Defence decision generation method and system facing dynamic threat situation and electronic equipment
By using dynamic threat situation modeling and defense knowledge graph construction, combined with a large defense model to generate multi-stage decision strategies, the problem of lacking dynamic defense decision-making in existing technologies is solved, and the automatic generation and continuous optimization of automated defense strategies in the network environment are realized.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- HARBIN INSTITUTE OF TECHNOLOGY (SHENZHEN) (INSTITUTE OF SCIENCE AND TECHNOLOGY INNOVATION HARBIN INSTITUTE OF TECHNOLOGY SHENZHEN)
- Filing Date
- 2026-04-21
- Publication Date
- 2026-07-10
Smart Images

Figure CN122372286A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security technology, specifically to a method, system, and electronic device for generating defense decisions in response to dynamic threat situations. Background Technology
[0002] With the widespread application of cloud computing, the Internet of Things, and artificial intelligence technologies, the cyberspace environment is characterized by high openness, dynamic change, and complex heterogeneity. At the same time, existing attack methods are constantly evolving, and attack chains are becoming increasingly automated. This necessitates that network defense systems not only possess threat detection capabilities but also rapid decision-making capabilities.
[0003] Currently, cybersecurity defense systems have evolved from traditional perimeter protection to a comprehensive defense model that integrates situational awareness and threat detection. In practical applications, security systems typically identify attack behaviors through log analysis, traffic detection, and threat intelligence correlation, and then handle threat events by combining security orchestration and automated response mechanisms, such as blocking abnormal access and isolating controlled hosts.
[0004] Furthermore, with the development of large language models, some research has begun to explore the use of large models to assist security analysis, thereby improving the efficiency of security operations. However, most existing technologies are still at the level of "detection-alarm-manual response" and have not yet formed a mechanism for generating defense decision-making strategies in response to dynamic threat situations.
[0005] From the perspective of generating defense decision strategies, existing technologies still have the following shortcomings: 1) Defense decisions rely on human experience: Existing defense and response processes are mainly formulated manually by security experts, and the system has difficulty in autonomously generating decision strategies for different situations.
[0006] 2) Lack of a multi-stage coordinated defense strategy chain: Existing systems usually perform single actions, making it difficult to form a complete defense decision sequence covering detection, recovery and hardening.
[0007] 3) Lack of real-time adjustment capability for dynamic threat situations: Network topology, attack paths and defense status are constantly changing, and existing static rule methods are difficult to dynamically update strategies according to the evolution of the situation.
[0008] 4) Lack of closed-loop feedback and continuous optimization mechanism: Existing automatic responses are mostly one-time executions, lacking the ability to regenerate strategies for evaluation and feedback. Summary of the Invention
[0009] To address the aforementioned issues, this invention provides a method, system, and electronic device for generating defense decisions in response to dynamic threat situations. It unifies the modeling of threat situations, asset environments, and defense knowledge, and achieves automatic generation of defense decisions through strategy generation, evaluation feedback, and dynamic optimization mechanisms, thereby overcoming the shortcomings of existing technologies.
[0010] According to a first aspect of the present disclosure, a method for generating defense decisions oriented towards dynamic threat situations is provided, the method comprising the following steps: Dynamic threat posture modeling and defense knowledge base construction include a structured description of the target network topology, assets and threat events, construction of a dynamic threat posture representation, and formation of a defense knowledge graph by combining defense rules, response actions and security constraints; Multi-stage decision strategy generation based on a large defense model includes a defense knowledge graph, which introduces a large defense model as the core reasoning engine, divides the defense process into multiple defense stages, and generates a sequence of candidate defense strategies in each stage. The strategy evaluation feedback and closed-loop dynamic optimization output include multi-dimensional evaluation of candidate defense strategies, dynamic adjustment of constraints based on execution feedback, triggering strategy regeneration, forming a closed-loop defense decision-making mechanism to output the sustainable optimization of the strategy.
[0011] A further technical solution of the present invention is: dynamic threat situation representation is used to characterize the changes in the security status of a target network at different time stages, including three dimensions: threat events, signs of attack behavior, and situation evolution trends.
[0012] A further technical solution of the present invention is as follows: the defense knowledge graph is formed by establishing a utilization relationship between the vulnerability knowledge base and the attack technology knowledge base, and establishing an adversarial relationship between the attack technology knowledge base and the defense knowledge base.
