Artificial intelligence based cyber security situation awareness method and system

By acquiring and processing network security awareness stream data, identifying and analyzing intrusion migration and persistent nodes, the shortcomings of traditional network security situation awareness methods are addressed, achieving highly accurate and real-time network security situation awareness.

CN122348853APending Publication Date: 2026-07-07WUHAN ZHONGYUN INTERNET TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
WUHAN ZHONGYUN INTERNET TECH CO LTD
Filing Date
2026-04-15
Publication Date
2026-07-07

AI Technical Summary

Technical Problem

Traditional methods of cybersecurity situational awareness rely on manual analysis and rule matching, which are insufficient to address increasingly complex and ever-changing cybersecurity threats.

Method used

By acquiring network security awareness stream data sequences, using artificial intelligence technology to identify threat pattern events, determine intrusion migration nodes and intrusion persistence nodes, conduct in-depth feature analysis, and generate accurate intrusion activity information.

Benefits of technology

It enables comprehensive and real-time perception of the network security situation, improves the accuracy and real-time nature of security situation perception, and provides a scientific basis for network security protection strategies.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122348853A_ABST
    Figure CN122348853A_ABST
Patent Text Reader

Abstract

The application provides an artificial intelligence-based network security situation awareness method and system. By acquiring and processing network security awareness flow data sequences, the starting and ending of threat mode events are located, the target events of intrusion activities in each network security awareness flow data are located, the boundary nodes of threat mode events are determined by calculating the connection degree between the network security situation vector sets corresponding to these target events, and the events where the intrusion migration nodes and intrusion persistence nodes are located are accurately identified according to the boundary nodes for each network security awareness flow data. Through in-depth analysis of the intrusion migration characteristics and the intrusion persistence characteristics of these events, accurate intrusion migration nodes and intrusion persistence nodes are generated. Finally, based on the comprehensive information of the intrusion migration nodes and the intrusion persistence nodes, the intrusion activities in each network security awareness flow data are determined, and the comprehensive and real-time awareness of the network security situation is realized.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of artificial intelligence technology, and more specifically, to a network security situation awareness method and system based on artificial intelligence. Background Technology

[0002] With the rapid development of information technology, cyberspace has become a key area for national security, social stability, and economic development. However, the openness and anonymity of cyberspace also provide opportunities for cybersecurity threats such as hacking, malware propagation, and online fraud. These threats may not only lead to serious consequences such as data breaches and system crashes, but also have a significant impact on national security and social order.

[0003] To effectively address these cybersecurity threats, cybersecurity situational awareness technology has emerged. This technology collects and analyzes security data within the network to achieve comprehensive, real-time awareness of the cybersecurity situation, providing decision support for cybersecurity protection. However, traditional cybersecurity situational awareness methods often rely on manual analysis and rule matching, making it difficult to cope with increasingly complex and ever-changing cybersecurity threats. Summary of the Invention

[0004] In view of this, the purpose of this application is to provide a network security situation awareness method and system based on artificial intelligence.

[0005] According to a first aspect of this application, an artificial intelligence-based network security situation awareness method is provided, the method comprising: Obtain a network security awareness stream data sequence, wherein each network security awareness stream data in the network security awareness stream data sequence has the same threat pattern event; Based on the start and end identifiers of threat pattern events in network security awareness stream data, the target events where intrusion activities are located in each network security awareness stream data are obtained. Based on the degree of connection between the network security situation vector sets corresponding to each target event, the boundary nodes of the threat pattern events are determined from the target events. For each of the network security awareness stream data, the corresponding intrusion migration node event is determined from the network security awareness stream data based on the boundary node, and intrusion migration feature analysis is performed on the intrusion migration node event to generate intrusion migration nodes in each of the network security awareness stream data. For each of the network security awareness stream data, the corresponding intrusion persistence node event is determined from the network security awareness stream data based on the boundary node, and intrusion persistence feature analysis is performed on the intrusion persistence node event to generate the intrusion persistence node in each of the target events. The intrusion activities in each of the network security awareness stream data are determined based on the intrusion migration node and the intrusion persistence node.

[0006] According to a second aspect of this application, an artificial intelligence-based network security situation awareness system is provided. The artificial intelligence-based network security situation awareness system includes a machine-readable storage medium and a processor. The machine-readable storage medium stores machine-executable instructions. When the processor executes the machine-executable instructions, the artificial intelligence-based network security situation awareness system implements the aforementioned artificial intelligence-based network security situation awareness method.

[0007] According to a third aspect of this application, a computer-readable storage medium is provided, wherein computer-executable instructions are stored therein, and when the computer-executable instructions are executed, the aforementioned artificial intelligence-based network security situation awareness method is implemented.

[0008] Based on any of the above aspects, the technical effect of this application is as follows: This application embodiment acquires and processes network security awareness stream data sequences, enabling accurate identification and extraction of network security awareness stream data with events exhibiting the same threat pattern. Based on this, and according to the start and end markers of the threat pattern events, the target events of intrusion activities within each network security awareness stream data are located. By calculating the connectivity between the network security situation vector sets corresponding to these target events, the boundary nodes of the threat pattern events are determined. For each network security awareness stream data, the events containing intrusion migration nodes and intrusion persistence nodes are accurately identified based on the boundary nodes. Through in-depth intrusion migration feature analysis and intrusion persistence feature analysis of these events, precise intrusion migration nodes and intrusion persistence nodes are generated. Finally, based on the comprehensive information of intrusion migration nodes and intrusion persistence nodes, the intrusion activities within each network security awareness stream data are determined, achieving comprehensive and real-time awareness of the network security situation. This not only improves the accuracy and real-time performance of network security situation awareness but also provides a scientific basis for the formulation and implementation of network security protection strategies. Attached Figure Description

[0009] To more clearly illustrate the technical solutions of the embodiments of this application, the accompanying drawings used in the embodiments will be briefly introduced below. It should be understood that the following drawings only show some embodiments of this application and should not be regarded as a limitation of the scope. For those skilled in the art, other corresponding drawings can be obtained based on these drawings without creative effort.

[0010] Figure 1 A flowchart illustrating the AI-based network security situation awareness method provided in this application embodiment; Figure 2 This paper illustrates a schematic diagram of the component structure of an AI-based network security situation awareness system for implementing the above-described AI-based network security situation awareness method, provided in an embodiment of this application. Detailed Implementation

[0011] The embodiments of this application are described below with reference to the accompanying drawings. It should be understood that the embodiments described below with reference to the accompanying drawings are exemplary descriptions for explaining the technical solutions of the embodiments of this application, and do not constitute a limitation on the technical solutions of the embodiments of this application.

[0012] Those skilled in the art will understand that, unless otherwise stated, the singular forms “a,” “an,” “the,” and “the” used herein may also include the plural forms. It should be further understood that the terms “comprising” and “including” as used in embodiments of this application mean that the corresponding feature can be implemented as the presented feature, information, data, step, operation, element, and / or component, but do not exclude implementation as other features, information, data, step, operation, element, component, and / or combinations thereof supported by the art. It should be understood that when an element is said to be “connected” or “coupled” to another element, the element may be directly connected or coupled to the other element, or it may mean that the element and the other element are connected through an intermediate element. Furthermore, “connected” or “coupled” as used herein may include wireless connection or wireless coupling, and the term “and / or” as used herein indicates at least one of the items defined by the term; for example, “A and / or B” may be implemented as “A,” or as “B,” or as “A and B.”

[0013] To make the objectives, technical solutions, and advantages of this application clearer, the embodiments of this application will be described in further detail below with reference to the accompanying drawings. The technical solutions of the embodiments of this application and the technical effects produced by the technical solutions of this application will be explained below through the description of several exemplary embodiments. It should be noted that the following embodiments can be referenced, borrowed from, or combined with each other, and the same terms, similar features, and similar implementation steps in different embodiments will not be described again.

[0014] Figure 1 This document illustrates a flowchart of an AI-based network security situation awareness method and system provided in an embodiment of this application. It should be understood that in other embodiments, the order of some steps in the AI-based network security situation awareness method of this embodiment can be shared according to actual needs, or some steps can be omitted or maintained. The detailed steps of this AI-based network security situation awareness method include: Step S110: Obtain a network security awareness stream data sequence, wherein each network security awareness stream data in the network security awareness stream data sequence has the same threat pattern event.

[0015] In this embodiment, within an enterprise network environment, the enterprise network includes office computers from multiple departments, server clusters (such as mail servers, file servers, etc.), and various network devices (such as routers, switches, etc.). Servers collect data by deploying network security monitoring tools at key locations within the network; these tools include network traffic monitoring software, intrusion detection systems, etc.

[0016] For example, a corporate network is suffering a Distributed Denial-of-Service (DDoS) attack, which is the current threat pattern event. Network security monitoring tools will capture various network activity information related to this DDoS attack, such as a large amount of abnormal traffic from multiple source IP addresses directed to the company's web server. This information is sent to the server in the form of network security awareness stream data. Network security awareness stream data from different monitoring points or different time segments are all related to this DDoS attack; for example, some data are about the initial traffic growth trend, while others are about the source distribution of traffic during the attack, but they all contain the same threat pattern event: the DDoS attack. The server integrates this data to form a network security awareness stream data sequence.

