A secure asset data query method, device and equipment
By parsing security asset query requests using a large language model, generating standardized QueryField objects, and automatically constructing Elasticsearch query statements, the system solves the problem of insufficient flexibility in existing query systems and achieves efficient and intelligent security asset querying.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- WEBRAY TECH BEIJING CO LTD
- Filing Date
- 2026-04-15
- Publication Date
- 2026-07-14
AI Technical Summary
Existing security asset query systems have rigid query logic and poor flexibility for non-professional users, making it difficult to meet the needs of multi-condition combination and nested queries. Furthermore, their reliance on professional DSL syntax results in a high barrier to entry and high maintenance costs.
It employs a large language model to perform semantic parsing of natural language query requests, generates standardized QueryField objects, automatically maps field types and generates structured query statements, supports multi-condition Boolean logic combination and aggregation analysis, and lowers the technical threshold.
It achieves end-to-end automated processing from natural language to structured queries, improving the intelligence and accuracy of queries, lowering the barrier to entry, and enhancing query efficiency and system maintainability.
Smart Images

Figure CN122387983A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of natural language processing, and in particular to a method, apparatus, and device for querying secure asset data. Background Technology
[0002] With the acceleration of digital transformation, enterprise network architectures are becoming increasingly complex, posing significant challenges to security asset management. The number of assets such as network devices, servers, and business systems is growing exponentially, and traditional asset management methods can no longer meet the needs of real-time monitoring, vulnerability analysis, and risk assessment. Currently, security asset information is typically stored in structured formats in large-scale databases and efficiently queried and analyzed using search engines such as Elasticsearch. However, Elasticsearch uses a domain-specific query language (DSL), whose syntax is complex and highly structured, requiring users to have a professional technical background. Non-professional users often rely on fixed templates or front-end forms to generate query statements, greatly limiting the flexibility and expressiveness of queries.
[0003] Currently, the industry primarily employs two methods for security asset queries: one is based on predefined query templates, where users select fields and conditions through forms, and the system automatically generates DSL statements. While this approach lowers the barrier to entry, the query logic is rigid and cannot support complex multi-condition combinations or nested queries. The other is a professional mode that involves directly writing DSL statements. Although highly flexible, this requires users to be proficient in Elasticsearch syntax, and the debugging and maintenance costs are high. In recent years, breakthroughs in Natural Language Processing (NLP) technology, especially the development of Large Language Models (LLM), have provided new possibilities for the conversion of natural language into structured queries. However, existing technologies have not yet effectively solved the problem of how to accurately map natural language queries to complex DSL statements in specific domains, especially when dealing with scenarios involving multi-field combinations, nested Boolean logic, and aggregation analysis, where inaccurate semantic understanding and low query generation efficiency remain. Summary of the Invention
[0004] This invention provides a method, apparatus, and device for querying secure asset data, which solves the problem that non-professional users find it difficult to write complex query statements in the prior art, and lowers the technical threshold for secure asset querying.
[0005] This invention provides a method for querying secure asset data, comprising the following steps: Receive a user's natural language query request, perform semantic parsing on the natural language query request, and obtain the parsing result; Extract the field names from the parsing results; the field names correspond to the fields in the security asset index. The query type is determined based on the predefined field type mapping rules associated with the field names; Convert the user's query content into query values that are suitable for the query type; The standardized query field object is determined based on the field name, query type, and query value. Generate a structured query statement based on the query type in the query field object; Execute the structured query statement and return the query results.
[0006] According to a security asset data query method provided by the present invention, the step of determining the query type based on the predefined field type mapping rules associated with the field name specifically includes: when the field name is a time-related field, automatically determining the query type as a range query; when the field name is a tag-related field, automatically determining the query type as a multi-value matching query; when the field name is a text-related field, automatically determining the query type as a full-text matching query; and when the field name is a vulnerability number field, automatically adopting a compound Boolean strategy to integrate single-value and multi-value queries into the should clause of the Boolean query.