[0013] A further technical solution of the present invention is as follows: the input vector of the large defense model includes threat situation features S, defense targets G, defense knowledge graph KG, and constraint conditions C, the first... The set of candidate strategies for each stage is , , Indicates the first Characteristics of the stage of the threat situation Indicates the relationship with the first The relevant knowledge context of the stage For historical strategy sequence, Generate functions for large-scale defense models.
[0014] A further technical solution of the present invention is: for the candidate strategy set Each candidate strategy 'a' is used to calculate a comprehensive score, which is then used to rank the candidate strategies. The specific expression for the score of candidate strategy 'a' is as follows:
[0015] Feasibility(a) represents the feasibility of strategy a in the current scenario, effectiveness(a) represents the mitigation effect on the threat, risk(a) represents the risk of impact on the business system, and cost(a) represents the resource cost. (Weight) , , , Indicates the weight.
[0016] A further technical solution of the present invention is: the execution steps of multiple defense phases include: Input the threat situation description S, defense target G, defense knowledge graph KG, constraints C, and maximum number of stages T; Initialize an empty defense strategy sequence P; Set the current stage to 1. If the defense target G is not reached and the stage number does not exceed the maximum stage number T, continue executing the following steps: Retrieve knowledge fragments K related to the current threat situation from the defense knowledge graph KG, and encode the current threat situation S, defense target G, constraint C, knowledge fragment K, and the generated strategy sequence P into the defense big model input X. The defense big model performs reasoning and generates multiple candidate defense strategies. The candidate strategies are comprehensively evaluated and scored, and the strategy with the highest score is selected as the optimal defense strategy for this stage and added to the defense strategy sequence P. After evaluating the optimal defense strategy and obtaining feedback results, if the evaluation results indicate that the strategy is not feasible or the risk is too high, the constraint condition C is updated or the strategy weight is adjusted based on the feedback, and candidate strategies are regenerated in the current stage; if the strategy passes the evaluation, the threat situation S is updated based on the execution feedback, and the next stage is entered to continue generating defense strategies. After the loop ends, the final defense strategy sequence P is output, forming a complete multi-stage closed-loop defense decision scheme.
[0017] A further technical solution of the present invention is as follows: Feasibility and risk assessment is performed on the generated strategy sequence P, and the assessment result forms an assessment vector F:
[0018] Indicates executability. Indicates business impact. Indicates execution cost, Indicates the effectiveness of the defense; A comprehensive evaluation of the policy sequence P is performed to obtain the overall evaluation result E(P):
[0019] Where T represents the number of policy phases, α 1、 , α4 is the evaluation weight parameter; When the strategy evaluation result fails to reach the threshold or has an excessive impact on business, the system will dynamically adjust the strategy generation process based on the evaluation feedback. The feedback adjustment rules include: when the defense effect is insufficient, the system can retrieve stronger measures from the defense knowledge graph; when the business impact is too high, the system will automatically adjust the constraint condition C to limit the frequency or scope of high-intensity defense actions and regenerate candidate strategies; the evaluation vector F and the updated constraint condition will serve as one of the inputs for the next round of strategy reasoning, so that the defense strategy gradually converges in the multi-round generation process.
[0020] According to a second aspect of the present disclosure, a defense decision generation system oriented towards dynamic threat situations is provided, comprising: The Dynamic Threat Situation Modeling and Defense Knowledge Base Construction Module is used to provide a structured description of the target network topology, assets, and threat events, construct a dynamic threat situation representation, and combine defense rules, response actions, and security constraints to form a defense knowledge graph. The multi-stage decision strategy generation module based on the defense big model is used to divide the defense process into multiple defense stages based on the defense knowledge graph and introduce the defense big model as the core reasoning engine, and generate a sequence of candidate defense strategies in each stage. The strategy evaluation feedback and closed-loop dynamic optimization output module is used to evaluate candidate defense strategies from multiple dimensions, dynamically adjust constraints based on execution feedback, trigger strategy regeneration, form a closed-loop defense decision mechanism, and output the sustainable optimization of the strategy.
[0021] According to a third aspect of the present disclosure, an electronic device is provided, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the steps of the above-described method for generating defense decisions based on dynamic threat situations.
