A method and system for automated analysis and response to security incidents based on large language model intelligent agents

By adopting an automated security incident analysis and response method based on a large language model intelligent agent, this approach addresses issues such as inefficient alarm handling, difficulty in integrating heterogeneous data, and over-reliance on senior experts in enterprise security operations systems. It enables the identification and rapid response to complex attack chains, improves the accuracy of threat detection and the security controllability of the system, and reduces talent costs.

CN122316752APending Publication Date: 2026-06-30JINLING INST OF TECH

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
JINLING INST OF TECH
Filing Date
2026-04-14
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

Existing enterprise security operation systems are unable to adapt to complex network attacks, and suffer from problems such as inefficient alarm handling, difficulty in integrating heterogeneous data, over-reliance on senior experts, and weak ability to deal with unknown threats. Furthermore, existing solutions lack human-machine collaboration mechanisms, making it difficult to balance automation efficiency with security controllability.

Method used

An automated security event analysis and response method based on a large language model intelligent agent is adopted. The method realizes automated collection and standardized conversion of multi-source heterogeneous logs through plug-in collection adapters. It combines ReAct pattern reasoning decision-making and state machine constraints with memory management module and MITREATT&CK knowledge base for attack behavior classification. It supports human-machine collaboration mechanism and full-link security control to achieve closed-loop handling of security events.

Benefits of technology

It improves the accuracy and completeness of threat detection, reduces talent costs, enables the identification and rapid response of complex attack chains, ensures the security, controllability and automation efficiency of the system, supports multiple deployment modes and data source expansion, and provides comprehensive security operation support.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122316752A_ABST
    Figure CN122316752A_ABST
Patent Text Reader

Abstract

This invention relates to the field of network security technology and discloses a method and system for automated analysis and response to security events based on a large language model intelligent agent. The invention constructs an end-to-end intelligent security operation system encompassing standardized data collection, intelligent agent reasoning and decision-making, automated tool execution, and human-machine collaborative handling. It achieves standardization and semantic enhancement of multi-source heterogeneous logs through plug-in-based data collection and three-stage processing; it constructs a large language model intelligent agent based on the ReAct pattern, combining state machine constraints and memory management to achieve human-like expert reasoning and analysis; it innovatively designs a skill management system to accumulate expert knowledge, and achieves secure and controllable automated response through a full-link security guardrail and human-machine loop mechanism; the system adopts a layered architecture design with high cohesion and low coupling among modules, solving the problems of inefficiency, reliance on experts, and weak ability to cope with unknown threats in traditional security operation alarm processing, and realizing automated judgment and closed-loop handling of security events.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security technology, specifically to a method and system for automated analysis and response to security events based on a large language model intelligent agent. Background Technology

[0002] As digital transformation deepens and enterprise business systems migrate fully to the cloud, cyberattack methods are becoming increasingly complex, automated, and covert. The number of cybersecurity threats facing enterprises is growing exponentially, placing extremely high demands on the efficiency and intelligence of security operations. The technical systems and operational models of traditional enterprise security operations centers are no longer adequate for current security needs, revealing significant technical deficiencies in multiple dimensions, including alarm handling, talent reliance, data integration, and technology application, severely hindering the effectiveness of security protection.

[0003] At the alert handling level, various security devices within an enterprise, such as firewalls, intrusion detection systems, and web application firewalls, generate hundreds of millions of log data and tens of thousands of alert messages daily. Under traditional security operation models, security analysts must manually screen and analyze these alerts, which is not only extremely labor-intensive but also prone to "alert fatigue," leading to the overlooking of truly high-risk attack events and resulting in critical vulnerabilities in security protection. While existing security orchestration and automated response technologies can replace some repetitive tasks, they rely on predefined static response scripts and can only handle known typical security incidents. They lack the flexible analytical capabilities to deal with unknown threats and complex attack chains. When faced with zero-day attacks or multi-step composite attacks, the system cannot autonomously complete source tracing analysis and still requires the intervention of senior security experts, making it difficult to achieve rapid response to security incidents.

