Cybersecurity information vulnerability intelligent early warning method and system
By combining multi-source data collection and dynamic risk assessment models with hybrid machine learning to predict vulnerability trends, intelligent, accurate, and forward-looking early warning of network security vulnerabilities has been achieved. This solves the problems of untimely vulnerability warnings and high false alarm rates in existing technologies, and is applicable to scenarios such as government and enterprise, cloud platforms, and industrial internet.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- WUHAN POLYTECHNIC
- Filing Date
- 2026-04-30
- Publication Date
- 2026-07-03
AI Technical Summary
Existing cybersecurity vulnerability early warning technologies suffer from problems such as limited data collection, static and fixed risk assessments, outdated and passive early warning models, and insufficient coordination between early warning and response. These issues result in untimely vulnerability warnings, high false alarm rates, a lack of foresight and coordination with response efforts, and an inability to adapt to complex and dynamic cybersecurity situations.
A standardized vulnerability feature library is constructed by collecting data from multiple sources. A dynamic vulnerability risk assessment model is built by combining an improved hierarchical analysis method and a fuzzy comprehensive evaluation method. Multi-level dynamic early warning thresholds are set. A hybrid machine learning model of Bi-LSTM and attention mechanism is used to predict the probability of vulnerability exploitation and the outbreak time. Tiered early warning information is pushed and automated emergency response scripts are generated.
It achieves intelligent, accurate, and forward-looking vulnerability early warning, significantly reduces false alarm rate, is suitable for network security prevention and control scenarios such as government and enterprise, cloud platforms, and industrial internet, and improves the timeliness of early warning and the degree of automation of handling.
Smart Images

Figure CN122339816A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security early warning technology, and in particular to an intelligent early warning method and system for network security information vulnerabilities. Background Technology
[0002] As digital transformation continues to deepen, core businesses across various industries are gradually migrating to cyberspace. The scale and complexity of information systems and network assets are constantly increasing, accompanied by an exponential growth in the number of network vulnerabilities, with increasingly diverse vulnerability types and more covert exploitation methods. Currently, vulnerability exploitation attacks have become one of the major threats in the field of cybersecurity. Various malicious attack organizations exploit unpatched vulnerabilities to carry out malicious acts such as data breaches, system paralysis, and ransomware attacks, causing not only huge economic losses but also potentially affecting the normal operation of public services and endangering cyberspace security, posing a severe challenge to the cybersecurity protection systems of enterprises, institutions, and even nations.
[0003] To address these threats, existing cybersecurity vulnerability warning technologies have emerged. However, practical experience has shown that these technologies still have many critical flaws and are insufficient to meet the needs for accurate early warning and proactive protection in today's complex network environment.
[0004] First, the data collection is one-sided. Most existing technologies only collect basic static data about the vulnerability itself, such as vulnerability number, vulnerability type, and CVSS basic score. They do not effectively integrate multi-source heterogeneous data such as real-time network environment data, dynamic threat intelligence data, and vulnerability historical exploitation data. As a result, risk assessment can only focus on the inherent characteristics of the vulnerability and cannot fully consider external influencing factors. The assessment results are one-sided and out of touch with reality.
[0005] Secondly, the risk assessment method is static and fixed, using a fixed weight allocation scheme and warning threshold. It does not adapt to dynamic changes in the network environment, such as the online status of assets and the operation of protection equipment. As a result, the accuracy of risk value calculation is low, and according to industry statistics, the false alarm rate is as high as 30%-50%. This increases the amount of ineffective operation and maintenance work and makes it easy to overlook the risks of critical vulnerabilities.
[0006] Third, the early warning mode is lagging and passive, and the alert is often triggered only after the vulnerability has been discovered or even exploited. It lacks the ability to predict the exploitation trend and outbreak time window of the vulnerability, which leads to the operation and maintenance personnel responding passively and missing the best protection opportunity.
[0007] Fourth, there is insufficient coordination between early warning and response. Early warning information only indicates the existence of vulnerabilities without providing targeted remediation solutions and automated response methods. Operation and maintenance personnel need to manually analyze and judge the situation and write response scripts, which is inefficient and can easily exacerbate security risks due to operational errors.
[0008] In summary, existing technologies are ill-suited to the complex and dynamic cybersecurity landscape. Developing a vulnerability early warning technology that addresses these pain points has become an urgent issue in the current cybersecurity field. Summary of the Invention
[0009] The purpose of this invention is to propose an intelligent early warning method for network security information vulnerabilities, aiming to solve the technical problems of untimely vulnerability warnings, high false alarm rates, and lack of foresight and coordination in early warning and response.