[0022] According to a fourth aspect of the present disclosure, a non-transitory computer-readable storage medium is provided, wherein computer instructions are stored on the storage medium, and when executed by a processor, the instructions implement the steps of the above-described defense decision generation method for dynamic threat situations.
[0023] The present disclosure provides a defense decision generation method, system, and electronic device for dynamic threat situations, the specific benefits of which include: 1) A phased defense decision generation framework for dynamic threat evolution: This invention proposes a strategy generation framework that models the network defense process as a multi-stage dynamic decision-making process. By modeling the changes in threat situation, network environment state, and defense constraints in stages, it guides the large model to gradually generate a continuous sequence of defense strategies at different defense stages.
[0024] 2) A defense strategy reasoning method that integrates defense knowledge graphs: This invention proposes a defense knowledge graph construction method that integrates CVE vulnerability knowledge base, ATT&CK attack technology knowledge base and D3FEND defense knowledge base. In the strategy generation process, based on the current threat situation and relevant defense knowledge, the candidate defense strategies generated by the large model are reasoned and enhanced, so that the generated strategies can comprehensively combine asset information, threat type and defense resource constraints.
[0025] 3) Closed-loop defense strategy optimization mechanism based on evaluation feedback: This invention proposes a closed-loop optimization mechanism based on strategy evaluation and feedback. By comprehensively evaluating the generated defense strategy and dynamically adjusting the strategy generation direction according to the evaluation results, the defense strategy can be continuously optimized and stably output in a multi-stage process.
[0026] In summary, this invention constructs a defense method with threat situation awareness, knowledge-driven reasoning, and closed-loop optimization capabilities, which can significantly improve the automated defense decision-making capability in complex network environments.
[0027] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and are not intended to limit this disclosure. Attached Figure Description
[0028] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with the invention and, together with the description, serve to explain the principles of the invention.
[0029] Figure 1 This is a flowchart of the defense decision generation method for dynamic threat situation in this embodiment of the invention; Figure 2 This is a schematic diagram illustrating the overall implementation principle of the closed-loop defense decision generation method for dynamic threat situations in this embodiment of the invention. Figure 3 This is a schematic diagram of the strategy generation-evaluation-feedback closed loop in an embodiment of the present invention; Figure 4 This is a structural diagram of a defense decision generation system for dynamic threat situations in an embodiment of the present invention; Figure 5 This is a schematic diagram of an electronic device according to an embodiment of the present invention. Detailed Implementation
[0030] The present invention will now be described in further detail with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are for illustrative purposes only and are not intended to limit the scope of the invention. Furthermore, it should be noted that, for ease of description, only the parts relevant to the present invention are shown in the drawings, not the entire structure.
[0031] Before discussing the exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although the flowcharts describe the steps as sequential processes, many of these steps can be performed in parallel, concurrently, or simultaneously. Furthermore, the order of the steps can be rearranged. The process can be terminated when its operation is complete, but may also have additional steps not included in the figures. The process can correspond to a method, function, procedure, subroutine, subroutine, etc.
[0032] This invention relates to a method for generating defense decisions based on dynamic threat situations, such as... Figure 1 As shown, the method includes the following steps: S1. Dynamic threat situation modeling and defense knowledge base construction, including the structured description of target network topology, assets and threat events, construction of dynamic threat situation representation, and formation of defense knowledge graph by combining defense rules, response actions and security constraints; S2. Multi-stage decision strategy generation based on a large defense model, including the introduction of a large defense model as the core reasoning engine based on a defense knowledge graph, dividing the defense process into multiple defense stages, and generating a sequence of candidate defense strategies in each stage. S3, Strategy Evaluation Feedback and Closed-Loop Dynamic Optimization Output, includes multi-dimensional evaluation of candidate defense strategies, dynamic adjustment of constraints based on execution feedback, triggering strategy regeneration, forming a closed-loop defense decision-making mechanism, and outputting sustainable optimization of the strategy.
