An agent-based security auditing method and system
By employing a security auditing method based on a multi-agent collaborative architecture, control flow graphs and data flow graphs are generated. Combined with a large language model for vulnerability discovery, this approach solves the problems of high false positive rates and low efficiency in existing technologies, achieving efficient and accurate security auditing.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- HANGZHOU ANQUAN DIGITAL INTELLIGENCE TECH CO LTD
- Filing Date
- 2026-06-05
- Publication Date
- 2026-07-03
AI Technical Summary
Existing security auditing technologies rely on static tools and manual auditing, which suffer from high false alarm rates, low efficiency, high costs, and difficulty in adapting to dynamic security threats in large-scale complex systems. They also cannot identify logical vulnerabilities that are deeply integrated with business logic.
A security auditing method based on a multi-agent collaborative architecture is adopted, including agents for coordination, information collection, analysis and verification. By generating control flow graphs, data flow graphs and function call relationship graphs, and combining them with a large language model, vulnerability mining and verification testing are carried out, and a standardized security audit report is generated.
It enables automated and accurate security auditing, reduces labor costs, improves auditing efficiency, can identify logical vulnerabilities in complex systems, reduces false alarms, and adapts to the auditing needs of large-scale systems.
Smart Images

Figure CN122333488A_ABST
Abstract
Description
Technical Field
[0001] One or more embodiments of this specification relate to the field of artificial intelligence security technology, specifically to a security auditing method and system based on intelligent agents. Background Technology
[0002] With the rapid development of digital technology and the increasing complexity of network systems, various security threats are becoming more diversified, covert, and dynamic. Security auditing, as a crucial link in ensuring system security, is increasingly important. Existing security auditing technologies mainly rely on static application security testing tools or manual auditing, which have many limitations in practical applications. While static application security testing tools can effectively detect patterned vulnerabilities such as SQL injection and XSS, they rely excessively on preset rules and pattern matching, lacking the ability to understand business logic and failing to identify logical vulnerabilities deeply tied to specific task scenarios, such as payment bypass, unauthorized access, and coupon abuse. Furthermore, due to the inability to accurately understand code context and developer intent, static application security testing tools generally suffer from high false positive rates, with numerous invalid alerts consuming auditors' time and energy. Manual auditing relies on the experience of professional security personnel, which can compensate for the shortcomings of tool auditing to some extent, but it suffers from low efficiency and high costs, making it difficult to meet the auditing needs of large-scale, complex systems. In addition, manual auditing is susceptible to subjective factors, carries the risk of audit omissions, and cannot achieve real-time dynamic auditing, making it difficult to cope with constantly changing security threats. Therefore, there is an urgent need for an automated security auditing method that can achieve high efficiency, accuracy, and security. Summary of the Invention
[0003] This specification provides a security auditing method and system based on intelligent agents, the technical solution of which is as follows:
[0004] Firstly, embodiments of this specification provide a security auditing method based on intelligent agents. This method utilizes a multi-agent collaborative architecture, comprising a coordinating agent, an information gathering agent, an analysis agent, a verification agent, and a reporting agent. The method includes: the coordinating agent receiving a security audit task, determining the type characteristics of the target system based on the task, loading audit rule templates corresponding to the type characteristics based on a preset audit strategy library, generating several strategy nodes with execution order dependencies, and instantiating the strategy nodes into atomic instructions; the information gathering agent acquiring multi-dimensional information about the target system based on the atomic instructions, generating control flow graphs, data flow graphs, and function call relationship graphs based on the target system's source code from the multi-dimensional information, and merging them into a code attribute graph before storing it in a vector knowledge base; the analysis agent acquiring system knowledge representations of the target system from the vector knowledge base based on a retrieval-enhanced generation service, and performing vulnerability mining analysis using a large language model to generate vulnerability analysis data; the verification agent determining verification test scripts for potential vulnerabilities based on the vulnerability analysis data, executing the verification test scripts based on a security sandbox to obtain vulnerability verification data; and the reporting agent acquiring vulnerability information based on the vulnerability verification data, and generating a standardized security audit report based on the vulnerability information and a preset report template.
[0005] Secondly, embodiments of this specification provide a security audit system based on intelligent agents. This system is based on a multi-agent collaborative architecture, which includes a coordinating agent, an information gathering agent, an analysis agent, a verification agent, and a reporting agent. The system includes: a coordinating agent, used to receive security audit tasks, determine the type characteristics of the target system based on the security audit tasks, load audit rule templates corresponding to the type characteristics based on a preset audit strategy library, generate several strategy nodes with execution order dependencies, and instantiate the strategy nodes into atomic instructions; and an information gathering agent, used to obtain multi-dimensional information about the target system based on atomic instructions, and based on multi-dimensional... The system generates control flow graphs, data flow graphs, and function call relationship graphs from the source code of the target system, merges them into a code attribute graph, and stores it in a vector knowledge base. An analysis agent retrieves system knowledge representations of the target system from the vector knowledge base based on retrieval enhancement generation services, performs vulnerability mining analysis using a large language model, and generates vulnerability analysis data. A verification agent determines verification test scripts for potential vulnerabilities based on the vulnerability analysis data, executes the verification test scripts in a security sandbox, and obtains vulnerability verification data. A reporting agent obtains vulnerability information based on the vulnerability verification data and generates a standardized security audit report based on the vulnerability information and a preset report template.
[0006] The beneficial effects of the technical solutions provided in some embodiments of this specification include at least the following:
[0007] The embodiments in this specification adopt a multi-agent collaborative architecture, in which each agent cooperates to automatically complete the entire audit process of information collection, vulnerability discovery, verification and report generation without human intervention, significantly reducing labor costs and improving audit efficiency, and can meet the audit needs of large-scale complex systems.
[0008] The embodiments in this specification can receive security audit tasks through a coordinating agent, determine the type characteristics of the target system, load audit rule templates based on a preset audit strategy library, generate policy nodes, and instantiate the policy nodes into atomic instructions; thereby decomposing the audit plan into multiple sub-tasks and assigning them to the information collection agent. The sub-tasks correspond to the policy nodes, realizing the formulation of personalized audit plans based on security audit tasks.