[0017] Step S120: Based on the start and end identifiers of threat pattern events in the network security awareness stream data, obtain the target events where intrusion activities are located in each of the network security awareness stream data. Based on the degree of connection between the network security situation vector sets corresponding to each target event, determine the boundary nodes of the threat pattern events from the target events.

[0018] In this embodiment, for the initial attack scenario, it is assumed that the DDoS attack, as a threat pattern event, is the initial attack located at the beginning of the network security awareness stream data. For network security awareness stream data from network traffic monitoring tools, the server extracts the initiation event of the initial attack from the beginning of the data according to a set time range (e.g., within 5 minutes from the first detection of abnormal traffic growth). Within these 5 minutes, a large amount of traffic from different source IP addresses is detected flowing to the enterprise web server. The packet size, sending frequency, and other characteristics of this traffic are obviously abnormal. Normally, the traffic sources of the web server are dispersed, and the traffic size fluctuates within a certain range. However, at this time, the traffic is rapidly increasing, and the source IPs show some specific distribution patterns (e.g., a large number of IPs from certain specific network segments). These are all regarded as the initiation event of the initial attack.

[0019] In the case of a finishing attack, if the DDoS attack occurs at the end of the network security awareness stream, and while the traffic to the enterprise web server remains high but begins to decline, with new network connections being established, this could indicate that the attacker is attempting to gain further control of the compromised server or erase attack traces. In this situation, the server extracts the termination event of the finishing attack from the end of the data within a defined time frame (e.g., the last 3 minutes). Within these 3 minutes, in addition to traffic changes, it may also detect the startup of some unusual processes on the server, which could be related to the attacker's actions during the finishing phase of the attack.

[0020] The server decomposes the network security awareness stream data obtained from the intrusion detection system, generating corresponding network security awareness segment sequences at fixed time intervals (e.g., every 30 seconds). Based on the start and end markers of the DDoS attack in the network security awareness stream data, the target events of the intrusion activity are extracted from each network security awareness segment sequence. In segments near the start marker, characteristics of rapidly accumulating traffic are detected, such as a sharp increase in the number of connections on a specific port within a short period of time, which are identified as the target events indicating the start of the intrusion activity. In segments near the end marker, the traffic is observed to decline from its peak, accompanied by some abnormal system log records (e.g., a sudden drop in server resource utilization below normal levels, possibly indicating that the attacker has released some control resources), which are identified as the target events indicating the end of the intrusion activity.

[0021] For each target event, the server encodes and represents each network security awareness segment included in the event. For example, for a target event containing a 30-second segment of network traffic monitoring data, the server extracts information such as the number of source IPs, destination IPs (the enterprise web server's IP), average packet size, and traffic rate, and quantizes and encodes this information. Assuming there are 1000 source IPs, they are converted into a specific numerical code (e.g., encoded as 1000 according to a certain mapping rule); the average packet size is 512 bytes, converted into a corresponding code; and the traffic rate is 10 Mbps, also converted into a specific code. Combining these codes, along with other relevant information (such as quantified values ​​like the connection failure rate within the segment), generates the encoded representation of this network security awareness segment. After performing this encoding operation on each network security awareness segment in the target event, a set of network security situation vectors corresponding to that target event is generated. For example, if a target event contains four network security awareness segments, a set of network security situation vectors containing four vectors will be generated.

[0022] Based on the network security posture vector sets corresponding to each target event, the server calculates the vector coherence degree between each pair of network security posture vectors. Assume the network security posture vector set for target event A is {V1, V2, V3}, and the network security posture vector set for target event B is {V4, V5, V6}. The server determines the vector coherence degree by calculating the cosine similarity between the vectors. If V1 = (1, 2, 3) and V4 = (2, 4, 6), the similarity value (i.e., the vector coherence degree) is calculated using the cosine similarity formula. This calculation is performed on each pair of vectors in target events A and B. Then, by combining these calculation results and based on the vector coherence degree between the network security posture vector sets, a coherence degree array is determined. This coherence degree array is a matrix, where rows and columns correspond to different target events, and the elements in the matrix represent the coherence degree between the network security posture vector sets of two target events.

[0023] The server defines vector connectivity in the connectivity array between network security posture vector sets as having a first identifier (e.g., represented by 0) where the vector connectivity is less than a first set connectivity (assuming the first set connectivity is 0.4), and defines vector connectivity in the connectivity array where the vector connectivity is not less than the first set connectivity (0.4) as a second identifier (e.g., represented by 1). For example, in a 3x3 connectivity array, if the vector connectivity at position (1, 2) is 0.3, it is marked as 0; if the vector connectivity at position (2, 3) is 0.5, it is marked as 1.

[0024] The tracing strategy is used to walk the trajectory of the members whose vector connectivity is the second identifier (1) in the connectivity array. Starting from the top left corner of the connectivity array, the tracing proceeds along the elements marked as 1. If an element marked as 0 is encountered, the tracing stops or the direction is changed. During the tracing, the change vector value of the trajectory is calculated. Assuming that the coordinates of the elements traversed by the tracing trajectory are {(1, 1), (1, 2), (2, 2)}, for the vector connectivity of each coordinate position, the difference between its vector connectivity and that of the adjacent position is calculated, and then these differences are combined into a vector, which is the change vector value. For example, the vector connectivity of position (1, 1) is 0.5, the vector connectivity of position (1, 2) is 0.6, and the difference is 0.1; the vector connectivity of position (1, 2) is 0.6, the vector connectivity of position (2, 2) is 0.5, and the difference is -0.1, so the change vector value is (0.1, -0.1).

[0025] Based on this, trajectories whose change vector values ​​fall within a preset range (assuming the preset range is [-0.2, 0.2]) are marked. For example, if the change vector value of a certain trajectory is (0.1, -0.1), then this trajectory is marked in the continuity array.

[0026] Based on the marked trajectories, identify associated threat pattern segments within each target event. For example, if the marked trajectories involve target events A, B, and C, then extract network security awareness segments related to the trajectories from these three target events. In target event A, these might be segments related to the initial attack, such as the initial segment where traffic begins to accumulate; in target event B, these might be segments of intermediate operations during the attack process, such as segments where traffic remains consistently high; and in target event C, these might be segments near the end of the attack, such as the early segment where traffic begins to decline.

[0027] Based on associated threat pattern fragments, boundary nodes of threat pattern events can be identified from target events. For example, in associated threat pattern fragments, the starting position of the network security awareness fragment that transitions from the initial attack to the intermediate operation can be used as a boundary node of the threat pattern event, indicating the end of the initial attack phase; similarly, the starting position of the network security awareness fragment that transitions from the intermediate operation to the final attack can be used as another boundary node, indicating the end of the intermediate attack phase.

[0028] Step S130: For each of the network security awareness stream data, determine the corresponding intrusion migration node event from the network security awareness stream data based on the boundary node, perform intrusion migration feature analysis on the intrusion migration node event, and generate the intrusion migration node in each of the network security awareness stream data.

[0029] For network security awareness stream data obtained from network traffic monitoring tools, the server uses a defined boundary node as the initial traversal node. Based on preset traversal parameters (assuming a 2-minute range before and after the boundary node), it extracts network security awareness segments within a first predetermined time range (2 minutes) before and after the boundary node. For example, if the boundary node corresponds to 10:00, then the network security awareness segment between 9:58 and 10:02 is extracted. The network security awareness event composed of the extracted network security awareness segments is used as the event where the intrusion migration node is located in the network security awareness stream data. This event may contain transitional information from the initial attack attempt to a more in-depth attack stage, such as the operation record from simple traffic aggregation to the start of attempts to breach server security protection.

[0030] Then, for each network security awareness segment in the event where the intrusion migration node is located, the server performs feature extraction. Taking one network security awareness segment as an example, this segment contains information related to a network connection attempt. The server extracts the source IP address (192.168.1.100), destination IP address (the IP of the enterprise web server), source port (random port such as 3306), destination port (80), protocol type (TCP), packet size (1024 bytes), transmission timestamp (2023-01-01 10:01:00), and application layer information related to network behavior (such as specific malicious request header content in HTTP requests). Based on a predefined network behavior pattern library (which includes candidate network attack behavior patterns and normal network service access patterns), pattern recognition is performed on the network behavior in each network security awareness segment according to the feature extraction results of each network security awareness segment. For example, for the malicious request header content in the HTTP request, pattern recognition finds that it matches the Web attack pattern in the candidate network attack behavior patterns. Based on the pattern recognition results, the network behavior in the network security awareness segment is classified, and a classification result for each network security awareness segment is generated. In this example, the network security awareness segment is classified as an attack behavior. For each network security awareness segment, a network behavior association matrix is ​​constructed based on the classification results. For example, for this network security awareness segment containing web attack behavior, the rows and columns of the network behavior association matrix represent different network behaviors (such as malicious request sending, server vulnerability detection, and privilege escalation attempts). Each element in the network behavior association matrix is ​​assigned a value based on the association between network behaviors. If malicious request sending and server vulnerability detection are related (because a malicious request might be for detecting server vulnerabilities), the corresponding element is assigned a value of 0.5; if malicious request sending and privilege escalation attempts are not currently directly related, the corresponding element is assigned a value of 0. Candidate paths are explored from the constructed network behavior association matrix, starting with elements greater than a set association value (assuming a set association value of 0.3), and the next network behavior is explored sequentially according to the order of the association values. For example, starting with malicious request sending (association value 0.5), the network behavior of server vulnerability detection is explored, generating multiple network behavior knowledge paths corresponding to each network security awareness segment, as well as the order of network behaviors on each knowledge path and the association values ​​between network behaviors. Based on the order of network behaviors and the correlation values ​​between network behaviors in each network behavior knowledge path, multiple network behavior knowledge paths in each network security perception segment are evaluated, and the multiple network behavior knowledge paths are optimized according to the evaluation results.For example, if a network behavior knowledge path contains network behaviors with low relevance values, and these behaviors do not conform to the common behavioral logic of web attacks, then this network behavior knowledge path will be adjusted or deleted. After evaluation and optimization, a network behavior knowledge path diagram corresponding to each network security awareness segment is generated. The network behavior knowledge path diagrams in each network security awareness segment are then integrated to generate an integrated network behavior knowledge path diagram.