[0033] In the specific implementation process, such as Figure 2 As shown, to address the shortcomings of existing defense technologies in generating strategy-level decisions and lacking closed-loop optimization capabilities under dynamic threat situations, this paper proposes a closed-loop defense decision-making strategy generation method for dynamic threat situations. With intelligent decision-making on the defense side as the core objective, it introduces the reasoning capabilities of a large model to uniformly model the threat situation, defense resources, and security constraints, enabling multi-stage planning and dynamic strategy generation for the defense process. The overall framework is constructed as a defense decision-making chain of "situational awareness + strategy generation + closed-loop feedback optimization," enabling the system to continuously adjust its defense strategy according to threat evolution.
[0034] In the specific implementation process, S1 first provides a structured description of the target network topology, assets, and threat events, constructing a dynamic threat posture representation. This representation, combined with defense rules, response actions, and security constraints, forms a defense knowledge base, providing a decision-making basis for subsequent strategy generation. Specifically, it unifies the modeling of network asset distribution, attack phase evolution, and defense deployment status, forming a threat posture input that can be updated over time. Combined with business constraints and response permission boundaries, this provides a scenario-based foundation for defense decisions.
[0035] The dynamic threat situation representation in S1 is used to characterize the changes in the security status of a target network at different time stages, including three dimensions: threat events, signs of attack behavior, and situation evolution trends.
[0036] In S1, the defense knowledge graph is formed by establishing exploitation relationships between the vulnerability knowledge base and the attack technology knowledge base, and establishing adversarial relationships between the attack technology knowledge base and the defense knowledge base.
[0037] Specifically, the first step is to construct a defense decision knowledge base oriented towards dynamic threat scenarios. This knowledge base is used to uniformly model network environment states, threat event characteristics, and defense resource constraints, providing fundamental support for subsequent defense strategy generation. Specifically, it includes the following: (1) Dynamic threat situation modeling: Dynamic threat situation modeling is used to depict the changes in the security status of a target network at different time stages. It is mainly described from three dimensions: threat events, signs of attack behavior, and situation evolution trends. Among them, threat event characteristics are used to characterize abnormal behaviors and attack signals detected in the current network environment, including: Alarm type: scanning and probing, malicious login, vulnerability exploitation, etc. Alarm source: attack source IP, user identity, abnormal process, etc. Alarm intensity: event frequency, scope of impact, etc.
[0038] Define the set of threat events as: ,in, Indicates the first i One threatening event.
[0039] Constructing the situation state vector: ,in, Indicates the intensity of the attack activity. This indicates the risk level assessment value.
[0040] (2) Defense resources and constraints modeling: The generation of defense strategies needs to consider the callable defense actions and their constraints, including blocking, isolation, and rate limiting.
[0041] Define the set of defensive actions as: ,in, Indicates the first m There are several executable defensive actions, each with different applicable conditions, execution costs, and defensive effects.
[0042] In the process of generating defense decisions, various constraints also need to be considered. Therefore, this invention constructs a set of constraints: ,in, Indicates the first k Constraints.
[0043] (3) Construction of a defense knowledge graph based on a security knowledge base: To improve the accuracy and interpretability of defense strategy generation, this invention constructs a defense knowledge graph oriented towards dynamic threat situations. This graph is constructed based on a public network security knowledge base and includes: 1) CVE Vulnerability Knowledge Base: Used to describe known vulnerabilities and their affected assets, including vulnerability number, affected components and risk level.
[0044] 2) ATT&CK Attack Techniques Knowledge Base: Used to describe attacker behavior and attack paths, including tactics, techniques and sub-techniques, to characterize the attack process.
[0045] 3) D3FEND Defense Knowledge Base: Used to describe defense measures against attack techniques, including defense strategies such as identification, blocking, isolation, and deception.
[0046] CVE, ATT&CK, and D3FEND are modeled together to construct three types of entity relationships: vulnerability → attack technique → defense measure. Specifically, CVE establishes an exploitation relationship with ATT&CK techniques, and ATT&CK techniques establish an adversarial relationship with D3FEND defense actions. This process forms a defense knowledge graph, which is used to retrieve defense strategies related to the current threat landscape during the strategy generation phase and serves as the knowledge constraint input for large-scale model inference.