[0010] This invention is implemented as follows: a method for intelligent early warning of network security information vulnerabilities, the method comprising: Collect vulnerability-related data from network security information, clean, normalize, and structure the collected data, and construct a standardized vulnerability feature library; the vulnerability-related data includes basic vulnerability data, real-time network environment data, threat intelligence data, and historical exploitation data; Based on the improved analytic hierarchy process, the weight coefficients of vulnerability type, scope of impact, exploitation difficulty, exposure degree, and asset value are determined. A dynamic network environment correction factor is introduced, and a dynamic vulnerability risk assessment model is constructed by combining the fuzzy comprehensive evaluation method. The standardized vulnerability feature library data and real-time network environment data are input into the model to calculate the real-time vulnerability risk value. Based on the network security level protection requirements and the security baseline of business scenarios, multi-level dynamic early warning thresholds are set. Real-time vulnerability risk values are compared with early warning thresholds. At the same time, based on the difficulty of vulnerability exploitation and the scope of impact, early warning levels are divided and corresponding early warning methods are used. Construct a hybrid machine learning model based on Bi-LSTM and attention mechanism, input temporal vulnerability feature data, train to learn the vulnerability evolution trend, and output the future exploitation probability, outbreak time window, and prediction confidence of the vulnerability. When the predicted probability of vulnerability exploitation exceeds the preset probability threshold, or the real-time vulnerability risk value reaches the corresponding warning level, it is determined that the warning triggering conditions are met, and a graded warning information is pushed to the corresponding operation and maintenance terminal; at the same time, according to the warning level and vulnerability type, graded vulnerability remediation suggestions and automated emergency response scripts are generated simultaneously.
[0011] Another objective of this invention is to provide an intelligent early warning system for network security information vulnerabilities. The system includes:
[0012] The multi-source data acquisition module is used to collect vulnerability-related data from network security information, clean, normalize, and structure the collected data, and build a standardized vulnerability feature library; the vulnerability-related data includes basic vulnerability data, real-time network environment data, threat intelligence data, and historical exploitation data; The real-time vulnerability risk value calculation module is used to determine the weight coefficients of vulnerability type, impact scope, exploitation difficulty, exposure degree, and asset value based on the improved analytic hierarchy process. It introduces a dynamic network environment correction factor and combines the fuzzy comprehensive evaluation method to construct a dynamic vulnerability risk assessment model. The standardized vulnerability feature library data and real-time network environment data are input into the model to calculate the real-time vulnerability risk value. The warning level determination module is used to set multi-level dynamic warning thresholds based on network security level protection requirements and business scenario security baselines. It compares real-time vulnerability risk values with warning thresholds and, in conjunction with vulnerability exploitation difficulty and impact scope, classifies warning levels and corresponds to different warning methods. The hybrid machine learning model building module is used to build a hybrid machine learning model based on Bi-LSTM and attention mechanism. It takes temporal vulnerability feature data as input, trains and learns the vulnerability evolution trend, and outputs the future exploitation probability, outbreak time window, and prediction confidence of the vulnerability. The early warning and response linkage module is used to determine whether the early warning triggering conditions are met when the predicted vulnerability exploitation probability exceeds a preset probability threshold or the real-time vulnerability risk value reaches the corresponding early warning level. It then pushes graded early warning information to the corresponding operation and maintenance terminal. At the same time, it generates graded vulnerability remediation suggestions and automated emergency response scripts based on the early warning level and vulnerability type.
[0013] Beneficial effects of the present invention This invention discloses an intelligent early warning method and system for network security information vulnerabilities. The method includes: collecting vulnerability-related data from network security information from multiple sources in a heterogeneous manner to construct a standardized vulnerability feature library; constructing a dynamic vulnerability risk assessment model for the integrated network environment based on an improved analytic hierarchy process (AHP) and fuzzy comprehensive evaluation method to quantify real-time risk values; setting multi-level dynamic early warning thresholds, classifying early warning levels based on risk values and vulnerability evolution trends, and matching differentiated early warning methods; analyzing historical vulnerability characteristics and network environment-related data based on a hybrid machine learning algorithm using a bidirectional long short-term memory network (Bi-LSTM) and attention mechanism to predict vulnerability exploitation probability and outbreak time windows; and simultaneously generating graded remediation suggestions and automated emergency response scripts when pushing early warning information to achieve an early warning-response closed loop. This invention achieves intelligent, accurate, and forward-looking vulnerability early warning, significantly reducing false alarm rates and network security risks, and is suitable for various network security prevention and control scenarios such as government and enterprise, cloud platforms, and industrial internet. Attached Figure Description
[0014] Figure 1 This is a flowchart of a preferred embodiment of the intelligent early warning method for network security information vulnerabilities of the present invention; Figure 2 This is a structural diagram of a network security information vulnerability intelligent early warning system according to a preferred embodiment of the present invention. Detailed Implementation
[0015] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be further described in detail below with reference to the accompanying drawings and embodiments. For ease of explanation, only the parts related to the embodiments of this invention are shown. It should be understood that the specific embodiments described herein are merely for explaining this invention and are not intended to limit this invention.
[0016] This invention proposes an intelligent early warning method and system for network security information vulnerabilities. The method includes: collecting vulnerability-related data from multiple heterogeneous sources in network security information to construct a standardized vulnerability feature library; building a dynamic vulnerability risk assessment model for the integrated network environment based on an improved analytic hierarchy process (AHP) and fuzzy comprehensive evaluation method to quantify real-time risk values; setting multi-level dynamic early warning thresholds, classifying early warning levels based on risk values and vulnerability evolution trends, and matching differentiated early warning methods; analyzing historical vulnerability characteristics and network environment-related data using a hybrid machine learning algorithm based on a bidirectional long short-term memory network (Bi-LSTM) and attention mechanism to predict vulnerability exploitation probability and outbreak time windows; and simultaneously generating graded remediation suggestions and automated emergency response scripts when pushing early warning information to achieve a closed-loop early warning and response system. This invention achieves intelligent, accurate, and forward-looking vulnerability early warning, significantly reducing false alarm rates and network security risks, and is adaptable to various network security prevention and control scenarios such as government and enterprise, cloud platforms, and the industrial internet.