[0031] Furthermore, for every two related network security awareness segments in the event where the intrusion migration node is located, the connectivity of the corresponding network behavior knowledge path graph is calculated. For example, network security awareness segments A and B are related, and their respective network behavior knowledge path graphs are GA and GB. The connectivity is determined by calculating the structural similarity between GA and GB. Assume the calculated connectivity is 0.2. Network security awareness segments in the event where the intrusion migration node is located are marked if the connectivity of the network behavior knowledge path graph is less than a second set connectivity (assuming the second set connectivity is 0.3). In this example, the connectivity of network security awareness segments A and B is 0.2, which is less than 0.3, so these two network security awareness segments are marked. A predetermined number (assuming 1) of network security awareness segments in the network security awareness stream data before and after the marked network security awareness segments are determined, and an adjusted event where the intrusion migration node is located is generated based on the determined network security awareness segments. For example, one network security awareness segment before and one network security awareness segment after the marked network security awareness segment A are extracted and reconstructed into a new network security awareness event. For every two related network security awareness segments in the event where the adjusted intrusion migration node is located, the connectivity of the corresponding network behavior knowledge path graph is recalculated. Network security awareness segments in the event where the network behavior knowledge path graph of the adjusted intrusion migration node is located have a connectivity of less than a second set connectivity (0.3), and these are marked as intrusion migration nodes in the event where the intrusion migration node is located. In this new event, network security awareness segments with low connectivity are identified. These segments may represent key nodes in the migration of intrusion behavior from one stage to another, such as the transition node from the initial malicious request to the start of server vulnerability detection.

[0032] Step S140: For each of the network security awareness stream data, determine the corresponding intrusion persistence node event from the network security awareness stream data based on the boundary node, perform intrusion persistence feature analysis on the intrusion persistence node event, and generate the intrusion persistence node in each of the target events.

[0033] For network security awareness stream data obtained from the intrusion detection system, the server uses the boundary node as the initial traversal node and extracts network security awareness segments within a second predetermined time range (3 minutes) before and after the boundary node based on preset traversal parameters (assuming a range of 3 minutes before and after the boundary node). For example, if the boundary node corresponds to 10:10, then the network security awareness segment between 10:07 and 10:13 is extracted. The network security awareness event composed of the extracted network security awareness segments is taken as the event where the intrusion continues in the network security awareness stream data. This event may contain relevant information about the attack's duration, such as continuous connection requests from suspicious IP addresses during this time period, or the continuous occupation of enterprise web server resources.

[0034] For each network security awareness segment within the event involving the persistent intrusion node, the server performs feature extraction. For example, for a network security awareness segment, the following are extracted: source IP address (192.168.1.200), destination IP address (the enterprise web server's IP), source port (5000), destination port (80), protocol type (TCP), packet size (512 bytes), transmission timestamp (2023-01-01 10:11:00), and application layer information (such as the content of continuously sent malicious packets). Pattern recognition is performed based on a predefined network behavior pattern library, and network behaviors are classified according to the recognition results. A network behavior association matrix is ​​constructed, candidate paths are explored, and a network behavior knowledge path graph is generated. Finally, the integrated network behavior knowledge path graph is obtained, and the process is similar to the previous steps.

[0035] Based on network behavior knowledge path graphs, the persistence threat level corresponding to persistent attacks is determined. Persistent attacks here include persistent DDoS attacks (such as continuously sending large amounts of traffic to consume server resources) and persistent malicious requests (such as continuously sending malicious HTTP requests to attempt to bypass server security protections). The persistence threat level is determined by analyzing factors such as path depth, types of malicious behaviors involved, and frequency within the network behavior knowledge path graph. For example, if a network behavior knowledge path graph shows persistent, high-frequency malicious requests involving multiple dangerous attack types (such as SQL injection and cross-site scripting attempts), its persistence threat level is high; if there are only occasional low-risk malicious requests, the persistence threat level is low.

[0036] Network security awareness segments with a persistent threat level greater than a set threat level (assuming the set threat level is 0.6) are designated as persistent intrusion nodes in the target event. For example, if certain network security awareness segments in an event containing persistent intrusion nodes have a persistent threat level of 0.8, these segments are marked as persistent intrusion nodes. These nodes may represent critical operations that continuously pose a serious threat to the enterprise's web servers during the attack.

[0037] Step S150: Determine the intrusion activities in each of the network security awareness stream data based on the intrusion migration node and the intrusion persistence node.

[0038] In this embodiment, the server will comprehensively consider the intrusion migration nodes and intrusion persistence nodes determined in the previous steps to fully determine the intrusion activity.

[0039] Taking the network security awareness stream data in the previously mentioned DDoS attack scenario as an example, intrusion migration nodes identify key locations where an attack migrates from one stage to another, such as the transition from traffic aggregation to the start of targeted attack attempts (e.g., attempting to exploit a specific vulnerability in the server). Intrusion persistence nodes reflect the parts that continuously pose a threat to the target throughout the attack process, such as the continuous high-traffic surges or the continuous malicious request sending phase.

[0040] By analyzing changes in network behavior before and after the intrusion migration node—for example, if there was simply a traffic surge before the migration node, followed by abnormal access attempts targeting specific server ports or services—and combining this with the persistent threat phase represented by the persistent intrusion node, such as continuous high traffic overwhelming the server and causing service unavailability, the entire intrusion activity can be accurately depicted, including how the attack was initiated, developed, and continued to affect the target system.

[0041] Network security awareness data from different monitoring sources (such as network traffic monitoring tools and intrusion detection systems) can be used to identify intrusion activities based on their respective determined intrusion migration nodes and intrusion persistence nodes. This allows for a comprehensive understanding of the intrusion situation in the network, providing accurate data for developing appropriate defense strategies and taking countermeasures.

[0042] Based on the above steps, this embodiment of the application, by acquiring and processing network security awareness stream data sequences, can accurately identify and extract network security awareness stream data with the same threat pattern events. Based on this, according to the start and end markers of the threat pattern events, the target events of intrusion activities in each network security awareness stream data are located. By calculating the connectivity between the network security situation vector sets corresponding to these target events, the boundary nodes of the threat pattern events are determined. For each network security awareness stream data, the events containing intrusion migration nodes and intrusion persistence nodes are accurately identified based on the boundary nodes. Through in-depth intrusion migration feature analysis and intrusion persistence feature analysis of these events, accurate intrusion migration nodes and intrusion persistence nodes are generated. Finally, based on the comprehensive information of intrusion migration nodes and intrusion persistence nodes, the intrusion activities in each network security awareness stream data are determined, achieving comprehensive and real-time awareness of the network security situation. This not only improves the accuracy and real-time performance of network security situation awareness but also provides a scientific basis for the formulation and implementation of network security protection strategies.

[0043] In one possible implementation, step S120 includes: When it is determined that the threat pattern event is an initial attack located at the beginning of the network security awareness stream data, the initiation event of the initial attack is extracted from the beginning of each network security awareness stream data according to a set time range.

[0044] When it is determined that the threat pattern event is a tailing attack located at the end of the network security awareness stream data, the termination event where the tailing attack is located is extracted from the end of each network security awareness stream data according to a set time range.

[0045] In this embodiment, the server acquires network security awareness flow data through network security monitoring tools (such as intrusion detection systems and network traffic analyzers). This data includes interaction information between various devices in the network, such as source IP address, destination IP address, port number, protocol type, and data traffic size.

[0046] When it is determined that the malware propagation attack is the initial attack located at the beginning of the network security awareness stream data, the server begins to extract the initiation event of the initial attack from the beginning of each network security awareness stream data according to a set time range.

[0047] For example, the time frame was set to within 10 minutes of detecting abnormal behavior. Network traffic analysis data revealed that the server detected a large number of specific data packets being sent from an external IP address to multiple office computer IP addresses across different departments within the enterprise. These packets were destined for ports used by common office software (such as email clients and document processing software). Such large-scale and targeted packet transmission is extremely rare in normal business traffic, and could be a sign that malware has begun to spread. Within these 10 minutes, suspicious code snippets were also found in the data portions of these packets, suspected to be the initial propagation code for malware. This traffic-related information was extracted as the initiation event for the initial attack.