[0009] Furthermore, the embodiments of this specification can acquire multi-dimensional information of the target system through an information-gathering intelligent agent. Based on the source code of the target system in the multi-dimensional information, control flow graphs, data flow graphs, and function call relationship graphs are generated and merged into a code attribute graph and stored in a vector knowledge base. The embodiments of this specification achieve integrated representation of multi-dimensional information of the code by constructing a code attribute graph, providing complete data support for the identification of core functional modules, the proposal of potential attack hypotheses, and the verification of code paths in the subsequent vulnerability analysis stage. Moreover, a structured knowledge system that supports semantic retrieval and can accurately empower vulnerability analysis is formed through the vector knowledge base.
[0010] Furthermore, the embodiments of this specification can obtain system knowledge representations of the target system from the vector knowledge base through the analysis agent based on the retrieval enhancement generation service, and perform vulnerability mining analysis through the large language model to generate vulnerability analysis data. The analysis agent of the embodiments of this specification uses the structured information in the vector knowledge base as the core support, retrieves the system knowledge representations of the target system from the vector knowledge base based on the retrieval enhancement generation service, and combines the task scenario understanding ability of the large language model to accurately identify core functional modules and generate scenario-based attack hypotheses. It can effectively detect task logic vulnerabilities such as payment bypass, unauthorized access, and coupon abuse, fill the detection blind spots of traditional tools, and improve audit security.
[0011] Furthermore, the embodiments in this specification can not only verify the code path of attack hypotheses by analyzing the intelligent agent based on the code attribute graph, but also combine the security sandbox to execute verification test scripts to perform secondary confirmation of potential vulnerabilities, effectively eliminate false alarms, and greatly reduce the interference of invalid alarms to auditors. Attached Figure Description
[0012] To more clearly illustrate the technical solutions in the embodiments of this specification, the accompanying drawings used in the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this specification. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0013] Figure 1 This is a schematic diagram illustrating the application scenario of the agent-based security auditing method provided in this manual.
[0014] Figure 2 This is a flowchart illustrating the agent-based security auditing method provided in this manual.
[0015] Figure 3 This is a flowchart illustrating the process of instantiating a policy node into atomic instructions, as provided in this manual.
[0016] Figure 4 This is a schematic diagram of the security audit system based on intelligent agents provided in this manual.
[0017] Figure 5 This is a schematic diagram of the structure of an electronic device provided in this specification. Detailed Implementation
[0018] The technical solutions in the embodiments of this specification will be clearly and completely described below with reference to the accompanying drawings.
[0019] The terms "first," "second," etc., in the description, claims, and accompanying drawings are used to distinguish different objects and not to describe a particular order. Furthermore, the term "comprising" and any variations thereof are intended to cover a non-exclusive inclusion. For example, a process, method, system, product, or apparatus that includes a series of steps or units is not limited to the listed steps or units, but may optionally include steps or units not listed, or may optionally include other steps or units inherent to such processes, methods, products, or apparatus.
[0020] This specification provides a security auditing method based on intelligent agents through several embodiments. The executing entity of this security auditing method can be the security auditing system based on intelligent agents provided in the embodiments of this invention.
[0021] Before providing a detailed description of the agent-based security auditing method in conjunction with one or more embodiments, this specification first introduces the application scenarios of the agent-based security auditing method.
[0022] Please see Figure 1 , Figure 1This is a schematic diagram illustrating an application scenario of a security auditing method based on intelligent agents provided in an embodiment of the present invention. In this embodiment, the security auditing system 100 based on intelligent agents can be integrated into an electronic device, such as a terminal or a server. The terminal can be a mobile phone, tablet computer, smart Bluetooth device, laptop computer, or personal computer (PC); the server can be a single server or a server cluster composed of multiple servers.
[0023] In some embodiments, the agent-based security audit system 100 can also be integrated into multiple electronic devices. For example, the agent-based security audit system 100 can be integrated into multiple servers, and the agent-based security audit method of this application can be implemented by multiple servers.
[0024] In some embodiments, the server may also be implemented as a terminal. The terminal may be a mobile phone, tablet computer, smart Bluetooth device, laptop computer, or personal computer (PC), etc. The terminal includes a central processing unit (CPU), a graphics processing unit (GPU), memory, storage devices, a network communication module, sensors, a display screen, a battery and power management module, etc.
[0025] For example, refer to Figure 1 The electronic device may include a server 110, a storage terminal 120, etc. The storage terminal 120 stores security audit tasks, etc. The server 110 and the storage terminal 120 communicate with each other, which will not be described in detail here.
[0026] Server 110 may include a processor and memory. Server 110 can be based on a multi-agent collaborative architecture, which includes a coordinating agent, an information gathering agent, an analysis agent, a verification agent, and a reporting agent. Server 110 can receive security audit tasks through the coordinating agent, determine the type characteristics of the target system based on the security audit tasks, load audit rule templates corresponding to the type characteristics based on a preset audit policy library, generate several policy nodes with execution order dependencies, and instantiate the policy nodes into atomic instructions. Server 110 can also have an information gathering agent obtain multi-dimensional information about the target system based on atomic instructions, and generate control based on the source code of the target system from the multi-dimensional information. The server 110 integrates flow graphs, data flow graphs, and function call relationship graphs into a code attribute graph and stores it in a vector knowledge base. The server 110 can also analyze how agents obtain system knowledge representations of the target system from the vector knowledge base based on retrieval enhancement generation services, and perform vulnerability mining analysis using a large language model to generate vulnerability analysis data. The server 110 can also verify the verification test scripts that agents determine based on the vulnerability analysis data, execute the verification test scripts based on a security sandbox, and obtain vulnerability verification data. Furthermore, the server 110 can report the vulnerability information obtained by the agents based on the vulnerability verification data, and generate standardized security audit reports based on the vulnerability information and preset report templates.
[0027] It should be noted that, Figure 1 The schematic diagram of the agent-based security audit system shown is merely an example. The agent-based security audit system and scenario described in this embodiment are intended to more clearly illustrate the technical solutions of this embodiment and do not constitute a limitation on the technical solutions provided by this embodiment. As those skilled in the art will know, with the evolution of agent-based security audit systems and the emergence of new scenarios, the technical solutions provided by this embodiment are also applicable to similar technical problems.