[0017] Figure 1 This is a flowchart of a preferred embodiment of the intelligent early warning method for network security information vulnerabilities of the present invention; it includes the following steps: S1. Collect vulnerability-related data from network security information. The vulnerability-related data includes basic vulnerability data, network environment data, threat intelligence data, and historical exploitation data. Clean, normalize, and structure the collected data to build a standardized vulnerability feature library. The basic vulnerability data includes CVE (Common Vulnerability Disclosure) number, vulnerability name, vulnerability type, CVSS (Common Vulnerability Scoring System) score, affected components, and release date; The network environment data includes the online status of affected assets, asset importance level, network topology, firewall policies, and access control lists. The threat intelligence data includes information on vulnerability exploitation in the wild, information on malicious code associations, and attack trends of hacker groups. The historical exploitation data includes the vulnerability's historical exploitation time, exploitation success rate, attack traffic characteristics, and distribution of attacked assets.
[0018] S2, based on the improved analytic hierarchy process (AHP), determines the weight coefficients for vulnerability type, impact scope, exploitation difficulty, exposure level, and asset value. It introduces a dynamic network environment correction factor and combines it with the fuzzy comprehensive evaluation method to construct a dynamic vulnerability risk assessment model. Standardized vulnerability feature database data and real-time network environment data are input into the model to calculate the real-time vulnerability risk value. The specific process includes: S21, by improving the analytic hierarchy process, the basic weights of vulnerability type, scope of impact, exploitation difficulty, exposure level, and asset value (five evaluation indicators) are determined; Specifically, a hierarchical model is constructed (target layer: vulnerability risk assessment; criteria layer: vulnerability type, impact scope, exploitation difficulty, exposure level, asset value; solution layer: specific vulnerability scenarios). A judgment matrix is constructed by pairwise comparing and scoring the relative importance of the five indicators in the criteria layer. After consistency testing (consistency test index CR < 0.1), the basic weight coefficients of the five indicators are calculated and denoted as the basic weight vector ω = [ , , , , ];in: This represents the weighting coefficient for vulnerability types. As the influence range weighting coefficient, In order to utilize the difficulty weighting coefficient, For the exposure degree weighting coefficient, It is the asset value weighting coefficient, and satisfies... + + + + =1; In this embodiment of the invention, the basic weight vector calculated by the improved analytic hierarchy process is ω=[0.15,0.25,0.20,0.15,0.25] (which can be adaptively adjusted according to the actual scenario through expert scoring and consistency checks).
[0019] S22, calculate the dynamic correction factor αᵢ of the network environment; Specifically, independent dynamic correction coefficients α1, α2, α3, α4, and α5 are introduced for each of the five evaluation indicators, so that the components of the corrected weight vector ω' are adjusted differently. The formula is defined as follows: αᵢ=(λ1ᵢ·X1^γ1+λ2ᵢ·X2^γ2+λ3ᵢ·X3^γ3)×βᵢ, Where i=1,2,3,4,5 correspond to the five indicators: vulnerability type, impact scope, exploitation difficulty, exposure level, and asset value, respectively; λ1ᵢ, λ2ᵢ, and λ3ᵢ are fixed allocation coefficients for the environmental parameters corresponding to the i-th indicator, satisfying λ1ᵢ+λ2ᵢ+λ3ᵢ=1. The allocation coefficients for each indicator can be set differently according to the characteristics of the indicator; for example, the exposure level indicator is more sensitive to the asset online rate and can be allocated a larger weight of λ1ᵢ, while the asset value indicator is more sensitive to business continuity requirements and can be allocated a larger weight of λ3ᵢ; γ1, γ2, and γ3 are the independent influence adjustment coefficients for environmental parameters, and their value range is consistent with the aforementioned embodiment; βᵢ is the real-time situation adjustment coefficient corresponding to the i-th indicator, and its value is determined according to the network situation level. Network situation status assessment method: By collecting three types of data in real time—network attack situation, security device operation situation, and overall network asset security situation—the data are divided into three levels according to preset standards: low risk, normal, and slight risk. The data are matched with value ranges of 0.95–0.98, 0.98–1.02, and 1.02–1.05, respectively. Based on this, the specific value of βᵢ is determined, enabling differentiated dynamic adjustment of the correction coefficients for each indicator.