[0007] According to a security asset data query method provided by the present invention, the step of generating a structured query statement based on the query type in the query field object specifically includes: matching the query operator corresponding to the retrieval engine according to the query type in the query field object; combining the query value in the query field object with the matched query operator to generate basic query conditions; allocating the basic query conditions to corresponding Boolean query clauses according to the logical relationship identifier in the query field object; when there are multiple query field objects, sorting and combining the query conditions in the Boolean query clauses according to a preset priority rule to obtain a Boolean query structure; and integrating the Boolean query structure with pagination parameters and sorting parameters to generate the final structured query statement.
[0008] According to a security asset data query method provided by the present invention, the step of sorting and combining the query conditions in the Boolean query clause according to a preset priority rule to obtain a Boolean query structure specifically includes: sorting the query field objects according to the security asset domain priority rule; constructing the execution order of the Boolean query clauses according to the sorting result; optimizing and reorganizing the query conditions in the Boolean query clauses to obtain an optimization result; and generating a Boolean query structure according to the execution order and the optimization result.
[0009] According to a security asset data query method provided by the present invention, after generating a Boolean query structure, the method further includes: performing a security semantic integrity check on the Boolean query structure; if a key risk field is missing, generating supplementary query conditions based on the natural language query request; and adding the supplementary query conditions to the original Boolean query structure to form a completed Boolean query structure.
[0010] According to a security asset data query method provided by the present invention, the semantic parsing of the natural language query request specifically includes: parsing the natural language query request through a large language model to obtain a parsing result; the parsing result includes field name, query value, query type, and query weight.
[0011] The present invention also provides a secure asset data query device, comprising the following modules: The parsing module is used to receive natural language query requests from users, perform semantic parsing on the natural language query requests, and obtain parsing results; The query field determination module is used to extract field names from the parsing results, where the field names correspond to fields in the security asset index; determine the query type based on the predefined field type mapping rules associated with the field names; convert the user query content into query values that are compatible with the query type; and determine standardized query field objects based on the field names, query types, and query values. The query statement generation module is used to generate a structured query statement based on the query type in the query field object; The query result return module is used to execute the structured query statement and return the query results.
[0012] The present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement the security asset data query method as described above.
[0013] The present invention also provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the security asset data query method as described above.
[0014] The present invention also provides a computer program product, including a computer program that, when executed by a processor, implements the security asset data query method as described above.
[0015] This invention provides a method, apparatus, and device for querying secure asset data, which offers the following advantages: By receiving a user's natural language query request, semantic parsing technology is used to transform the unstructured query intent into machine-understandable parsing results. This step overcomes the reliance of traditional query methods on specialized DSL syntax knowledge. By standardizing the parsing results into query field objects containing key information such as field names and query types, structured encapsulation of query elements is achieved, providing a unified data interface for subsequent query generation. Based on the type information in the query field objects, the system can automatically match and generate structured query statements that conform to retrieval engine specifications. This process not only avoids the tediousness of manually writing query statements but also ensures the accuracy of the query syntax. Finally, by executing the generated structured query and returning the results, end-to-end automated processing from user natural language input to query result output is achieved. Attached Figure Description
[0016] To more clearly illustrate the technical solutions in this invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.
[0017] Figure 1 This is a flowchart illustrating the secure asset data query method provided by the present invention.
[0018] Figure 2 This is a schematic diagram of the workflow for intelligent querying of security assets based on a large language model provided by the present invention.
[0019] Figure 3 This is a schematic diagram of the structure of the secure asset data query device provided by the present invention.
[0020] Figure 4 This is a schematic diagram of the structure of the electronic device provided by the present invention. Detailed Implementation
[0021] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this invention. All other embodiments obtained by those skilled in the art based on the embodiments of this invention without creative effort are within the scope of protection of this invention.
[0022] The English words or English abbreviations involved in this invention will be explained below.