[0028] Please see Figure 2 , Figure 2 This is a flowchart illustrating a security auditing method based on intelligent agents provided in an embodiment of the present invention. This security auditing method based on intelligent agents can be... Figure 1 The agent-based security auditing system 100 shown is executed. This agent-based security auditing method may include at least the following steps:
[0029] 200. The coordinating agent receives security audit tasks, determines the type characteristics of the target system based on the security audit tasks, loads the audit rule templates corresponding to the type characteristics based on the preset audit strategy library, generates several strategy nodes with execution order dependencies, and instantiates the strategy nodes into atomic instructions.
[0030] In this embodiment, the intelligent agent can be an entity with autonomous perception, decision-making and execution capabilities, and can be software, hardware or system. It can simulate the behavior patterns of human experts under the drive of preset rules or large language models. Different intelligent agents have different preset functions, that is, they can complete specific network security audit tasks independently or collaboratively.
[0031] In this embodiment, the security audit task can be an immediate audit request submitted by the user, a periodic audit task automatically triggered by the system according to a preset time period, or a dynamic audit task automatically generated in response to a target system change event. A security audit task includes at least the target system identifier to be audited, the audit scope, and the audit priority. An atomic instruction can be the smallest granularity operation instruction generated by the coordinating agent after instantiating the policy nodes in the audit policy chain, and can be directly executed by a single agent.
[0032] In this embodiment, the audit rule template can be a predefined set of reusable audit rules for a specific type of target system. The audit rule template encapsulates a type identifier, an information collection strategy applicable to the specific type, a vulnerability analysis strategy, and a verification strategy. Specifically, the type identifier identifies the type of target system to which the audit rule template applies, such as Java Web applications, microservice architectures, mobile applications, and IoT systems; the information collection strategy specifies the types of information to be collected and the collection methods for the specific type of target system, including configuration files requiring special attention, key code locations, and business module division methods; the vulnerability analysis strategy contains vulnerability analysis rules for the specific type of target system, including vulnerability types requiring special detection (such as SQL injection and unauthorized access), attack hypothesis generation rules, and key code links requiring verification; and the verification strategy specifies the vulnerability verification methods for this type of system, including rules for generating verification test scripts and configuration parameters for the security sandbox.
[0033] In some embodiments, please refer to Figure 3 , Figure 3 This is a flowchart illustrating the determination of a time-varying graph provided in this embodiment of the invention. Based on a preset audit strategy library, audit rule templates corresponding to type characteristics are loaded, generating several strategy nodes with execution order dependencies. These strategy nodes are then instantiated into atomic instructions, including:
[0034] 300. Based on the preset audit strategy library, match and combine the audit strategies corresponding to the type characteristics to generate an audit strategy chain consisting of several strategy nodes with execution order dependencies; 310. Instantiate each policy node in the audit policy chain into an atomic instruction that each agent can execute, and distribute the atomic instructions to each agent according to the preset functions of each agent.
[0035] In this embodiment, each intelligent agent includes at least an information gathering agent, an analysis agent, and a verification agent. A policy node is the basic execution unit constituting the audit policy chain. Each policy node corresponds to an executable audit action and includes the parameters required for the audit action's execution, as well as dependencies with other nodes. A policy node includes at least the following attributes: node identifier, node type, execution parameters, prerequisite dependencies, and output results. The node identifier identifies the policy node's information; the node type indicates the audit stage to which the policy node belongs, including at least an information gathering node, a vulnerability analysis node, a vulnerability verification node, and a report generation node; the execution parameters can be the configuration information required for the policy node's execution, including the target scope, detection rules, and analysis depth; the prerequisite dependencies can include a list of policy node identifiers completed before the policy node's execution, used to ensure the correctness of data flow and control flow; the output results can include the data generated after the policy node's execution, including collected information, vulnerabilities discovered through analysis, and verification conclusions.
[0036] 210. The information-gathering intelligent agent acquires multi-dimensional information of the target system based on atomic instructions. Based on the source code of the target system in the multi-dimensional information, it generates control flow graphs, data flow graphs and function call relationship graphs, and merges them into a code attribute graph before storing it in a vector knowledge base.
[0037] In this embodiment, atomic instructions can be the smallest granularity operation instructions generated by the coordinating agent after instantiating the policy nodes in the audit policy chain, which can be directly executed by a single agent. The information collection agent can perform comprehensive, hierarchical information collection on the target system based on the assigned sub-tasks, i.e., the corresponding atomic instructions, providing complete data support for the identification of core functional modules, the formulation of potential attack hypotheses, and the verification of code paths in the subsequent vulnerability analysis phase. The collected content may include: obtaining the target system's documentation (such as design specifications, architecture documents, and code comments), directory structure, and configuration files; accurately identifying the technology stack, project dependencies, and runtime environment parameters; determining the division of responsibilities among the target system's sub-modules, the inter-module call relationships, locating externally exposed interfaces, core business interfaces, and key data flow paths; establishing a mapping relationship between tasks and code; and performing deep analysis of the target system's source code using SAST tools (such as SonarQube and FindSecBugs) to generate three types of graphs and construct a code attribute graph.
[0038] In some embodiments, a control flow graph, a data flow graph, and a function call graph are generated based on the source code of the target system from multidimensional information, and then merged into a code attribute graph and stored in a vector knowledge base. This includes: parsing the source code of the target system to generate a control flow graph based on functions, a data flow graph tracking the cycle of variables, and a function call graph for determining global function call relationships; merging the control flow graph, data flow graph, and function call graph, using code elements as nodes and syntax associations, data dependencies, and control dependencies between elements as edges to obtain a code attribute graph; and storing the code attribute graph in a vector knowledge base.
[0039] In some embodiments, the source code of the target system is parsed to generate a control flow graph based on functions, a data flow graph tracking variable cycles, and a function call graph for determining global function call relationships. This includes: generating a control flow graph, using basic blocks in the program as nodes and control flow jumps between basic blocks as edges, determining the instruction execution order, branch jump paths, and loop structures of the program through directed connections between nodes; nodes are labeled with the instruction types, variable states, and jump conditions contained in the basic block; basic blocks are continuous and sequentially executed instruction sequences; generating a data flow graph to determine the variable cycle from definition, assignment, and transfer to use, labeling the data flow paths and read / write operation locations between different functions and modules; and generating a function call graph to determine direct, indirect, and recursive call relationships between global functions, locating core functions, entry functions, and dependent functions.