[0004] In terms of human resources, security operations rely excessively on senior security analysis experts. However, the training cycle for senior experts is long and the training cost is high, resulting in a significant talent gap in the industry. The core capabilities of security analysis are highly dependent on the personal experience of experts. This experience and knowledge are difficult to solidify and pass on through standardized methods. When key personnel leave, the company's security operations capabilities will decline significantly, making it impossible to form a stable security protection system. At the same time, the enterprise security environment contains various heterogeneous data sources such as web logs, system logs, firewall logs, and traffic logs. These logs have different formats and inconsistent field definitions. Traditional technical methods lack effective data integration capabilities and cannot correlate scattered log data to form a complete attack view. This significantly reduces the accuracy and completeness of threat detection and makes it difficult to trace the source and propagation path of attacks.

[0005] At the application level, while existing research has applied machine learning to cybersecurity, most solutions are optimized only for single security tasks, such as anomaly detection in network traffic and malware classification and identification. They lack engineering practices that integrate data collection, intelligent analysis, operational execution, and result feedback into a closed-loop system, failing to achieve end-to-end automated handling of security incidents. Furthermore, existing solutions generally lack effective human-machine collaboration mechanisms and fail to consider the "illusion" characteristics of large language models during automation, making them prone to misjudgments or incorrect execution of high-risk operations. This makes it difficult to strike a balance between automation efficiency and security controllability, significantly limiting the practical application of large language models in security operations.

[0006] In summary, current enterprise security operation systems are no longer adequate for complex cyberattack environments. The industry urgently needs an intelligent security operation method and system that integrates large language model capabilities to achieve a shift from rule-driven to intelligent cognitive operation models. This would solve technical problems such as inefficient alarm handling, difficulty in integrating heterogeneous data, over-reliance on senior experts, and weak ability to deal with unknown threats. It would improve the efficiency of automated handling of security incidents while ensuring the security and controllability of the system. Summary of the Invention

[0007] To address the shortcomings of existing technologies, this invention provides a method and system for automated analysis and response to security events based on a large language model intelligent agent, thus solving the problems mentioned in the background section.

[0008] To achieve the above objectives, the present invention provides the following technical solution: an automated analysis and response method for security events based on a large language model intelligent agent, comprising the following steps:

[0009] S1. Collect and normalize multi-source heterogeneous security logs. Obtain different types of security log data through plug-in acquisition adapters. Use a three-stage processing chain of parsing, mapping, and verification to standardize the original logs. After the data enhancement module supplements the context information, it generates structured log data in a unified JSON format, providing standardized input for intelligent analysis.

[0010] S2. The large language model intelligent agent based on the ReAct pattern performs reasoning and decision-making on structured log data. The intelligent agent alternately executes the cyclical reasoning process of thinking, acting, and observing. Combined with state machine constraints, the reasoning process is divided into five states: initialization, analysis, execution, judgment, and response. The memory management module retains the context and case status information. The built-in MITREATT&CK knowledge base realizes the standardized classification of attack behaviors and generates attack chain analysis results and handling strategies.

[0011] S3. The agent calls the tool execution component to complete capability expansion and operation execution based on the reasoning results. It accesses multi-source threat intelligence through the intelligence adaptation layer and combines it with the Redis caching layer to achieve efficient query of threat indicators. It calls the log analysis tool to complete the secondary processing and accurate retrieval of logs. It calls the response operation tool to execute atomic security response operations. Through the skill management system, it transforms security expert knowledge into callable skills to supplement the agent with professional analysis capabilities.

[0012] S4. Based on the human-machine collaboration mechanism and full-link security control, a closed-loop handling of security incidents is achieved. For high-risk response operations, a human-machine loop manual confirmation process is implemented. A role-based access control model is used to implement hierarchical management of permissions. The entire process operation is audited and recorded. The analysis results and handling status are displayed through a visual interactive platform to complete the closed loop of security incident assessment, execution, and feedback.

[0013] Optionally, the plug-in acquisition adapter described in step S1 supports dynamically loading log acquisition plugins, adapting to heterogeneous data sources such as web server access logs, host system logs, firewall and intrusion detection system logs, and application logs, and realizing automated acquisition of logs from Nginx, Apache, Linuxsyslog, WindowsEventLog, etc. In the three-stage processing chain, the parsing stage identifies the log format and extracts key fields such as IP address, username, and URL while retaining the original text; the mapping stage maps the extracted fields to a unified namespace in the style of ElasticCommonSchema and records the mapping version number; the verification stage verifies the required fields, data types, and value ranges, and performs downgrade processing on abnormal fields; the data enhancement module supplements the original logs with contextual information such as GeoIP geographical location, asset ownership, historical behavior baseline, and threat intelligence tags.