[0023] LLM (Large Language Model) is a deep learning-based artificial intelligence model that can understand and generate human language text for natural language processing tasks.
[0024] DSL (Domain Specific Language) is a computer language designed specifically for a particular domain, such as the query syntax of Elasticsearch.
[0025] Elasticsearch (ES) is an open-source distributed search and analytics engine that supports fast retrieval and aggregation analysis of structured data.
[0026] IP (Internet Protocol) is a unique address used to identify network devices, such as "192.168.1.1".
[0027] CVE (Common Vulnerabilities and Exposures) is a public vulnerability numbering standard maintained by MITRE, in the format "CVE-Year-Number".
[0028] QueryField (Query Field Object) is a standardized data structure defined in this invention, containing meta-information such as field name, query value, query type, and weight.
[0029] JSON (JavaScript Object Notation) is a lightweight data interchange format used for structured representation of Elasticsearch query statements.
[0030] CIDR (Classless Inter-Domain Routing) is a method of representing IP addresses, such as "192.168.1.0 / 24".
[0031] CMDB (Configuration Management Database) is a database system that stores IT asset configuration information.
[0032] bool (Boolean Query) is a composite query type in Elasticsearch that supports combinations of must, should, must_not, and filter clauses.
[0033] Term (exact match query) is a query type in Elasticsearch that performs an exact match on field values.
[0034] `match` (full-text match query) is a query type in Elasticsearch that performs word segmentation matching on text fields.
[0035] Range queries are range queries in Elasticsearch that target numeric / time fields within a given range.
[0036] Aggregation (aggregation query) is a function in Elasticsearch for statistical analysis of data.
[0037] should (Boolean or Logical): The clause in an Elasticsearch bool query that represents an "OR" relationship.
[0038] must (Boolean and Logical): A clause in Elasticsearch bool queries that represents an "AND" relationship.
[0039] As the importance of cyberspace asset security continues to rise, the number of various network devices, servers, business systems, and other assets continues to grow, posing significant challenges to asset management, vulnerability monitoring, and security risk assessment. To achieve refined management of these security assets, more and more systems are beginning to store asset information in structured databases and perform indexing, retrieval, and behavioral analysis using query languages (such as Elasticsearch DSL). Elasticsearch (ES), as a mainstream full-text search engine, is widely used in the security field for rapid retrieval of security assets, log analysis, and event correlation. However, Elasticsearch itself uses a structured query DSL (Domain Specific Language) syntax, which is costly for non-professional users to understand and write, especially when handling multi-field, multi-condition combined queries, aggregate queries, and nested conditions, often requiring a strong technical background. Furthermore, most current security asset management platforms rely on fixed templates or front-end form components to generate query statements, limiting their query capabilities and expressive power. In recent years, natural language processing technology has developed rapidly, especially with the widespread application of Large Language Models (LLMs) such as GPT, making it possible to convert natural language into structured expressions. Using LLM to understand the user's natural language query intent and automatically convert it into structured query statements has become an important means to improve human-computer interaction capabilities and system intelligence.
[0040] Existing security asset query systems generally rely on preset query templates or form controls, resulting in fixed query logic, poor flexibility, and limited support for natural language, making it difficult to meet users' needs for freely expressing their query intent in natural language. Furthermore, these systems lack a deep understanding of query semantics and cannot automatically match query fields and query types based on user intent. Especially when handling complex scenarios such as multi-condition Boolean queries, aggregation analysis, and special fields (e.g., vulnerability numbers), manually writing structured DSL statements is often required, leading to high usage barriers, high maintenance costs, and severely impacting the system's intelligence and usability.
[0041] The purpose of this invention is to provide a semantically driven method and system for automatically generating Elasticsearch queries that combines a large language model. This system can automatically parse query intent and fields from natural language input; automatically map domain field types; intelligently infer query methods (such as matching, range, fuzzy, etc.); support multi-condition Boolean logic combinations, complex aggregation analysis, and sorting control; generate structured query statements that conform to the ES query DSL standard; and output formatted results containing readable query descriptions for easy user understanding and debugging.