[0047] After completing the dynamic threat situation modeling and defense knowledge base construction, the defense big model serves as the core decision engine. Combining the current threat situation and constraints, a multi-stage defense decision strategy sequence is generated, and the optimal strategy is ultimately determined through candidate strategy evaluation. The specific steps are as follows: (1) Construction of decision input The threat situation features S, defense targets G, knowledge graph KG, and constraints C are encoded into input vector representations that the model can understand. Structured feature encoding is used, with graph structure or vectorization encoding for network asset status, alarm events, etc. Textual description is used, with natural language descriptions for business impact constraints, defense action templates, etc. Knowledge retrieval is enhanced by retrieving relevant triples from KG and generating knowledge context K based on the current stage and objectives.
[0048] Model input X: The knowledge graph (KG) is built from the CVE vulnerability database, the ATT&CK attack technology database, and the D3FEND defense database, and is used to provide standardized security knowledge support for the generation of defense strategies.
[0049] (2) Reasoning on multi-stage defense strategies This invention divides the defense process into multiple stages, and in each stage, it invokes a large-scale defense model to generate candidate strategy actions. The generation of each stage follows the process of "stage objective → knowledge constraints → strategy generation".
[0050] The input vector of the large-scale defense model includes threat situation features S, defense targets G, defense knowledge graph KG, and constraints C. The set of candidate strategies for each stage is , , Indicates the first Characteristics of the stage of the threat situation Indicates the relationship with the first The relevant knowledge context of the stage For historical strategy sequence, Generate functions for large-scale defense models.
[0051] (3) Multi-strategy candidate generation and ranking To improve strategy quality, this invention generates multiple candidate strategies for each stage, scores and ranks the candidate strategies, and selects the optimal strategy to enter the execution and feedback stage.
[0052] Candidate policy set A t = {a {t,1} , a {t,2} , ..., a {t,m} For each candidate strategy a, calculate the overall score:
[0053] Among them, feasibility(a): the feasibility of the strategy in the current scenario; effectiveness(a): the effect of mitigating the threat; risk(a): the risk of impact on the business system; cost(a): resource cost; the weights w1~w4 can be set by experts or obtained by training based on historical data.
[0054] Intra-stage scoring is used to rank candidate strategies, while the stage execution evaluation results are used for feedback on subsequent strategy generation, thus forming a cross-stage closed-loop optimization.
[0055] (4) Multi-stage defense strategy generation algorithm Input: Threat situation description S, defense target G, defense knowledge graph KG, constraints C, maximum number of stages T; Output: Defense strategy sequence P; Steps: First, initialize an empty defense strategy sequence P and set the current stage to 1. Execute the strategy cyclically as long as the defense objective G is not reached and the number of stages does not exceed the maximum number of stages T. In each stage, the system retrieves knowledge fragments K related to the current threat situation from the defense knowledge graph KG, and encodes the current threat situation S, defense objective G, constraints C, knowledge fragment K, and the generated strategy sequence P into a unified model input X. This input is fed into the defense model for reasoning, generating multiple candidate defense strategies. Subsequently, the candidate strategies are comprehensively evaluated and scored, and the strategy with the highest score is selected as the optimal defense strategy for this stage and added to the strategy sequence P. After evaluating the strategy, feedback is obtained. If the evaluation result indicates that the strategy is unexecutable or too risky, the constraints C are updated or the strategy weights are adjusted based on the feedback, and a new candidate strategy is generated in the current stage. If the strategy passes the evaluation, the threat situation S is updated based on the execution feedback, and the system proceeds to the next stage to continue generating defense strategies. After the loop ends, the final defense strategy sequence P is output, forming a complete multi-stage closed-loop defense decision scheme.
[0056] The strategy evaluation process can be implemented through rule engines or simulation environments to ensure the interpretability of the defense strategy generation process. Through these steps, this invention achieves multi-stage defense strategy reasoning and generation oriented towards dynamic threat situations, providing reliable strategy input for subsequent strategy execution and feedback optimization.
[0057] After completing the multi-stage defense strategy, this invention dynamically optimizes and controls the execution of the defense strategy sequence through strategy evaluation, closed-loop feedback, and security constraint control mechanisms. The specific implementation steps are as follows: (1) Evaluation of the effectiveness and impact of defense strategies A feasibility and risk assessment is performed on the generated strategy sequence P. The assessment indicators include: Defense effectiveness: The ability to suppress current threat events and the degree of risk reduction.
[0058] Feasibility: Whether the permission conditions, deployment conditions, and system resource constraints are met.