[0014] Optionally, the reasoning process of the ReAct mode in step S2 is as follows: the agent first analyzes the current alarm or task and generates a reasoning trajectory in the thinking phase; then, in the action phase, it selects and calls the corresponding tool based on the reasoning result; next, in the observation phase, it obtains the tool execution result as new input; and finally, it continues to think and iterates until a conclusion is reached based on the observation result. The memory management module is built on a memory database and uses a sliding window or digest mechanism to optimize the use of tokens, ensuring the logical coherence of multi-round interactions and multi-step investigations. The MITREATT&CK knowledge base realizes the automatic mapping of attack behaviors with standardized tactics and technical classifications, and generates a structured attack chain analysis report.

[0015] Optionally, the threat intelligence query in step S3 integrates multi-source intelligence results and calculates confidence levels. The confidence level is calculated using the following formula:

[0016] ;

[0017] in For the first The weighting coefficient of each intelligence source For the first The credibility score of each intelligence source for this threat indicator. The number of intelligence sources; the log analysis tool performs secondary processing on logs by compression, merging, and filtering, and supports atomic parameter filtering such as time period, IP, and keywords; the response operation tool encapsulates atomic operations such as alarm sending, IP blocking, host isolation, and account disabling, and triggers a manual confirmation mechanism for high-risk operations; the skill management system transforms security analysis knowledge documents into callable skills through retrieval enhancement generation technology, and supports dynamic loading and version management of skills;

[0018] The manual confirmation process in step S4 involves the intelligent agent generating a disposal plan, which is then reviewed and authorized by a security analyst. The execution results are then fed back and recorded in the audit log. The role-based access control model predefines four types of roles: administrator, analyst, operator, and observer, to achieve hierarchical control of permissions. The audit traceability covers the entire process of authentication, authorization, execution, and feedback, and all operational behaviors generate traceable audit logs.

[0019] An automated security incident analysis and response system based on a large language model intelligent agent adopts a layered architecture design, including a data storage layer, a data perception layer, an intelligent decision-making layer, an automatic execution layer, and a visualization layer. Each layer's modules are highly cohesive and loosely coupled, enabling orderly data interaction and command transmission between layers. Security guardrail components are deployed throughout the entire chain. The core innovations include a built-in ReAct-based large language model intelligent agent, a skill management system capable of accumulating expert knowledge, a high-risk operation confirmation mechanism based on human-machine feedback, and a three-stage log paradigm processing module. These innovative modules work collaboratively to achieve automated analysis, intelligent decision-making, and secure and controllable response to security incidents. The data storage layer provides data persistence and caching services for the entire system. The data perception layer collects, standardizes, and semantically enhances multi-source heterogeneous security logs. The intelligent decision-making layer, the core of the system, uses the large language model intelligent agent to perform reasoning and attack chain analysis of security incidents. The automatic execution layer provides the intelligent agent with tool calls and capability extensions to execute specific security response operations. The visualization layer enables human-machine interaction, situational awareness, and audit log management.

[0020] Optionally, the data storage layer includes a relational database, a file storage module, and a Redis caching module. The relational database is used to store structured data such as structured logs, audit logs, and attack chain analysis reports. The file storage module is used to store unstructured data such as raw logs, knowledge documents, and skill documents. The Redis caching module is used to cache threat intelligence query results, frequently accessed log data, and context memory information of intelligent agents, reducing the number of external API calls and improving the system's query and inference efficiency.

[0021] Optionally, the data awareness layer includes a pluggable acquisition adapter, a three-stage processing engine, a data enhancement module, and a message queue component. The pluggable acquisition adapter is one of the core innovative modules, supporting the dynamic loading and unloading of different types of log acquisition plugins, adapting to the automated acquisition of various heterogeneous data sources, and providing a unified acquisition interface to achieve standardized access to log data. The three-stage processing engine consists of a parsing module, a mapping module, and a verification module, realizing the extraction of key fields from the original logs, unified namespace mapping, and downgrade processing of abnormal fields. The data enhancement module supplements the logs with multi-dimensional contextual information to enhance the semantic value of the logs. The message queue component realizes asynchronous transmission of log data, alleviates system peak pressure, and ensures the stability of data transmission.