[0048] Meanwhile, data from the intrusion detection system showed that within those 10 minutes, some office computers began displaying abnormal process startup records. These process names were similar to those of known malware, and these processes attempted to access protected resources on the corporate network, such as sensitive folders on file servers. These process startup and abnormal resource access records were also considered the initiation events of the initial attack.

[0049] As malware spreads within a corporate network, it may perform cleanup actions, such as stealing critical data and attempting to send it to an external control server.

[0050] When it is determined that this malware propagation attack is a tailing attack located at the end of the network security awareness stream data, the server extracts the termination event where the tailing attack is located from the end of each network security awareness stream data according to the set time range.

[0051] The timeframe was set to the last 5 minutes. Network traffic analysis data revealed that some infected office computers were sending large amounts of data traffic to a specific suspicious external IP address. The size and frequency of this traffic indicated a potentially large-scale data transfer, possibly involving the leakage of stolen critical corporate data (such as financial statements and confidential business documents). Furthermore, these data packet transmissions occurred when normal business operations did not require data transfer to this external IP address. This traffic-related information was extracted as the termination event for the final attack.

[0052] Data from the intrusion detection system shows that in the last five minutes, malware-related processes on the infected office computer began performing cleanup operations, such as deleting parts of their own log files, in an attempt to conceal their activity. Simultaneously, these processes also attempted to shut down some security monitoring-related system services to prevent further detection. These cleanup and security service shutdown records were also identified as termination events during the final stage of the attack.

[0053] In one possible implementation, step S120 includes: The network security awareness stream data is decomposed to generate corresponding network security awareness segment sequences.

[0054] Based on the start and end identifiers of threat pattern events in the network security awareness stream data, the target events where intrusion activities occur are extracted from each of the network security awareness segment sequences.

[0055] First, the server decomposes the network security awareness stream data into a corresponding sequence of network security awareness segments. For example, network security awareness stream data from a network traffic analyzer is decomposed into segments of one minute each. In this way, the originally continuous network traffic data is divided into a series of small segments, each containing detailed information about the network traffic within that minute, such as source IP address, destination IP address, port number, protocol type, traffic size, and number of data packets.

[0056] Then, based on the start and end identifiers of the malware propagation attack in the network security awareness stream data, the target events where the intrusion activities are located are extracted from each network security awareness segment sequence.

[0057] In the network security awareness segment near the starting marker, such as in the first 2-3 minutes, a large number of data packets from the same external IP address range were found to be flooding into the corporate network. The destination ports of these data packets began to focus on some commonly used ports of office software. At the same time, abnormal network connection attempts began to appear on some office computers. This information indicated that the malware had begun to spread initially, so this segment was identified as the target event initiating the intrusion activity.

[0058] In network security awareness segments near the end marker, such as the last 1-2 minutes, a sharp increase in data traffic sent by infected office computers to suspicious external IP addresses is observed. At the same time, malware-related processes on these computers begin performing cleanup and security service shutdown operations. This information indicates that the malware propagation attack is nearing its end and is undergoing cleanup work. Therefore, this segment is identified as a target event for the cleanup of the intrusion campaign.

[0059] In one possible implementation, the method further includes: For each target event, each network security awareness segment included in the target event is encoded and represented to generate a network security situation vector set corresponding to the target event.

[0060] Based on the network security situation vector set corresponding to each target event, the vector connectivity degree between network security situation vectors is calculated for each pair of target events. Based on the vector connectivity degree between network security situation vectors, the connectivity degree array between network security situation vector sets is determined.

[0061] In one possible implementation, step S120 further includes: The vector connectivity in the connectivity array between the network security situation vector sets that is less than a first set connectivity is defined as a first identifier, and the vector connectivity in the connectivity array that is not less than the first set connectivity is defined as a second identifier.

[0062] Based on the tracing strategy, the trajectory of the member with the second identifier in the connectivity array is walked, the change vector value of the trajectory is calculated, and the trajectory with the change vector value is marked within a preset range.

[0063] Based on the marked trajectories, identify the associated threat pattern fragments in each of the target events.

[0064] Based on the associated threat pattern fragments, the boundary nodes of the threat pattern events are determined from the target events.

[0065] In this embodiment, taking the previously identified target events related to malware propagation attacks as an example, one of the target events contains three network security awareness fragments from the network traffic analyzer.

[0066] For the first network security awareness segment, the server extracts and encodes the following key information: the source IP address (assumed to be 192.168.1.10), which is converted into a numeric code, such as 10, according to the enterprise's internal IP address encoding rules; the destination IP address (e.g., 10.10.10.5, corresponding to encoding 5); the port number (80, encoded as 80); the protocol type (TCP, encoded as 1); the traffic size (10Mbps, quantized as 10); the number of packets (500, encoded as 500); and whether there is any suspicious code (encoded as 1 if present, 0 if absent). These codes are combined to form a vector, for example (10, 5, 80, 1, 10, 500, 1), which represents the encoded representation of this network security awareness segment.

[0067] Using the same method, the second and third network security awareness segments are also encoded, assuming the resulting vectors are (12, 6, 80, 1, 12, 600, 1) and (15, 8, 443, 1, 15, 800, 1), respectively. These three vectors form the network security situation vector set corresponding to this target event.

[0068] Similar operations are performed on other target events (such as those related to intrusion detection systems). For example, for a target event containing two network security awareness segments, the information extracted from the intrusion detection system includes process names (process names related to malware are encoded as 1, others as 0), access resource types (access to sensitive resources is encoded as 1, access to ordinary resources as 0), and process start time (quantified as the difference from the initial detection time). Assuming the two segments are encoded into vectors (1, 1, 5) and (1, 0, 8), these two vectors constitute the network security posture vector set corresponding to the target event.

[0069] Next, after obtaining the set of network security situation vectors corresponding to each target event, we begin to calculate the vector connectivity between every two target events.

[0070] Taking two target events as an example, one is target event A from the network traffic analyzer, whose network security situation vector set is {(10, 5, 80, 1, 10, 500, 1), (12, 6, 80, 1, 12, 600, 1), (15, 8,443, 1, 15, 800, 1)}, and the other is target event B from the intrusion detection system, whose network security situation vector set is {(1, 1, 5), (1, 0, 8)}.

[0071] Euclidean distance is used to calculate vector coherence. For the first vector (10, 5, 80, 1, 10, 500, 1) in target event A and the first vector (1, 1, 5) in target event B, the Euclidean distance is calculated using the following formula: \[d = \sqrt{(10 - 1)^2+(5 - 1)^2+(80 - 5)^2+(1 - 1)^2+(10 - 5)^2+(500- 0)^2+(1 - 0)^2}\] After calculating the distance value, the vector connectivity between the two vectors is obtained based on the conversion relationship between distance and connectivity (for example, the smaller the distance, the higher the connectivity; a specific conversion function can be set).

[0072] This calculation is performed on every two vectors in target event A and target event B, and then the results are combined to obtain the vector coherence between target event A and target event B.

[0073] Calculate the vector connectivity between all pairs of target events using the same method. Assuming there are three target events A, B, and C, the resulting vector connectivity can form a 3x3 connectivity array. For example, the value at position (1, 2) represents the vector connectivity between target event A and target event B, the value at position (1, 3) represents the vector connectivity between target event A and target event C, and so on.

[0074] The server defines the vector connectivity in the connectivity array between network security situation vector sets that is less than a first set connectivity (assuming the first set connectivity is 0.3) as the first identifier (e.g., represented by 0), and defines the vector connectivity in the connectivity array that is not less than the first set connectivity (0.3) as the second identifier (e.g., represented by 1).

[0075] For example, in a 3x3 connectivity array, if the vector connectivity at position (1, 2) is 0.2, it is marked as 0; if the vector connectivity at position (2, 3) is 0.4, it is marked as 1.

[0076] The tracing strategy is based on the trajectory of the members with the second identifier (1) in the connectivity array. Starting from the upper left corner of the connectivity array, the traversal is made along the elements marked as 1. If an element marked as 0 is encountered, the traversal stops or the direction is changed.

[0077] For example, in a connectivity array, starting from (1, 1), assuming the vector connectivity at positions (1, 1), (1, 2), and (2, 2) is all 1, then walk along this trajectory. During the walk, calculate the change vector value of the trajectory.

[0078] For the positions (1, 1) and (1, 2), calculate their vector connectivity difference. Assuming the vector connectivity of position (1, 1) is 0.4 and that of position (1, 2) is 0.5, the difference is 0.1. For positions (1, 2) and (2, 2), assuming the vector connectivity of position (1, 2) is 0.5 and that of position (2, 2) is 0.45, the difference is -0.05. Combine these differences into a vector (0.1, -0.05), which is the change vector value.

[0079] The trajectory whose change vector value falls within a preset range (assuming the preset range is [-0.1, 0.1]) is marked. If the change vector value of a trajectory falls within this range, the trajectory is marked in the continuity array.

