieval-augmented generation to obtain related historical investigation cases and determine historical investigation elements, and compares those elements with the currently acquired security event data to identify information gaps. Based on these gaps, it generates a set of investigation objectives and response actions. This intelligently identifies key information missing from existing logs (such as file source and user intent) and generates accurate investigation objectives and response actions grounded in historical experience. The beneficial effect is that it compensates for the blind spots of traditional automated log analysis in personnel evidence collection, ensuring the comprehensiveness and accuracy of the investigation. Furthermore, by integrating investigation and response actions, it significantly improves the efficiency and compliance of event response.
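Steps 201 to 206 as one pass, written as an added example (not the patent's own code): a constructed historical case database and playbook, token-overlap (Jaccard) similarity as a stand-in for the vector retrieval of step 202, and a field-by-field comparison that yields the information gap and the resulting objectives and response actions. Case identifiers, element names and the current event are all constructed.

```python
"""Added example (not the patent's own code): steps 201-206 in one pass.
Retrieve similar historical cases, derive the investigation elements they
needed, compare them with the fields the current event already carries, and
turn each gap into an investigation objective and a response action.

Assumptions: HISTORICAL_CASES, GAP_PLAYBOOK and CURRENT_EVENT are constructed;
Jaccard token overlap stands in for vector retrieval."""
import re

# Constructed historical case database (a vector store in the text).
HISTORICAL_CASES = [
    {"case_id": "HIST-001", "event_type": "malware_infection",
     "context": "C2 remote control trojan on windows host",
     "elements_needed": ["file_hash", "file_download_source",
                         "user_executed_file", "user_clicked_link"]},
    {"case_id": "HIST-002", "event_type": "phishing",
     "context": "phishing email credential harvesting mailbox",
     "elements_needed": ["user_clicked_link", "user_entered_credentials",
                         "attachment_opened"]},
    {"case_id": "HIST-003", "event_type": "malware_infection",
     "context": "ransomware encryption on file server",
     "elements_needed": ["initial_access_vector", "backup_status"]},
]

# Constructed playbook: missing element -> (investigation objective,
# response action needing the user's cooperation, or None).
GAP_PLAYBOOK = {
    "file_hash": ("obtain file hash", None),
    "file_download_source": ("verify file source", None),
    "user_executed_file": ("confirm whether the user ran the file",
                           "disconnect host from the office network"),
    "user_clicked_link": ("confirm click behaviour", None),
    "user_entered_credentials": ("confirm whether credentials were entered",
                                 "reset account password"),
    "attachment_opened": ("confirm whether the attachment was opened", None),
    "initial_access_vector": ("identify initial access vector", None),
    "backup_status": ("confirm backup availability", None),
}

# Constructed current event: EDR supplied hash and process data, nothing about the user.
CURRENT_EVENT = {
    "event_type": "malware_infection",
    "alarm_context": "remote control trojan detected on windows host B",
    "data": {"file_hash": "PLACEHOLDER_SHA256", "process_id": 4242,
             "network_connections": ["PLACEHOLDER_C2_ADDRESS"]},
}


def tokenize(text: str) -> set:
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def retrieve_cases(event: dict, cases: list, top_k: int = 2, min_score: float = 0.3) -> list:
    """Step 202: rank cases by similarity of event type plus alarm context."""
    query = tokenize(event["event_type"] + " " + event["alarm_context"])
    scored = []
    for case in cases:
        doc = tokenize(case["event_type"] + " " + case["context"])
        score = len(query & doc) / len(query | doc)   # Jaccard similarity
        if score >= min_score:
            scored.append((score, case))
    scored.sort(key=lambda s: s[0], reverse=True)
    return [case for _, case in scored[:top_k]]


def historical_elements(cases: list) -> list:
    """Step 203: elements that mattered in the matched cases, deduplicated in order."""
    elements = []
    for case in cases:
        for element in case["elements_needed"]:
            if element not in elements:
                elements.append(element)
    return elements


def find_information_gap(event: dict, elements: list) -> list:
    """Steps 204-205: elements experience says are needed but current data lacks."""
    return [e for e in elements if e not in event["data"]]


def plan_investigation(event: dict, cases: list = HISTORICAL_CASES) -> dict:
    """Step 206: gap -> objectives and actions; an empty gap needs no external step."""
    matched = retrieve_cases(event, cases)
    gap = find_information_gap(event, historical_elements(matched))
    objectives = [GAP_PLAYBOOK[e][0] for e in gap if e in GAP_PLAYBOOK]
    actions = [GAP_PLAYBOOK[e][1] for e in gap if GAP_PLAYBOOK.get(e, (None, None))[1]]
    return {
        "matched_cases": [c["case_id"] for c in matched],
        "gap": gap,
        "objectives": objectives,
        "actions": actions,
        "external_investigation_needed": bool(gap),
    }


if __name__ == "__main__":
    print(plan_investigation(CURRENT_EVENT))
```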

[0058] In some embodiments, step 102 is further refined; see Figure 3. Through intelligent questioning strategies and strict information disclosure controls, the investigation process is kept both efficient and compliant. Based on the set of investigation objectives and response actions and the preset disclosure strategy, the interaction collection standard is determined, specifically including the following steps.

Step 301: Based on the set of investigation objectives and response actions, determine the minimum question sequence.

[0059] The dialogue strategy engine generates a minimal question sequence. The engine prioritizes essential questions (critical information affecting security incident analysis and handling) to facilitate communication of this information first. During the communication process, the large model continuously assesses whether new critical questions arise based on the collected information. If so, supplementary communication is conducted based on the completion of existing objectives, ensuring the completion of the investigation task with as few questions as possible and minimizing disruption to employees. The engine also anticipates respondents' workload and emotional state, dynamically adjusting the questioning pace accordingly.

[0060] Step 302: Generate a frozen context based on the preset disclosure strategy.

[0061] To meet minimum-disclosure and compliance requirements, a frozen context is generated. Even if the investigated party attempts to jailbreak the model with crafted prompts, the large model can only respond on the basis of the existing security context. The frozen context ensures that no excessive information is disclosed during the investigation. Every external output is bound to a specific disclosure rule ID and recorded with audit metadata, making the conversation traceable.

[0062] Step 303: Determine the interaction collection standard based on the minimum question sequence and the frozen context.

[0063] By combining the minimum question sequence with the frozen context, the final interaction collection standard is formed. This standard guides the AI in efficiently acquiring evidence during multi-turn dialogue while strictly adhering to compliance boundaries.

[0064] This embodiment generates a minimum question sequence that includes a dynamic supplementation mechanism and user perception through a dialogue strategy engine, and combines it with a frozen context generated based on disclosure strategy pruning to finally determine the interaction collection standard. This technical approach achieves the effect of efficiently obtaining evidence with the fewest questions while strictly limiting the boundaries of information disclosure during the investigation process. The beneficial effects are that it significantly improves investigation efficiency and reduces disturbance to employees. At the same time, the frozen context mechanism effectively prevents information leakage and jailbreak attacks, ensuring the compliance and security of the investigation process.
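The frozen context and its audit binding from steps 302 and 303, as an added example (not code from the patent): the disclosure rules, rule IDs, field names and alarm context are constructed. Every raw field value is frozen; a rule supplies the trimmed external wording for a field, and an outbound guard blocks any message that reproduces a frozen value, however the model was prompted, writing an audit record whether the message is sent or blocked.

```python
"""Added example (not from the patent text): a frozen context derived from a
preset disclosure policy and a guard that every outbound message passes
through, binding it to the disclosure rule that permits it and recording
audit metadata.

Assumptions: RAW_CONTEXT, DISCLOSURE_RULES, the rule IDs and the messages are
constructed for this example."""
import hashlib
from datetime import datetime, timezone

# Constructed raw alarm context as held on the security side.
RAW_CONTEXT = {
    "asset": "host-B",
    "user": "account-A",
    "finding": "remote control trojan",
    "internal_note": "high-risk vulnerability on the company intranet",
    "ioc_sha256": "PLACEHOLDER_SHA256",
    "c2_domain": "PLACEHOLDER_C2_DOMAIN",
}

# Constructed preset disclosure policy: a rule names a field that may be
# referred to externally and the trimmed wording to use for it. The raw values
# of every field, ruled or not, are frozen and must never appear verbatim.
DISCLOSURE_RULES = [
    {"rule_id": "DR-01", "field": "asset", "disclose_as": "your office computer"},
    {"rule_id": "DR-02", "field": "finding", "disclose_as": "abnormal network activity"},
]


class DisclosureViolation(Exception):
    """Raised when an outbound message reproduces frozen information."""


def build_frozen_context(raw: dict, rules: list) -> dict:
    """Step 302: permitted wording per field plus the set of values that stay frozen."""
    disclosable = {r["field"]: {"text": r["disclose_as"], "rule_id": r["rule_id"]}
                   for r in rules}
    frozen_values = {str(v).lower() for v in raw.values()}
    return {"disclosable": disclosable, "frozen_values": frozen_values}


def compose_question(frozen_ctx: dict, field: str, question: str) -> tuple:
    """Build an outbound question using only the permitted wording for `field`.

    Raises KeyError when no rule allows the field to be mentioned at all."""
    entry = frozen_ctx["disclosable"][field]
    return f"Hello, we detected {entry['text']}. {question}", entry["rule_id"]


def guard_outbound(message: str, frozen_ctx: dict, rule_id: str, audit_log: list) -> dict:
    """Check a message before sending, regardless of what prompt produced it."""
    valid_rules = {d["rule_id"] for d in frozen_ctx["disclosable"].values()}
    if rule_id not in valid_rules:
        raise ValueError(f"unknown disclosure rule {rule_id}")
    lowered = message.lower()
    leaked = [v for v in frozen_ctx["frozen_values"] if v in lowered]
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "rule_id": rule_id,
        "message_sha256": hashlib.sha256(message.encode()).hexdigest(),
        "decision": "blocked" if leaked else "sent",
    }
    audit_log.append(record)  # audit metadata is written for blocked and sent alike
    if leaked:
        # The exception text deliberately does not echo the leaked values.
        raise DisclosureViolation(f"message reproduces {len(leaked)} frozen value(s)")
    return record


if __name__ == "__main__":
    ctx = build_frozen_context(RAW_CONTEXT, DISCLOSURE_RULES)
    log = []
    msg, rule = compose_question(ctx, "finding", "Did you notice anything unusual yesterday afternoon?")
    print(guard_outbound(msg, ctx, rule, log))
```

The hash in the audit record lets the sent wording be verified later without storing the conversation twice; the rule ID is what ties each external statement back to the policy that permitted it.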

[0065] In some embodiments, the processes of "determining the chain of evidence" and "obtaining evidence items" in step 103 are further refined. This embodiment describes in detail how key information is extracted from unstructured user dialogue and transformed into a structured chain of evidence. Based on the interaction collection standard, the interaction content with the target user is collected to determine the chain of evidence; see Figure 4. Specifically, it includes: Step 401: Based on the minimum question sequence and frozen context of the interaction collection standard, collect the interaction content with the target user and obtain the answer parsing.

[0066] During the investigation, connections are established with target users through an integrated communication platform based on the interactive data collection standards generated in the aforementioned steps. Multi-channel access is supported, including but not limited to internal enterprise instant messaging software (such as WeChat Work and DingTalk) and VoIP phone lines. Questions are posed to users according to the order in the "Minimum Question Sequence," combined with the "frozen context" (i.e., compliance-trimmed external information). For example, in an instant messaging system, the question might be: "Hello, we detected abnormal login activity on your account. Did you perform any actions from another location yesterday afternoon?" The user answers via voice or text input. For example, the user might answer: "I received an email around 3 PM, and a pop-up window appeared on my computer after I opened the attachment."

[0067] If the user uses voice, the Automatic Speech Recognition (ASR) engine is first invoked to convert the audio stream into text in real time. The converted text is then cleaned (interjections are removed, and typos are corrected) to obtain a standard "answer parsing," which serves as the raw corpus for subsequent information extraction.

[0068] Step 402: Obtain evidence items by performing structured processing on the answer parsing.

[0069] This step is central to evidence generation, leveraging the semantic understanding capabilities of large language models (LLMs) to transform natural language into structured data that machines can process. A pre-trained named entity recognition model is loaded to scan the answer parsing and extract entity keywords strongly relevant to the security incident. In the example above, the following are extracted: time entity: "3 PM" (normalized to 15:00); object entities: "email", "attachment", "computer"; action entities: "received", "opened"; result entity: "pop-up window".

[0070] Further analysis of the syntactic and semantic dependencies between entities reveals their logical connections. For example, "receiving an email" is identified as the cause, "opening the attachment" as the intermediate action, and "the pop-up window" as the result, with the "attachment" as the object of the action. These entities and their relationships, combined with the timestamps of the dialogue (or specific extracted time points), are used to construct an entity relationship graph with temporal logic. The graph uses nodes to represent entities and directed edges to represent actions and time order, depicting the timeline [15:00] email received, [15:00+Δt₁] attachment opened, [15:00+Δt₂] pop-up window appears. Key information is then read from the graph and emitted as evidence items according to a pre-defined evidence template (such as a JSON or XML schema), for example: {Time: 15:00, Action: Open email attachment, Result: See pop-up window}.

[0071] Step 403: Associate the evidence items with the security incident data to determine the chain of evidence.

[0072] To form a complete and traceable audit chain, the newly extracted evidence items are integrated with the existing security incident data. The Event_ID of the evidence items is automatically associated with the original alarm ID in the SIEM (Security Information and Event Management) system, the action records in the SOAR (Security Orchestration, Automation and Response) platform, and the detection report from the sandbox system. The evidence chain then includes not only verbal evidence from the user side (generated in step 402) but also objective log evidence from the system side (such as alarm trigger time, malicious file hash, IP address, etc.). The integrated evidence chain, together with the "external context version number" of this investigation (ensuring that what was disclosed is traceable) and the complete session transcript (for reviewing the audio or text record), is stored in a blockchain or tamper-proof database. This evidence chain supports the final judgment of the security incident (such as determining that "the phishing malware was executed") and provides a solid data foundation for subsequent compliance audits, evidence collection, and lessons-learned review.
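As an added illustration of step 403 (this is editorial example code, not part of the application), the following Python sketch joins user-side evidence items to system-side records by Event_ID and stores them as a hash-linked chain: each record carries the frozen-context version number, a digest of the session transcript, and the hash of the previous record, so any later edit to a stored record is detected by recomputing the chain. The identifiers (EVT-0001, SIEM-ALERT-4711, SOAR-ACT-1), the sandbox report and the transcript are constructed placeholders; a real deployment would write the records to the tamper-proof store the application mentions rather than keep them in a list.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional


def canonical(obj: Any) -> bytes:
    """Deterministic JSON encoding so equal records always hash to the same digest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_record(event_id: str, user_side: List[Dict[str, Any]], siem_alert_id: str,
                 soar_action_ids: List[str], sandbox_report: Dict[str, Any],
                 context_version: str, transcript: str,
                 prev_hash: Optional[str]) -> Dict[str, Any]:
    """One evidence-chain record: user-side items joined to system-side records by
    Event_ID, plus the frozen-context version and a digest of the session transcript.
    prev_hash links it to the previous record so the chain is tamper-evident."""
    body = {
        "event_id": event_id,
        "user_side": user_side,
        "system_side": {
            "siem_alert_id": siem_alert_id,
            "soar_action_ids": soar_action_ids,
            "sandbox": sandbox_report,
        },
        "context_version": context_version,
        "transcript_sha256": sha256_hex(transcript.encode()),
        "prev_hash": prev_hash,
    }
    return {**body, "record_hash": sha256_hex(canonical(body))}


def verify_chain(chain: List[Dict[str, Any]]) -> bool:
    """Recompute every record hash and check each prev_hash link; any edit breaks it."""
    expected_prev = None
    for rec in chain:
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if rec.get("prev_hash") != expected_prev:
            return False
        if sha256_hex(canonical(body)) != rec.get("record_hash"):
            return False
        expected_prev = rec["record_hash"]
    return True


def join_by_alert(chain: List[Dict[str, Any]], siem_alert_id: str) -> List[Dict[str, Any]]:
    """Pull every user-side evidence item that was associated with a given SIEM alarm."""
    return [item for rec in chain
            if rec["system_side"]["siem_alert_id"] == siem_alert_id
            for item in rec["user_side"]]


# Constructed sample data; identifiers, the hash value and the C2 address are placeholders.
SAMPLE_SANDBOX = {"verdict": "malicious", "file_sha256": "0" * 64, "c2_ip": "203.0.113.7"}
SAMPLE_TRANSCRIPT = ("Q: Did you perform any actions from another location yesterday afternoon?\n"
                     "A: I received an email around 3 PM, and a pop-up window appeared "
                     "after I opened the attachment.")


def build_sample_chain() -> List[Dict[str, Any]]:
    first = build_record(
        "EVT-0001",
        [{"time": "15:00", "action": "open email attachment", "result": "pop-up window"}],
        "SIEM-ALERT-4711", ["SOAR-ACT-1"], SAMPLE_SANDBOX, "ctx-v1", SAMPLE_TRANSCRIPT, None)
    second = build_record(
        "EVT-0001",
        [{"time": "15:20", "action": "disconnect office wifi", "result": "confirmed by user"}],
        "SIEM-ALERT-4711", ["SOAR-ACT-2"], SAMPLE_SANDBOX, "ctx-v1", "A: Done, Wi-Fi is off.",
        first["record_hash"])
    return [first, second]


if __name__ == "__main__":
    chain = build_sample_chain()
    print("chain valid:", verify_chain(chain))
    print("items for SIEM-ALERT-4711:", join_by_alert(chain, "SIEM-ALERT-4711"))
```

The point of the prev_hash link is that the record for a follow-up action cannot be inserted, reordered or altered without invalidating every record after it, which is what the application's blockchain or tamper-proof database is meant to guarantee.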

[0073] This embodiment collects user responses based on interactive data collection standards, uses a large model to extract entity keywords and semantic relationships, and constructs an entity relationship graph with temporal logic by combining timestamps to obtain evidence items. At the same time, it associates the evidence items with the original alarm and system handling data. This achieves the technical effect of transforming unstructured user dialogues into structured evidence and deeply integrating them with system-side data to form a complete evidence chain. The beneficial effects are that it significantly improves the accuracy, completeness, and traceability of evidence, effectively supports the accurate judgment of security incidents, and provides a solid and reliable data foundation for subsequent compliance audits, evidence collection, and experience review.

[0074] In some embodiments, see Figure 5, the process of "determining the minimum question sequence" is further refined. This process generates the most concise and efficient list of investigation questions by establishing mapping relationships, setting dialogue termination conditions, and leveraging historical experience, thereby reducing employee disruption and improving investigation accuracy. Based on the investigation objectives and the set of actions to be taken, the minimum question sequence is determined as follows: Step 501: Based on the set of investigation objectives and actions, establish a mapping table between objectives and evidence.

[0075] A "target-evidence mapping table" is established for each investigation objective. For example, the evidence requirement for "whether a file was downloaded from an untrusted third-party source" is "the fact that the download occurred + time window + source type + filename / hash". This mapping table is used to indicate the correspondence between the investigation objective and the required verification evidence, serving as the basic data structure for subsequent dialogue logic judgments and clarifying the core information fields to be obtained.

[0076] Step 502: Based on the mapping table, obtain the dialogue termination criteria.

[0077] To avoid lengthy and ineffective dialogues, dialogue termination and switching criteria are defined for each investigation objective on the basis of the mapping table; these are the "dialogue termination criteria." The criteria identify which information must be provided (hard indicators) and which should be recalled as far as possible (supplementary indicators), and they determine when the dialogue may stop on the current topic and move to the next objective. For example, for the objective "obtain the file source," the termination criterion is: as long as the user can provide either the "filename" or the "download source," the objective has met its initial termination criterion. At that point further follow-up questions on this objective cease (for example, the exact download time is no longer pursued), and the dialogue logic automatically switches to the next objective (for example, asking "Was it installed?" or "Have you noticed anything abnormal?"), keeping the dialogue efficient.

[0078] Step 503: Obtain the alarm context by extracting key information from the security event.

[0079] Natural language processing (NLP) techniques are used to perform in-depth analysis of raw security events, extracting key alarm context information. This context includes, but is not limited to: attack methods (such as C2 remote control, phishing attacks), affected systems (such as Windows hosts, Linux servers), and alarm characteristic descriptions. This extracted key information will serve as input parameters for subsequent retrieval of historical experience, ensuring the accuracy of the search.

[0080] Step 504: Based on the event type and alarm context of the security event, perform vector similarity retrieval using retrieval-augmented generation (RAG) to obtain related historical investigation experience.

[0081] As the system operates, successfully handled security investigation cases are archived and stored as vectors. When a new incident occurs, retrieval-augmented generation (RAG) is used to run a semantic similarity search in the vector database, keyed on the current incident type (e.g., "malware infection") and the extracted alarm context. For example, suppose the current case is a "C2 (command and control) remote control" incident. The vector search recalls several similar historical investigations from the case library, and analysis of them reveals a key pattern: in C2 incidents, contacting the user with the file path seen on the host in order to obtain the "file download source" is crucial for attribution. This experience is extracted to guide the formulation of the current questioning strategy.

[0082] Step 505: Based on the dialogue termination criteria and the related historical investigation experience, determine the minimum question sequence.

[0083] Finally, combining the "dialogue termination criteria" determined in step 502 and the "related historical investigation experience" obtained in step 504, an optimal "minimum question sequence" is generated using a large language model. The questions in the list cover the necessary evidence requirements in the mapping table and incorporate the most effective questioning angles from historical experience. The question sequence also strictly follows the dialogue termination criteria, so that the most crucial information is obtained in the fewest rounds. The generated minimum question sequence might include: "Hello, an abnormal connection has been detected on your host. Have you recently downloaded a file named 'xxx'?" (a targeted question incorporating historical experience) and "Where was this file downloaded from?" (corresponding to the source evidence). This list drives the subsequent multi-round dialogue investigation.

[0084] This embodiment defines the dialogue termination criteria by establishing a mapping table between objectives and evidence, and uses retrieval-augmented generation over the alarm context to obtain relevant historical investigation experience, from which it generates a minimum question sequence. This constructs a precise questioning strategy that combines necessity with experience-based guidance. The beneficial effects are that the number of communication rounds is controlled and invalid or redundant inquiries are avoided, reducing disturbance to users, while historical experience improves the efficiency of obtaining key information and the accuracy of the investigation, optimizing the security operations response process.
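As an added worked example of steps 501 to 505 (editorial code, not part of the application), the Python sketch below encodes the target-evidence mapping table, evaluates the dialogue termination criteria (any hard indicator known ends the objective; supplementary fields are only asked when every hard field came back unknown), retrieves a "lead question" from a small constructed case archive, and drives the resulting minimum question sequence against scripted replies. The set-overlap score stands in for the embedding similarity a vector database would compute, the objective names and question texts are assumed, and the case archive is constructed for the example.

```python
from typing import Dict, List, Optional, Set, Tuple

UNKNOWN = "unknown"   # the user could not recall the field

# Step 501: target-evidence mapping table. An objective's termination criterion is met
# as soon as ANY "hard_any" field is known; "supplementary" fields are only asked when
# every hard field came back unknown (best-effort recall), never after the criterion is met.
MAPPING_TABLE: Dict[str, Dict[str, Set[str]]] = {
    "file_source":   {"hard_any": {"filename", "download_source"}, "supplementary": {"download_time"}},
    "installed":     {"hard_any": {"installed"},                   "supplementary": set()},
    "abnormalities": {"hard_any": {"abnormal_behaviour"},          "supplementary": {"abnormal_time"}},
}
OBJECTIVE_ORDER = ["file_source", "installed", "abnormalities"]

QUESTIONS = {
    "filename": "Hello, an abnormal connection has been detected on your host. "
                "Have you recently downloaded a file named '{hint}'?",
    "download_source": "Where was this file downloaded from?",
    "download_time": "Roughly when did you download it?",
    "installed": "Was it installed or run?",
    "abnormal_behaviour": "Have you noticed anything abnormal on your computer since then?",
    "abnormal_time": "When did you first notice that?",
}

# Step 504 stand-in: a constructed archive of past cases scored by tag overlap
# (Jaccard) in place of the embedding similarity a vector database would compute.
HISTORICAL_CASES = [
    {"tags": {"c2", "remote", "control", "outbound", "connection", "host"},
     "lead_field": "filename",
     "lesson": "in C2 cases, ask about the file at the alerted host path to reach the download source"},
    {"tags": {"phishing", "email", "attachment", "link"},
     "lead_field": "download_source",
     "lesson": "in phishing cases, pin down where the payload came from first"},
]


def retrieve_experience(alarm_context: Set[str]) -> Optional[dict]:
    best, best_score = None, 0.0
    for case in HISTORICAL_CASES:
        union = case["tags"] | alarm_context
        score = len(case["tags"] & alarm_context) / len(union) if union else 0.0
        if score > best_score:
            best, best_score = case, score
    return best


def objective_status(objective: str, answers: Dict[str, str]) -> str:
    """Step 502: 'met' when any hard field is known; 'exhausted' when every hard field is
    unknown and the supplementary fallbacks are used up; otherwise 'open'."""
    spec = MAPPING_TABLE[objective]
    if any(answers.get(f) not in (None, UNKNOWN) for f in spec["hard_any"]):
        return "met"
    hard_exhausted = all(answers.get(f) == UNKNOWN for f in spec["hard_any"])
    supp_exhausted = all(f in answers for f in spec["supplementary"])
    return "exhausted" if hard_exhausted and supp_exhausted else "open"


def next_question(answers: Dict[str, str], experience: Optional[dict],
                  hint: str = "") -> Optional[Tuple[str, str, str]]:
    """Step 505: first open objective; within it, the experience-led hard field first,
    then the remaining hard fields, then supplementary fields as a fallback."""
    for objective in OBJECTIVE_ORDER:
        if objective_status(objective, answers) != "open":
            continue
        spec = MAPPING_TABLE[objective]
        hard = sorted(spec["hard_any"])
        if experience and experience["lead_field"] in spec["hard_any"]:
            hard.remove(experience["lead_field"])
            hard.insert(0, experience["lead_field"])
        pending = [f for f in hard if f not in answers]
        if not pending:
            pending = [f for f in sorted(spec["supplementary"]) if f not in answers]
        field = pending[0]
        return objective, field, QUESTIONS[field].format(hint=hint)
    return None


def run_dialogue(scripted_replies: Dict[str, str], alarm_context: Set[str],
                 hint: str = "") -> List[str]:
    """Drive the sequence against scripted replies (fields missing from the script are
    answered 'unknown'); returns the fields asked, in order."""
    experience = retrieve_experience(alarm_context)
    answers: Dict[str, str] = {}
    asked: List[str] = []
    while True:
        step = next_question(answers, experience, hint)
        if step is None:
            return asked
        _, field, _ = step
        asked.append(field)
        answers[field] = scripted_replies.get(field, UNKNOWN)
```

With a C2-type alarm context the experience-led field (filename) is asked first; once the user names the file, the download source is never requested, matching the termination rule in [0077], and the dialogue moves on to installation and abnormalities.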

[0085] In some embodiments, see Figure 6, the process of "generating a frozen context" is further refined. This process ensures the compliance and security of information during external investigations and prevents the leakage of sensitive data through a strict classification and selection mechanism. Based on a preset disclosure strategy, a frozen context is generated as follows: Step 601: Based on the preset disclosure strategy, determine the information classification and constraint rules of the candidate information.

[0086] During the investigation preparation phase, the first step is to acquire candidate information. Candidate information refers to the raw set of information containing all sensitive details of the security incident and not subject to disclosure policy pruning before external interaction. For example, this might include highly sensitive data such as the specific internal IP address of the affected host, the name of the specific vulnerability attacked, and the internal network topology.

[0087] Based on a pre-defined disclosure strategy, the candidate information is categorized and marked as "Top Secret," "Confidential," "Internal Public," or "Public." Simultaneously, constraint rules are established for different information levels. For example, for "Top Secret" level internal IP addresses, the constraint rule is set to "prohibit the display of specific IP ranges to users"; for specific exploit code, the rule is set to "prohibit the disclosure of code logic or details."

[0088] Step 602: Based on information classification and constraint rules, the candidate information is pruned and generalized to obtain the pruned security external context.

[0089] Based on the rules determined in step 601, candidate information is automatically processed using natural language processing technology. This includes two methods: trimming and generalization. Trimming directly deletes content that does not conform to the disclosure rules, such as employee IDs or specific database table names. Generalization replaces specific sensitive information with general or abstract descriptions. For example, the specific internal network IP address "192.168.1.X" is generalized to "office internal network segment"; specific vulnerability names (such as CVE-2023-XXXX) are hidden, retaining only descriptions of "high-risk threat" or "abnormal network behavior".

[0090] Through the above processing, the original information containing all details is transformed into a "pruned security external context" suitable for external communication. This retains the background necessary for the investigation while avoiding the leakage of core secrets.

[0091] Step 603: Based on the trimmed security external context, perform versioned persistence processing and freeze it to generate a frozen context.

[0092] The pruned and generalized security external context is persistently stored and assigned a unique version number. Then, this context is frozen. This means that the context content is locked throughout the entire session of this investigation, serving as the sole information basis for the large model's generated responses.

[0093] Even when, in subsequent conversation, the target user (respondent) tries to elicit more detail with leading questions (such as "Could you tell me the specific IP address so I can investigate myself?"), the large language model strictly limits its responses to the frozen context and cannot retrieve or expand on any unpruned sensitive information from the knowledge base. This mechanism ensures information security during the investigation and prevents leakage caused by model hallucination or by leading questions.
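As an added worked example of steps 601 to 603 (editorial code, not part of the application), the Python sketch below classifies candidate information under a disclosure policy, trims or generalizes each field, scrubs private IP ranges and CVE identifiers out of free-text fields, versions the result by content hash, freezes it read-only, and answers respondent requests only from that frozen context with the governing disclosure rule ID attached. The field names, rule IDs and classification-to-handling assignments are assumptions; the candidate record is constructed, using a private-range address and the page's own "CVE-2023-XXXX" placeholder rather than any real identifier.

```python
import hashlib
import json
import re
from types import MappingProxyType
from typing import Any, Dict, Mapping, Tuple

# Step 601: disclosure policy, field -> (classification, disclosure rule id, handling).
# Classification names follow the page; the rule ids and field names are assumed.
DISCLOSURE_POLICY: Dict[str, Tuple[str, str, str]] = {
    "internal_ip":        ("top_secret",      "R-IP-01",   "generalize"),
    "vulnerability":      ("confidential",    "R-VULN-02", "generalize"),
    "exploit_code":       ("top_secret",      "R-EXP-03",  "trim"),
    "employee_id":        ("confidential",    "R-EMP-04",  "trim"),
    "db_table":           ("confidential",    "R-DB-05",   "trim"),
    "alert_summary":      ("internal_public", "R-SUM-06",  "keep"),
    "affected_host_role": ("internal_public", "R-HOST-07", "keep"),
}
DEFAULT_DENY = ("top_secret", "R-DEFAULT-DENY", "trim")   # unknown fields are never disclosed
GENERALIZATIONS = {"internal_ip": "office internal network segment",
                   "vulnerability": "high-risk threat"}

# Scrubbers for free-text fields, so a sensitive literal inside a "keep" field is also generalized.
PRIVATE_IP = re.compile(r"\b(?:10(?:\.\d{1,3}){3}|192\.168(?:\.\d{1,3}){2}"
                        r"|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})\b")
CVE_ID = re.compile(r"\bCVE-\d{4}-[\dX]{4,}\b", re.I)

# Keywords by which a respondent's request is mapped to a context field (assumed mapping).
REQUEST_KEYWORDS = {"ip": "internal_ip", "address": "internal_ip", "cve": "vulnerability",
                    "vulnerability": "vulnerability", "exploit": "exploit_code",
                    "table": "db_table", "employee": "employee_id"}


def scrub_text(text: str) -> str:
    text = PRIVATE_IP.sub(GENERALIZATIONS["internal_ip"], text)
    return CVE_ID.sub(GENERALIZATIONS["vulnerability"], text)


def prune_and_generalize(candidate: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Step 602: trim fields the policy forbids, replace others with their generalization,
    scrub the rest; returns the pruned context and the rule id that governed each field."""
    context: Dict[str, str] = {}
    rules: Dict[str, str] = {}
    for name, value in candidate.items():
        _classification, rule_id, handling = DISCLOSURE_POLICY.get(name, DEFAULT_DENY)
        if handling == "trim":
            continue
        context[name] = GENERALIZATIONS[name] if handling == "generalize" else scrub_text(value)
        rules[name] = rule_id
    return {"context": context, "rules": rules}


def freeze_context(candidate: Dict[str, str]) -> Mapping[str, Any]:
    """Step 603: version the pruned context by its content hash and make it read-only, so the
    same candidate always yields the same version and nothing can be added mid-session."""
    pruned = prune_and_generalize(candidate)
    version = hashlib.sha256(json.dumps(pruned, sort_keys=True).encode()).hexdigest()[:16]
    return MappingProxyType({"version": version,
                             "context": MappingProxyType(pruned["context"]),
                             "rules": MappingProxyType(pruned["rules"])})


def respond(frozen: Mapping[str, Any], field_name: str) -> Dict[str, str]:
    """Every external output carries the disclosure rule id and context version; a field
    that is not in the frozen context is refused no matter how it was asked for."""
    if field_name not in frozen["context"]:
        return {"text": "That detail is not available for this investigation.",
                "rule_id": DEFAULT_DENY[1], "context_version": frozen["version"]}
    return {"text": frozen["context"][field_name], "rule_id": frozen["rules"][field_name],
            "context_version": frozen["version"]}


def answer_request(frozen: Mapping[str, Any], user_message: str) -> Dict[str, str]:
    """Resolve a leading question ('tell me the specific IP address') to a field and answer
    from the frozen context only; the model is never handed the raw candidate data."""
    for word in re.findall(r"[a-z]+", user_message.lower()):
        if word in REQUEST_KEYWORDS:
            return respond(frozen, REQUEST_KEYWORDS[word])
    return respond(frozen, "__unmapped__")


# Constructed candidate information: private-range IP and the page's CVE placeholder.
CANDIDATE_INFO = {
    "internal_ip": "192.168.1.23",
    "vulnerability": "CVE-2023-XXXX",
    "exploit_code": "<exploit source withheld>",
    "employee_id": "E-1001",
    "db_table": "hr.payroll",
    "alert_summary": "Outbound beacon from 192.168.1.23 matching CVE-2023-XXXX exploit traffic",
    "affected_host_role": "finance workstation",
}
```

The design point is that the response path receives only the frozen mapping, never the candidate record, so a jailbreak prompt has nothing to extract: the strongest answer it can obtain for the IP is the generalized segment description, and the rule ID in every output is what the audit metadata of [0061] records.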

[0094] In some embodiments, see Figure 7, the process of integrating enterprise personnel identity data, managing access permissions, and tracking deferred tasks after the interaction collection standard has been defined is described in detail. This embodiment ensures that employees are reached only within a secure and compliant framework and that deferred actions are managed effectively, solving the "last mile" problem in automated security operations. Specifically, it includes: Step 701: Based on the security incident, confirm the identity information of the target user.

[0095] The system connects to the enterprise's internal employee information database (such as an HR system or LDAP directory service) to obtain basic information about all employees. When a security incident occurs (such as "Account A received a phishing email" or "Host B detected a Trojan"), it queries and associates the specific employee's information based on the account ID or device ID involved in the incident. This information includes, but is not limited to, employee name, office phone number, mobile phone number, department, and job level. For example, for the incident "Account A received a phishing email," it looks up the email account to find the employee "Zhang San" corresponding to that account and obtains their linked WeChat ID and mobile phone number.

[0096] Step 702: Based on the target user's identity information, query the preset permission configuration to verify permissions and confirm the target user to be contacted.

[0097] To ensure security and controllability, automated investigations are not performed on all employees. Based on the obtained employee identity information, strict verification is conducted against preset permission configurations. First, there is contact scope control. Configuration rules may stipulate that the AI system is prohibited from directly contacting senior management or personnel in confidential positions (such as the CFO). If the target user is on the "prohibited contact list," the automated process is skipped and a work order is generated and dispatched to a human security officer. Second, there are action permission settings (blacklists and whitelists). For users who may be contacted, the scope of permitted actions is further checked. For example, if "whitelist mode" is configured, the AI may only ask users to perform actions on the whitelist (such as "disconnecting office Wi-Fi"), and may not request risky operations such as "uninstalling antivirus software." Finally, there is an approval mechanism. Some high-risk actions can be configured to execute only after human review: the AI system first generates a contact suggestion, and after the human security officer confirms it, the AI system initiates the contact. Through this verification, the target user to be contacted and the permitted interaction scope are confirmed.

[0099] Step 703: Based on the set of investigation objectives and actions, extract the actions to be requested of the target user to be contacted.

[0099] Based on the target user to be contacted and their authorized scope confirmed in step 702, the actions requiring that specific user's cooperation are selected from the previously generated set of investigation objectives and actions. These actions were generated by analyzing the security incident context with a large language model and are designed to respond to the security threat. For example, for a phishing email incident, the set may include actions such as "Please confirm whether you clicked the link in the email," "Please immediately disconnect from the office network," and "Please change the password of the relevant account." Taking into account the target user's identity (such as regular employee or key personnel) and their network environment, one or more specific action sequences are selected for that user.

[0100] Step 704: Based on the preset whitelist of actions, determine whether the action is within the allowed execution range.

[0101] A pre-defined whitelist of actions is maintained, defined and configured by security administrators based on the company's security strategy, compliance requirements, and risk tolerance. The whitelist clearly defines the safe, low-risk operations that automated systems are permitted to request users to perform via phone / IM, such as "disconnecting a specified network connection," "exiting a specific application," and "confirming account ownership." Each action extracted in step 703 is precisely matched against this whitelist. If the extracted action is explicitly in the whitelist, it is determined to be within the permitted execution range; conversely, if the extracted action is not in the whitelist, or if the action type itself has been labeled as a high-risk operation by the system (such as involving critical configuration changes in the production environment, large-scale data export, etc.), it is determined to be outside the permitted execution range. This step acts as a risk control checkpoint, ensuring that all automatically triggered actions remain within controllable security boundaries.

[0102] Step 705: When a handling action is marked as a high-risk operation or is not within the permitted scope, a manual review process is triggered.

[0103] Specifically, if the judgment result of step 704 indicates that the requested action is high-risk or outside the whitelist, the automated process will be automatically paused, and a manual review mechanism will be immediately initiated. This process will automatically generate a review request report, which encapsulates the following key information: a summary and context of the current security incident (e.g., alarm type, affected assets), details of the action to be reviewed, the reason why the action is marked as high-risk or outside the whitelist, and the estimated risks and impacts (possibly based on a preset risk assessment model). This review request report will be instantly pushed to the terminal interface of a human security officer (e.g., a senior analyst or security manager) with the appropriate review permissions through the security operations platform's workflow system. The human security officer must review the report content based on their professional knowledge, company security policies, and past experience, and make a clear decision to "allow execution" or "deny execution." This mechanism ensures that any action that may bring uncertain risks or requires special authorization is reviewed by professionals.

[0104] Step 706: In response to the approval result of the manual review process, obtain the interaction content of the target user.

[0105] The interaction content of the target user is obtained through multi-round dialogue about the security incident via at least one of the following channels: telephone or instant messaging. Specifically, once a human security officer decides to allow execution during the review process, the system receives the approval signal and immediately continues the automated interaction process. Based on the previously determined interaction collection standard (including the "minimum question sequence" and "frozen context" generated for this investigation), the system proactively establishes contact with the target user through one or more of the following channels via an integrated communication interface: telephone (such as a VoIP system) or instant messaging (such as WeChat Work or DingTalk). During the multi-round dialogue, the system acts as investigator or instruction issuer, asking questions in the preset order, for example: "Hello, we have detected an abnormal login risk to your account. To ensure account security, please cooperate by performing the following operation: immediately disconnect the currently connected office Wi-Fi and report the result." Users can reply by voice or enter text in the IM. The system uses an integrated automatic speech recognition engine to convert speech to text, or parses the text input directly, to obtain the user's feedback (such as confirmation that the operation was performed, inability to execute, or a request for help). All interactions are recorded and further processed into structured interaction data, which becomes part of the chain of evidence.

[0106] Step 707: When the manual review denies the action, the security incident is transferred to a human security officer for handling.

[0107] Specifically, if a human security officer decides to refuse to execute a response during the review process, it means that the action cannot be performed through automated channels. The automated process initiating interaction with the target user will be immediately terminated. Simultaneously, the security incident will be marked as "requiring human follow-up," automatically creating a work order or escalating alarm event. The complete context, including initial incident information, suggested (but not approved) actions, and the reason for the review failure (if recorded), will be transferred to the responsible human security officer. Afterward, the incident will be entirely handled by the human security officer, who can employ more flexible and targeted methods (such as direct phone communication, on-site verification, and coordination with other departments) to investigate and handle the situation, and develop and implement new response strategies based on the actual circumstances. A record of the entire workflow will be maintained for subsequent auditing and review.

[0108] This embodiment achieves precise and secure control over personnel interaction and the execution of handling instructions in automated security operations by combining multi-layered control techniques, including preset permission configuration (including contact personnel scope and blacklists / whitelists for handling actions), automated decision-making, and mandatory manual review processes. Its technical effect is to ensure that the large-scale model-driven investigation and response system interacts with users only within strict security boundaries and permission limits. Any potentially high-risk operations are automatically intercepted and submitted to manual review, effectively preventing misoperations, information leaks, or undue interference with critical systems that may arise from automated processes. The beneficial effect is that it solves the trust and compliance challenges of the "last mile" in automated security operations. It leverages the advantages of artificial intelligence in improving investigation efficiency and coverage, while ensuring compliance, security, and auditability throughout the process through robust permission management and manual intervention mechanisms. This significantly reduces automation risks, enhances the enterprise's security operations system's control over personnel participation, and improves the overall reliability and security of security incident response.
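As an added worked example of steps 702 to 707 (editorial code, not part of the application), the Python sketch below implements the gating logic as a pure decision function: contact-scope control by employee ID and role, exact whitelist matching for requested actions with a high-risk label that overrides the whitelist, an approval list for actions that are permitted but still need a human sign-off, and the review outcome that either lets the dialogue proceed, keeps it waiting, or terminates automation and hands the incident to a human. The configuration values, action names and the two employees are constructed; the role name "CFO" and the sample actions are the page's own examples.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class Decision(Enum):
    ALLOW = "allow"                        # proceed automatically
    NEEDS_REVIEW = "needs_review"          # step 705: a human must approve first
    HANDOFF_TO_HUMAN = "handoff_to_human"  # no automated contact; work order for an analyst


@dataclass(frozen=True)
class Employee:
    employee_id: str
    name: str
    role: str
    channels: Dict[str, str]  # e.g. {"im": ..., "mobile": ...} as resolved from HR / LDAP


@dataclass
class PermissionConfig:
    prohibited_contacts: Set[str] = field(default_factory=set)  # employee ids the AI never contacts
    prohibited_roles: Set[str] = field(default_factory=set)     # e.g. {"CFO"}
    action_whitelist: Set[str] = field(default_factory=set)     # low-risk requests the AI may make
    high_risk_actions: Set[str] = field(default_factory=set)    # always reviewed, even if listed
    approval_required: Set[str] = field(default_factory=set)    # whitelisted but human-confirmed first


def gate_contact(user: Employee, cfg: PermissionConfig) -> Decision:
    """Step 702: contact scope control."""
    if user.employee_id in cfg.prohibited_contacts or user.role in cfg.prohibited_roles:
        return Decision.HANDOFF_TO_HUMAN
    return Decision.ALLOW


def gate_action(action: str, cfg: PermissionConfig) -> Decision:
    """Step 704: exact whitelist match; a high-risk label or an approval flag forces review."""
    if action in cfg.high_risk_actions or action not in cfg.action_whitelist:
        return Decision.NEEDS_REVIEW
    if action in cfg.approval_required:
        return Decision.NEEDS_REVIEW
    return Decision.ALLOW


def plan_contact(user: Employee, actions: List[str], cfg: PermissionConfig) -> Dict:
    """Steps 702-704: decide whether the AI may contact this user and what it may ask."""
    contact = gate_contact(user, cfg)
    if contact is Decision.HANDOFF_TO_HUMAN:
        return {"user": user.employee_id, "contact": contact, "actions": {},
                "work_order": {"reason": "user on prohibited contact list", "requested": actions}}
    return {"user": user.employee_id, "contact": contact,
            "actions": {a: gate_action(a, cfg) for a in actions}}


def apply_review(plan: Dict, verdicts: Dict[str, bool]) -> Dict:
    """Steps 705-707: a denied action terminates automation for this incident and hands it
    to a human; an unreviewed action keeps the plan waiting; otherwise the pre-allowed and
    approved actions are what the dialogue may request."""
    if plan["contact"] is Decision.HANDOFF_TO_HUMAN:
        return {"status": "human_follow_up", "request": [], "denied": []}
    request, denied, pending = [], [], []
    for action, decision in plan["actions"].items():
        if decision is Decision.ALLOW or verdicts.get(action) is True:
            request.append(action)
        elif verdicts.get(action) is False:
            denied.append(action)
        else:
            pending.append(action)
    if denied:
        return {"status": "human_follow_up", "request": [], "denied": denied}
    if pending:
        return {"status": "awaiting_review", "request": [], "pending": pending}
    return {"status": "proceed", "request": request, "denied": []}


# Constructed configuration and employees for the example; contact handles are placeholders.
SAMPLE_CONFIG = PermissionConfig(
    prohibited_roles={"CFO"},
    action_whitelist={"disconnect_office_wifi", "exit_application",
                      "confirm_account_ownership", "change_password"},
    high_risk_actions={"uninstall_antivirus", "change_production_config", "bulk_data_export"},
    approval_required={"change_password"},
)
ZHANG_SAN = Employee("E-1001", "Zhang San", "staff", {"im": "<im-handle>", "mobile": "<mobile>"})
SAMPLE_CFO = Employee("E-0002", "<name>", "CFO", {})
```

Note the order of checks in gate_action: the high-risk label is tested before the whitelist, so an administrator who accidentally whitelists a high-risk action still gets a review rather than an automated request.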

[0109] In some embodiments, see Figure 9 (and also Figure 8), the process of "obtaining evidence items through structured processing of the answer parsing" is described in detail. This process transforms the unstructured natural language answers that users give in multi-turn dialogue into rigorously structured, machine-readable evidence that can be audited. Specifically, it includes: Step 901: Based on the answer parsing, extract entity keywords, which define the objects and actions involved in the security incident.

[0110] Natural language processing (NLP) techniques are used to analyze the parsed response text and extract entity keywords strongly related to the security incident. These include, but are not limited to, time-related entities (such as "yesterday afternoon 3 pm"), object-related entities (such as "email", "attachment", "computer"), action-related entities (such as "received", "open", "pop-up"), and phenomenon / result-related entities (such as "a strange window popped up"). These entity keywords are used to define the specific objects and actions involved in the security incident.

[0111] Step 902: Based on the event type of the security incident, determine the corresponding set of investigation elements.

[0112] Based on the type of security incident (such as phishing emails, malware infections, C2 remote control, etc.), the corresponding set of investigation elements is obtained from historical investigation experience. For example, for the "phishing email" incident type, the set of investigation elements may include key information such as "email source," "click time," "attachment name," and "whether credentials were entered." These elements are the basis for determining the nature and scope of the incident.

[0113] Step 903: Compare the entity keywords with the set of investigation elements to determine the investigation elements missing from the answer parsing.

[0114] The entity keywords extracted in step 901 are compared one by one with the set of investigation elements determined in step 902 to identify key elements not covered by the current answer parsing. For example, if the answer mentions "email" and "attachment" but not the "email source," then "email source" is a missing investigation element that needs to be supplemented.

[0115] Step 904: Based on the missing investigation elements, identify the evidence items that need to be supplemented.

[0116] Based on the importance and context of the missing elements, the evidence items that need to be supplemented are determined. For example, if "email source" is missing, the evidence item should include an "email source" field so that it can later be linked and traced. If the answer already covers all key investigation elements, evidence items are generated directly from the existing entity keywords.

[0117] Step 905: Associate entity keywords with evidence items to form structured evidence items.

[0118] The entity keywords extracted in step 901 are associated with the evidence items determined in step 904 to construct structured evidence items. For example, entity keywords such as "Time: 15:00", "Action: Open email attachment", and "Result: See pop-up window" are combined into structured evidence items, along with metadata such as source (e.g., "user answer"), timestamp (e.g., the time of answer parsing), hash / signature (for verifying integrity), and processor (e.g., AI system). These structured evidence items are then linked with system-side log data (e.g., SIEM alarms, EDR records) to form an evidence chain, achieving evidence solidification and traceability. As shown in Table 1.

[0119] Table 1. Results of Evidence Item Generation

[0120] This embodiment utilizes natural language processing technology to extract entity keywords from response parsing, combines this with a set of investigation elements matched to security incident types to identify missing information, and then supplements and associates these elements to form structured evidence items. This achieves the technical effect of transforming unstructured user dialogue content into structured evidence data containing key entities and time attributes. The beneficial effect is that it can restore the entity relationships and evolution sequence of objects involved in security incidents, effectively improving the accuracy, completeness, and traceability of evidence. It provides a high-quality, auditable data foundation for subsequent security incident analysis, compliance audits, and experience review, solving the problem that traditional unstructured information is difficult to transform into verifiable evidence.
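As an added worked example serving both step 402 ([0069] and [0070]) and steps 901 to 905 (editorial code, not part of the application), the Python sketch below extracts time, object, action and result entities from the page's sample answer, orders the actions causally (a clause introduced by "after" happened first) to obtain the temporal edges, compares the answer against the element set for the "phishing email" type to list the missing elements, and emits a structured evidence item with source, timestamp, processor and a SHA-256 digest that a later integrity check recomputes. The lexicon- and regex-based extractor is a deliberately simple stand-in for the NER model and LLM the application describes; the element set, detectors, lexicons and the "phishing_email" type name are assumptions, and the answer is the page's own example used as a constructed transcript line.

```python
import hashlib
import json
import re
from typing import Any, Dict, List, Optional

# Lexicons for the rule-based stand-in; the application uses an NER model / LLM here.
ACTION_LEXICON = {"received": "receive", "receive": "receive", "opened": "open", "open": "open",
                  "clicked": "click", "click": "click", "downloaded": "download",
                  "appeared": "appear", "popped": "appear", "entered": "enter"}
OBJECT_LEXICON = {"email", "attachment", "computer", "link", "file", "website"}
RESULT_PATTERNS = {"pop-up window": re.compile(r"pop-?up"), "slow machine": re.compile(r"\bslow\b")}

# Step 902: investigation element set per incident type, with a detector per element that
# decides whether the answer already covers it (step 903).
ELEMENT_SETS = {"phishing_email": ["email_source", "click_time", "attachment_name", "credentials_entered"]}
ELEMENT_DETECTORS = {
    "email_source": re.compile(r"\bfrom\s+\S+@\S+|\bsender\b|\bfrom (?:a|an|the)\s+\w+", re.I),
    "click_time": re.compile(r"\b\d{1,2}(?::\d{2})?\s*(?:am|pm)\b|\b(?:[01]?\d|2[0-3]):[0-5]\d\b", re.I),
    "attachment_name": re.compile(r"\b[\w-]+\.(?:docx?|xlsx?|pdf|zip|exe|js)\b", re.I),
    "credentials_entered": re.compile(r"\bpassword\b|\bcredential|\blog(?:ged)?\s*in\b", re.I),
}


def normalize_time(text: str) -> Optional[str]:
    """'3 PM' -> '15:00', '3:30pm' -> '15:30', '15:00' -> '15:00'; None if no time is given."""
    m = re.search(r"\b(\d{1,2})(?::(\d{2}))?\s*(am|pm)\b", text, re.I)
    if m:
        hour = int(m.group(1)) % 12 + (12 if m.group(3).lower() == "pm" else 0)
        return f"{hour:02d}:{int(m.group(2) or 0):02d}"
    m = re.search(r"\b([01]?\d|2[0-3]):([0-5]\d)\b", text)
    return f"{int(m.group(1)):02d}:{m.group(2)}" if m else None


def extract_entities(answer: str) -> Dict[str, Any]:
    """Step 901 stand-in: time, object, action and result entities; actions are put in causal
    order (the clause after 'after' happened first) to build the temporal graph of [0070]."""
    lowered = answer.lower()
    words = re.findall(r"[a-z\-]+", lowered)
    objects = list(dict.fromkeys(w for w in words if w in OBJECT_LEXICON))
    actions: List[str] = []
    for clause in re.split(r",\s*|\s+and\s+", lowered):
        parts = clause.split(" after ", 1)
        for part in reversed(parts):
            actions += [ACTION_LEXICON[w] for w in re.findall(r"[a-z\-]+", part) if w in ACTION_LEXICON]
    results = [name for name, pat in RESULT_PATTERNS.items() if pat.search(lowered)]
    time = normalize_time(answer)
    base = time or "t0"
    timeline = [{"step": i, "action": a, "time": base if i == 0 else f"{base}+dt{i}"}
                for i, a in enumerate(actions)]
    edges = [[a, b] for a, b in zip(actions, actions[1:])]
    return {"time": time, "objects": objects, "actions": actions, "results": results,
            "edges": edges, "timeline": timeline}


def missing_elements(answer: str, incident_type: str) -> List[str]:
    """Step 903: elements of the incident type's set that the answer does not cover."""
    return [e for e in ELEMENT_SETS[incident_type] if not ELEMENT_DETECTORS[e].search(answer)]


def _digest(payload: Dict[str, Any], meta: Dict[str, Any]) -> str:
    return hashlib.sha256(json.dumps({"payload": payload, "meta": meta}, sort_keys=True).encode()).hexdigest()


def build_evidence_item(answer: str, incident_type: str, parsed_at: str,
                        processor: str = "ai-system") -> Dict[str, Any]:
    """Steps 904-905: structured item plus metadata; missing elements become empty fields
    to be filled by follow-up questions, and the digest is what integrity checks recompute."""
    ents = extract_entities(answer)
    missing = missing_elements(answer, incident_type)
    payload = {
        "incident_type": incident_type,
        "time": ents["time"],
        "action": " -> ".join(ents["actions"]),
        "result": ", ".join(ents["results"]) or None,
        "entities": {"objects": ents["objects"], "actions": ents["actions"]},
        "edges": ents["edges"],
        "timeline": ents["timeline"],
        "missing_elements": missing,
        "supplement": {e: None for e in missing},
    }
    meta = {"source": "user_answer", "timestamp": parsed_at, "processor": processor, "raw_answer": answer}
    return {"payload": payload, "meta": meta, "sha256": _digest(payload, meta)}


def verify_evidence_item(item: Dict[str, Any]) -> bool:
    return _digest(item["payload"], item["meta"]) == item["sha256"]


# Constructed transcript line: the example answer from [0066].
SAMPLE_ANSWER = ("I received an email around 3 PM, and a pop-up window appeared on my "
                 "computer after I opened the attachment.")
```

Running build_evidence_item on the sample answer yields time 15:00, the action chain receive -> open -> appear with edges receive→open and open→appear, the result "pop-up window", and three missing elements (email source, attachment name, whether credentials were entered) that the dialogue engine still has to ask for; only "click time" is covered by the "3 PM" mention.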

[0121] This application also provides an electronic device. Figure 8 is a schematic diagram of the structure of an electronic device provided in an embodiment of this application.

[0122] Typically, an electronic device 800 includes one or more processors 801 and one or more memories 802.

[0123] Processor 801 may include one or more processing cores, such as a quad-core processor, a hexa-core processor, etc. Processor 801 may be implemented using at least one hardware form selected from DSP (Digital Signal Processing), FPGA (Field-Programmable Gate Array), and PLA (Programmable Logic Array). Processor 801 may also include a main processor and a coprocessor. The main processor, also known as a CPU (Central Processing Unit), is used to process data in the wake-up state; the coprocessor is a low-power processor used to process data in the standby state. In some embodiments, processor 801 may integrate a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content to be displayed on the screen. In some embodiments, processor 801 may also include an AI (Artificial Intelligence) processor, which is used to handle computational operations related to machine learning.

[0124] The memory 802 may include one or more computer-readable storage media, which may be non-transitory. The memory 802 may also include high-speed random access memory and non-volatile memory, such as one or more disk storage devices or flash memory devices. In some embodiments, the non-transitory computer-readable storage media in the memory 802 are used to store at least one computer program, which is executed by the processor 801 to implement the communication investigation method provided in the method embodiments of this application.

[0125] Those skilled in the art will understand that the structure shown in Figure 8 does not constitute a limitation on the electronic device 800, which may include more or fewer components than shown, combine certain components, or use a different component arrangement.

[0126] In addition, the electronic device provided in the embodiments of this application may be a chip, component or module. The chip may include a processor and a memory connected to it. The memory is used to store instructions. When the processor calls and executes the instructions, the chip can execute the communication investigation method provided in the above embodiments.

[0127] This embodiment also provides a computer-readable storage medium storing computer program code. When the computer program code is run on a computer, the computer executes the aforementioned method steps to implement the communication investigation method provided in the above embodiment.

[0128] This embodiment also provides a computer program product that, when run on a computer, causes the computer to perform the aforementioned steps to implement the communication investigation method provided in the above embodiment.

[0129] In this embodiment, the device, computer-readable storage medium, computer program product, or chip are all used to execute the corresponding methods provided above. Therefore, the beneficial effects they can achieve can be referred to the beneficial effects in the corresponding methods provided above, and will not be repeated here.

[0130] Through the above description of the embodiments, those skilled in the art will understand that, for the sake of convenience and brevity, only the division of the above functional modules is used as an example. In actual applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the device can be divided into different functional modules to complete all or part of the functions described above.

[0131] In the embodiments provided in this application, it should be understood that the disclosed apparatus and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of modules or units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another apparatus, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between apparatuses or units may be electrical, mechanical, or other forms.

[0132] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

Claims

1. A communication investigation method, characterized in that the method includes: in response to a received security incident, performing an integrity assessment on the security incident to determine the set of investigation objectives and response actions; based on the aforementioned investigation objectives, action plan and a pre-defined disclosure strategy, determining the interactive data collection standards; based on the aforementioned interaction collection standard, collecting the interaction content with the target user to determine the chain of evidence, where the target user indicates the user who is related to the security incident and needs to be investigated; and based on the set of investigation objectives and actions and the chain of evidence, generating communication investigation results.

2. The method of claim 1, wherein determining the interactive data collection standards based on the set of investigation objectives and actions and a pre-defined disclosure strategy includes: based on the aforementioned investigation objectives and action set, determining the minimum question sequence; based on the preset disclosure strategy, generating a frozen context, which is used to limit the scope of information that is allowed to be disclosed to respondents during the investigation process; and based on the minimum question sequence and the frozen context, determining the interactive acquisition criteria.

3. The method of claim 1, wherein collecting the interaction content with the target user based on the aforementioned interaction collection standard and determining the chain of evidence includes: based on the minimum question sequence and frozen context of the interaction acquisition standard, acquiring the interaction content with the target user and parsing the answer; obtaining evidence items by performing structured processing on the parsed responses; and associating the evidence items with the security event data to determine the chain of evidence.

4. The method of claim 1, wherein, in response to a received security incident, performing an integrity assessment of the security incident to determine the investigation objectives and a set of appropriate actions includes: in response to the received security event data, performing an integrity assessment on the security event data to obtain the assessment result; and when the assessment result indicates the existence of an information gap, determining the set of investigation objectives and corresponding actions.

5. The method of claim 2, wherein determining the minimum question sequence based on the set of investigation objectives and actions includes: based on the set of investigation objectives and actions, establishing a mapping table between objectives and evidence, the mapping table indicating the correspondence between investigation objectives and the evidence to be verified; based on the mapping table, obtaining a dialogue termination standard, which includes a preset evidence sufficiency threshold; obtaining the alarm context by extracting key information from the security event; based on the event type of the security event and the alarm context, using a retrieval-augmented generation method to perform vector retrieval to obtain the associated historical investigation experience; and based on the dialogue termination criteria and the associated historical investigation experience, determining the minimum question sequence.

6. The method of claim 2, wherein generating a frozen context based on a preset disclosure strategy includes: based on the preset disclosure strategy, determining the information classification and constraint rules of candidate information, where the candidate information refers to a set of information that contains all the sensitive details of the security event before external interaction and has not been pruned by the disclosure strategy; based on the information classification and constraint rules, pruning and generalizing the candidate information to obtain the pruned security external context; and based on the pruned security external context, performing a versioned persistence process and freezing the context to generate the frozen context.

7. The method of claim 1, wherein, after determining the interactive data collection standards, the method further includes: based on the security incident, confirming the identity information of the target user; based on the target user's identity information, verifying the preset permission configuration to confirm the target user to be contacted; based on the set of investigation objectives and action plans, extracting the action plans requested of the target user to be contacted; based on a preset whitelist of actions, determining whether the action is within the allowed execution range; when the action is marked as a high-risk operation or is outside the permitted scope, triggering a manual review process; in response to a passing result of the manual review process, obtaining the interaction content of the target user, where the interaction content is obtained by initiating a multi-round dialogue with the target user related to the security incident through at least one of a telephone channel or an instant messaging channel; and if the manual review fails, transferring the security incident to a human security officer for handling.

8. The method of claim 1, wherein, in response to a received security incident, performing an integrity assessment of the security incident to determine the investigation objectives and a set of appropriate actions includes: in response to a received security event, obtaining the alarm context of the security event; based on the alarm context, obtaining related historical investigation cases, which are retrieved from the historical case database and matched with the security event using retrieval-augmented generation technology; based on the aforementioned related historical investigation cases, determining the historical investigation elements; comparing the historical investigation elements with the currently acquired security incident data to obtain the comparison results; based on the comparison results, determining that there is an information gap in the security incident, the information gap indicating the missing investigation elements in the identified security incident; and based on the information gap in the aforementioned security incident, determining the set of investigation objectives and response actions.

9. The method according to claim 3, characterized in that obtaining the evidence items by structured processing of the parsed responses includes: based on the parsed answer, extracting entity keywords, where the entity keywords represent the limitations of the objects involved in the security incident; based on the event type of the security incident, determining the corresponding set of investigation elements; comparing the entity keywords with the set of investigation elements to determine the investigation elements missing from the parsed answer; based on the missing investigation elements, identifying the evidence items that need to be supplemented; and associating the entity keywords with the evidence items to form structured evidence items.

10. The method according to claim 7, characterized in that the method further includes: when the target user is identified as committing to a time-delayed action during the multi-turn dialogue, determining the action and the corresponding estimated completion time; in response to the estimated completion time being reached, initiating a review confirmation to the target user and obtaining a review result, which is used to confirm the execution of the action; obtaining an updated chain of evidence by updating the review result into the chain of evidence; and if the review result indicates that the action has failed, escalating the security incident to manual follow-up.