[0022] Optionally, the intelligent decision-making layer is the core brain of the system, comprising a large language model intelligent agent core, a ReAct inference engine, a state machine constraint module, a memory management module, and a MITREATT&CK knowledge base. The large language model intelligent agent core is built based on the LangChain and LangGraph frameworks, and combined with the ReAct inference engine to realize cyclical reasoning of thinking, acting, and observing, which is one of the core innovative modules. The state machine constraint module divides the reasoning process into five states: initialization, analysis, execution, judgment, and response, and defines the input-output contract for each state to ensure the stability of the reasoning process. The memory management module is built based on an in-memory database to maintain the contextual coherence of multi-turn interactions of the intelligent agent. The MITREATT&CK knowledge base realizes the standardized classification of attack behaviors and the structured generation of attack chains.

[0023] Optionally, the automated execution layer includes a toolbox manager, a threat intelligence interface, a log analyzer, a response operator, and a skill management system. The skill management system, a core innovative module, consists of a skill loader, a skill storage module, a skill retrieval module, and a skill executor. It uses retrieval-enhanced generation technology to transform security experts' knowledge documents into callable intelligent agent skills, supporting dynamic loading, version management, and semantic retrieval of skills, thus enabling the accumulation and reuse of expert knowledge. The threat intelligence interface accesses multi-source threat intelligence through an intelligence adaptation layer, combining Redis caching to achieve efficient querying and multi-source result fusion. The log analyzer performs secondary processing and accurate retrieval of logs. The response operator encapsulates various atomic security response operations and incorporates a built-in manual confirmation mechanism for high-risk operations, making it a core innovative module that ensures secure and controllable operation execution.

[0024] Optionally, the visualization layer includes a web front-end interface, a security dashboard, a dialogue interaction window, a human-machine confirmation component, and a log management module. The web front-end interface is built using React and TypeScript technology stacks, following a layered structure of pages, components, and services to reduce interaction coupling. The security dashboard displays core indicators such as security status, number of alarms, attack type distribution, and handling progress in real time. The dialogue interaction window visualizes the agent's reasoning process, tool calls, observation results, and conclusions in chronological order, supporting analyst follow-up questions and corrections, and strategically anonymizing sensitive fields. The human-machine confirmation component, a core innovative module, enables secondary confirmation of high-risk operations, clearly displays the operation content and scope of impact, sets countdowns to prevent misoperation, and includes confirmation records in the audit log. The log management module enables querying, filtering, exporting, and tracing of audit logs, security event logs, and tool call logs, providing complete data support for security operations and maintenance.

[0025] This invention provides a method and system for automated analysis and response to security events based on a large language model intelligent agent, which has the following beneficial effects:

[0026] Firstly, through pluggable acquisition adapters and three-stage log paradigm processing, automated collection and standardized conversion of multi-source heterogeneous security logs are achieved. Simultaneously, a data augmentation module supplements logs with contextual information, linking scattered log data to form a complete attack view, significantly improving the accuracy and completeness of threat detection and enabling clear tracing of the attack's source and propagation path. Based on the ReAct pattern, a large language model intelligent agent, combined with state machine constraints and memory management, achieves cyclical reasoning of thinking, acting, and observing, endowing the system with human-like expert reasoning and analysis capabilities, enabling it to understand alarm context and identify complex attack chains.

[0027] Secondly, the skill management system of this invention transforms security experts' knowledge documents into skills that can be invoked by intelligent agents through retrieval-enhanced generation technology. This achieves standardized accumulation and reuse of expert experience and knowledge, enabling junior analysts to handle complex security incidents with the assistance of AI, significantly reducing the talent costs of enterprise security operations. Through threat intelligence integration and the encapsulation of various tools, it provides intelligent agents with rich professional capability extensions, achieving seamless integration between reasoning analysis and practical operation. Simultaneously, the introduction of a Redis caching layer improves the system's query and execution efficiency, freeing security analysts from tedious repetitive tasks and allowing them to focus on more valuable in-depth analysis and adversarial strategy formulation.