[0040] In this embodiment, the first instruction in the instruction sequence is the unique entry point of the basic block, and the last instruction in the instruction sequence is the unique exit point of the basic block.
[0041] In some embodiments, storing the code attribute graph in a vector knowledge base further includes: obtaining unstructured and semi-structured data from multidimensional information; standardizing the unstructured and semi-structured data from multidimensional information to obtain standardized data; and storing the standardized data and the code attribute graph in a vector knowledge base.
[0042] This embodiment can be based on three types of graphs: a control flow graph generated at the function level, a data flow graph tracking variable cycles, and a function call relationship graph used to determine global function call relationships. It integrates code syntax structure, semantic information, and program dependencies to construct a code attribute graph, abstracting each code element (such as statements, variables, functions, classes, etc.) as nodes, and abstracting the syntactic associations, data dependencies, and control dependencies between code elements as edges, thereby achieving an integrated representation of multi-dimensional code information and providing support for subsequent accurate code path tracing. This embodiment can also standardize and structure all collected unstructured and semi-structured information, storing it in a vector knowledge base to form a structured knowledge system that supports semantic retrieval and can accurately empower vulnerability analysis.
[0043] 220. The analysis agent obtains the system knowledge representation of the target system from the vector knowledge base based on the retrieval enhancement generation service, and performs vulnerability mining analysis through the large language model to generate vulnerability analysis data.
[0044] In some embodiments, a system knowledge representation of the target system is obtained from a vector knowledge base based on a retrieval-enhanced generation service, and vulnerability mining analysis is performed using a large language model to generate vulnerability analysis data. This includes: obtaining the system knowledge representation of the target system from the vector knowledge base through semantic retrieval corresponding to the retrieval-enhanced generation service; inputting the system knowledge representation into a large language model to identify the functional modules and corresponding task scenarios of the target system based on the large language model; determining scenario-based attack hypotheses corresponding to the functional modules based on an attack hypothesis library, according to the functional modules and corresponding task scenarios of the target system; locating the code path corresponding to the scenario-based attack hypothesis by calling a code attribute graph, including: determining the program execution path through a control flow graph and determining the data flow trajectory of sensitive parameters or dangerous operations through a data flow graph; and performing vulnerability detection on the code path corresponding to the scenario-based attack hypothesis to obtain vulnerability analysis data.
[0045] In this embodiment, the system knowledge representation may include at least document information, module call relationships, data interfaces, and data flow information.
[0046] In this embodiment, the retrieval-augmented generation service can be a retrieval-augmented generation (RAG) model, which is a model architecture that combines information retrieval and generative artificial intelligence.
[0047] This embodiment can accurately identify core functional modules. Specifically, the analysis agent retrieves document information, module call relationships, core interfaces, and data flow information of the target system from the vector knowledge base through semantic retrieval. Combined with the task scenario understanding capabilities of the large language model, the system functions are hierarchically classified to accurately identify functional modules and corresponding task scenarios. Functional modules may include user authentication modules (such as login, registration, password reset, etc.), permission management modules (such as role assignment, interface permission control, data permission isolation, etc.), transaction flow modules (such as order creation, payment settlement, refund verification, etc.), sensitive data processing modules (such as user information storage, de-identified transmission, log recording, etc.), system operation and maintenance modules (such as configuration modification, log auditing, service monitoring, etc.). At the same time, the core task logic, key input and output parameters, and dependent modules of each functional module are marked.
[0048] In this embodiment, the analytical agent can also determine scenario-based attack hypotheses for each functional module based on an attack hypothesis library, according to the functional modules of the target system and the corresponding task scenarios. That is, based on the identified functional modules and task scenarios, it simulates the attack thinking of human security experts, combining common industry vulnerability types, attack cases of similar systems, and a dynamically updated attack hypothesis library to propose scenario-based potential attack hypotheses for each functional module. For example, for the user authentication module, hypotheses such as "lack of login failure limit leading to brute-force attack" and "unencrypted password transmission leading to man-in-the-middle theft" are proposed; for the payment transaction module, hypotheses such as "order amount parameter tampering" and "asynchronous callback forgery of payment status" are proposed; for the permission management module, hypotheses such as "horizontal unauthorized access to others' data" and "vertical unauthorized operation of administrator functions" are proposed; and for the sensitive data processing module, hypotheses such as "simplified storage of sensitive information" and "log leakage of user privacy" are proposed, ensuring that attack hypotheses are deeply bound to the task scenarios and avoiding indiscriminate speculation.
[0049] In some embodiments, vulnerability detection is performed on the code paths corresponding to scenario-based attack hypotheses to obtain vulnerability analysis data, including: detecting security flaws in key links; detecting security flaws in key links, including: input parameter validation, used to detect the length, format, range, presence of unfiltered special characters, and parameter out-of-bounds of input parameters; authorization authentication, used to detect whether the code location corresponding to the key operation contains authorization verification logic, whether the authorization verification logic covers all code paths accessing the key operation, and whether the authorization verification logic has security flaws that can be bypassed, with security flaws including at least incomplete verification conditions and abnormal branches in the verification logic that can be exploited; data processing and state change, used to detect whether the code location corresponding to sensitive data is encrypted, whether transaction state changes have atomicity guarantees, and whether concurrent operations cause data inconsistency; exception handling, used to detect whether the code location prone to exceptions has corresponding exception handlers, whether the exception handlers contain risks of sensitive information leakage, and whether uncaught exceptions cause abnormal interruption of program execution or failure to release system resources properly; risks include outputting exception stack information, system paths, database query statements, or user privacy data to the client or log files.
[0050] In this embodiment, the analysis agent can also call the code attribute graph to locate the corresponding code path for each attack hypothesis, combine the control flow graph to trace the program execution path, combine the data flow graph to trace the data flow trajectory of sensitive parameters or dangerous operations, and check whether there are security defects in key links. Key links can include at least the input parameter verification link, the authorization authentication link, the data processing and state change link, and the exception handling link.