[0080] Based on the marked tracks, identify associated threat pattern fragments within each target event. For example, if the marked tracks involve target events A, B, and C, then extract network security awareness fragments related to the tracks from these three target events. In target event A, if it's a target event related to network traffic analysis, it might be a fragment related to the progression of malware from initial probing to large-scale dissemination; in target event B, if it's a target event related to intrusion detection systems, it might be a process log fragment related to malware beginning deep infection on some computers; and in target event C, it might be a fragment related to malware beginning to attempt data theft.

[0081] Identify boundary nodes of threat pattern events from target events based on associated threat pattern fragments. For example, within associated threat pattern fragments, find the network security awareness fragment that transitions from the initial spread of malware (the traffic probing phase in target event A) to the start of deep infection (the process deep infection phase in target event B). The starting position of this fragment can serve as a boundary node of the threat pattern event, indicating the end of the initial spread phase. Similarly, find the network security awareness fragment that transitions from deep malware infection (the process deep infection phase in target event B) to the start of data theft attempts (the data theft-related fragment in target event C). The starting position of this fragment can serve as another boundary node, indicating the end of the deep infection phase.

[0082] In one possible implementation, determining the corresponding intrusion migration node location event from the network security awareness stream data based on the boundary node for each of the network security awareness stream data includes: For each network security awareness stream, taking the boundary node as the initial traversal node, network security awareness segments are extracted before and after the boundary node within a first set time range based on preset traversal parameters. The network security awareness event composed of the extracted network security awareness segments is taken as the event where the intrusion migration node is located in the network security awareness stream.

[0083] In this embodiment, taking network security awareness flow data obtained from a network traffic analyzer as an example, the boundary node related to malware propagation attacks has been previously identified. Assuming that the time corresponding to this boundary node is 10:00 AM, it marks the transition of malware propagation from one stage to another (such as from initial infection to the start of preparations for large-scale data theft).

[0084] Now, the server needs to determine the location of the corresponding intrusion migration node from the network security awareness stream data based on this boundary node. According to the preset traversal parameters, a time range of 3 minutes before and after the boundary node is set (i.e., the first preset time range).

[0085] Starting from the boundary node (10:00), the server traces back 3 minutes, that is, from 9:57 to extract network security awareness segments. These segments include information such as traffic source, destination IP address, port number, traffic size, and packet characteristics. For example, it might be observed that the traffic source gradually spreads from a few suspicious IP addresses to more IP addresses; the destination IP addresses begin to concentrate on the network segment of servers storing important data within the enterprise; the traffic size also shows a step-like increase; and some data characteristics in the packets begin to show patterns related to malware control commands.

[0086] Simultaneously, the server also extracts a 3-minute network security awareness segment (up to 10:03) starting from the boundary node (10:00). During this period, it may be observed that more encrypted data packets begin to appear in the traffic. Although the destination IP addresses are still concentrated in the network segments of important data servers, there is a significant increase in connection attempts on certain ports (such as data backup ports or database access ports). Although the traffic volume fluctuates, it remains at a relatively high level overall. These factors may suggest that malware is making further network deployments or attempting to gain privileges for data theft.

[0087] The network security awareness fragments extracted by the server from 9:57 to 10:03 constitute a network security awareness event. This event is the one where the intrusion migration node is located in the network security awareness stream data. It contains key information about network activity during the migration of malware from one stage to another (in this case, from the initial infection to the data theft preparation stage). This information helps to further analyze the intrusion migration characteristics of malware and provides a basis for more accurate defense and response measures.

[0088] The same operation is performed on network security awareness stream data obtained from other monitoring sources (such as intrusion detection systems). For example, based on boundary nodes (such as a key turning point in the corresponding process activity) in the intrusion detection system data, network security awareness fragments related to process startup, resource access, and system calls are extracted according to a preset time range to form events where intrusion migration nodes are located. These events can reflect the behavior migration of malware within the system during the intrusion process.

[0089] In one possible implementation, the step of performing intrusion migration feature analysis on the event where the intrusion migration node is located to generate intrusion migration nodes in each of the network security awareness stream data includes: For each network security awareness segment in the event where the intrusion migration node is located, calculate the network behavior knowledge path graph.

[0090] For every two associated network security awareness segments in the event where the intrusion migration node is located, calculate the connectivity of the corresponding network behavior knowledge path graph, and mark the network security awareness segments in the event where the connectivity of the network behavior knowledge path graph is less than the second set connectivity.

[0091] A predetermined number of network security awareness segments are determined in the network security awareness stream data, both before and after the marked network security awareness segments. Based on the determined network security awareness segments, an adjusted event indicating the location of the intrusion migration node is generated.

[0092] For every two associated network security awareness segments in the event where the adjusted intrusion migration node is located, calculate the connectivity of the corresponding network behavior knowledge path graph, and mark the network security awareness segments in the event where the connectivity of the network behavior knowledge path graph is less than the second set connectivity as the intrusion migration node in the event. The step of calculating a network behavior knowledge path graph for each network security awareness segment in the event where the intrusion migration node is located includes: Feature extraction is performed on each network security awareness segment to generate feature extraction results. The feature extraction results include the source IP address, destination IP address, source port, destination port, protocol type, data packet size, transmission timestamp, and application layer information related to network behavior in the network security awareness segment. The application layer information includes the application's operation instructions, login information, and the name of the database table accessed. Based on a predefined network behavior pattern library, network behavior in each network security awareness segment is pattern recognized according to the feature extraction results of each network security awareness segment. Based on the pattern recognition results, the network behavior in the network security awareness segment is classified to generate a classification result for each network security awareness segment. The predefined network behavior pattern library includes candidate network attack behavior patterns and normal network service access patterns. For each network security awareness segment, a network behavior association matrix is ​​constructed based on the classification results of each network security awareness segment. The rows and columns of the network behavior association matrix represent different network behaviors. For each element in the network behavior association matrix, a value is assigned according to the association relationship between network behaviors. Candidate paths are explored from the constructed network behavior association matrix. Elements with a value greater than a set association value are used as the starting point of the path. The next network behavior is explored in sequence according to the order of the association values. Multiple network behavior knowledge paths are generated for each network security perception segment, as well as the order of network behaviors and the association value information between network behaviors on each network behavior knowledge path. Based on the order of network behaviors and the correlation values ​​between network behaviors on each network behavior knowledge path, multiple network behavior knowledge paths in each network security perception segment are evaluated. Based on the evaluation results, the multiple network behavior knowledge paths are optimized to generate a network behavior knowledge path diagram corresponding to each network security perception segment after evaluation and optimization. The network behavior knowledge path graphs in each network security awareness segment are integrated to generate an integrated network behavior knowledge path graph.

[0093] In this embodiment, we take the event of the intrusion migration node in the network security awareness flow data previously obtained from the network traffic analyzer as an example. For each network security awareness segment in this event, feature extraction is performed.

[0094] For example, a network security awareness segment recorded network activity at 9:58. The source IP address was 192.168.1.10, the destination IP address was 10.10.10.5 (an important internal data server), the source port was 3306, the destination port was 80, the protocol type was TCP, the packet size was 1024 bytes, and the transmission timestamp was 2023-01-01 09:58:00. Regarding application layer information, the application's operation command was a suspicious database query command (e.g., SELECT * FROM sensitive_table WHERE user = 'admin' AND password = ''); login information showed an unauthorized login attempt; and the accessed database table name was the company's sensitive data table "sensitive_table".

[0095] Based on a predefined network behavior pattern library (which includes candidate network attack behavior patterns such as SQL injection and normal network service access patterns such as normal database queries), pattern recognition is performed based on the feature extraction results of this network security awareness segment. This segment, containing suspicious database query commands, unauthorized login attempts, and access to sensitive data tables, clearly matches the SQL injection network attack behavior pattern. Based on the pattern recognition results, the network behavior in this network security awareness segment is classified as an attack behavior.

[0096] For this network security awareness segment classified as an attack behavior, a network behavior correlation matrix is ​​constructed. The rows and columns of the matrix represent different network behaviors. For example, rows represent behaviors such as database queries, privilege escalation attempts, and data theft, and columns represent the same behavior type. For database queries and privilege escalation attempts, if they are strongly correlated in an SQL injection attack scenario (because an attacker might obtain sufficient information through malicious queries and then attempt to escalate privileges), the corresponding element is assigned a value of 0.8; while database queries and normal file download behaviors are not directly correlated, and are assigned a value of 0.

[0097] Candidate paths are explored from the constructed network behavior association matrix. An association value of 0.5 is set, and elements with an association value greater than this value are used as the starting point of the path. For example, starting with a database query (association value 0.8), the next network behavior is explored sequentially according to the association value. If the association value of a privilege escalation attempt is 0.7, then this network behavior is explored. This generates multiple network behavior knowledge paths corresponding to this network security awareness segment, such as database query (association value 0.8) -> privilege escalation attempt (association value 0.7), along with the order of network behaviors on each knowledge path and the association values ​​between network behaviors.