[0020] S23, calculates the basic weight vector of the five evaluation indicators after correction: vulnerability type, scope of impact, difficulty of exploitation, degree of exposure, and asset value; The base weight vector ω is fused with the dynamic correction factor αᵢ to obtain the corrected weight vector (dynamic weight vector) ω′, as shown in the following formula: ω′= =[ω1·α1,ω2·α2,ω3·α3,ω4·α4,ω5·α5]; That is, each indicator weight is multiplied by its corresponding correction coefficient, rather than multiplied by a single scalar. After correction, the weight vector needs to be normalized so that Σω'ᵢ=1 to ensure the mathematical regularity of subsequent fuzzy synthesis operations; This represents the basic weight coefficient corresponding to the i-th evaluation indicator;
[0021] S24, The fuzzy evaluation result of vulnerability risk is calculated using the fuzzy comprehensive evaluation algorithm; Fuzzy comprehensive evaluation is used to quantify and score vulnerability risks. Combined with a modified weight vector (i.e., a dynamic weight vector), standardized vulnerability feature database data and real-time network environment data are transformed into a fuzzy evaluation matrix. The fuzzy evaluation result of vulnerability risk is obtained through fuzzy synthesis operations. The specific algorithm formula is as follows: S241, Define the fuzzy evaluation level set V; The evaluation levels are selected as "low risk, medium risk, high risk, and extremely high risk", and denoted as the evaluation level set V=[v1,v2,v3,v4] (corresponding to quantitative scores [0,0.3], [0.3,0.6], [0.6,0.8], and [0.8,1.0]). S242, based on standardized vulnerability feature database data (vulnerability basic data, historical exploitation data) and real-time network environment data, performs fuzzy evaluation on five evaluation indicators, determines the membership degree of each indicator corresponding to each evaluation level, and constructs a 5×4 order fuzzy evaluation matrix R; Specifically, based on the basic vulnerability data and historical exploitation data in the standardized vulnerability feature library, as well as real-time collected network environment data (including asset online status, business continuity requirements, etc.), fuzzy evaluations are performed on the five assessment indicators. First, a trapezoidal membership function (i.e., membership intervals are set through historical data statistics and industry standards) is used to define three fuzzy membership ranges: low, medium, and high. Then, for each of the five assessment indicators (vulnerability type, impact scope, exploitation difficulty, exposure degree, and asset value), the membership degree corresponding to different risk levels is calculated. This membership degree is calculated using the trapezoidal membership function, that is, by combining the actual characteristics of each indicator (such as the matching degree between vulnerability type and risk level, the size of asset exposure, etc.), the membership degree values corresponding to low, medium, and high risk levels for each indicator are determined, ensuring that the sum of the membership degrees is 1. Finally, based on the above membership degree results, a 5×4 fuzzy evaluation matrix R is constructed. Each row of the matrix corresponds to an assessment indicator, and each column corresponds to a risk level. The matrix elements are the membership degrees of each indicator corresponding to different risk levels.
[0022] ; in, This indicates the membership degree of the i-th evaluation indicator (i=1,2,3,4,5 corresponding to the five core indicators) to the j-th evaluation level (j=1,2,3,4 corresponding to low, medium, high, and extremely dangerous risks), satisfying the following condition: Membership is determined by a trapezoidal membership function, based on basic vulnerability data and historical exploitation data in a standardized vulnerability feature library, as well as real-time network environment data (including asset online status, business continuity requirements, etc.), and combined with the actual characteristics of each assessment indicator (such as vulnerability type matching degree, asset exposure area, etc.), to ensure that the membership value is accurate and conforms to the risk assessment logic.
[0023] In this embodiment of the invention, the formula for calculating the membership degree μ of a single index is: Where x is the real-time monitoring value of a certain evaluation indicator (such as vulnerability CVSS score, asset online rate, business continuity requirement score, etc.), a is the lower limit threshold of the risk level corresponding to the indicator (such as the value corresponding to low risk), b is the upper limit threshold of the risk level corresponding to the indicator (such as the boundary value between medium risk and high risk), and c is the middle threshold of the trapezoidal membership function, that is, the middle threshold of the risk level corresponding to the indicator (such as the boundary value between medium risk and high risk). S243, perform fuzzy synthesis operation on the corrected weight vector ω′ and fuzzy evaluation matrix R to obtain fuzzy comprehensive evaluation result vector B; ; Where ∘ represents fuzzy