[0051] In this embodiment, the analysis agent can accurately identify potential security vulnerabilities through full-path tracing and key link verification, mark the code line where the vulnerability is located, the triggering conditions, the scope of impact, and related attack hypotheses, and summarize and generate vulnerability analysis data containing information such as vulnerability type, preliminary location, and risk level prediction.
[0052] In this embodiment, the analytical agent can also dynamically update the attack hypothesis library according to the task scenario of the target system, and formulate differentiated vulnerability analysis strategies for different task scenarios (such as payment scenarios, user information management scenarios, etc.).
[0053] 230. The verification agent determines the verification test scripts for potential vulnerabilities based on the vulnerability analysis data, executes the verification test scripts based on the security sandbox, and obtains vulnerability verification data.
[0054] In this embodiment, the verification agent receives vulnerability analysis data output by the analysis agent and generates a corresponding verification test script for each potential vulnerability. The verification test script is executed in a preset security sandbox environment (such as a Docker sandbox) to simulate attack behavior and verify the authenticity and exploitability of the vulnerability. If the verification test script is successfully executed, the vulnerability is confirmed to exist. If the execution fails, the verification agent can adjust the parameters of the verification test script to re-execute the verification. If the verification still fails after multiple attempts, it is determined to be a false alarm and removed. Based on the verified vulnerability information, an accurate vulnerability list, i.e., vulnerability verification data, is determined.
[0055] In some embodiments, the security sandbox employs a four-layer isolation mechanism to restrict the resource access scope of verification test scripts and to implement permission minimization control for agent tool calls. The four-layer isolation mechanism includes a network isolation layer, a file system isolation layer, a process isolation layer, and a system call isolation layer.
[0056] In this embodiment, the network isolation layer can be configured to allow verification test scripts to access only a preset simulated target system or an isolated test network; the file system isolation layer can be configured to allow verification test scripts to perform read and write operations only in an isolated temporary storage space; the process isolation layer can be configured to run verification test scripts in an independent execution environment isolated from the host machine and external processes; and the system call isolation layer can be configured to intercept system call requests from verification test scripts and only allow pre-authorized secure system calls.
[0057] This embodiment employs a four-layer isolation mechanism in its secure sandbox environment. These four layers work together to minimize the access permissions for intelligent agent tool calls, restrict the resource access scope of verification test scripts, and prevent security threats to the target system and external environment during the verification process.
[0058] 240. The reporting agent obtains vulnerability information based on vulnerability verification data and generates a standardized security audit report based on the vulnerability information and a preset report template.
[0059] In this embodiment, the reporting agent summarizes the accurate vulnerability list output by the verification agent, collects vulnerability information (such as vulnerability location, vulnerability type, risk level, attack path, scope of impact, etc.), and generates a standardized security audit report based on a preset report template; the coordinating agent can provide the audit report to the user and support the user to query the audit results and submit objections.
[0060] In some embodiments, the coordinating agent continuously detects change events in the target system. These change events include at least code updates, configuration modifications, and changes to dependent components. When a change event is detected, the information collection agent is triggered to re-collect information based on the change event, update the corresponding structured knowledge in the vector knowledge base, and initiate an incremental audit process. The incremental audit process performs security audit operations on the code units and configuration items corresponding to the change event based on the updated structured knowledge.
[0061] This embodiment also sets up a dynamic audit optimization process, which coordinates the intelligent agent to continuously detect changes in the target system (such as code updates, configuration changes, etc.). When a system change is detected, the information collection intelligent agent is triggered to re-collect relevant information, update the vector knowledge base, and start the incremental audit process to perform targeted audits only on the changed parts, thereby improving audit efficiency.
[0062] The embodiments in this specification adopt a multi-agent collaborative architecture, in which each agent cooperates to automatically complete the entire audit process of information collection, vulnerability discovery, verification and report generation without human intervention, significantly reducing labor costs and improving audit efficiency, and can meet the audit needs of large-scale complex systems.
[0063] The embodiments in this specification can receive security audit tasks through a coordinating agent, determine the type characteristics of the target system, load audit rule templates based on a preset audit strategy library, generate policy nodes, and instantiate the policy nodes into atomic instructions; thereby decomposing the audit plan into multiple sub-tasks and assigning them to the information collection agent. The sub-tasks correspond to the policy nodes, realizing the formulation of personalized audit plans based on security audit tasks.
[0064] Furthermore, the embodiments of this specification can acquire multi-dimensional information of the target system through an information-gathering intelligent agent. Based on the source code of the target system in the multi-dimensional information, control flow graphs, data flow graphs, and function call relationship graphs are generated and merged into a code attribute graph and stored in a vector knowledge base. The embodiments of this specification achieve integrated representation of multi-dimensional information of the code by constructing a code attribute graph, providing complete data support for the identification of core functional modules, the proposal of potential attack hypotheses, and the verification of code paths in the subsequent vulnerability analysis stage. Moreover, a structured knowledge system that supports semantic retrieval and can accurately empower vulnerability analysis is formed through the vector knowledge base.
[0065] Furthermore, the embodiments of this specification can obtain the system knowledge representation of the target system from the vector knowledge base through the analysis agent based on the retrieval enhancement generation service, and perform vulnerability mining analysis through the large language model to generate vulnerability analysis data. The analysis agent of the embodiments of this specification uses the structured information in the vector knowledge base as the core support, retrieves the system knowledge representation of the target system from the vector knowledge base based on the retrieval enhancement generation service, and combines the task scenario understanding ability of the large language model to accurately identify core functional modules and generate scenario-based attack hypotheses. It can effectively detect task logic vulnerabilities such as payment bypass, unauthorized access, and coupon abuse, filling the detection blind spots of traditional tools.
[0066] Furthermore, the embodiments in this specification can not only verify the code path of attack hypotheses by analyzing the intelligent agent based on the code attribute graph, but also combine the security sandbox to execute verification test scripts to perform secondary confirmation of potential vulnerabilities, effectively eliminate false alarms, and greatly reduce the interference of invalid alarms to auditors.
[0067] The foregoing has described specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in a different order than that shown in the embodiments and may still achieve the desired result. Furthermore, the processes depicted in the drawings do not necessarily require the specific or sequential order shown to achieve the desired result. In some embodiments, multitasking and parallel processing are possible or may be advantageous.