[0059] Business impact (risk): Risk of false blocking, false reporting, or loss of control of strategy.
[0060] Execution cost (cost): time, computing resources, and operational expenses.
[0061] The evaluation results form an evaluation vector F:
[0062] Based on this, the overall evaluation of the strategy sequence P is performed to obtain the comprehensive evaluation result E(P) of the strategy sequence:
[0063] Where T represents the number of strategy phases. The weighting parameters are used to evaluate the relationship between security protection effectiveness and business stability.
[0064] (2) Feedback mechanism and dynamic optimization of strategy When the strategy evaluation result fails to meet the threshold or has an excessive impact on business operations, the system will dynamically adjust the strategy generation process based on the evaluation feedback. Specifically, a feedback update will be triggered when any of the following conditions are met:
[0065] Where θ eff θ is the threshold for defense effectiveness. risk Threshold for impact on business operations.
[0066] The feedback adjustment rules are as follows: When the defense effect is insufficient, the system can retrieve stronger measures from the defense knowledge graph; when the business impact is too high, it automatically adjusts the constraint C, limiting the frequency or scope of high-intensity defense actions, and regenerates candidate strategies. The evaluation vector F and the updated constraint will serve as one of the inputs for the next round of strategy reasoning, allowing the defense strategy to gradually converge in multiple rounds of generation, forming a closed-loop optimization process of "generation—evaluation—feedback—regeneration," such as... Figure 3 As shown.
[0067] (3) Controllable execution and safe output mechanism To ensure the controllability of the defense strategy in a real-world environment, this invention introduces multiple constraint control mechanisms in the strategy output phase: Access and scope control: Allow the execution of defense policies only within authorized management domains or specified network scopes.
[0068] Business continuity constraints: Set frequency limits for defensive actions that may affect core business operations.
[0069] Strategy Explanation Output: The generated defense strategy is accompanied by the decision-making basis and risk description.
[0070] Execution interface constraints: Policies are uniformly distributed through a secure orchestration platform or policy execution engine to avoid directly generating uncontrollable instructions.
[0071] Through the aforementioned evaluation, feedback, and control mechanisms, this invention achieves closed-loop optimization of defense strategies for dynamic threat situations, enabling the large-scale defense model to continuously generate executable and interpretable multi-stage defense decision strategies while ensuring security.
[0072] Another embodiment provides a defense decision generation system 400 for dynamic threat situations, including: The Dynamic Threat Situation Modeling and Defense Knowledge Base Construction Module 410 is used to provide a structured description of the target network topology, assets, and threat events, construct a dynamic threat situation representation, and combine defense rules, response actions, and security constraints to form a defense knowledge graph. The multi-stage decision strategy generation module 420 based on the defense big model is used to divide the defense process into multiple defense stages based on the defense knowledge graph and introduce the defense big model as the core reasoning engine, and generate a sequence of candidate defense strategies in each stage. The strategy evaluation feedback and closed-loop dynamic optimization output module 430 is used to evaluate candidate defense strategies in multiple dimensions, dynamically adjust constraints based on execution feedback, trigger strategy regeneration, form a closed-loop defense decision mechanism, and output the sustainable optimization of the strategy.
[0073] In addition to the modules described above, the defense decision generation system 400 for dynamic threat situations may also include other components; however, since these components are not relevant to the embodiments of this disclosure, their illustrations and descriptions are omitted here. Other specific processes for generating defense decisions based on dynamic threat situations using the aforementioned defense decision generation system 400 are described in the above-described embodiment of the defense decision generation method for dynamic threat situations, and will not be repeated here.
[0074] Another embodiment illustrating that the system of the present invention can also be achieved by means of... Figure 5 The architecture of the computing device shown is used to implement this. Figure 5 The architecture of the computing device is shown. For example... Figure 5 As shown, the computer system 510 includes a system bus 530, one or more CPUs 540, input / output 520, and memory 550. Memory 550 can store various data or files used for computer processing and / or communication, as well as program instructions executed by the CPU, including methods for generating defense decisions based on dynamic threat situations. Figure 5 The architecture shown is merely exemplary and should be adjusted according to actual needs when implementing different devices. Figure 5One or more components are included. The memory 550, as a computer-readable storage medium, can be used to store software programs, computer-executable programs, and modules, such as the program instructions / modules corresponding to the aforementioned defense decision generation method for dynamic threat situations in this embodiment of the invention. One or more CPUs 540 execute various functional applications and data processing of the system of the present invention by running the software programs, instructions, and modules stored in the memory 550. Of course, the processor of the server provided in the embodiments of the present invention is not limited to performing the method operations described above, but can also perform related operations in the defense decision generation method for dynamic threat situation provided in any embodiment of the present invention.