[0042] This invention proposes an intelligent security asset query system and method based on a large language model, aiming to solve the problems of traditional security asset retrieval, such as reliance on fixed templates, lack of deep semantic understanding, and insufficient query flexibility. The system introduces a unified query field abstraction structure, QueryField, and combines it with deep semantic parsing of natural language queries using a large language model to automatically generate complex query statements conforming to the Elasticsearch standard, achieving intelligent, efficient, and accurate retrieval of security asset information.
[0043] The following is combined Figures 1-4 The embodiments of the present invention are described in detail.
[0044] Figure 1 This is a flowchart illustrating the secure asset data query method provided by the present invention, as shown below. Figure 1 As shown, the method includes the following steps: S110. Receive the user's natural language query request, perform semantic parsing on the natural language query request, and obtain the parsing result.
[0045] According to the security asset data query method provided by the present invention, semantic parsing of natural language query requests is performed, specifically including: parsing the natural language query requests through a large language model to obtain parsing results; the parsing results include field names, query values, query types, and query weights.
[0046] Specifically, the large language model, through its powerful natural language processing capabilities, accurately identifies and extracts key semantic elements from query requests, including but not limited to target query fields, such as core attributes of security assets like device IP address, geographic coordinates, and vulnerability number; specific query content, such as limiting conditions like IP address range and vulnerability severity level; and implicit query intent, such as exact matching, fuzzy search, or statistical analysis.
[0047] This invention introduces a Large Language Model (LLM) into a secure asset retrieval system for the first time, enabling deep semantic understanding of user natural language input. It can automatically identify query fields, operation types (such as matching, range, aggregation), and logical relationships, achieving end-to-end conversion from natural language to structured queries, significantly improving the system's intelligence level and user experience.
[0048] The system then encapsulates these parsed results into a structured collection of QueryField objects. Each QueryField object contains standardized information in four dimensions: field name (corresponding to specific fields in the Elasticsearch index, such as "ip_address", "geo_location", "cve_id", etc.), query value (the standardized query condition value), query type (the matching method automatically determined based on semantics, including full-text match, exact term match, multi-value term match, range query, etc.), and optional weight parameters (used to adjust the relative importance of each condition in multi-condition queries). Specifically, considering the characteristics of the security asset domain, the system has also established a professional field type mapping rule library, for example, automatically mapping time-related fields to range queries and tag-related fields to terms queries, ensuring optimal matching between query methods and field characteristics.
[0049] The unified data structure QueryField proposed in this invention is used to abstractly represent metadata such as query fields, query values, query types, and weights. This structure enables query conditions to have high composability and modularity, facilitating the dynamic construction, management, and expansion of complex query logic, thereby enhancing the maintainability and flexibility of the system.
[0050] Through the deep semantic parsing capabilities of the large language model, accurate conversion from natural language to structured query elements is achieved; the standardized QueryField object design not only preserves the integrity of query semantics but also provides a unified processing interface for subsequent query statement generation; the professional field type mapping mechanism ensures optimal matching between query methods and field characteristics, laying a solid foundation for generating efficient and accurate security asset queries.
[0051] S120. Extract field names from the parsing results, where each field name corresponds to a field in the security asset index; determine the query type based on the predefined field type mapping rules associated with the field name; convert the user's query content into a query value that matches the query type; and determine the standardized query field object based on the field name, query type, and query value.
[0052] According to the security asset data query method provided by the present invention, the query type is determined based on the predefined field type mapping rules associated with the field name. Specifically, the query type is automatically determined as a range query when the field name is a time-related field; as a multi-value matching query when the field name is a tag-related field; as a full-text matching query when the field name is a text-related field; and as a vulnerability number field when the query type is a vulnerability number field, a composite Boolean strategy is automatically adopted to integrate single-value and multi-value queries into the should clause of the Boolean query.