composition operation, The comprehensive membership degree of a vulnerability belonging to the j-th evaluation level is expressed as follows: ; j=1,2,3,4; S25, the fuzzy comprehensive evaluation result vector B and the evaluation level quantitative scoring vector S are weighted and summed to calculate the real-time vulnerability risk value F; ; Wherein, F is the real-time vulnerability risk value, with a value range of [0, 1.0]. The larger the value, the higher the vulnerability risk and the higher the corresponding warning level; S is the evaluation level quantitative scoring vector, which is set in combination with the vulnerability risk assessment requirements. In this embodiment, S = [0.15, 0.45, 0.70, 0.90] (corresponding to the quantitative scores of low, medium, high, and extremely dangerous risks, respectively). Let S be the transpose of S. The quantitative scoring vector S for the evaluation level corresponds to the quantitative score of the vulnerability risk evaluation level. Specifically, it is a vector formed by assigning corresponding quantitative scores to the four vulnerability evaluation levels of "low risk, medium risk, high risk, and critical risk". The specific process is as follows: First, define the evaluation level set V=[v1,v2,v3,v4], corresponding to the four vulnerability risk levels of "low risk, medium risk, high risk, and critical risk", and define a clear quantitative scoring range for each level (low risk [0,0.3], medium risk [0.3,0.6], high risk [0.6,0.8], critical risk [0.8,1.0]). Then, according to the actual risk level, potential loss, and prevention priority of each risk level, assign a corresponding quantitative score to each evaluation level. The score must fall within the quantitative range of the corresponding level and follow the logic of "the higher the risk level, the higher the quantitative score". Finally, arrange the quantitative scores corresponding to each evaluation level in the order of "low risk, medium risk, high risk, and critical risk" to form the quantitative scoring vector S for the evaluation level. In this embodiment, based on the actual needs of vulnerability risk assessment, S is set to [0.15, 0.45, 0.70, 0.90];
[0024] For example, in an optional embodiment of the present invention, a remote code execution vulnerability (CVE-2024-XXXX) is selected as the evaluation object. Given the basic weight vector ω=[0.15,0.25,0.20,0.15,0.25], when calculating the dynamic correction coefficient αᵢ of the network environment, the environmental parameter allocation coefficients corresponding to the five evaluation indicators are set as follows: vulnerability type (i=1) λ 11 =0.2、λ 21 =0.5、λ 31 =0.3, γ1=1.0, γ2=1.1, γ3=1.2, β1=1.03; scope of influence (i=2) λ 12 =0.4、λ 22 =0.3、λ 32 =0.3, γ1=1.0, γ2=1.1, γ3=1.2, β2=1.03; utilization difficulty (i=3) λ 13 =0.3、λ 23 =0.5、λ 33 =0.2, γ1=1.0, γ2=1.1, γ3=1.2, β3=1.02; exposure level (i=4) λ 14 =0.6、λ 24 =0.2、λ 34 =0.2, γ1=1.0, γ2=1.1, γ3=1.2, β4=1.03; asset value (i=5) λ 15 =0.2、λ 25 =0.2、λ 35= 0.6, γ1 = 1.0, γ2 = 1.1, γ3 = 1.2, β5 = 1.05. Substitute into αᵢ = (λ1ᵢ・X1^γ1 + λ2ᵢ・X2^γ2 + λ3ᵢ・X3^γ3) × βᵢ, and calculate to get α1 = 1.05, α2 = 1.08, α3 = 1.02, α4 = 1.06, α5 = 1.09; Multiply the basic weights by the corresponding αᵢ to obtain the corrected weight vector ω′ = [0.15 × 1.05, 0.25 × 1.08, 0.20 × 1.02, 0.15 × 1.06, 0.25 × 1.09] = [0.1575, 0.27, 0.204, 0.159, 0.2725]. After normalization, ensure that the sum of the weights is 1; Use the trapezoidal membership function to calculate the risk membership degrees of the five indicators, construct the fuzzy evaluation matrix R, and then perform the fuzzy synthesis operation on ω′ and R to obtain the comprehensive membership degree vector B = [0.04, 0.11, 0.25, 0.60]. Finally, substitute into F = B・Sᵀ, where S = [0.15, 0.45, 0.70, 0.90], and calculate the real-time vulnerability risk value F = 0.04 × 0.15 + 0.11 × 0.45 + 0.25 × 0.70 + 0.60 × 0.90 = 0.82, which belongs to high risk, triggers the corresponding level of warning and generates targeted repair suggestions.
[0025] S3, According to the requirements of network security level protection and the security baseline of the business scenario, set multi-level dynamic warning thresholds, compare the real-time vulnerability risk value with the warning thresholds, and at the same time combine the difficulty of vulnerability exploitation and the scope of influence to divide the warning levels and correspond to different warning methods; In the embodiments of the present invention, the warning levels are divided into four levels: low risk, medium risk, high risk, and extreme risk; The four-level dynamic warning thresholds are the low-risk threshold T1, the medium-risk threshold T2, the high-risk threshold T3, and the extreme-risk threshold T4, and T1 < T2 < T3 < T4; The warning methods include terminal pop-up windows, text messages, emails, enterprise WeChat, sound and light alarms, and linkage with security devices to automatically block. Low-risk warnings use terminal pop-up windows + emails, medium-risk warnings add text messages, high-risk warnings add enterprise WeChat + sound and light alarms, and extreme-risk warnings trigger all warning methods and link security devices to execute preset blocking strategies.