[0068] Please see Figure 4 , Figure 4 This is a schematic diagram of the structure of the agent-based security audit system provided in the embodiments of this specification.
[0069] like Figure 4 As shown, this agent-based security audit system is based on a multi-agent collaborative architecture, which may include at least a coordinating agent 400, an information gathering agent 410, an analysis agent 420, a verification agent 430, and a reporting agent 440, etc., wherein:
[0070] The coordinating agent 400 is used to receive security audit tasks, determine the type characteristics of the target system based on the security audit tasks, load the audit rule templates corresponding to the type characteristics based on the preset audit strategy library, generate several policy nodes with execution order dependencies, and instantiate the policy nodes into atomic instructions.
[0071] Information gathering agent 410 is used to acquire multi-dimensional information of the target system based on atomic instructions, generate control flow graph, data flow graph and function call relationship graph based on the source code of the target system in the multi-dimensional information, and merge them into code attribute graph and store them in vector knowledge base;
[0072] Analysis agent 420 is used to obtain system knowledge representations of the target system from the vector knowledge base based on retrieval enhancement generation service, and to perform vulnerability mining analysis through a large language model to generate vulnerability analysis data;
[0073] Verification agent 430 is used to determine verification test scripts for potential vulnerabilities based on vulnerability analysis data, execute verification test scripts based on a security sandbox, and obtain vulnerability verification data.
[0074] Reporting agent 440 is used to obtain vulnerability information based on vulnerability verification data and generate a standardized security audit report based on the vulnerability information and a preset report template.
[0075] In some embodiments, the security audit task includes at least the target system identifier to be audited, the audit scope, and the audit priority; the coordinating agent 400 also includes a node generation module, which is used to: match and combine audit strategies corresponding to type features based on a preset audit strategy library, and generate an audit strategy chain composed of several strategy nodes with execution order dependencies; instantiate each strategy node in the audit strategy chain into an atomic instruction that each agent can execute, and distribute the atomic instruction to each agent according to the preset function of each agent; each agent includes at least an information collection agent, an analysis agent, and a verification agent.
[0076] In some embodiments, the information collection agent 410 further includes a graph generation module, which is used to: parse the source code of the target system to generate a control flow graph in units of functions, a data flow graph that tracks the cycle of variables, and a function call relationship graph for determining global function call relationships; merge the control flow graph, data flow graph, and function call relationship graph, and obtain a code attribute graph with code elements as nodes and syntax associations, data dependencies, and control dependencies between elements as edges; and store the code attribute graph in a vector knowledge base.
[0077] In some embodiments, the information collection agent 410 includes a storage module, which is used to: acquire unstructured and semi-structured data from multidimensional information; perform standardization processing on the unstructured and semi-structured data from multidimensional information to obtain standardized data; and store the standardized data and the code attribute graph into a vector knowledge base.
[0078] In some embodiments, the information collection agent 410 includes a graph generation submodule, which is used to: generate a control flow graph, using basic blocks in the program as nodes and control flow jumps between basic blocks as edges, and determine the instruction execution order, branch jump paths, and loop structures of the program through directed connections between nodes; the nodes are labeled with the instruction types, variable states, and jump conditions contained in the basic blocks; the basic blocks are a continuous and sequentially executed sequence of instructions; generate a data flow graph to determine the variable cycle from definition, assignment, transfer to use, and label the data flow paths and read / write operation positions between different functions and modules; and generate a function call relationship graph to determine the direct, indirect, and recursive call relationships between global functions, and locate the core function, entry function, and dependent functions.
[0079] In some embodiments, the system knowledge representation includes at least document data, module call relationships, data interfaces, and data flow information; the verification agent 430 includes a vulnerability detection module, which is used to: obtain the system knowledge representation of the target system from the vector knowledge base by retrieving the semantic retrieval corresponding to the enhanced generation service; input the system knowledge representation into a large language model, and identify the functional modules and corresponding task scenarios of the target system based on the large language model; determine the scenario-based attack hypotheses corresponding to the functional modules based on the attack hypothesis library and the corresponding task scenarios of the target system; based on the scenario-based attack hypotheses, call the code attribute graph to locate the code path corresponding to the scenario-based attack hypotheses, including: determining the program execution path through the control flow graph, and determining the data flow trajectory of sensitive parameters or dangerous operations through the data flow graph; perform vulnerability detection on the code path corresponding to the scenario-based attack hypotheses to obtain vulnerability analysis data.
[0080] In some embodiments, the vulnerability detection module includes a vulnerability detection submodule, which is used to detect security flaws in critical stages, including: an input parameter validation stage, used to detect the length, format, range, presence of unfiltered special characters, and parameter out-of-bounds of input parameters; an authorization authentication stage, used to detect whether the code location corresponding to the critical operation contains authorization verification logic, whether the authorization verification logic covers all code paths accessing the critical operation, and whether the authorization verification logic has security flaws that can be bypassed, with security flaws including at least incomplete verification conditions and abnormal branches in the verification logic that can be exploited; a data processing and state change stage, used to detect whether the code location corresponding to sensitive data is encrypted, whether transaction state changes have atomicity guarantees, and whether concurrent operations cause data inconsistency; and an exception handling stage, used to detect whether the code location prone to exceptions has corresponding exception handlers, whether the exception handlers contain risks of sensitive information leakage, and whether uncaught exceptions cause abnormal interruption of program execution or failure to release system resources properly; risks include outputting exception stack information, system paths, database query statements, or user privacy data to the client or log files.
[0081] In some embodiments, the security sandbox employs a four-layer isolation mechanism to restrict the resource access scope of verification test scripts and to implement permission minimization control for agent tool calls. The four-layer isolation mechanism includes a network isolation layer, a file system isolation layer, a process isolation layer, and a system call isolation layer.
[0082] In some embodiments, the coordinating agent 400 further includes an update module, which is used to continuously detect change events of the target system. The change events include at least code updates, configuration modifications, and changes to dependent components. When a change event is detected, the information collection agent is triggered to re-collect information based on the change event, update the corresponding structured knowledge in the vector knowledge base, and start an incremental audit process. The incremental audit process is to perform security audit operations on the code unit and configuration item corresponding to the change event based on the updated structured knowledge.