[0028] Furthermore, the human-machine loop mechanism and end-to-end security safeguards constructed in this invention implement manual confirmation processes for high-risk operations, achieve hierarchical control of permissions based on a role-based access control model, and audit and record the entire process, achieving a balance between automation efficiency and security controllability. The system's layered architecture design ensures high cohesion and low coupling among modules. The plug-in-based data collection method and unified tool interface support dynamic expansion of data sources and tool types. The system also provides cloud, local, and hybrid deployment modes to adapt to different enterprise technical architectures and data compliance requirements, exhibiting high scalability and adaptability. In addition, the visual interactive platform intuitively displays the agent's reasoning process and handling results, supporting analyst questioning and correction, realizing a closed loop of security incident assessment, execution, and feedback, improving the transparency and reproducibility of security operations, and providing comprehensive support for enterprise security protection. Attached Figure Description

[0029] Figure 1 This is a diagram of the overall system architecture in this invention;

[0030] Figure 2 This is a diagram showing the system module division in this invention;

[0031] Figure 3 This is a diagram of the data acquisition module architecture in this invention;

[0032] Figure 4 This is a flowchart of the log parsing process in this invention;

[0033] Figure 5 This is a diagram illustrating the intelligent agent architecture and process design in this invention;

[0034] Figure 6 This is a flowchart of the threat intelligence process in this invention;

[0035] Figure 7 This is a flowchart of the response operation tool in this invention;

[0036] Figure 8 This is a diagram of the skills management system architecture in this invention;

[0037] Figure 9 This is a diagram of the front-end architecture in this invention;

[0038] Figure 10 This is a flowchart of the dialogue interaction process in this invention;

[0039] Figure 11 This is a flowchart of the secondary confirmation mechanism in this invention;

[0040] Figure 12 This is a security architecture diagram of the present invention;

[0041] Figure 13 This is a diagram of the permission model in this invention. Detailed Implementation

[0042] The technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments.

[0043] like Figures 1 to 13 As shown, the automated analysis and response method and system for security events based on large language model intelligent agents of the present invention can be deployed in enterprise security operations centers, adapting to enterprise security operations scenarios in various industries such as finance, e-commerce, government affairs, and manufacturing. It supports seamless integration with existing enterprise security devices such as firewalls, intrusion detection systems, and web application firewalls. The specific implementation steps are as follows:

[0044] Step 1: System Deployment and Initialization Configuration. Based on the enterprise's data compliance requirements and technical architecture, select cloud API, local, or hybrid deployment mode to complete the system deployment. Build the relational database, file storage, and Redis caching modules for the data storage layer, and complete the joint debugging and testing of each layer to ensure the stability of data interaction and command transmission between layers. Initialize the data awareness layer by dynamically loading the corresponding log collection plugin based on the type of security devices within the enterprise, and configuring the frequency and scope of log collection. Configure the intelligent decision-making layer by selecting an appropriate large language model, loading the MITREATT&CK knowledge base, and setting the token optimization strategy for the memory management module. Configure the automatic execution layer by connecting to the threat intelligence sources specified by the enterprise, setting the weight coefficients of the intelligence sources, encapsulating commonly used security response operations, and completing the uploading and skill conversion of security expert knowledge documents. Configure the visualization layer by setting the display indicators for the security dashboard, defining the anonymization strategy for sensitive fields, and configuring the storage period and export permissions for audit logs. Simultaneously, complete the role-based access control configuration, assigning corresponding roles and operation permissions to enterprise security operations personnel, deploying the full-link security guardrail component, and setting the judgment criteria for high-risk operations.

[0045] Step Two: Collection and Normalization of Multi-Source Heterogeneous Logs. The pluggable collection adapter in the data awareness layer automatically acquires heterogeneous log data generated by devices such as web servers, hosts, firewalls, and intrusion detection systems within the enterprise through corresponding collection plugins, and realizes asynchronous transmission of log data through a message queue component. The three-stage processing engine standardizes the raw logs. The parsing module identifies the log format and extracts key fields such as IP address, username, and URL, while retaining a backup of the original text. The mapping module maps the extracted fields to a unified namespace and records the mapping version number. The verification module verifies the fields and performs downgrade processing on abnormal fields. The data enhancement module supplements the standardized logs with contextual information such as GeoIP geographical location, asset ownership, and historical behavior baselines, and finally generates structured log data in a unified JSON format, which is stored in the relational database of the data storage layer to provide analytical input for the intelligent decision-making layer.