[0026] S4, Construct a hybrid machine learning model based on Bi-LSTM and attention mechanism, input time-series vulnerability feature data for training, learn the evolution trend of vulnerabilities, and output the future exploitation probability of vulnerabilities, the outbreak time window, and the prediction confidence; In some optional embodiments of the present invention, the hybrid machine learning model adopts a two-layer network structure for joint prediction, which is divided into four layers: an input layer, a feature extraction layer, an attention enhancement layer, and a joint output layer. The specific structure includes: The hybrid machine learning model takes temporal vulnerability feature data as input. The input layer standardizes and aligns the collected temporal features (vulnerability disclosure duration, historical exploitation frequency, threat intelligence heat changes, etc.) into temporal vectors suitable for model training. The feature extraction layer uses a Bi-LSTM network as its core, employing bidirectional parallel computation of forward and backward LSTMs to capture the temporal dependencies of vulnerability features, uncovering the temporal evolution trend of vulnerabilities from disclosure to potential outbreak, and addressing the problem that single-direction LSTMs cannot capture complete temporal correlations. The attention enhancement layer follows the Bi-LSTM layer, calculating the temporal features... The attention weights of features are adaptively enhanced for key features that have a significant impact on vulnerability exploitation probability and outbreak time window (such as POC / EXP public status and attack traffic mutation features), while weakening the interference of irrelevant features and improving the targeting of feature extraction. Finally, multi-dimensional synchronous prediction is achieved through a joint output layer, which contains two parallel branches: a probability prediction branch and an interval regression branch. The probability prediction branch adopts a binary classification structure and outputs the vulnerability exploitation probability within the future observation period. The interval regression branch outputs an outbreak time window of adaptive length [start time, end time]. At the same time, based on feature contribution and model output distribution, the prediction confidence is calculated and output synchronously. In this embodiment of the invention, a preset confidence threshold (e.g., 85%) can be set based on the historical vulnerability prediction accuracy statistics and security business early warning baseline. When the prediction confidence of the model output is lower than the threshold, a manual review mechanism is automatically triggered, and the vulnerability time series feature data and prediction results are pushed to the security expert terminal simultaneously. After expert review and confirmation, the prediction results are updated. S5. When the predicted vulnerability exploitation probability (output by the hybrid machine learning model) exceeds the preset probability threshold, or the real-time vulnerability risk value (calculated by the dynamic risk assessment model) reaches the corresponding warning level, it is determined that the warning triggering conditions are met, and a graded warning information is pushed to the corresponding operation and maintenance terminal; at the same time, according to the warning level and vulnerability type, graded vulnerability remediation suggestions and automated emergency response scripts are generated simultaneously. In this embodiment of the invention, the early warning information includes basic vulnerability information, risk level, scope of impact, real-time risk value, predicted probability of exploitation, and outbreak time window; The tiered vulnerability remediation recommendations include temporary mitigation measures, official patch update plans, system configuration hardening strategies, and business alternatives; the automated emergency response scripts include port blocking scripts, malicious traffic filtering scripts, affected asset isolation scripts, and vulnerability exploitation attack interception scripts. In this embodiment of the invention, low-risk, medium-risk, and high-risk warnings are handled manually by maintenance personnel based on repair suggestions and handling scripts. Under extremely dangerous warning conditions, no manual intervention is required. The matching emergency handling script is automatically called and executed, and the handling results and system status change data are collected in real time. The data is synchronously fed back to the dynamic risk assessment model and the hybrid machine learning model for iterative optimization, ultimately forming a complete safety closed loop of warning-analysis-handling-feedback. Corresponding to the intelligent early warning method for network security information vulnerabilities described in the above embodiments, Figure 2 This diagram illustrates the structural block diagram of an intelligent early warning system for network security information vulnerabilities provided in an embodiment of this application. For ease of explanation, only the parts relevant to the embodiment of this application are shown. The system includes:
[0027] The multi-source data acquisition module is used to collect vulnerability-related data from network security information, clean, normalize, and structure the collected data, and build a standardized vulnerability feature library; the vulnerability-related data includes basic vulnerability data, real-time network environment data, threat intelligence data, and historical exploitation data; The real-time vulnerability risk value calculation module is used to determine the weight coefficients of vulnerability type, impact scope, exploitation difficulty, exposure degree, and asset value based on the improved analytic hierarchy process. It introduces a dynamic network environment correction factor and combines the fuzzy comprehensive evaluation method to construct a dynamic vulnerability risk assessment model. The standardized vulnerability feature library data and real-time network environment data are input into the model to calculate the real-time vulnerability risk value. The warning level determination module is used to set multi-level dynamic warning thresholds based on network security level protection requirements and business scenario security baselines. It compares real-time vulnerability risk values with warning thresholds and, in conjunction with vulnerability exploitation difficulty and impact scope, classifies warning levels and corresponds to different warning methods. The hybrid machine learning model building module is used to build a hybrid machine learning model based on Bi-LSTM and attention mechanism. It takes temporal vulnerability feature data as input, trains and learns the vulnerability evolution trend, and outputs the future exploitation probability, outbreak time window, and prediction confidence of the vulnerability. The early warning and response linkage module is used to determine whether the early warning triggering conditions are met when the predicted vulnerability exploitation probability exceeds a preset probability threshold or the real-time vulnerability risk value reaches the corresponding early warning level. It then pushes graded early warning information to the corresponding operation and maintenance terminal. At the same time, it generates graded vulnerability remediation suggestions and automated emergency response scripts based on the early warning level and vulnerability type.
[0028] Those skilled in the art will understand that all or part of the steps in the methods of the above embodiments can be implemented by program instructions and related hardware. The program can be stored in a computer-readable storage medium, such as ROM, RAM, disk, optical disk, etc.
[0029] The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of the present invention should be included within the protection scope of the present invention.