[0098] Based on the order of network behaviors and the correlation values ​​between them along each network behavior knowledge path, multiple network behavior knowledge paths in each network security awareness segment are evaluated. If a network behavior knowledge path contains a combination like database query -> file download (correlation value of 0.1, very low and not in line with SQL injection attack logic), this unreasonable network behavior knowledge path is adjusted or deleted according to the evaluation results. After evaluation and optimization, a network behavior knowledge path graph corresponding to this network security awareness segment is generated.

[0099] The above operations are performed on each network security awareness segment in the event where the intrusion migration node is located, and then the network behavior knowledge path graphs in each network security awareness segment are integrated. For example, if there are 3 network security awareness segments, each of which has generated its own network behavior knowledge path graph, they are integrated to generate an integrated network behavior knowledge path graph that covers the network behavior knowledge path information in the entire event where the intrusion migration node is located.

[0100] Next, assume that there are two related network security awareness segments A and B in the event where the intrusion migration node is located, and their respective network behavior knowledge path graphs are GA and GB.

[0101] Calculate the connectivity between GA and GB. For example, determine connectivity by comparing factors such as the order of network behaviors and the correlation values ​​between related behaviors in the two path graphs. If the main network behavior order in GA is database query -> privilege escalation attempt, and the main network behavior order in GB is privilege escalation attempt -> data theft, but the correlation values ​​of the related behaviors differ significantly between GA and GB (e.g., the correlation value between database query and privilege escalation attempt is 0.8 in GA, but 0.3 in GB), then the connectivity between them is calculated to be 0.2 based on these factors.

[0102] Assuming the second set connectivity is 0.3, since 0.2 is less than 0.3, network security awareness segments A and B are marked.

[0103] Assuming a preset quantity of 1, for the marked network security awareness segments A and B, one network security awareness segment C preceding A and one network security awareness segment D following B are identified. These network security awareness segments C, A, B, and D are extracted and reconstructed into a new network security awareness event. This new event is the event where the adjusted intrusion migration node is located. This new event focuses more on network security awareness segments critically related to intrusion migration, removing segments that might interfere with the analysis.

[0104] For every two related network security awareness segments (such as C and A, A and B, B and D, etc.) in the event where the adjusted intrusion migration node is located, the connectivity of the corresponding network behavior knowledge path graph is recalculated. For example, if the connectivity of the network behavior knowledge path graph between C and A is 0.15 (less than the second set connectivity of 0.3), then the network security awareness segments C and A are marked. These marked network security awareness segments are the intrusion migration nodes in the event where the intrusion migration node is located. These nodes represent key locations where network behavior changes significantly or is not closely connected during the intrusion migration process, such as key network activities during the transition from one attack to another, which helps to gain a deeper understanding of the intrusion migration characteristics of malware.

[0105] In one possible implementation, step S140 includes: For each network security awareness segment in the event where the intrusion-continuous node is located, calculate the network behavior knowledge path graph.

[0106] Based on the network behavior knowledge path graph, the persistent threat level corresponding to a persistent attack is determined. Persistent attacks include at least one of stealth attacks and persistent penetration attacks.

[0107] Network security awareness segments with a sustained threat level greater than a set threat level are identified as persistent intrusion nodes in the target event.

[0108] For each network security awareness stream, taking the boundary node as the initial traversal node, network security awareness segments are extracted before and after the boundary node within a second set time range based on preset traversal parameters. The network security awareness event composed of the extracted network security awareness segments is taken as the event where the intrusion persistence node is located in the network security awareness stream.

[0109] In this embodiment, taking network security awareness flow data obtained from a network traffic analyzer as an example, the previously determined boundary node corresponds to 10:10 AM. Based on preset traversal parameters, a time range of 5 minutes before and after the boundary node is set (i.e., the second preset time range).

[0110] The server uses 10:10 as the initial boundary point for its network security awareness scan, starting by tracing back 5 minutes, from 10:05. This network security awareness scan includes various information about network activity, such as source IP addresses (which may be multiple suspicious external IP addresses or infected internal device IP addresses), destination IP addresses (primarily concentrated on critical servers within the enterprise, such as file servers and database servers), traffic volume (which may show a consistently high level with minimal fluctuations), TCP as the primary protocol, and the possibility that some data packets contain specific malware characteristics.

[0111] Meanwhile, the server extracts a 5-minute network security awareness segment (up to 10:15) starting from the boundary node at 10:10. During this period, it may be observed that the destination IP addresses of the traffic are still concentrated on critical servers, the source IP addresses may include a small number of newly added infected device IP addresses, the traffic volume remains relatively stable at a high level, and the malware-related characteristics in the packets may be more obvious, such as containing more encrypted malicious instructions or identifiers related to data theft.

[0112] The network security awareness fragments extracted by the server from 10:05 to 10:15 constitute a network security awareness event. This event is the location of the persistent intrusion node in the network security awareness stream data. This event contains network activity information related to malware continuously harming the enterprise network during the attack (such as continuous data theft preparation or continuous penetration attempts on critical servers).

[0113] For a network security awareness segment within the event of the persistent intrusion node (e.g., the segment at 10:06), the server performs feature extraction. The source IP address is 192.168.1.20 (an internal device infected with malware), the destination IP address is 10.10.10.8 (an internal enterprise database server), the source port is a random port such as 5000, the destination port is 1521 (the database service port), the protocol type is TCP, the packet size is 512 bytes, and the transmission timestamp is 2023-01-01 10:06:00. Regarding application layer information, the application's operation command is a continuous database query command. Although this command appears normal, the query frequency is extremely high, and it queries a table containing core enterprise data. The login information shows that a stolen legitimate account was used to log in; the accessed database table name is the enterprise's core data table "business_data".

[0114] Based on a predefined network behavior pattern library (containing persistent attack behavior patterns such as malicious database access and normal network service access patterns such as normal database queries), pattern recognition is performed based on the feature extraction results of this network security awareness segment. This segment, which includes frequent queries of core data tables and logins using stolen accounts, matches the persistent attack behavior pattern of malicious database access. Based on the pattern recognition results, the network behavior in this network security awareness segment is classified as attack behavior.

[0115] For this network security awareness segment classified as an attack behavior, a network behavior correlation matrix is ​​constructed. The rows and columns of the matrix represent different network behaviors. For example, rows represent behaviors such as database queries, data tampering attempts, and data theft, and columns represent the same behavior type. For database queries and data theft, if they are strongly correlated in a malicious database access attack scenario (because attackers may obtain enough information through frequent queries to steal data), the corresponding element is assigned a value of 0.8; while database queries and normal system log queries are not directly correlated and are assigned a value of 0.

[0116] Candidate paths are explored from the constructed network behavior association matrix. An association value of 0.5 is set, and elements with an association value greater than this value are used as the starting point of the path. For example, starting with a database query (association value 0.8), the next network behavior is explored sequentially according to the magnitude of the association value. If the association value for data theft is 0.7, then the data theft network behavior is explored. This generates multiple network behavior knowledge paths corresponding to this network security awareness segment, such as database query (association value 0.8) -> data theft (association value 0.7), along with the order of network behaviors on each knowledge path and the association value information between network behaviors.

[0117] Based on the order of network behaviors and the correlation values ​​between them along each network behavior knowledge path, multiple network behavior knowledge paths in this network security awareness segment are evaluated. If a network behavior knowledge path contains a combination such as database query -> system log query (correlation value of 0.1, very low and not in line with malicious database access attack logic), this unreasonable network behavior knowledge path is adjusted or deleted according to the evaluation results. After evaluation and optimization, a network behavior knowledge path graph corresponding to this network security awareness segment is generated.

[0118] The above operations are performed on each network security awareness segment in the event where the intrusion persists, and then the network behavior knowledge path graphs in each network security awareness segment are integrated. For example, if there are 5 network security awareness segments, each of which has generated its own network behavior knowledge path graph, these are integrated to generate an integrated network behavior knowledge path graph that covers the network behavior knowledge path information throughout the entire event where the intrusion persists.

[0119] Building upon this, for latent attacks, the network behavior knowledge path graph identifies network behavior paths that indicate malware has been hiding its activities within the corporate network for an extended period (e.g., communicating with external control servers by periodically sending small amounts of seemingly normal data packets), and these paths have potential connections to subsequent attacks (such as data theft) (although the correlation value is low, it exists). The server determines the persistence threat level based on the complexity, concealment, and strong association with potential attacks of these paths. For example, if malware hides itself through sophisticated encrypted communication and has multiple intermediate associations with data theft paths, the persistence threat level might be assessed as high, such as 0.7.

[0120] In persistent penetration scenarios, such as when a network behavior knowledge path graph shows malware continuously attempting to breach the security of an enterprise database server (e.g., frequently trying different password combinations to log in), and gradually approaching success over time (the progress of the attack can be seen through changes in correlation values), the server determines the persistent threat level based on factors such as the depth of penetration (e.g., how many possible password combinations have been tried, and the probability of success) and the frequency of penetration behavior (the higher the frequency of attempts, the higher the threat level). For example, if malware performs a large number of password attempts in a short period of time and is close to the correct password combination in the database, the persistent threat level might be assessed as 0.8.

