A deep learning-based penetration testing automation system and method

By using a deep learning-based penetration testing automation system, terminal code data is collected and analyzed in real time, a deep learning model is built, and a comprehensive risk index is generated. This solves the problem of risk assessment that cannot be dynamically monitored in existing technologies, and enables efficient and accurate assessment of the security status of terminals.

CN122247762A | Pending | Publication Date: 2026-06-19 | WUXI UNIV +1

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Applications (China)
Current Assignee / Owner: WUXI UNIV
Filing Date: 2026-05-21
Publication Date: 2026-06-19

AI Technical Summary

Technical Problem

Existing penetration testing techniques cannot perform dynamic and continuous risk monitoring under real-world operating conditions, making it difficult to cope with real-time virus attacks and vulnerability exploitation behaviors, resulting in risk assessment results that do not match the actual security status of the endpoint.

Method used

By using a deep learning-based penetration testing automation system, terminal code data is collected in real time, historical and real-time data are analyzed, a deep learning model is built, and a comprehensive risk index is generated, enabling multi-dimensional and dynamic continuous monitoring of the terminal's security status.

Benefits of technology

It improves the targeting and accuracy of risk assessment, enabling it to respond to real-time attacks and potential vulnerability exploits, and reducing the deviation between assessment results and the actual security situation.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention provides an automated penetration testing system and method based on deep learning, relating to the field of cybersecurity technology. It includes: a data acquisition module that collects historical and real-time code data from the terminal; a data analysis module that determines the basic vulnerability score, time score, virus indicator parameters, and a baseline value for the virus attack coefficient; a model building and simulation module that outputs a real-time vulnerability risk index; a data processing module that integrates the baseline value for the virus attack coefficient, the real-time attack coefficient, and the real-time vulnerability risk index to generate a comprehensive risk index; and a risk determination module that determines the risk level through threshold comparison. This invention does not rely on a simulation environment, uses the terminal's own historical data as a baseline to calibrate risk, achieves multi-dimensional dynamic security monitoring, solves the problems of data distortion and large evaluation bias in traditional detection methods, and improves the real-time performance, accuracy, and automation level of penetration testing.

Description

Technical Field

[0001] This invention relates to the field of cybersecurity technology, specifically to an automated penetration testing system and method based on deep learning.

Background Technology

[0002] Deep learning-based penetration testing automation systems and methods are automated penetration testing solutions implemented using deep learning algorithms and models. By analyzing and understanding the characteristics of the target system, they automatically generate and execute penetration test cases, identify potential security vulnerabilities, and provide remediation suggestions. The core idea of this system is to apply deep learning technology to all aspects of penetration testing, thereby improving the efficiency, accuracy, and coverage of penetration testing.

[0003] Most existing penetration testing techniques rely on manual operation or traditional machine learning methods. While these can identify and classify network and vulnerability information of target objects to a certain extent, they often fail to comprehensively and efficiently assess the overall security status of a system. For example, a machine learning-based penetration testing method, apparatus, device, and storage medium, authorized by CN112733146B, acquires network and vulnerability information of target objects; analyzes the network information of target objects to obtain an initial set of penetration test case rules and a target machine learning model; uses the target machine learning model to identify and classify the initial set of penetration test case rules and vulnerability information to obtain target penetration test cases that conform to the penetration testing scenario; sends the target penetration test cases to a test terminal, enabling the test terminal to execute the target penetration test cases in a preset simulation environment, obtain penetration test results, and generate a penetration test report based on the penetration test results.

[0004] However, the following shortcomings still exist: Existing penetration testing methods need to execute test cases in a preset simulation environment, and cannot directly obtain and analyze historical and real-time code data generated by the test terminal in the real running state. Therefore, they can only complete phased and offline security testing, and cannot perform dynamic and continuous risk monitoring of the terminal's running state. They are unable to cope with real-time virus attacks and vulnerability exploitation behaviors, and the risk assessment results deviate from the actual security status of the terminal.

[0005] The information disclosed in the background section is only intended to enhance the understanding of the background of this disclosure, and therefore may include information that does not constitute prior art known to those skilled in the art.

Summary of the Invention

[0006] The purpose of this invention is to provide an automated penetration testing system and method based on deep learning to solve the problems mentioned in the background art.

[0007] To achieve the above objectives, the present invention provides the following technical solution: A deep learning-based penetration testing automation system includes:

The data acquisition module is used to collect code data from the test terminal in real time and filter out historical code data from multiple historical time periods as well as real-time code data of the same duration before the current moment.

The data analysis module is used to analyze historical and real-time code data, obtain the basic score and time score of each vulnerability, and obtain the virus indicator parameters of each vulnerability. Based on the expert scoring method, the vulnerability risk index corresponding to the historical code data is determined, and based on the virus indicator parameters corresponding to the historical code data, the baseline value of the virus attack coefficient is determined.

The model building and simulation module is used to build a deep learning network model. It takes the base score and time score of vulnerabilities in historical code data as input and the corresponding vulnerability risk index as the label output to train the deep learning network model. It takes the base score and time score of vulnerabilities in real-time code data as input to the trained deep learning network model to obtain the corresponding real-time vulnerability risk index.

The data processing module is used to process the virus indicator parameters corresponding to the real-time code data, generate the real-time attack coefficient, and combine the virus attack coefficient benchmark value, the real-time attack coefficient and the real-time vulnerability risk index to generate a comprehensive risk index.

The risk determination module is used to compare the comprehensive risk index with a preset comprehensive risk index threshold, and determine the risk level of the test terminal code data based on the comparison result.

[0008] Furthermore, the basic score of a vulnerability is specifically quantified by assessing its impact and difficulty of exploitation, based on the following formula: in, As the base score for vulnerabilities, To determine the scope of the vulnerability, The difficulty of exploiting the vulnerability; The time score for a vulnerability is specifically quantified using the duration of vulnerability exposure and the time required to patch it, based on the following formula: in, Rate the time of the vulnerability. For the duration of vulnerability exposure, For vulnerability remediation time, The weighting coefficient for vulnerability exposure duration. As a weighting factor for vulnerability remediation time, Under the condition that, let .

[0009] Furthermore, based on the virus indicator parameters corresponding to historical code data, a baseline value for the virus attack coefficient is determined, according to the following logic: Among them, virus indicator parameters include attack frequency, average duration of a successful attack, and attack success rate. in, This represents the historical attack coefficient. The attack frequency of historical code data. The average duration of a successful attack based on historical code data. The attack success rate based on historical code data. The weighting coefficient for attack frequency. This is a weighting factor for the average duration of a successful attack. As a weighting coefficient for the attack success rate, in Under the condition that, let .

[0010] Furthermore, based on historical attack coefficients, a baseline value for the virus attack coefficient is obtained, using the following formula: in, This serves as the baseline value for the virus attack coefficient. The normalization coefficient is... .

[0011] Furthermore, the virus indicator parameters corresponding to the real-time code data are processed to generate real-time attack coefficients, based on the following formula: in, This represents the real-time attack coefficient. The attack frequency is based on real-time code data. The average duration of a successful attack based on real-time code data. This refers to the attack success rate based on real-time code data.

[0012] Furthermore, by combining the baseline value of the virus attack coefficient, the real-time attack coefficient, and the real-time vulnerability risk index, a comprehensive risk index is obtained, based on the following formula: in, As a comprehensive risk index, This is a real-time vulnerability risk index.

[0013] Furthermore, the comprehensive risk index is compared with a preset comprehensive risk index threshold, and the risk level of the test terminal code data is determined based on the comparison result. The specific logic is as follows: like If the comprehensive risk index is less than or equal to the comprehensive risk index threshold, then the test terminal code data is at a low risk level. when If the comprehensive risk index is greater than the comprehensive risk index threshold, then the test terminal code data is at a high risk level. in, This is the threshold for the comprehensive risk index.

[0014] To achieve the above objectives, the present invention also provides the following technical solution: A deep learning-based penetration testing automation method, wherein the method is executed by any of the aforementioned deep learning-based penetration testing automation systems, and the specific steps include:

S1. Collect code data from the test terminal in real time, and filter out historical code data from multiple historical time periods and real-time code data of the same duration before the current moment.

S2. Analyze historical and real-time code data to obtain the basic score and time score of each vulnerability, and obtain the virus indicator parameters of each vulnerability. Determine the vulnerability risk index corresponding to the historical code data based on the expert scoring method, and determine the benchmark value of the virus attack coefficient based on the virus indicator parameters corresponding to the historical code data.

S3. Construct a deep learning network model, take the basic score and time score of the vulnerability in the historical code data as input, and the corresponding vulnerability risk index as the label output, train the deep learning network model, and input the basic score and time score of the vulnerability in the real-time code data into the trained deep learning network model to obtain the corresponding real-time vulnerability risk index.

S4. Process the virus indicator parameters corresponding to the real-time code data to generate the real-time attack coefficient, and combine the virus attack coefficient benchmark value, the real-time attack coefficient and the real-time vulnerability risk index to generate a comprehensive risk index.

S5. Compare the comprehensive risk index with the preset comprehensive risk index threshold, and determine the risk level of the test terminal code data based on the comparison results.

[0015] Compared with the prior art, the beneficial effects of the present invention are: This invention collects real-time code data from the terminal through a data acquisition module, filters out historical and real-time code data, and directly obtains real-time running data without relying on a simulation environment. This overcomes the limitations of traditional offline phased detection and improves the authenticity and timeliness of the data. By using the data analysis module to determine the baseline value of the virus attack coefficient based on its own historical data, the real-time attack intensity and vulnerability risk level are calibrated, forming an assessment system of "personalized baseline + real-time dynamic assessment". This solves the problem of misjudgment caused by the mismatch between general security standards and the actual protection capabilities of the terminal, and significantly improves the pertinence and accuracy of risk assessment. By training a deep learning model through model building and simulation modules, the real-time vulnerability risk index is dynamically predicted and then integrated with the benchmark values of real-time attack coefficient and virus attack coefficient to generate a comprehensive risk index. This enables multi-dimensional, dynamic, and continuous monitoring of the terminal security status, and can simultaneously respond to real-time attack behaviors and potential vulnerability exploitation, significantly reducing the deviation between the assessment results and the actual security situation.

Attached Figure Description

[0016] Figure 1 is a block diagram of the modules of the present invention; Figure 2 is a schematic diagram of the overall method flow of the present invention.

Detailed Implementation

[0017] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be further described in detail below with reference to specific embodiments.

[0018] It should be noted that, unless otherwise defined, the technical or scientific terms used in this invention should have the ordinary meaning understood by one of ordinary skill in the art to which this invention pertains. The terms "first," "second," and similar terms used in this invention do not indicate any order, quantity, or importance, but are merely used to distinguish different components. Terms such as "comprising" or "including" mean that the element or object preceding the word encompasses the elements or objects listed following the word and their equivalents, without excluding other elements or objects. Terms such as "connected" or "linked" are not limited to physical or mechanical connections, but can include electrical connections, whether direct or indirect. Terms such as "upper," "lower," "left," and "right" are used only to indicate relative positional relationships; when the absolute position of the described object changes, the relative positional relationship may also change accordingly.

[0019] Example: Referring to Figure 1, the present invention provides a technical solution: a deep learning-based penetration testing automation system, which includes the following modules. The data acquisition module is used to collect code data from the test terminal in real time and filter out historical code data from multiple historical time periods as well as real-time code data of the same duration before the current moment. Real-time code data refers to code execution data collected in real time from the actual operating environment of the test terminal, with the current detection time as the cutoff time and a backward selection of the same duration as the historical time period. It is used to reflect the latest vulnerability status and virus attack behavior of the terminal.

[0020] The data analysis module is used to analyze historical and real-time code data, obtain the basic score and time score of each vulnerability, and obtain the virus indicator parameters of each vulnerability. Based on the expert scoring method, the vulnerability risk index corresponding to the historical code data is determined, and based on the virus indicator parameters corresponding to the historical code data, the baseline value of the virus attack coefficient is determined. Based on the above embodiments, the basic score of a vulnerability is specifically quantified using the vulnerability's impact scope and exploitation difficulty, according to the following formula: in, The basic score is used to quantify the inherent risk of a vulnerability by combining two indicators: the scope of its impact and the difficulty of its exploitation. The higher the basic score, the wider the potential harm of the vulnerability and the easier it is for attackers to exploit it, resulting in a higher overall risk.

[0021] In the formula, To determine the scope of the vulnerability, The difficulty of exploiting the vulnerability; Based on the above, it should be noted that: The scope of impact of a vulnerability refers to the number of system modules, data range, business functions, and user privilege coverage that may affect the test terminal after the vulnerability is successfully exploited. It is used to characterize the breadth of the potential harm caused by the vulnerability.

[0022] Vulnerabilities are categorized into three levels based on their impact scope: if only a single non-core function or local module is affected, corresponding to Level 1, the impact scope of the vulnerability is assigned a value of 0.1; if the vulnerability affects multiple ordinary modules or parts of the business process, corresponding to Level 2, the impact scope of the vulnerability is assigned a value of 0.2; if the vulnerability affects core systems, sensitive data, or global privileges, corresponding to Level 3, the impact scope is assigned a value of 0.3.

[0023] The exploitation difficulty of a vulnerability refers to the technical threshold, operational steps, and environmental dependence required for an attacker to successfully trigger and exploit the vulnerability to carry out an attack under normal conditions. It is used to measure how easy or difficult it is for a vulnerability to be actually exploited.

[0024] Based on the difficulty of exploiting them, vulnerabilities are divided into three levels: if no special privileges, complex operations, or specific environment are required, so that ordinary attackers can easily trigger and exploit the vulnerability, this corresponds to Level 1, and the exploitation difficulty of the vulnerability is assigned a value of 0.3; if standard operating procedures, ordinary user privileges, or a specific configuration environment are required, and a certain technical threshold must be met to exploit it, this corresponds to Level 2, and the exploitation difficulty of the vulnerability is assigned a value of 0.2; if advanced administrative privileges, professional attack techniques, or a demanding system environment are required, making it difficult to exploit using conventional methods, this corresponds to Level 3, and the exploitation difficulty of the vulnerability is assigned a value of 0.1.

[0025] Based on the above, it should be noted that: The larger the impact range value, the wider the vulnerability's harm and the higher the base score; the larger the exploit difficulty value, the easier the vulnerability is for attackers to exploit, and the higher the base score. Therefore, the base score is positively correlated with both the impact range and the exploit difficulty.

[0026] The inherent risk of a vulnerability is not simply the sum of its scope of impact and the difficulty of exploitation, but rather the two are coupled and jointly determined. The scope of impact of a vulnerability represents the "breadth of harm," while the difficulty of exploitation represents the "ease of being exploited." The two are linked, so multiplication can be used to accurately reflect the impact of this linkage on the inherent risk of a vulnerability.

[0027] Based on the above embodiments, the vulnerability time score is specifically quantified using the vulnerability exposure duration and vulnerability remediation time, according to the following formula: in, The vulnerability time score combines two indicators: vulnerability exposure time and vulnerability remediation time, to quantify the cumulative risk of the vulnerability over time. The higher the vulnerability time score, the longer the vulnerability has been exposed and the longer the remediation time is, resulting in a higher cumulative risk over time and a greater likelihood of it being detected and exploited.

[0028] In the formula, For the duration of vulnerability exposure, This is the time allotted for vulnerability remediation. Based on the above, it should be noted that: Vulnerability exposure time refers to the time interval from the emergence of a vulnerability to its first discovery. It is used to characterize the duration during which a vulnerability remains unidentified and in an exploitable state for an extended period.

[0029] Based on version control systems, system build logs, or vulnerability scanning records, locate the timestamp of the first introduction of the vulnerability and record it as the vulnerability occurrence time; then, obtain the timestamp of the first discovery of the vulnerability by security tools, manual audits, or third-party public disclosure from vulnerability management platforms, security alert logs, or vulnerability databases and record it as the vulnerability discovery time; the difference between the two is the vulnerability exposure duration. Vulnerability remediation time refers to the time interval from the discovery of a vulnerability to its remediation. It is used to characterize the efficiency of vulnerability remediation from identification to elimination and the duration of ongoing risk.

[0030] Starting from the vulnerability discovery time, obtain the timestamps from the vulnerability ticket system, patch submission records, or system deployment logs when the vulnerability patch is merged, deployed and takes effect, or the vulnerability status is marked as "fixed". Record these timestamps as the vulnerability fix completion time; the difference between the two timestamps is the vulnerability fix time.

[0031] Among them, the longer the vulnerability is exposed, the longer the vulnerability remains undiscovered and unaddressed in the system, giving attackers a longer window of opportunity to probe and exploit it, thus resulting in a higher cumulative risk over time. The longer it takes to patch a vulnerability, the longer it remains exploitable after it has been discovered, and the greater the potential for malicious exploitation and risk. The risk increases accordingly over time.

[0032] Therefore, both vulnerability exposure duration and vulnerability remediation time are positively correlated with vulnerability time score. That is, the larger the values of both, the higher the time score and the more significant the cumulative risk over time.

[0033] The exposure duration and the remediation time correspond to two consecutive and non-overlapping risk stages in the vulnerability lifecycle. Their risk contributions are independent of each other. Although they are sequential in time and have different sources of risk, their effects can be linearly accumulated. Therefore, by linearly adding the exposure duration and the remediation time, we can simultaneously quantify the contribution of the exposure duration and the remediation time to the cumulative risk over time.

[0034] In the formula, The weighting coefficient for vulnerability exposure duration. Weighting coefficient for vulnerability remediation time; The exposure time of a vulnerability corresponds to an undiscovered, hidden risk. During this stage, the vulnerability remains in the system for a long time without any protection or monitoring measures. Attackers can perform indiscriminate scanning, detection, and exploitation. The risk is hidden, uncontrollable, and highly uncertain. Once exploited, it often causes serious consequences.

[0035] The vulnerability patching time corresponds to the existing risks that have been discovered. The vulnerability has been identified and is usually accompanied by temporary protective measures, monitoring alerts or special handling procedures. The difficulty for attackers to exploit it has increased significantly, the risk is under control, and the probability of exploitation and potential impact are lower than in the exposure stage.

[0036] Therefore, in Under the condition that, let ; As one implementation method, The value range is an open interval of 0.5-1.0. The value range is an open interval of 0-0.5. The specific value is set by technical personnel according to the actual situation and is not restricted here.
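The scoring of paragraphs [0020] to [0036], as an added example that is not part of the patent text: it derives exposure duration and remediation time from timestamps as in [0029] and [0030], maps the levels of [0022] and [0024] to their values, multiplies them for the base score ([0026]) and adds the weighted durations for the time score ([0033]). The record fields, function names, days as the time unit and the default weights 0.7 and 0.3 are assumptions. Because the formula symbols are missing from this page, the 0.5-1.0 range is read as the exposure weight and the 0-0.5 range as the remediation weight, following the argument in [0034] and [0035].

```python
from datetime import datetime

# Level-to-value tables from paragraphs [0022] and [0024].
IMPACT_SCOPE = {1: 0.1, 2: 0.2, 3: 0.3}
# Level 1 is the easiest to exploit, so it carries the largest value.
EXPLOIT_DIFFICULTY = {1: 0.3, 2: 0.2, 3: 0.1}

# Constructed sample records (hypothetical field names, not real findings).
SAMPLE_VULNS = [
    {"id": "VULN-A", "impact_level": 3, "difficulty_level": 1,
     "introduced": "2026-01-01T00:00:00",
     "discovered": "2026-01-31T00:00:00",
     "fixed": "2026-02-10T00:00:00"},
    {"id": "VULN-B", "impact_level": 1, "difficulty_level": 3,
     "introduced": "2026-03-01T00:00:00",
     "discovered": "2026-03-03T00:00:00",
     "fixed": "2026-03-04T00:00:00"},
]


def base_score(impact_level, difficulty_level):
    """Base score as the product of impact scope and exploitation difficulty."""
    return IMPACT_SCOPE[impact_level] * EXPLOIT_DIFFICULTY[difficulty_level]


def lifecycle_days(introduced, discovered, fixed):
    """Return (exposure_days, remediation_days) from three ISO timestamps.

    Exposure runs from introduction to first discovery; remediation runs
    from discovery to the fix taking effect. Days are an assumed unit.
    """
    t_intro, t_disc, t_fix = (
        datetime.fromisoformat(t) for t in (introduced, discovered, fixed)
    )
    if not t_intro <= t_disc <= t_fix:
        raise ValueError("expected introduced <= discovered <= fixed")
    day = 86400.0
    return ((t_disc - t_intro).total_seconds() / day,
            (t_fix - t_disc).total_seconds() / day)


def time_score(exposure_days, remediation_days,
               w_exposure=0.7, w_remediation=0.3):
    """Weighted linear sum of the two lifecycle durations."""
    # Open intervals from [0036]; the mapping to each weight is an assumption.
    if not (0.5 < w_exposure < 1.0 and 0.0 < w_remediation < 0.5):
        raise ValueError("weights outside the ranges given in [0036]")
    return w_exposure * exposure_days + w_remediation * remediation_days


def score_all(vulns):
    """Compute both model inputs for every vulnerability record."""
    rows = []
    for v in vulns:
        exposure, remediation = lifecycle_days(
            v["introduced"], v["discovered"], v["fixed"])
        rows.append({
            "id": v["id"],
            "base_score": base_score(v["impact_level"], v["difficulty_level"]),
            "time_score": time_score(exposure, remediation),
        })
    return rows


if __name__ == "__main__":
    for row in score_all(SAMPLE_VULNS):
        print(row)
```
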

[0037] Based on the above embodiments, a baseline value for the virus attack coefficient is determined based on the virus indicator parameters corresponding to historical code data. The logic behind this is as follows: Among them, virus indicator parameters include attack frequency, average duration of a successful attack, and attack success rate. in, The historical attack coefficient is used to quantitatively characterize the overall activity, persistence, and success rate of virus attacks in a historical environment by combining three indicators: attack frequency, average duration of successful attacks, and attack success rate. The larger the historical attack coefficient, the higher the overall intensity of virus attacks in the historical environment.

[0038] In the formula, The attack frequency of historical code data. The average duration of a successful attack based on historical code data. The attack success rate based on historical code data; Based on the above, it should be noted that: Attack frequency refers to the total number of virus attacks against the test terminal within a statistical period, used to characterize the activity level of the attack. Based on security logs, firewall logs, and intrusion detection system alarm logs, the attack frequency is obtained by counting all events that trigger virus attack characteristics according to statistical periods, such as 1 hour / 1 day.

[0039] Average successful attack duration refers to the average duration of each successful virus attack from start to finish within a statistical period, used to characterize the persistence and depth of harm of the attack. Extract all events marked as "attack successful" from the logs, record the start and end timestamps of each attack, calculate the duration of each attack, and then take the arithmetic mean of the durations of all successful attacks.

[0040] Attack success rate refers to the proportion of successful virus attacks to the total number of attacks within a statistical period. It is used to characterize the effectiveness of attack behavior and the weakness of system protection capabilities. The success rate is the ratio of the number of successful attacks to the total number of attacks within the statistical period.

[0041] Based on the above, it should be noted that: A higher attack frequency indicates more frequent virus attacks against the target system within the statistical period, higher attack activity, greater attack pressure on the system, and higher overall attack intensity. Therefore, attack frequency is positively correlated with historical attack coefficients.

[0042] The longer the average duration of a successful attack, the longer the impact of a single successful attack on the system and the deeper the damage. Attackers are able to perform operations such as data theft, privilege escalation, or lateral movement for a longer period, resulting in more severe actual harm. Therefore, the longer the duration, the greater the actual impact of the attack and the higher the historical attack coefficient; the two are positively correlated.

[0043] A higher attack success rate indicates a weaker ability of the target system's protection mechanisms to intercept virus attacks, making it easier for attackers to succeed. This results in poorer overall system protection effectiveness and a greater actual threat from the attack. Therefore, a higher attack success rate correlates with a higher actual risk to the system and a higher historical attack coefficient.

[0044] Among them, attack frequency, average successful attack duration, and attack success rate represent attack intensity from three independent dimensions: "attack activity", "harm persistence", and "attack effectiveness". The risk sources of the three do not overlap, and their contributions to the overall attack intensity can be linearly superimposed without nonlinear coupling effects. Therefore, the linear model can truly reflect the independent influence of each dimension.

[0045] Therefore, the above linear function is used to express the functional relationship between historical attack coefficients, attack frequency, average successful attack duration, and attack success rate.

[0046] In the formula, The weighting coefficient for attack frequency. This is a weighting factor for the average duration of a successful attack. This is a weighting coefficient for the attack success rate; Among these factors, the attack success rate directly reflects the effectiveness of the system's protection mechanisms, determining whether an attack can cause actual harm to the system. A higher success rate indicates a weaker protection system, and a greater probability that the attack threat transforms from "potential possibility" into "actual damage," making it the most critical factor determining the overall attack strength. Therefore, to reflect its core impact, it is assigned... Highest weight.

[0047] The average duration of a successful attack determines the actual scale of harm caused by a single attack: the longer the duration, the greater the space for attackers to steal data, escalate privileges, and perform lateral movement, resulting in higher depth of harm and potential losses. This metric is directly related to the actual destructive power of an attack, and its importance is second only to the attack success rate; therefore, it is given significant weight. Second highest weight.

[0048] Attack frequency only reflects the activity level of attack behavior and is not directly equivalent to actual harm: frequent attacks that are all blocked have limited actual impact on the system. Therefore, its contribution to the overall attack strength is weaker than the attack success rate and the average duration of a successful attack, hence it is assigned... Lowest weight.

[0049] Therefore, in Under the condition that, let .

[0050] As one implementation method, The value range is an open interval of 0.1-0.3. The value range is an open interval of 0.3-0.4. The value range is an open interval of 0.4-0.6. The specific value is set by the technical personnel according to the actual situation and is not restricted here.

[0051] Based on the above embodiments, the vulnerability risk index corresponding to historical code data is determined using an expert scoring method. The specific logic is as follows: based on the base score and time score of each vulnerability in the historical code data, security experts comprehensively score the risk level of each vulnerability according to its actual hazard scenarios and industry protection standards. Then, through weighted aggregation, a vulnerability risk index corresponding to the historical code data is calculated to quantify the overall risk level of vulnerabilities in historical environments.

[0052] Based on the above embodiments, a baseline value for the virus attack coefficient is obtained based on historical attack coefficients, using the following formula: in, This serves as the baseline value for the virus attack coefficient. The normalization coefficient is... ; Based on the above, it should be noted that: The historical attack coefficient is a comprehensive attack strength value calculated based on historical data. It reflects the average attack risk level of the system in long-term operation and is the core basis for constructing the benchmark value. Therefore, the benchmark value must be calculated directly based on the historical attack coefficient.

[0053] There may be statistical discrepancies between historical data and the current system environment, necessitating the introduction of correction factors for calibration. Using a multiplicative approach allows for direct proportional scaling of the overall attack strength, preserving the risk distribution characteristics of historical data while allowing for adjustments. It can quickly adapt to the current environment and avoid the interpretability problems caused by complex nonlinear correction models.

[0054] when At this time, the baseline value is equal to the historical attack coefficient, which is suitable for scenarios where the system environment does not change significantly; when When the baseline value is higher than the historical level, it is suitable for scenarios where the system's protection capabilities are reduced and the risk of attacks is increased, and can improve the sensitivity of security warnings; when When the baseline value is lower than the historical level, it is suitable for scenarios where system protection is upgraded and attack risks are reduced, and can avoid unnecessary false alarms.

[0055] Normalization coefficient The purpose of this is to correct minor deviations between historical data and the current system environment, rather than completely reconstructing the baseline value. According to the principle of statistical significance, deviations within ±10% can be considered normal fluctuations caused by adjustments to system configuration and security policies; if the deviation exceeds ±10%, it indicates that the system has undergone structural changes, at which point historical data is no longer valuable. Therefore, the normalization coefficient... The value range is set to .

[0056] The model building and simulation module is used to build a deep learning network model. It takes the base score and time score of vulnerabilities in historical code data as input and the corresponding vulnerability risk index as the label output to train the deep learning network model. It takes the base score and time score of vulnerabilities in real-time code data as input to the trained deep learning network model to obtain the corresponding real-time vulnerability risk index.

Based on the above embodiments, the deep learning network model is constructed using a deep learning network based on a multilayer perceptron. The deep neural network of the multilayer perceptron includes an input layer, a first hidden layer, a second hidden layer, a third hidden layer, and an output layer. The first hidden layer, the second hidden layer, and the third hidden layer each have at least two neurons and all use ReLU (Rectified Linear Unit) as the activation function.

The basic score and time score of vulnerabilities in historical code data are collected, along with the corresponding vulnerability risk index. Multiple sets of samples are constructed and divided into a training set, a validation set, and a test set in a 7:2:1 ratio. The training set is used for learning model parameters; the validation set is used to adjust hyperparameters during training to prevent overfitting; and the test set is used to evaluate the generalization ability of the model after training.

The structure of a deep learning network using a multilayer perceptron is as follows:
Input layer: receives the base score and time score of vulnerabilities in the code data;
First hidden layer: has 128 neurons, using ReLU as the activation function;
Second hidden layer: has 64 neurons, also using ReLU activation function;
Third hidden layer: has 32 neurons, using ReLU activation function;
Output layer: has 1 neuron, outputting the vulnerability risk index.

The training process of the deep learning network model is as follows: using the base score and time score of vulnerabilities in historical code data as input, and the corresponding vulnerability risk index as the label output, the mean absolute error loss function is selected, and the deep learning network model is iteratively updated through the backpropagation algorithm. When the model loss value is within the range and the loss does not decrease significantly for 20 consecutive training epochs, the deep learning network model is considered to have converged and training is stopped.

[0057] The data processing module is used to process the virus indicator parameters corresponding to the real-time code data, generate the real-time attack coefficient, and combine the virus attack coefficient benchmark value, the real-time attack coefficient and the real-time vulnerability risk index to generate a comprehensive risk index. Based on the above embodiments, the virus indicator parameters corresponding to the real-time code data are processed to generate real-time attack coefficients, using the following formula: in, This represents the real-time attack coefficient. The attack frequency is based on real-time code data. The average duration of a successful attack based on real-time code data. The success rate of attacks based on real-time code data; Based on the correlation between the historical attack coefficient and attack frequency, average successful attack duration, and attack success rate, the calculation logic of the real-time attack coefficient is consistent with that of the historical attack coefficient: attack frequency, average successful attack duration, and attack success rate are all positively correlated with the real-time attack coefficient, and the three represent the intensity of real-time virus attacks from three independent dimensions: "attack activity", "persistence of harm", and "attack effectiveness". The risk contributions can be linearly superimposed, and there is no nonlinear coupling effect.

[0058] Based on the above embodiments, a comprehensive risk index is obtained by combining the baseline value of the virus attack coefficient, the real-time attack coefficient, and the real-time vulnerability risk index. The formula used is as follows: in, The comprehensive risk index combines three indicators: the baseline value of the virus attack coefficient, the real-time attack coefficient, and the real-time vulnerability risk index. It comprehensively assesses the overall security risk status of the test terminal. The higher the comprehensive risk index, the higher the overall security risk faced by the test terminal, and the greater the probability of security incidents such as successful virus attacks, exploitation of vulnerabilities leading to data leaks, and system crashes.

[0059] In the formula, This is a real-time vulnerability risk index; Based on the above, it should be noted that: The virus attack coefficient benchmark is a historical attack strength benchmark calculated based on virus attack behaviors (attack frequency, duration, success rate) in historical code data. It represents the average level of virus attacks on the test terminal under normal and historical conditions.

[0060] The baseline value of the virus attack coefficient reflects the long-term attack exposure and protection level of the endpoint, determining the inherent vulnerability baseline of the system. The higher the baseline, the higher the inherent probability of the system being compromised under the same attack and vulnerability conditions, and the higher the risk.

[0061] The real-time attack coefficient is calculated based on the virus attack behavior in the current real-time code data, which is the current attack strength.

[0062] The real-time attack coefficient quantifies the frequency, success rate, and duration of the current attack, representing the "energy input intensity" of the attack. The more intense and effective the attack, the higher the probability of the system being breached and damaged, and the greater the risk.

[0063] The real-time vulnerability risk index is generated by a trained deep learning network model, based on the base score and time score of vulnerabilities in the current real-time code data, to output the current vulnerability risk level.

[0064] The real-time vulnerability risk index quantifies the impact scope, exploitation difficulty, and exposure duration of current vulnerabilities, representing the "internal vulnerability carrier" of a system. The higher the vulnerability risk, the lower the threshold for attack and the larger the window for exploitation, the higher the probability of the system being compromised, and the greater the risk.

[0065] in addition, It is a linearly weighted assessment of the current risk, which adds the "severity of the attack" and the "danger level of the vulnerability" according to their weights to obtain the "current risk potential value," and then multiplies it by... The "current risk potential value" is calibrated using historical attack levels. If the terminal is in a high-attack environment for a long time, the same current risk will be judged as a higher threat; and vice versa.

[0066] In the formula, This is a weighting factor for the real-time attack coefficient. The weighting coefficients for the real-time vulnerability risk index. The real-time vulnerability risk index directly characterizes the inherent vulnerability of a system and is a prerequisite for successful attack exploitation, so it makes a more fundamental contribution to the overall risk index, while the real-time attack coefficient characterizes the intensity of external attacks, and its risk contribution depends on the vulnerability vector. Assigning the real-time vulnerability risk index the higher weight therefore allows a more accurate quantification of the actual security risks of a terminal.

[0067] Therefore, in On this basis, let ; As one implementation method, The value range is 0 to 0.5. The value range is 0.5 to 1.0, and the specific value is determined according to the actual situation.

[0068] The risk determination module compares the comprehensive risk index with a preset comprehensive risk index threshold, and determines the risk level of the test terminal code data based on the comparison result. The specific logic is as follows: if the comprehensive risk index is less than or equal to the comprehensive risk index threshold, then the test terminal code data is at a low risk level; if the comprehensive risk index is greater than the comprehensive risk index threshold, then the test terminal code data is at a high risk level. in, This is the threshold for the comprehensive risk index.

[0069] The comprehensive risk index threshold is a pre-set risk threshold, determined based on the historical security operation data of the test terminal, the importance level of the business, and industry security standards, and is used to distinguish between low-risk and high-risk states.
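The scoring chain described in [0045] to [0069], as an added example in Python that is not part of the patent text: the attack coefficient is a weighted linear sum, the historical value is scaled into a baseline, the baseline multiplies the weighted current risk, and the result is compared with a threshold. Because the formulas are blank on this page, the following are assumptions: indicators normalized to [0, 1], weights in each group summing to 1, the weight ranges matched to the parameters in the order they are listed, a normalization coefficient between 0.9 and 1.1, the historical coefficient taken as the mean over historical windows, and all sample values and the threshold.

```python
from dataclasses import dataclass
from statistics import fmean


@dataclass(frozen=True)
class AttackWeights:
    """Weights for attack frequency, mean successful-attack duration, success rate."""
    frequency: float = 0.20
    duration: float = 0.35
    success_rate: float = 0.45

    def __post_init__(self):
        # Open intervals from [0050]; they also enforce lowest/second/highest order.
        if not (0.1 < self.frequency < 0.3 and 0.3 < self.duration < 0.4
                and 0.4 < self.success_rate < 0.6):
            raise ValueError("attack weight outside the range given in [0050]")
        # Assumption: the three weights sum to 1 (the constraint is blank on the page).
        if abs(self.frequency + self.duration + self.success_rate - 1.0) > 1e-9:
            raise ValueError("attack weights must sum to 1")


def attack_coefficient(indicators, w):
    """Linear superposition of (frequency, duration, success rate), each in [0, 1]."""
    if any(not 0.0 <= v <= 1.0 for v in indicators):
        raise ValueError("indicators must be normalized to [0, 1]")
    freq, duration, success = indicators
    return w.frequency * freq + w.duration * duration + w.success_rate * success


def baseline_value(history, w, k=1.0):
    """Baseline = normalization coefficient k times the historical attack coefficient."""
    # Assumption: k in [0.9, 1.1], matching the +/-10% tolerance in [0055].
    if not 0.9 <= k <= 1.1:
        raise ValueError("beyond +/-10% the history is no longer a valid baseline")
    # Assumption: the historical coefficient is the mean over historical windows.
    return k * fmean(attack_coefficient(window, w) for window in history)


def comprehensive_risk(baseline, rt_attack, rt_vuln, w_attack=0.4, w_vuln=0.6):
    """Baseline-calibrated weighted sum of current attack strength and vulnerability risk."""
    # [0067]: one weight in 0..0.5, the other in 0.5..1.0; the vulnerability weight is higher.
    if not (0.0 <= w_attack <= 0.5 <= w_vuln <= 1.0 and w_attack < w_vuln):
        raise ValueError("weights outside the ranges given in [0067]")
    # Assumption: the two weights sum to 1 (the constraint is blank on the page).
    if abs(w_attack + w_vuln - 1.0) > 1e-9:
        raise ValueError("risk weights must sum to 1")
    return baseline * (w_attack * rt_attack + w_vuln * rt_vuln)


def risk_level(index, threshold):
    """[0068]: an index at or below the threshold is low risk, otherwise high risk."""
    return "low" if index <= threshold else "high"


def assess(history, realtime, rt_vuln, threshold, k=1.0, w=AttackWeights()):
    """Run the whole chain and return (comprehensive risk index, risk level)."""
    base = baseline_value(history, w, k)
    index = comprehensive_risk(base, attack_coefficient(realtime, w), rt_vuln)
    return index, risk_level(index, threshold)


# Constructed sample data: (frequency, duration, success rate) per time window.
QUIET_HISTORY = [(0.10, 0.20, 0.05), (0.20, 0.10, 0.10)]
HOSTILE_HISTORY = [(0.80, 0.60, 0.50), (0.90, 0.70, 0.60)]
REALTIME = (0.50, 0.40, 0.30)
RT_VULN_INDEX = 0.70  # stand-in for the output of the trained model in [0056]
THRESHOLD = 0.20      # hypothetical threshold

if __name__ == "__main__":
    for name, history in (("quiet", QUIET_HISTORY), ("hostile", HOSTILE_HISTORY)):
        index, level = assess(history, REALTIME, RT_VULN_INDEX, THRESHOLD)
        print(f"{name:8s} history -> index {index:.4f}, {level} risk")
```

With identical real-time readings, the quiet history yields an index of about 0.066 (low) and the hostile history about 0.368 (high), which is the calibration effect that [0065] describes.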

[0070] Please see Figure 2. The present invention also provides a technical solution: a deep learning-based method for automating penetration testing, wherein the method is applied to any of the aforementioned deep learning-based penetration testing automation systems, and the specific steps include:

S1. Collect code data from the test terminal in real time, and filter out historical code data from multiple historical time periods and real-time code data of the same duration before the current moment;

S2. Analyze historical and real-time code data to obtain the basic score and time score of each vulnerability, and obtain the virus indicator parameters of each vulnerability. Determine the vulnerability risk index corresponding to the historical code data based on the expert scoring method, and determine the benchmark value of the virus attack coefficient based on the virus indicator parameters corresponding to the historical code data.

S3. Construct a deep learning network model, take the basic score and time score of the vulnerability in the historical code data as input, and the corresponding vulnerability risk index as the label output, train the deep learning network model, and input the basic score and time score of the vulnerability in the real-time code data into the trained deep learning network model to obtain the corresponding real-time vulnerability risk index.

S4. Process the virus indicator parameters corresponding to the real-time code data to generate the real-time attack coefficient, and combine the virus attack coefficient benchmark value, the real-time attack coefficient and the real-time vulnerability risk index to generate a comprehensive risk index.

S5. Compare the comprehensive risk index with the preset comprehensive risk index threshold, and determine the risk level of the test terminal code data based on the comparison results.

[0071] The above formulas are all dimensionless calculations. The formulas are derived from software simulations based on a large amount of collected data to obtain the most recent real-world results. The preset parameters in the formulas are set by those skilled in the art according to the actual situation.

[0072] The above embodiments can be implemented, in whole or in part, by software, hardware, firmware, or any other combination thereof. When implemented in software, the above embodiments can be implemented, in whole or in part, as a computer program product. Those skilled in the art will recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented by electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution.

[0073] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment, depending on actual needs.

[0074] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any changes or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application.

Claims

1. A deep learning-based automated penetration testing system, characterized in that it includes:

The data acquisition module is used to collect code data from the test terminal in real time and filter out historical code data from multiple historical time periods as well as real-time code data of the same duration before the current moment.

The data analysis module is used to analyze historical and real-time code data, obtain the basic score and time score of each vulnerability, and obtain the virus indicator parameters of each vulnerability. Based on the expert scoring method, the vulnerability risk index corresponding to the historical code data is determined, and based on the virus indicator parameters corresponding to the historical code data, the baseline value of the virus attack coefficient is determined.

The model building and simulation module is used to build a deep learning network model. It takes the base score and time score of vulnerabilities in historical code data as input and the corresponding vulnerability risk index as the label output to train the deep learning network model. It takes the base score and time score of vulnerabilities in real-time code data as input to the trained deep learning network model to obtain the corresponding real-time vulnerability risk index.

The data processing module is used to process the virus indicator parameters corresponding to the real-time code data, generate the real-time attack coefficient, and combine the virus attack coefficient benchmark value, the real-time attack coefficient and the real-time vulnerability risk index to generate a comprehensive risk index.

The risk determination module compares the comprehensive risk index with a preset comprehensive risk index threshold and determines the risk level of the test terminal code data based on the comparison result.

2. The deep learning-based automated penetration testing system according to claim 1, characterized in that, The basic score for a vulnerability quantifies its impact and difficulty of exploitation using the following formula: in, As the base score for vulnerabilities, To determine the scope of the vulnerability, The difficulty of exploiting the vulnerability; The time score for a vulnerability is specifically quantified using the duration of vulnerability exposure and the time required to patch it, based on the following formula: in, Rate the time of the vulnerability. For the duration of vulnerability exposure, For vulnerability remediation time, The weighting coefficient for vulnerability exposure duration. As a weighting factor for vulnerability remediation time, Under the condition that, let .

3. The deep learning-based automated penetration testing system according to claim 1, characterized in that, The baseline value for the virus attack coefficient is determined based on the virus indicator parameters corresponding to historical code data, and the logic is as follows: Among them, virus indicator parameters include attack frequency, average duration of a successful attack, and attack success rate. in, This represents the historical attack coefficient. The attack frequency of historical code data. The average duration of a successful attack based on historical code data. The attack success rate based on historical code data. The weighting coefficient for attack frequency. This is a weighting factor for the average duration of a successful attack. As a weighting coefficient for the attack success rate, in Under the condition that, let .

4. The deep learning-based automated penetration testing system according to claim 3, characterized in that, Based on historical attack coefficients, a baseline value for the virus attack coefficient is obtained, using the following formula: in, This serves as the baseline value for the virus attack coefficient. The normalization coefficient is... .

5. The deep learning-based automated penetration testing system according to claim 4, characterized in that, The virus indicator parameters corresponding to the real-time code data are processed to generate real-time attack coefficients, based on the following formula: in, This represents the real-time attack coefficient. The attack frequency is based on real-time code data. The average duration of a successful attack based on real-time code data. This refers to the attack success rate based on real-time code data.

6. The deep learning-based automated penetration testing system according to claim 5, characterized in that, The comprehensive risk index is obtained by combining the baseline value of the virus attack coefficient, the real-time attack coefficient, and the real-time vulnerability risk index. The formula used is as follows: in, As a comprehensive risk index, This is a real-time vulnerability risk index.

7. The deep learning-based automated penetration testing system according to claim 6, characterized in that, The comprehensive risk index is compared with a preset comprehensive risk index threshold, and the risk level of the test terminal code data is determined based on the comparison result. The specific logic is as follows: if the comprehensive risk index is less than or equal to the comprehensive risk index threshold, then the test terminal code data is at a low risk level; if the comprehensive risk index is greater than the comprehensive risk index threshold, then the test terminal code data is at a high risk level. in, This is the threshold for the comprehensive risk index.

8. A deep learning-based automated penetration testing method, wherein the method is executed by a deep learning-based automated penetration testing system as described in any one of claims 1-7, characterized in that the specific steps include:

S1. Collect code data from the test terminal in real time, and filter out historical code data from multiple historical time periods and real-time code data of the same duration before the current moment;

S2. Analyze historical and real-time code data to obtain the basic score and time score of each vulnerability, and obtain the virus indicator parameters of each vulnerability. Determine the vulnerability risk index corresponding to the historical code data based on the expert scoring method, and determine the benchmark value of the virus attack coefficient based on the virus indicator parameters corresponding to the historical code data.

S3. Construct a deep learning network model, take the basic score and time score of the vulnerability in the historical code data as input, and the corresponding vulnerability risk index as the label output, train the deep learning network model, and input the basic score and time score of the vulnerability in the real-time code data into the trained deep learning network model to obtain the corresponding real-time vulnerability risk index.

S4. Process the virus indicator parameters corresponding to the real-time code data to generate the real-time attack coefficient, and combine the virus attack coefficient benchmark value, the real-time attack coefficient and the real-time vulnerability risk index to generate a comprehensive risk index.

S5. Compare the comprehensive risk index with the preset comprehensive risk index threshold, and determine the risk level of the test terminal code data based on the comparison results.