[0046] Step 3: Reasoning and Judgment by the Large Language Model Agent. The large language model agent in the intelligent decision layer reads structured log data from the data storage layer and enters the ReAct reasoning process: In the thinking phase, it analyzes the core features of the alarm information, generates a preliminary reasoning trajectory based on the MITREATT&CK knowledge base, and determines the tool components that need to be called; in the action phase, it sends tool call instructions to the automatic execution layer based on the reasoning results; in the observation phase, it receives the tool execution results from the automatic execution layer and uses them as new analysis input; the agent advances the reasoning process according to the initialization, analysis, execution, judgment, and response states through the state machine constraint module, and the memory management module saves the context information and case status of the reasoning in real time to ensure the logical coherence of the multi-step investigation; when the reasoning process is completed, the agent maps the detected attack behavior to the tactical and technical classifications of MITREATT&CK, generates a structured attack chain analysis report, and formulates corresponding security incident handling strategies, which are then sent to the automatic execution layer;

[0047] Step 4: Tool Execution and Capability Expansion. After receiving the tool invocation instructions and handling strategies from the agent, the automatic execution layer calls the corresponding tool components according to the instruction type: If it is a threat intelligence query instruction, the threat intelligence interface first checks the Redis cache layer. If the cache is hit, the result is returned directly; if not, the multi-source threat intelligence API is called to complete the result fusion and confidence calculation before returning the result and updating the cache. If it is a log retrieval instruction, the log analyzer performs secondary processing and precise retrieval of the log data and feeds the results back to the agent. If it is a security response instruction, the response operator first determines the risk level of the operation. Low-risk operations are executed directly, while high-risk operations trigger a human-machine confirmation mechanism, pushing the operation plan to the human-machine confirmation component in the visualization layer. During the agent's reasoning process, the skill management system provides the agent with corresponding security analysis skills through semantic retrieval, supplementing the agent's professional analysis capabilities and enabling the reuse of expert knowledge.

[0048] Step 5: Human-Machine Collaboration and Safe and Controllable Handling. Upon receiving a confirmation request for a high-risk operation, the human-machine confirmation component in the visualization layer displays the operation content, scope of impact, and handling basis to the corresponding security analyst, setting a countdown to prevent accidental operation. The analyst reviews the operation plan; if approved, execution is authorized; otherwise, modification suggestions are returned, and the intelligent agent re-formulates the handling strategy based on these suggestions. The response operator in the automatic execution layer executes the authorized response operation, feeding back the execution results to the intelligent decision-making layer and visualization layer in real time. Simultaneously, the log management module records a complete audit log of the operation, including information such as the operator, operation time, operation content, and execution result. The security analyst can view the complete reasoning process of the intelligent agent through a dialogue interaction window, questioning and correcting key steps. The intelligent agent re-analyzes based on the analyst's instructions, achieving accurate judgment through human-machine collaboration.

[0049] Step Six: Visualization and Closed-Loop Feedback. The security dashboard in the visualization layer displays the enterprise's security posture in real time, including core data such as the number of alarms, attack type distribution, handling progress, and top threat indicators. Security operations personnel can use the dashboard to keep track of the enterprise's security status in real time. The dialogue interaction window visualizes the agent's thought process, tool calls, observation results, and final conclusions in chronological order, supporting analysts' multi-dimensional retrieval and review. The log management module provides security operations personnel with the functions of querying, filtering, and exporting audit logs, security event logs, and tool call logs. Analysts can review the handling process of security events based on log data, summarize attack characteristics and handling experience, and upload new knowledge and experience to the skills management system to achieve continuous knowledge accumulation and iterative upgrades of system capabilities, forming a closed loop for security event analysis and response.

[0050] In the specific implementation of this invention, the inference parameters of the large language model, the weight coefficients of threat intelligence sources, the judgment criteria for high-risk operations, and the retrieval strategies of the skill management system can be adjusted according to the actual security operation needs of the enterprise. At the same time, new log collection plugins and tool components can be dynamically loaded to expand the system's collection scope and execution capabilities, so that the system can better adapt to the enterprise's security operation scenarios.

[0051] The above description is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any equivalent substitutions or modifications made by those skilled in the art within the scope of the technology disclosed in the present invention, based on the technical solution and inventive concept of the present invention, should be covered within the scope of protection of the present invention.