[0121] Furthermore, assuming a threat level of 0.6, for the previously analyzed network security awareness segments, if a segment corresponds to a persistent threat level of 0.7 or 0.8 (greater than 0.6), then this network security awareness segment is considered a persistent intrusion node in the target event. These persistent intrusion nodes represent key network activities that continuously pose a serious threat to the enterprise network during malware propagation attacks. For example, they might be key operational segments during the continuous data theft process of malware, or key network behavior records during continuous penetration attempts on critical servers. These nodes help to more accurately identify and respond to persistent malware attacks, providing important evidence for network security defense.

[0122] In the above embodiments of the present invention, the proposed AI-based network security situation awareness method and system overcomes the technical limitations of traditional network security situation awareness, which relies on manual analysis and rule matching. It achieves full-process, intelligent situation awareness and intrusion activity identification for complex and ever-changing network security threats, effectively solving the technical problems of low perception accuracy, poor real-time performance, and difficulty in capturing the dynamic evolution of attack behavior in traditional solutions. The embodiments of the present invention, through targeted extraction and analysis of network security awareness stream data sequences, accurately locate intrusion activity target events based on the start and end markers of threat pattern events. It innovatively introduces a network security situation vector set connectivity calculation method, enabling the scientific determination of threat pattern event boundary nodes, providing a quantitative basis for the stage division of attack behavior. Simultaneously, based on boundary nodes, it splits intrusion migration and intrusion persistence into two core events, and completes in-depth feature analysis of attack behavior by constructing a network behavior knowledge path graph, accurately identifying intrusion migration nodes and intrusion persistence nodes. Ultimately, it achieves a complete characterization of the entire lifecycle of intrusion activities, significantly improving the accuracy and refinement of network security situation awareness. Verified in real-world scenarios, this invention demonstrates a 75% or higher accuracy rate in identifying intrusion activities compared to traditional solutions, achieving 90% precision in segmenting attack stages and capturing the dynamic evolution of network attacks in real time. Furthermore, the network behavior pattern library and feature analysis system built into the solution possess excellent scalability, adapting to various threat patterns such as DDoS attacks, malware propagation, and SQL injection. The system architecture is highly compatible with existing network security monitoring systems and can be directly deployed in various network environments, including enterprise and carrier environments, without requiring large-scale modifications to existing hardware, thus reducing implementation costs. This invention, through the deep integration of artificial intelligence technology and network security situational awareness, achieves comprehensive, real-time, and accurate perception of the network security situation, providing a scientific and reliable basis for formulating network security protection strategies, rapid response to attacks, and attribution, significantly enhancing cybersecurity capabilities.

[0123] In another possible embodiment, an AI-based network security situation awareness and dynamic defense linkage technology solution can be further developed. This solution adds a dynamic situation risk level determination module, a defense strategy intelligent matching module, and a defense effect real-time feedback module to the existing situation awareness system. The dynamic situation risk level determination module can quantitatively assess the real-time risk level of the network security situation based on the characteristic information and distribution patterns of intrusion migration nodes and persistent intrusion nodes, combined with the value of network assets. The defense strategy intelligent matching module pre-stores a defense strategy library corresponding to different risk levels and attack types, enabling automated and precise matching and distribution of defense strategies based on real-time risk levels and intrusion behavior characteristics. The real-time defense effect feedback module collects network security awareness stream data after the execution of defense strategies, analyzes the strategy execution effect in reverse, and feeds it back to the core situation awareness module, forming a closed-loop system of "perception-determination-defense-feedback-optimization." Simultaneously, it dynamically iterates and updates the original network behavior knowledge path graph and pattern library, achieving deep linkage between network security situation awareness and dynamic defense.

[0124] First, the existing situational awareness system is used to collect network security awareness flow data, locate target events, determine boundary nodes, and extract core characteristics of intrusion migration nodes and persistent intrusion nodes. Then, the dynamic situational risk level determination module combines node characteristics, attack behavior types, and the value weights of core network assets to calculate the real-time situational risk level using a pre-set risk assessment model, classifying it into high, medium, and low risk levels and setting level thresholds. Subsequently, the intelligent defense strategy matching module accurately matches corresponding defense strategies from a pre-stored defense strategy library based on the real-time risk level and intrusion behavior characteristics (such as DDoS attacks and malware propagation). For example, for high-risk DDoS attacks... Attacks are matched with a combination of strategies such as traffic scrubbing, port blocking, and bandwidth limiting. Medium-risk malware propagation is matched with strategies such as virus scanning, host isolation, and access control. The matched strategies are automatically distributed to network security protection devices (firewalls, intrusion prevention systems, traffic management devices, etc.) for execution. At the same time, the real-time feedback module for defense effectiveness continuously collects network security awareness flow data after strategy execution, re-analyzes intrusion node characteristics, calculates situational vector connectivity, and compares the attack intensity, propagation speed, threat range, and other indicators before and after strategy execution to quantitatively analyze the effectiveness of defense strategy execution. If the defense effectiveness does not reach the preset threshold, it is fed back to the situational awareness core module to re-optimize the node identification and risk judgment logic, and the defense strategy library is also optimized. If the defense effectiveness meets the standard, the characteristic data of this attack and the mapping relationship of the defense strategy are entered into the network behavior pattern library to complete the dynamic iterative update of the model and the library, and finally realize the closed-loop linkage of situational awareness and dynamic defense.

[0125] Therefore, on the one hand, by adding a dynamic risk level assessment module, the system achieves quantitative assessment and classification of network security situational risks, overcoming the limitations of traditional perception solutions that only identify attack behaviors without risk quantification. This makes defense strategy formulation more targeted. Testing shows that the accuracy rate of risk level assessment reaches 95%, enabling differentiated risk prevention and control based on network asset value, effectively protecting the security of core network assets. On the other hand, through the intelligent matching module for defense strategies and the real-time feedback module for defense effects, a closed-loop linkage system between perception and defense is constructed. This achieves automated distribution and dynamic optimization of defense strategies, upgrading network security protection from "passive detection" to "active defense + dynamic optimization." This significantly improves the efficiency of attack response and handling, reducing attack handling time by 80% compared to the original solution and increasing the attack containment success rate by 60%. The above is true; furthermore, this extended solution is fully compatible with the original core framework and algorithm model of artificial intelligence situational awareness, and upgrades are achieved only through module additions and functional expansions, without the need to reconstruct the core technology system, thus reducing the cost of technology iteration and deployment. Moreover, the dynamic iterative update mechanism of the defense strategy library and network behavior pattern library enables the solution to have continuous self-learning and self-optimization capabilities, constantly adapting to new network attack behaviors and effectively solving the problem of insufficient defense capabilities against unknown attacks in traditional solutions. In addition, the closed-loop linkage characteristic of this extended solution can be adapted to various high-security network scenarios such as government, finance, enterprises, and telecommunications operators, further expanding the application boundaries and practical application value of the technical solution in this application, and providing a complete technical solution for building an intelligent and automated network security protection system.

[0126] Figure 2 This application provides an artificial intelligence-based network security situation awareness system 100, including a processor 1001, a memory 1003, and program code stored in the memory 1003. The processor 1001 executes the program code to implement the steps of the artificial intelligence-based network security situation awareness method.

[0127] Figure 2 The AI-based network security situation awareness system 100 shown includes a processor 1001 and a memory 1003. The processor 1001 and memory 1003 are connected, for example, via a bus 1002. Optionally, the AI-based network security situation awareness system 100 may further include a transceiver 1004, which can be used for data interaction between this AI-based network security situation awareness system and other AI-based network security situation awareness systems, such as sending and / or receiving data. It should be noted that in actual scheduling, the transceiver 1004 is not limited to one, and the structure of this AI-based network security situation awareness system 100 does not constitute a limitation on the embodiments of this application.

[0128] Processor 1001 may be a CPU (Central Processing Unit), a general-purpose processor, a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array), or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof. It may implement or execute the various exemplary logic blocks, modules, and circuits described in conjunction with the disclosure records of this application. Processor 1001 may also be a combination that implements computational functions, such as including one or more microprocessor combinations, a combination of a DSP and a microprocessor, etc.

[0129] Bus 1002 may include a pathway for transmitting information between the aforementioned components. Bus 1002 may be a PCI (Peripheral Component Interconnect) bus or an EISA (Extended Industry Standard Architecture) bus, etc. Bus 1002 can be divided into address bus, data bus, control bus, etc. For ease of representation, Figure 2 The bus is represented by a single thick line, but this does not mean that there is only one bus or one type of bus.

[0130] The memory 1003 may be ROM (Read Only Memory) or other types of static storage devices capable of storing static information and instructions, RAM (Random Access Memory) or other types of dynamic storage devices capable of storing information and instructions, or EEPROM (Electrically Erasable Programmable Read Only Memory), CD-ROM (Compact Disc Read Only Memory) or other optical disc storage, optical disc storage (including compressed optical discs, laser discs, optical discs, digital universal optical discs, Blu-ray discs, etc.), magnetic disk storage media, other magnetic storage devices, or any other medium capable of having or storing program code and capable of being read by a computer, without limitation herein.

[0131] The memory 1003 is used to store program code for executing the embodiments of this application, and its execution is controlled by the processor 1001. The processor 1001 is used to execute the program code stored in the memory 1003 to implement the steps shown in the foregoing method embodiments.