[0083] Based on the content of the agent-based security audit system in multiple embodiments of this specification, it can be seen that the embodiments of this specification adopt a multi-agent collaborative architecture, in which each agent cooperates to automatically complete the entire audit process of information collection, vulnerability discovery, verification and report generation without human intervention, significantly reducing labor costs, improving audit efficiency, and adapting to the audit needs of large-scale complex systems.
[0084] The various embodiments in this specification are described in a progressive manner. Similar or identical parts between embodiments can be referred to interchangeably. Each embodiment focuses on its differences from other embodiments. In particular, the embodiments of the agent-based security audit system are relatively simple in description because they are fundamentally similar to the embodiments of the agent-based security audit method; relevant parts can be referred to the descriptions in the method embodiments.
[0085] Please see Figure 5 The diagram shown is a structural schematic of an electronic device provided in an embodiment of this specification.
[0086] like Figure 5 As shown, the electronic device 500 may include at least one processor 510, at least one network interface 540, a user interface 530, a memory 550, and at least one communication bus 520.
[0087] The communication bus 520 can be used to realize the connection and communication of the above components.
[0088] The user interface 530 may include buttons, and the optional user interface may also include a standard wired interface or a wireless interface.
[0089] The network interface 540 may include, but is not limited to, Bluetooth modules, NFC modules, Wi-Fi modules, etc.
[0090] The processor 510 may include one or more processing cores. The processor 510 connects to various parts within the electronic device 500 using various interfaces and lines. It executes various functions and processes data by running or executing instructions, programs, code sets, or instruction sets stored in the memory 550, and by calling data stored in the memory 550. Optionally, the processor 510 may be implemented using at least one hardware form of DSP, FPGA, or PLA. The processor 510 may integrate one or more of the following: CPU, GPU, and modem. The CPU primarily handles the operating system, user interface, and applications; the GPU is responsible for rendering and drawing the content required for display; and the modem handles wireless communication. It is understood that the modem may also not be integrated into the processor 510 and may be implemented as a separate chip.
[0091] The memory 550 may include RAM or ROM. Optionally, the memory 550 may include a non-transitory computer-readable medium. The memory 550 may be used to store instructions, programs, code, code sets, or instruction sets. The memory 550 may include a program storage area and a data storage area, wherein the program storage area may store instructions for implementing an operating system, instructions for at least one function (such as touch function, sound playback function, image playback function, etc.), instructions for implementing the above-described method embodiments, etc.; the data storage area may store data involved in the above-described method embodiments, etc. Optionally, the memory 550 may also be at least one storage device located remotely from the aforementioned processor 510. As a computer storage medium, the memory 550 may include an operating system, a network communication module, a user interface module, and an agent-based security auditing application. The processor 510 may be used to invoke the agent-based security auditing application stored in the memory 550 and execute the steps of the agent-based security auditing method mentioned in the foregoing embodiments.
[0092] This specification also provides a computer-readable storage medium storing instructions that, when executed on a computer or processor, cause the computer or processor to perform the above-described instructions. Figures 2-4 One or more steps in the illustrated embodiment. If the constituent modules of the above-described electronic device are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium.
[0093] In the above embodiments, implementation can be achieved, in whole or in part, through software, hardware, firmware, or any combination thereof. When implemented in software, it can be implemented, in whole or in part, as a computer program product. A computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the flow or function according to the embodiments of this specification is generated. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions can be stored in or transmitted through a computer-readable storage medium. The computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that a computer can access or a data storage device such as a server or data center that integrates one or more available media. The available media can be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., Digital Versatile Discs (DVDs)), or semiconductor media (e.g., Solid State Disks (SSDs)).
[0094] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. This program can be stored in a computer-readable storage medium, and when executed, it can include the processes of the embodiments of the methods described above. The aforementioned storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disks, or optical disks. Unless otherwise specified, the technical features of this embodiment and its implementation can be combined arbitrarily.
[0095] The above embodiments are merely preferred embodiments described in this specification and are not intended to limit the scope of this specification. Any modifications and improvements made by those skilled in the art to the technical solutions of this specification without departing from the spirit of this specification should fall within the protection scope defined by the claims of this specification.
Claims
1. A security auditing method based on intelligent agents, characterized in that, Based on a multi-agent collaborative architecture, the multi-agent collaborative architecture includes a coordinating agent, an information gathering agent, an analysis agent, a verification agent, and a reporting agent, comprising: The coordinating agent receives a security audit task, determines the type characteristics of the target system based on the security audit task, loads the audit rule template corresponding to the type characteristics based on the preset audit strategy library, generates several strategy nodes with execution order dependencies, and instantiates the strategy nodes into atomic instructions. The information collection agent acquires multi-dimensional information of the target system based on the atomic instructions, generates control flow graph, data flow graph and function call relationship graph based on the source code of the target system in the multi-dimensional information, and merges them into a code attribute graph and stores it in the vector knowledge base; The analytical agent obtains the system knowledge representation of the target system from the vector knowledge base based on the retrieval enhancement generation service, and performs vulnerability mining analysis through a large language model to generate vulnerability analysis data. The verification agent determines verification test scripts for potential vulnerabilities based on the vulnerability analysis data, executes the verification test scripts based on the security sandbox, and obtains vulnerability verification data. The reporting agent obtains vulnerability information based on the vulnerability verification data, and generates a standardized security audit report based on the vulnerability information and a preset report template.
2. The method according to claim 1, characterized in that, The security audit task includes at least the target system identifier to be audited, the audit scope, and the audit priority; the step of loading audit rule templates corresponding to the type characteristics based on a preset audit strategy library, generating several strategy nodes with execution order dependencies, and instantiating the strategy nodes into atomic instructions includes: Based on the preset audit strategy library, the audit strategies corresponding to the type features are matched and combined to generate an audit strategy chain composed of several strategy nodes with execution order dependencies; each strategy node in the audit strategy chain is instantiated into an atomic instruction that each intelligent agent can execute, and the atomic instruction is distributed to each intelligent agent according to the preset function of each intelligent agent; Each of the intelligent agents includes at least an information gathering intelligent agent, an analysis intelligent agent, and a verification intelligent agent.