Claims

1. A method for automated analysis and response to security events based on a large language model intelligent agent, characterized in that, Includes the following steps: S1. Collect and normalize multi-source heterogeneous security logs. Obtain different types of security log data through plug-in collection adapters. Use a three-stage processing chain of parsing, mapping, and verification to standardize the original logs. After the data enhancement module supplements the context information, generate structured log data in a unified JSON format. S2. The large language model intelligent agent based on the ReAct pattern performs reasoning and decision-making on structured log data. The intelligent agent alternately executes the cyclical reasoning process of thinking, acting, and observing. Combined with state machine constraints, the reasoning process is divided into five states: initialization, analysis, execution, judgment, and response. The memory management module retains the context and case status information. The built-in MITREATT&CK knowledge base realizes the standardized classification of attack behaviors and generates attack chain analysis results and handling strategies. S3. The intelligent agent calls the tool execution component to complete capability expansion and operation execution based on the reasoning results. It accesses multi-source threat intelligence through the intelligence adaptation layer and combines it with the Redis caching layer to achieve efficient query of threat indicators. It calls the log analysis tool to complete the secondary processing and accurate retrieval of logs. It calls the response operation tool to execute atomic security response operations. It transforms security expert knowledge into callable skills through the skill management system. S4. Based on the human-machine collaboration mechanism and full-link security control, a closed-loop handling of security incidents is achieved. For high-risk response operations, a human-machine loop manual confirmation process is implemented. A role-based access control model is used to implement hierarchical management of permissions. The entire process operation is audited and recorded. The analysis results and handling status are displayed through a visual interactive platform to complete the closed loop of security incident assessment, execution, and feedback.

2. The method as described in claim 1, characterized in that, The plug-in acquisition adapter described in step S1 supports dynamically loading log acquisition plugins; in the three-stage processing chain, the parsing stage identifies the log format and extracts key fields such as IP address, username, and URL while retaining the original text; the mapping stage maps the extracted fields to a unified namespace in the style of ElasticCommonSchema and records the mapping version number; the verification stage verifies the required fields, data types, and value ranges, and performs downgrade processing on abnormal fields; the data enhancement module supplements the original logs with GeoIP geographical location, asset ownership, historical behavior baseline, and threat intelligence tag context information.

3. The method as described in claim 1, characterized in that, The reasoning process of the ReAct pattern described in step S2 is as follows: The agent first analyzes the current alarm or task and generates a reasoning trajectory during the thinking phase. Then, during the action phase, it selects and calls the corresponding tool based on the reasoning results. Next, during the observation phase, it obtains the tool execution results as new input. Finally, it continues to think and iterates until a conclusion is reached based on the observation results. The memory management module is built on an in-memory database and uses a sliding window or summary mechanism to optimize token usage, ensuring the logical coherence of multi-round interactions and multi-step investigations. The MITREATT&CK knowledge base realizes automatic mapping between attack behaviors and standardized tactics and technical classifications, generating structured attack chain analysis reports.

4. The method as described in claim 1, characterized in that, The threat intelligence query described in step S3 integrates multi-source intelligence results and calculates confidence levels. The confidence level is calculated using the following formula: ; in For the first The weighting coefficient of each intelligence source For the first The credibility score of each intelligence source for this threat indicator. The number of intelligence sources; The log analysis tool performs secondary processing on logs, including compression, merging, and filtering, and supports atomic parameter filtering by time period, IP address, and keywords. The response operation tool encapsulates atomic operations for alarm sending, IP blocking, host isolation, and account disabling, with high-risk operations triggering a manual confirmation mechanism. The skill management system uses retrieval-enhanced generation technology to transform security analysis knowledge documents into callable skills, supporting dynamic loading and version management of skills. The manual confirmation process in step S4 involves the intelligent agent generating a disposal plan, which is then reviewed and authorized by a security analyst. The execution results are then fed back and recorded in the audit log. The role-based access control model predefines four types of roles: administrator, analyst, operator, and observer, to achieve hierarchical control of permissions. The audit traceability covers the entire process of authentication, authorization, execution, and feedback, and all operational behaviors generate traceable audit logs.

5. A security event automated analysis and response system based on a large language model intelligent agent as described in claims 1 to 4, characterized in that, It adopts a layered architecture design, including a data storage layer, a data perception layer, an intelligent decision-making layer, an automatic execution layer, and a visualization layer. Each layer has high cohesion and low coupling, and orderly data interaction and command transmission are achieved between layers. Security guardrail components are deployed throughout the entire chain. The core innovations are the built-in large language model intelligent agent based on the ReAct pattern, a skill management system that can accumulate expert knowledge, a high-risk operation confirmation mechanism for human-machine loop, and a three-stage log paradigm processing module. The innovative modules work together to achieve automated analysis, intelligent decision-making, and safe and controllable response and handling of security incidents. The data storage layer provides data persistence and caching services for the entire system; The data perception layer realizes the collection, standardization, and semantic enhancement of multi-source heterogeneous security logs; the intelligent decision-making layer is the core of the system, which completes the reasoning and judgment of security events and the analysis of attack chains through a large language model intelligent agent; the automatic execution layer provides the intelligent agent with tool calls and capability expansion to execute specific security response operations; and the visualization display layer realizes human-computer interaction, situation display, and audit log management.