[0075] The memory 550 may primarily include a program storage area and a data storage area. The program storage area may store the operating system and at least one application program required for a given function; the data storage area may store data created based on terminal usage. Furthermore, the memory 550 may include high-speed random access memory and non-volatile memory, such as at least one disk storage device, flash memory, or other non-volatile solid-state storage device. In some instances, the memory 550 may further include memory remotely configured relative to one or more CPUs 540, which can be connected to the device via a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
[0076] Input / output 520 can be used to receive input digital or character information, and to generate key signal inputs related to user settings and function control of the device. Input / output 520 may also include a display device such as a display screen.
[0077] This invention also provides a non-transitory computer-readable storage medium storing a computer program. When executed by a processor, this computer program implements the defense decision generation method for dynamic threat situations described in the above embodiments. The computer-readable storage medium of this invention can be any combination of one or more computer-readable media. A computer-readable medium can be a computer-readable signal medium or a computer-readable storage medium. For example, a computer-readable storage medium can be, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of computer-readable storage media (a non-exhaustive list) include: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination thereof. In this document, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device.
[0078] Computer-readable signal media may include data signals propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such propagated data signals may take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. Computer-readable signal media may also be any computer-readable medium other than computer-readable storage media, capable of sending, propagating, or transmitting programs for use by or in connection with an instruction execution system, apparatus, or device.
[0079] The program code contained on the storage medium can be transmitted using any suitable medium, including but not limited to wireless, wire, optical fiber, RF, etc., or any suitable combination thereof.
[0080] Furthermore, other specific operational processes of a non-transitory computer-readable storage medium are described in the above-described embodiments of the defense decision generation method for dynamic threat situations, and will not be repeated here.
[0081] In this document, the terms “comprising,” “including,” or any other variations thereof are intended to cover non-exclusive inclusion, such that a step or method that comprises a list of elements includes not only those elements but also other elements not expressly listed or inherent to such a step or method.
[0082] The above description, in conjunction with specific preferred embodiments, provides a further detailed explanation of the present invention. It should not be construed that the specific implementation of the present invention is limited to these descriptions. For those skilled in the art, various simple deductions or substitutions can be made without departing from the concept of the present invention, and all such modifications and substitutions should be considered within the scope of protection of the present invention.
Claims
1. A method for generating defense decisions based on dynamic threat situations, characterized in that, The method includes the following steps: Dynamic threat posture modeling and defense knowledge base construction include a structured description of the target network topology, assets and threat events, construction of a dynamic threat posture representation, and formation of a defense knowledge graph by combining defense rules, response actions and security constraints; Multi-stage decision strategy generation based on a large defense model includes a defense knowledge graph, which introduces a large defense model as the core reasoning engine, divides the defense process into multiple defense stages, and generates a sequence of candidate defense strategies in each stage. The strategy evaluation feedback and closed-loop dynamic optimization output include multi-dimensional evaluation of candidate defense strategies, dynamic adjustment of constraints based on execution feedback, triggering strategy regeneration, forming a closed-loop defense decision-making mechanism to output the sustainable optimization of the strategy.
2. The defense decision generation method for dynamic threat situation as described in claim 1, characterized in that, Dynamic threat posture representation is used to depict the changes in the security status of a target network at different time stages, including three dimensions: threat events, signs of attack behavior, and trends in posture evolution.
3. The defense decision generation method for dynamic threat situation as described in claim 1, characterized in that, A defense knowledge graph is formed by establishing exploitation relationships between a vulnerability knowledge base and an attack technique knowledge base, and by establishing adversarial relationships between an attack technique knowledge base and a defense knowledge base.