3. The method according to claim 1, characterized in that, The process of generating control flow graphs, data flow graphs, and function call relationship graphs based on the source code of the target system from the multidimensional information, and then merging them into a code attribute graph and storing it in a vector knowledge base includes: The source code of the target system is parsed to generate a control flow graph in units of functions, a data flow graph that tracks the cycle of variables, and a function call relationship graph for determining global function call relationships; By merging the control flow graph, the data flow graph, and the function call relationship graph, and using code elements as nodes and the syntax associations, data dependencies, and control dependencies between elements as edges, a code attribute graph is obtained. The code attribute graph is stored in the vector knowledge base.
4. The method according to claim 3, characterized in that, Storing the code attribute graph into the vector knowledge base also includes: Obtain unstructured and semi-structured data from the multidimensional information; The unstructured and semi-structured data in the multidimensional information are standardized to obtain standardized data; The standardized data and the code attribute graph are stored in a vector knowledge base.
5. The method according to claim 3, characterized in that, The process of parsing the source code of the target system to generate a control flow graph in units of functions, a data flow graph tracking the cycle of variables, and a function call relationship graph for determining global function call relationships includes: A control flow graph is generated, with basic blocks in the program as nodes and control flow jumps between the basic blocks as edges. The instruction execution order, branch jump paths, and loop structures of the program are determined through the directed connections between nodes. The nodes are labeled with the instruction types, variable states, and jump conditions contained in the basic block. The basic block is a continuous and sequentially executed sequence of instructions. Generate a data flow graph to determine the variable lifecycle from definition, assignment, and transfer to use, and mark the data flow path and read / write operation locations between different functions and modules. Generate a function call graph to determine the direct, indirect, and recursive call relationships between global functions, and locate the core function, entry function, and dependent functions.
6. The method according to claim 1, characterized in that, The system knowledge representation includes at least document data, module call relationships, data interfaces, and data flow information; the retrieval-enhanced generation service obtains the system knowledge representation of the target system from the vector knowledge base, and performs vulnerability mining analysis through a large language model to generate vulnerability analysis data, including: The system knowledge representation of the target system is obtained from the vector knowledge base by retrieving the semantic retrieval corresponding to the enhanced generation service; The system knowledge representation is input into a large language model, and the functional modules and corresponding task scenarios of the target system are identified based on the large language model. Based on the attack hypothesis library, the scenario-based attack hypothesis corresponding to the functional module is determined according to the functional module of the target system and the corresponding task scenario. Based on the scenario-based attack hypothesis, the code attribute graph is invoked to locate the code path corresponding to the scenario-based attack hypothesis, including: determining the program execution path through the control flow graph, and determining the data flow trajectory of sensitive parameters or dangerous operations through the data flow graph; Vulnerability detection is performed on the code paths corresponding to the aforementioned scenario-based attack assumptions to obtain vulnerability analysis data.
7. The method according to claim 6, characterized in that, The vulnerability detection of the code path corresponding to the scenario-based attack hypothesis to obtain vulnerability analysis data includes: detecting security flaws in key links; The security defects in the key detection process include: The input parameter validation step is used to detect the length, format, range, presence of unfiltered special characters, and whether the parameters are out of bounds of the input parameters. In the authorization authentication process, it is used to detect whether the code location corresponding to the critical operation contains authorization verification logic, whether the authorization verification logic covers all code paths that access the critical operation, and whether the authorization verification logic has any security flaws that can be bypassed. The security flaws include at least incomplete verification conditions and abnormal branches in the verification logic that can be exploited. In the data processing and state change stage, it is used to detect whether the code corresponding to sensitive data is encrypted, whether the transaction state change has an atomicity guarantee mechanism, and whether there are concurrent operations that cause data inconsistency. The exception handling stage is used to detect whether there is a corresponding exception handler for the code location that is prone to exceptions, to detect whether the exception handler contains a risk of sensitive information leakage, and to detect whether an uncaught exception causes an abnormal interruption of the program execution flow or a failure to release system resources properly. The risks include outputting exception stack information, system paths, database query statements, or user privacy data to the client or log files.
8. The method according to claim 1, characterized in that, The security sandbox employs a four-layer isolation mechanism to restrict the resource access scope of the verification test scripts and to implement permission minimization control for agent tool calls. The four-layer isolation mechanism includes a network isolation layer, a file system isolation layer, a process isolation layer, and a system call isolation layer.
9. The method according to claim 1, characterized in that, The coordinating agent continuously detects change events in the target system, and the change events include at least code updates, configuration modifications, and changes to dependent components. When the change event is detected, the information collection agent is triggered to re-collect information based on the change event, update the corresponding structured knowledge in the vector knowledge base, and start the incremental audit process. The incremental audit process is to perform security audit operations on the code unit and configuration item corresponding to the change event based on the updated structured knowledge.
10. A security auditing system based on intelligent agents, characterized in that, Based on a multi-agent collaborative architecture, the multi-agent collaborative architecture includes a coordinating agent, an information gathering agent, an analysis agent, a verification agent, and a reporting agent, comprising: The coordinating agent is used to receive security audit tasks, determine the type characteristics of the target system based on the security audit tasks, load audit rule templates corresponding to the type characteristics based on a preset audit strategy library, generate several strategy nodes with execution order dependencies, and instantiate the strategy nodes into atomic instructions. The information collection agent is used to acquire multi-dimensional information of the target system based on the atomic instructions, generate control flow graph, data flow graph and function call relationship graph based on the source code of the target system in the multi-dimensional information, and merge them into a code attribute graph and store it in a vector knowledge base. The analytical agent is used to obtain the system knowledge representation of the target system from the vector knowledge base based on the retrieval enhancement generation service, and to perform vulnerability mining analysis through a large language model to generate vulnerability analysis data. The verification agent is used to determine verification test scripts for potential vulnerabilities based on the vulnerability analysis data, execute the verification test scripts based on the security sandbox, and obtain vulnerability verification data. The reporting agent is used to obtain vulnerability information based on the vulnerability verification data, and generate a standardized security audit report based on the vulnerability information and a preset report template.