Claims
1. A network security information vulnerability intelligent early warning method, characterized in that, The method includes: Collect vulnerability-related data from network security information, clean, normalize, and structure the collected data, and construct a standardized vulnerability feature library; the vulnerability-related data includes basic vulnerability data, real-time network environment data, threat intelligence data, and historical exploitation data; Based on the improved analytic hierarchy process, the weight coefficients of vulnerability type, scope of impact, exploitation difficulty, exposure degree, and asset value are determined. A dynamic network environment correction factor is introduced, and a dynamic vulnerability risk assessment model is constructed by combining the fuzzy comprehensive evaluation method. The standardized vulnerability feature library data and real-time network environment data are input into the model to calculate the real-time vulnerability risk value. Based on the network security level protection requirements and the security baseline of business scenarios, multi-level dynamic early warning thresholds are set. Real-time vulnerability risk values are compared with early warning thresholds. At the same time, based on the difficulty of vulnerability exploitation and the scope of impact, early warning levels are divided and corresponding early warning methods are used. Construct a hybrid machine learning model based on Bi-LSTM and attention mechanism, input temporal vulnerability feature data, train to learn the vulnerability evolution trend, and output the future exploitation probability, outbreak time window, and prediction confidence of the vulnerability. When the predicted probability of vulnerability exploitation exceeds the preset probability threshold, or the real-time vulnerability risk value reaches the corresponding warning level, it is determined that the warning triggering conditions are met, and a graded warning information is pushed to the corresponding operation and maintenance terminal; at the same time, according to the warning level and vulnerability type, graded vulnerability remediation suggestions and automated emergency response scripts are generated simultaneously.
2. The intelligent early warning method for network security information vulnerabilities as described in claim 1, characterized in that, The basic vulnerability data includes CVE number, vulnerability name, vulnerability type, CVSS score, affected components, and release time; The network environment data includes the online status of affected assets, asset importance level, network topology, firewall policies, and access control lists. The threat intelligence data includes information on vulnerability exploitation in the wild, information on malicious code associations, and attack trends of hacker groups. The historical exploitation data includes the vulnerability's historical exploitation time, exploitation success rate, attack traffic characteristics, and distribution of attacked assets. 3.The network security information vulnerability intelligent early warning method of claim 2, wherein, The method uses an improved analytic hierarchy process (AHP) to determine the weighting coefficients for vulnerability type, impact scope, exploitation difficulty, exposure level, and asset value. It introduces a dynamic network environment correction factor and combines it with a fuzzy comprehensive evaluation method to construct a dynamic vulnerability risk assessment model. Standardized vulnerability feature database data and real-time network environment data are input into the model to calculate real-time vulnerability risk values, including: The basic weights of vulnerability type, impact scope, exploitation difficulty, exposure level, and asset value are determined by improving the analytic hierarchy process. Calculate the dynamic correction factor αᵢ for the network environment; Calculate the basic weight vector ω′ of the five evaluation indicators after correction: vulnerability type, scope of impact, difficulty of exploitation, degree of exposure, and asset value; The fuzzy comprehensive evaluation method is used to calculate the fuzzy evaluation results of vulnerability risks; The real-time vulnerability risk value is calculated by weighting and summing the fuzzy comprehensive evaluation result vector and the evaluation level quantitative score vector.
4. The intelligent early warning method for network security information vulnerabilities as described in claim 3, characterized in that, The fuzzy evaluation results of vulnerability risk calculated using the fuzzy comprehensive evaluation algorithm include: Define a fuzzy evaluation level set V; Based on standardized vulnerability feature database data and real-time network environment data, fuzzy evaluation is performed on five evaluation indicators to determine the membership degree of each indicator corresponding to each evaluation level, and a fuzzy evaluation matrix R is constructed. The modified weight vector ω′ is combined with the fuzzy evaluation matrix R to obtain the fuzzy comprehensive evaluation result vector B.
5. The intelligent early warning method for network security information vulnerabilities as described in claim 3 or 4, characterized in that, The hierarchical model consists of a target layer for vulnerability risk assessment; a criteria layer for vulnerability type, impact scope, exploitation difficulty, exposure level, and asset value; and a solution layer for specific vulnerability scenarios. A judgment matrix is constructed by pairwise comparing and scoring the relative importance of the five criteria layer indicators. After consistency verification, the basic weight coefficients of the five indicators are calculated and denoted as the basic weight vector ω=[ , , , , ];in: This represents the weighting coefficient for vulnerability types. As the influence range weighting coefficient, In order to utilize the difficulty weighting coefficient, For the exposure degree weighting coefficient, It is the asset value weighting coefficient, and satisfies... + + + + =1.
6. The intelligent early warning method for network security information vulnerabilities as described in claim 5, characterized in that, The formula for calculating the dynamic correction factor of the network environment is: αᵢ=(λ1ᵢ·X1^γ1+λ2ᵢ·X2^γ2+λ3ᵢ·X3^γ3)×βᵢ, Where i = 1, 2, 3, 4, 5 correspond to the five indicators: vulnerability type, scope of impact, exploitation difficulty, exposure level, and asset value, respectively; λ1ᵢ, λ2ᵢ, and λ3ᵢ are fixed allocation coefficients for the environmental parameters corresponding to the i-th indicator, satisfying λ1ᵢ + λ2ᵢ + λ3ᵢ = 1; γ1, γ2, and γ3 are adjustment coefficients for the independent influence of environmental parameters; and βᵢ is the real-time situation adjustment coefficient corresponding to the i-th indicator. The calculated base weight vector for vulnerability type, impact scope, exploitation difficulty, exposure level, and asset value after correction is obtained by fusing the base weight vector ω with the dynamic correction factor αᵢ, where ω′ = =[ω1·α1,ω2·α2,ω3·α3,ω4·α4,ω5·α5]; This represents the basic weight coefficient corresponding to the i-th evaluation indicator; The fuzzy evaluation results for vulnerability risk calculated using the fuzzy comprehensive evaluation algorithm include... Define a fuzzy evaluation level set V; The evaluation levels are selected as "low risk, medium risk, high risk, and extremely high risk", and denoted as the evaluation level set V=[v1,v2,v3,v4]. Based on standardized vulnerability feature database data and real-time network environment data, fuzzy evaluation is performed on five evaluation indicators to determine the membership degree of each indicator corresponding to each evaluation level, and a 5×4 order fuzzy evaluation matrix R is constructed. ; in, This indicates the membership degree of the i-th evaluation indicator to the j-th evaluation level, satisfying... Membership degree is determined by the trapezoidal membership function. The modified weight vector ω′ is combined with the fuzzy evaluation matrix R to obtain the fuzzy comprehensive evaluation result vector B. ; Where ∘ represents fuzzy composition operation, The comprehensive membership degree of a vulnerability belonging to the j-th evaluation level is expressed as follows: ; j=1,2,3,4; The formula for calculating the real-time vulnerability risk value F is: ; Where F is the real-time vulnerability risk value, with a value range of [0, 1.0]; S is the evaluation level quantitative scoring vector, which is set in combination with the vulnerability risk assessment requirements; Let S be the transpose of S.