6. The system as described in claim 5, characterized in that, The data storage layer includes a relational database, a file storage module, and a Redis caching module. The relational database is used to store structured logs, audit logs, and attack chain analysis reports. The file storage module is used to store unstructured data such as raw logs, knowledge documents, and skill documents. The Redis caching module is used to cache threat intelligence query results, frequently accessed log data, and context memory information of intelligent agents, reducing the number of external API calls and improving the system's query and inference efficiency.

7. The system as described in claim 5, characterized in that, The data perception layer includes a pluggable acquisition adapter, a three-stage processing engine, a data enhancement module, and a message queue component. The pluggable acquisition adapter is one of the core innovative modules, which supports dynamic loading and unloading of different types of log acquisition plugins, adapts to the automated acquisition of various heterogeneous data sources, and provides a unified acquisition interface to achieve standardized access to log data. The three-stage processing engine consists of a parsing module, a mapping module, and a verification module, which realizes the extraction of key fields from the original logs, unified namespace mapping, and downgrade processing of abnormal fields; the data enhancement module supplements the logs with multi-dimensional contextual information to enhance the semantic value of the logs; the message queue component realizes asynchronous transmission of log data, alleviates peak system pressure, and ensures the stability of data transmission.

8. The system as described in claim 5, characterized in that, The intelligent decision-making layer is the core brain of the system, which includes a large language model intelligent agent core, a ReAct inference engine, a state machine constraint module, a memory management module, and a MITREATT&CK knowledge base. The large language model intelligent agent core is built on the LangChain and LangGraph frameworks and, combined with the ReAct inference engine, realizes cyclical reasoning of thinking, acting, and observing, which is one of the core innovative modules. The state machine constraint module divides the reasoning process into five states: initialization, analysis, execution, judgment, and response, and defines the input-output contract for each state to ensure the stability of the reasoning process. The memory management module is built based on an in-memory database to maintain the contextual coherence of multi-turn interactions between the agent. The MITREATT&CK knowledge base realizes the standardized classification of attack behaviors and the structured generation of attack chains.

9. The system as described in claim 5, characterized in that, The automated execution layer includes a toolbox manager, a threat intelligence interface, a log analyzer, a response operator, and a skill management system. The skill management system, a core innovative module, consists of a skill loader, a skill storage module, a skill retrieval unit, and a skill executor. Through enhanced retrieval generation technology, it transforms security experts' knowledge documents into callable intelligent agent skills, supporting dynamic loading, version management, and semantic retrieval of skills, thus enabling the accumulation and reuse of expert knowledge. The threat intelligence interface accesses multi-source threat intelligence through an intelligence adaptation layer, combining Redis caching to achieve efficient querying and multi-source result fusion. The log analyzer performs secondary processing and precise retrieval of logs; the response operator encapsulates various atomic and secure response operations and has a built-in manual confirmation mechanism for high-risk operations, which is one of the core innovative modules and enables secure and controllable operation execution.

10. The system as described in claim 5, characterized in that, The visualization layer includes a web front-end interface, a security dashboard, a dialogue interaction window, a human-machine confirmation component, and a log management module. The web front-end interface is built using React and TypeScript technology stacks, following a layered structure of pages, components, and services to reduce interaction coupling. The security dashboard displays core indicators such as security status, number of alarms, attack type distribution, and handling progress in real time. The dialogue interaction window visualizes the agent's reasoning process, tool calls, observation results, and conclusions in chronological order, supporting analyst follow-up questions and corrections, and strategically anonymizing sensitive fields. The human-machine confirmation component, a core innovative module, enables secondary confirmation of high-risk operations, clearly displays the operation content and scope of impact, sets countdowns to prevent misoperation, and includes confirmation records in the audit log. The log management module enables querying, filtering, exporting, and tracing of audit logs, security event logs, and tool call logs, providing complete data support for security operations and maintenance.