[0053] Specifically, the intelligent security asset query system first receives a natural language query request from the user. The system then uses a large language model to perform semantic parsing of the query request, extracting field names from the parsing results. These field names correspond to predefined fields in the security asset index. For example, when a user queries "Apache Log4j2 vulnerability that appeared last week," the system parses and extracts the field names "cves" (vulnerability ID field) and "@timestamp" (time-related field). The system has pre-defined field type mapping rules that automatically associate and determine the query type based on the extracted field names: when the field name "@timestamp" is identified, since this field belongs to the time category, the system automatically determines its query type as a range query; when the field name "cves" is identified, since this field belongs to the vulnerability ID field, the system automatically determines its query type as a compound Boolean strategy.
[0054] After determining the query type, the system converts the user's query content into query values that match the query type: for the "@timestamp" field, the system converts the natural language time expression "last week" into a specific time range value, such as start and end times; for the "cves" field, the system converts "Apache Log4j2" into a specific vulnerability number value, such as "CVE-2021-44228". Next, based on the field name, query type, and converted query values, the system generates a standardized query field object (QueryField). Finally, for the compound Boolean strategy of the vulnerability number field, the system automatically constructs a Boolean query and integrates single-value queries (terms) and multi-value queries (terms) into the should clause, thus forming a complete structured query statement for execution in the Elasticsearch search engine.
[0055] This embodiment introduces an automatic mapping mechanism between field types and query types, and adapts corresponding query strategies for different field types such as time, tags, text, and vulnerability numbers. In particular, it adopts a composite Boolean strategy that integrates single-value and multi-value queries for the vulnerability number field, which achieves accurate matching and automated construction of query methods. This avoids users manually selecting query types or writing complex query logic, and significantly improves the intelligence of query construction, the accuracy of semantic matching, and the recall rate for fields specific to security assets.
[0056] S130. Generate a structured query statement based on the query type in the query field object.
[0057] According to the security asset data query method provided by the present invention, a structured query statement is generated based on the query type in the query field object. Specifically, the method includes: matching the query operator corresponding to the retrieval engine based on the query type in the query field object; combining the query value in the query field object with the matched query operator to generate basic query conditions; allocating the basic query conditions to the corresponding Boolean query clauses based on the logical relationship identifier in the query field object; when there are multiple query field objects, sorting and combining the query conditions in the Boolean query clauses according to a preset priority rule to obtain a Boolean query structure; and integrating the Boolean query structure with pagination parameters and sorting parameters to generate the final structured query statement.
[0058] Specifically, in the implementation of structured query statement generation, the system implements a complete query construction pipeline. First, the query transformation engine matches appropriate Elasticsearch query operators for each field based on the query type attribute in the QueryField object by looking up a pre-defined query operator mapping table: for text fields such as "vulnerability_description", the system automatically selects the match query and configures an appropriate tokenizer; for enumeration fields such as "severity_level", it uses term exact matching; and for time fields such as "last_patch_time", it generates a range query.
[0059] During the basic query condition generation phase, the system intelligently processes the query values: it uses term exact matching for IP address fields to ensure precise location, performs term query exact matching for CVE vulnerability numbers (or performs term queries for the CVE list), and adds time zone identifiers to time values to adapt to global business scenarios. Subsequently, the condition allocation module assigns conditions to Boolean query structures based on logical relationship identifiers: critical security conditions, such as high-risk vulnerabilities, are placed in the must clause; exclusionary conditions, such as test environments, are placed in must_not; and auxiliary conditions, such as device type, are assigned to the should clause and the minimum_should_match parameter is automatically calculated.
[0060] When processing multi-condition queries, the priority engine sorts them according to security asset domain rules: vulnerability-related conditions are processed first, followed by network attributes, and finally business attributes. Ultimately, the system integrates pagination parameters (intelligently calculating `from / size`), sorting rules (supporting multi-field weighted sorting), and performance hints to output a complete query DSL conforming to RESTful specifications.