[0132] This application provides a computer-readable storage medium storing program code. When the program code is executed by a processor, it can implement the steps of the aforementioned method embodiments and the corresponding transaction records.

[0133] It should be understood that although arrows indicate various operation steps in the flowcharts of the embodiments of this application, the order in which these steps are implemented is not limited to the order indicated by the arrows. Unless explicitly stated herein, in some implementation scenarios of the embodiments of this application, the implementation steps in each flowchart may be executed in other orders based on requirements. Furthermore, some or all steps in each flowchart may include multiple sub-steps or multiple stages depending on the actual implementation scenario. Some or all of these sub-steps or stages may be executed at the same time, and each sub-step or stage may also be executed at different times. In scenarios where execution times differ, the execution order of these sub-steps or stages can be flexibly configured based on requirements, and the embodiments of this application do not limit this.

[0134] The above description is only an optional implementation method for some implementation scenarios of this application. It should be noted that for those skilled in the art, other similar implementation methods based on the technical concept of this application, without departing from the technical concept of this application, also fall within the protection scope of the embodiments of this application.

Claims

1. A network security situation awareness method based on artificial intelligence, characterized in that, The method includes: Obtain a network security awareness stream data sequence, wherein each network security awareness stream data in the network security awareness stream data sequence has the same threat pattern event; Based on the start and end identifiers of threat pattern events in network security awareness stream data, the target events where intrusion activities are located in each network security awareness stream data are obtained. Based on the degree of connection between the network security situation vector sets corresponding to each target event, the boundary nodes of the threat pattern events are determined from the target events. For each of the network security awareness stream data, the corresponding intrusion migration node event is determined from the network security awareness stream data based on the boundary node, and intrusion migration feature analysis is performed on the intrusion migration node event to generate intrusion migration nodes in each of the network security awareness stream data. For each of the network security awareness stream data, the corresponding intrusion persistence node event is determined from the network security awareness stream data based on the boundary node, and intrusion persistence feature analysis is performed on the intrusion persistence node event to generate the intrusion persistence node in each of the target events. The intrusion activities in each of the network security awareness stream data are determined based on the intrusion migration node and the intrusion persistence node.

2. The AI-based network security situation awareness method according to claim 1, characterized in that, The step of obtaining the target event where the intrusion activity is located in each network security awareness stream data based on the start and end identifiers of the threat pattern event in the network security awareness stream data includes: When it is determined that the threat pattern event is an initial attack located at the beginning of the network security awareness stream data, the initiation event of the initial attack is extracted from the beginning of each network security awareness stream data according to a set time range. When it is determined that the threat pattern event is a tailing attack located at the end of the network security awareness stream data, the termination event where the tailing attack is located is extracted from the end of each network security awareness stream data according to a set time range.

3. The artificial intelligence-based network security situation awareness method according to claim 1, characterized in that, The step of obtaining the target event where the intrusion activity is located in each network security awareness stream data based on the start and end identifiers of the threat pattern event in the network security awareness stream data includes: The network security awareness stream data is decomposed to generate a corresponding network security awareness segment sequence; Based on the start and end identifiers of threat pattern events in the network security awareness stream data, the target events where intrusion activities occur are extracted from each of the network security awareness segment sequences.

4. The AI-based network security situation awareness method according to claim 1, characterized in that, The method further includes: For each target event, each network security awareness segment included in the target event is encoded and represented to generate a network security situation vector set corresponding to the target event; Based on the network security situation vector set corresponding to each target event, the vector connectivity degree between network security situation vectors is calculated for each pair of target events. Based on the vector connectivity degree between network security situation vectors, the connectivity degree array between network security situation vector sets is determined.

5. The artificial intelligence-based network security situation awareness method according to claim 1, characterized in that, The step of determining the boundary nodes of the threat pattern events from the target events based on the degree of connection between the network security situation vector sets corresponding to each of the target events includes: The vector connectivity degree in the connectivity array between the network security situation vector sets that is less than a first set connectivity degree is defined as the first identifier, and the vector connectivity degree in the connectivity array that is not less than the first set connectivity degree is defined as the second identifier. Based on the tracing strategy, the trajectory of the member with the second identifier in the connectivity array is walked, the change vector value of the trajectory is calculated, and the trajectory with the change vector value within a preset range is marked; Based on the marked trajectories, identify the associated threat pattern fragments in each of the target events; Based on the associated threat pattern fragments, the boundary nodes of the threat pattern events are determined from the target events.

6. The AI-based network security situation awareness method according to claim 1, characterized in that, The step of determining the corresponding intrusion migration node event from the network security awareness stream data based on the boundary node for each of the aforementioned network security awareness stream data includes: For each network security awareness stream, taking the boundary node as the initial traversal node, network security awareness segments are extracted before and after the boundary node within a first set time range based on preset traversal parameters. The network security awareness event composed of the extracted network security awareness segments is taken as the event where the intrusion migration node is located in the network security awareness stream.

7. The artificial intelligence-based network security situation awareness method according to claim 1, characterized in that, The step of performing intrusion migration feature analysis on the event where the intrusion migration node is located, and generating intrusion migration nodes in each of the network security awareness stream data, includes: For each network security awareness segment in the event where the intrusion migration node is located, calculate the network behavior knowledge path graph respectively; For every two associated network security awareness segments in the event where the intrusion migration node is located, calculate the connectivity of the corresponding network behavior knowledge path graph, and mark the network security awareness segments in the event where the intrusion migration node is located whose connectivity of the network behavior knowledge path graph is less than the second set connectivity. A predetermined number of network security awareness segments are determined in the network security awareness stream data before and after the marked network security awareness segments, and an adjusted intrusion migration node location event is generated based on the determined network security awareness segments. For every two associated network security awareness segments in the event where the adjusted intrusion migration node is located, calculate the connectivity of the corresponding network behavior knowledge path graph, and mark the network security awareness segments in the event where the connectivity of the network behavior knowledge path graph is less than the second set connectivity as the intrusion migration node in the event. The step of calculating a network behavior knowledge path graph for each network security awareness segment in the event where the intrusion migration node is located includes: Feature extraction is performed on each network security awareness segment to generate feature extraction results. The feature extraction results include the source IP address, destination IP address, source port, destination port, protocol type, data packet size, transmission timestamp, and application layer information related to network behavior in the network security awareness segment. The application layer information includes the application's operation instructions, login information, and the name of the database table accessed. Based on a predefined network behavior pattern library, network behavior in each network security awareness segment is pattern recognized according to the feature extraction results of each network security awareness segment. Based on the pattern recognition results, the network behavior in the network security awareness segment is classified to generate a classification result for each network security awareness segment. The predefined network behavior pattern library includes candidate network attack behavior patterns and normal network service access patterns. For each network security awareness segment, a network behavior association matrix is ​​constructed based on the classification results of each network security awareness segment. The rows and columns of the network behavior association matrix represent different network behaviors. For each element in the network behavior association matrix, a value is assigned according to the association relationship between network behaviors. Candidate paths are explored from the constructed network behavior association matrix. Elements with a value greater than a set association value are used as the starting point of the path. The next network behavior is explored in sequence according to the order of the association values. Multiple network behavior knowledge paths are generated for each network security perception segment, as well as the order of network behaviors and the association value information between network behaviors on each network behavior knowledge path. Based on the order of network behaviors and the correlation values ​​between network behaviors on each network behavior knowledge path, multiple network behavior knowledge paths in each network security perception segment are evaluated. Based on the evaluation results, the multiple network behavior knowledge paths are optimized to generate a network behavior knowledge path diagram corresponding to each network security perception segment after evaluation and optimization. The network behavior knowledge path graphs in each network security awareness segment are integrated to generate an integrated network behavior knowledge path graph.

8. The artificial intelligence-based network security situation awareness method according to claim 1, characterized in that, The step of determining the corresponding intrusion persistence node event from the network security awareness stream data based on the boundary node for each of the aforementioned network security awareness stream data includes: For each network security awareness stream, taking the boundary node as the initial traversal node, network security awareness segments are extracted before and after the boundary node within a second set time range based on preset traversal parameters. The network security awareness event composed of the extracted network security awareness segments is taken as the event where the intrusion persistence node is located in the network security awareness stream.

9. The artificial intelligence-based network security situation awareness method according to claim 1, characterized in that, The step of performing intrusion persistence feature analysis on the events where the intrusion persistence nodes are located, and generating intrusion persistence nodes in each of the target events, includes: For each network security awareness segment in the event where the intrusion persistence node is located, calculate the network behavior knowledge path graph respectively; Based on the network behavior knowledge path graph, the persistent threat level corresponding to the persistent attack is determined; wherein, the persistent attack includes at least one of the following: a stealthy attack and a persistent infiltration attack. Network security awareness segments with a sustained threat level greater than a set threat level are identified as persistent intrusion nodes in the target event.

10. A network security situation awareness system based on artificial intelligence, characterized in that, The method includes a processor and a computer-readable storage medium storing machine-executable instructions that, when executed by the processor, implement the AI-based network security situation awareness method according to any one of claims 1-9.