4. The defense decision generation method for dynamic threat situations according to claim 1, characterized in that, The input vector of the large-scale defense model includes threat situation features S, defense targets G, defense knowledge graph KG, and constraints C. The set of candidate strategies for each stage is , , Indicates the first Characteristics of the stage of the threat situation Indicates the relationship with the first The relevant knowledge context of the stage For historical strategy sequence, Generate functions for large-scale defense models.
5. The defense decision generation method for dynamic threat situations according to claim 4, characterized in that, For candidate policy set Each candidate strategy 'a' is used to calculate a comprehensive score, which is then used to rank the candidate strategies. The specific expression for the score of candidate strategy 'a' is as follows: Feasibility(a) represents the feasibility of strategy a in the current scenario, effectiveness(a) represents the mitigation effect on the threat, risk(a) represents the risk of impact on the business system, and cost(a) represents the resource cost. (Weight) , , , Indicates the weight.
6. The defense decision generation method for dynamic threat situations according to claim 5, characterized in that, The execution steps for multiple defense phases include: Input the threat situation description S, defense target G, defense knowledge graph KG, constraints C, and maximum number of stages T; Initialize an empty defense strategy sequence P; Set the current stage to 1. If the defense target G is not reached and the stage number does not exceed the maximum stage number T, continue executing the following steps: Retrieve knowledge fragments K related to the current threat situation from the defense knowledge graph KG, and encode the current threat situation S, defense target G, constraint C, knowledge fragment K, and the generated strategy sequence P into the defense big model input X. The defense big model performs reasoning and generates multiple candidate defense strategies. The candidate strategies are comprehensively evaluated and scored, and the strategy with the highest score is selected as the optimal defense strategy for this stage and added to the defense strategy sequence P. After evaluating the optimal defense strategy and obtaining feedback results, if the evaluation results indicate that the strategy is not feasible or the risk is too high, the constraint condition C is updated or the strategy weight is adjusted based on the feedback, and candidate strategies are regenerated in the current stage; if the strategy passes the evaluation, the threat situation S is updated based on the execution feedback, and the next stage is entered to continue generating defense strategies. After the loop ends, the final defense strategy sequence P is output, forming a complete multi-stage closed-loop defense decision scheme.
7. The defense decision generation method for dynamic threat situation as described in claim 1, characterized in that, The feasibility and risk assessment of the generated strategy sequence P is performed, and the assessment results form the assessment vector F: Indicates executability. Indicates business impact. Indicates execution cost, Indicates the effectiveness of the defense; A comprehensive evaluation of the policy sequence P is performed to obtain the overall evaluation result E(P): Where T represents the number of policy phases, α 1、 , α4 is the evaluation weight parameter; When the strategy evaluation result fails to reach the threshold or has an excessive impact on business, the system will dynamically adjust the strategy generation process based on the evaluation feedback. The feedback adjustment rules include: when the defense effect is insufficient, the system can retrieve stronger measures from the defense knowledge graph; when the business impact is too high, the system will automatically adjust the constraint condition C to limit the frequency or scope of high-intensity defense actions and regenerate candidate strategies; the evaluation vector F and the updated constraint condition will serve as one of the inputs for the next round of strategy reasoning, so that the defense strategy gradually converges in the multi-round generation process.
8. A defense decision generation system oriented towards dynamic threat situations, characterized in that, include: The Dynamic Threat Situation Modeling and Defense Knowledge Base Construction Module is used to provide a structured description of the target network topology, assets, and threat events, construct a dynamic threat situation representation, and combine defense rules, response actions, and security constraints to form a defense knowledge graph. The multi-stage decision strategy generation module based on the defense big model is used to divide the defense process into multiple defense stages based on the defense knowledge graph and introduce the defense big model as the core reasoning engine, and generate a sequence of candidate defense strategies in each stage. The strategy evaluation feedback and closed-loop dynamic optimization output module is used to evaluate candidate defense strategies from multiple dimensions, dynamically adjust constraints based on execution feedback, trigger strategy regeneration, form a closed-loop defense decision mechanism, and output the sustainable optimization of the strategy.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the program, it implements the steps of the defense decision generation method for dynamic threat situations as described in any one of claims 1 to 7.
10. A non-transitory computer-readable storage medium storing computer instructions, characterized in that, When the instruction is executed by the processor, it implements the steps of the defense decision generation method for dynamic threat situation as described in any one of claims 1 to 7.