7. The intelligent early warning method for network security information vulnerabilities as described in claim 6, characterized in that, The formula for calculating the single-index membership degree μ of the trapezoidal membership function is as follows: ; Where x is the real-time monitoring value of a certain assessment indicator, a is the lower limit threshold of the risk level corresponding to the indicator, b is the upper limit threshold of the risk level corresponding to the indicator, and c is the middle threshold of the risk level corresponding to the indicator.
8. The intelligent early warning method for network security information vulnerabilities as described in claim 1, characterized in that, The hybrid machine learning model adopts a two-layer network structure for joint prediction, which consists of four layers: an input layer, a feature extraction layer, an attention enhancement layer, and a joint output layer. The specific structure includes: The hybrid machine learning model takes temporal vulnerability feature data as input. The input layer standardizes and aligns the collected temporal features, transforming them into temporal vectors suitable for model training. The feature extraction layer uses a Bi-LSTM network as its core, employing bidirectional parallel computation of forward and backward LSTMs to fully capture the temporal dependencies of vulnerability features and uncover the temporal evolution trend of vulnerabilities from public disclosure to potential outbreak. The attention enhancement layer follows the Bi-LSTM layer, calculating the attention weights of each temporal feature to adaptively enhance key features that significantly influence vulnerability exploitation probability and outbreak time window. Finally, a joint output layer achieves multi-dimensional synchronous prediction. This layer contains two parallel branches: a probability prediction branch and an interval regression branch. The probability prediction branch uses a binary classification structure to output the vulnerability exploitation probability within the future observation period, while the interval regression branch outputs an adaptive-length outbreak time window [start time, end time]. Simultaneously, based on feature contribution and model output distribution, the prediction confidence is calculated and output.
9. The intelligent early warning method for network security information vulnerabilities as described in claim 1, characterized in that, The warning levels are divided into four levels: low risk, medium risk, high risk, and extremely high risk. Warning methods include terminal pop-ups, SMS, email, WeChat for Business, audible and visual alarms, and automatic blocking by linked security devices; Low-risk warnings use terminal pop-ups and emails, medium-risk warnings add SMS, high-risk warnings add WeChat and audio-visual alarms, and extremely high-risk warnings trigger all alarm methods and link security devices to execute preset blocking strategies.
10. A network security information vulnerability intelligent early warning system, characterized in that, include: The multi-source data acquisition module is used to collect vulnerability-related data from network security information, clean, normalize, and structure the collected data, and build a standardized vulnerability feature library; the vulnerability-related data includes basic vulnerability data, real-time network environment data, threat intelligence data, and historical exploitation data; The real-time vulnerability risk value calculation module is used to determine the weight coefficients of vulnerability type, impact scope, exploitation difficulty, exposure degree, and asset value based on the improved analytic hierarchy process. It introduces a dynamic network environment correction factor and combines the fuzzy comprehensive evaluation method to construct a dynamic vulnerability risk assessment model. The standardized vulnerability feature library data and real-time network environment data are input into the model to calculate the real-time vulnerability risk value. The warning level determination module is used to set multi-level dynamic warning thresholds based on network security level protection requirements and business scenario security baselines. It compares real-time vulnerability risk values with warning thresholds and, in conjunction with vulnerability exploitation difficulty and impact scope, classifies warning levels and corresponds to different warning methods. The hybrid machine learning model building module is used to build a hybrid machine learning model based on Bi-LSTM and attention mechanism. It takes temporal vulnerability feature data as input, trains and learns the vulnerability evolution trend, and outputs the future exploitation probability, outbreak time window, and prediction confidence of the vulnerability. The early warning and response linkage module is used to determine that the early warning triggering conditions are met when the predicted probability of vulnerability exploitation exceeds the preset probability threshold or the real-time vulnerability risk value reaches the corresponding early warning level, and to push graded early warning information to the corresponding operation and maintenance terminal. Simultaneously, based on the warning level and vulnerability type, graded vulnerability remediation suggestions and automated emergency response scripts are generated.