[0061] Intelligent query operator matching and numerical standardization significantly improve query accuracy and reliability; the security priority-based condition sorting mechanism effectively improves the query efficiency of key security indicators; the automatically generated standardized DSL statements retain all the functional features of a professional search engine while greatly reducing the barrier to entry.
[0062] According to the security asset data query method provided by the present invention, the query conditions in the Boolean query clause are sorted and combined according to a preset priority rule to obtain a Boolean query structure. Specifically, the method includes: sorting the query field objects according to the security asset domain priority rule; constructing the execution order of the Boolean query clauses according to the sorting result; optimizing and reorganizing the query conditions in the Boolean query clauses to obtain an optimized result; and generating a Boolean query structure according to the execution order and the optimized result.
[0063] Specifically, the system first loads the priority rule set from the security asset domain knowledge base. This rule set divides the query fields into three priority levels: the first priority is security critical fields (including CVE vulnerability number, risk level, attack vector, etc.), the second priority is network attribute fields (including IP address, port number, protocol type, etc.), and the third priority is business attribute fields (including department affiliation, asset responsible person, geographical location, etc.).
[0064] During the sorting phase, the priority engine comprehensively analyzes multiple factors, including real-time threat intelligence, asset criticality scores, and user historical query patterns, dynamically adjusting the weight coefficients of each field. For high-priority fields, such as CVE numbers with known vulnerabilities, the system elevates their corresponding query conditions to the front of the `must` clause and automatically sets a higher boost weight value. For regular-priority fields, they are sorted by business relevance and assigned to the `should` clause. Simultaneously, the system performs condition optimization and reorganization, including merging range query conditions with identical fields, eliminating redundant term queries, and performing conflict detection and automatic correction for contradictory conditions. The final generated Boolean query structure not only ensures that critical security conditions are executed first but also improves query performance through query flattening and caching strategy marking (adding cache hints to frequently queried fields).
[0065] This embodiment significantly improves the efficiency and accuracy of security asset queries through intelligent priority management and query optimization mechanisms. It dynamically adjusts field priorities based on multi-dimensional factors to ensure that critical security conditions are processed first; optimizes the query logic structure through condition reorganization and conflict detection to improve query execution reliability; and effectively enhances system response speed by combining flattening processing and caching strategies. Overall, this embodiment achieves a security asset query that highlights key aspects while also considering comprehensiveness, making the query results more aligned with the actual needs of security operations and maintenance.
[0066] According to the security asset data query method provided by the present invention, after generating the Boolean query structure, the security semantic integrity of the Boolean query structure is verified; if a key risk field is missing, supplementary query conditions are generated based on the natural language query request; the supplementary query conditions are added to the original Boolean query structure to form a complete Boolean query structure.
[0067] Specifically, the system maintains a list of key risk fields, including CVE vulnerability numbers, high-risk service ports, unpatched patches, and other core security elements, and updates this list in real time to reflect the latest threat intelligence. When a Boolean query structure is generated, the integrity verification engine performs multi-dimensional analysis: first, it checks field coverage, comparing the query conditions with the list of key risk fields; second, it analyzes the original query intent using a large language model to identify potential hidden security needs; and finally, it assesses the business rationale of the query using an asset knowledge graph. When a missing key field is detected, such as querying device information without specifying the vulnerability status, the system initiates an intelligent completion process: it generates supplementary conditions based on the query context, such as automatically adding the condition "high-risk vulnerability exists," and evaluates the reliability of the completion suggestions through a confidence scoring mechanism. These supplementary conditions are integrated into the original query structure in the form of a `should` clause, with dedicated annotations indicating the source of the completion.
[0068] This embodiment significantly improves the comprehensiveness and reliability of security asset queries through intelligent query integrity verification and automatic completion mechanisms. Based on a real-time updated list of key risk fields and multi-dimensional analysis, the system can effectively identify and complete important security conditions that users may have missed. Through collaborative analysis of large language models and knowledge graphs, it ensures that the supplementary conditions are both consistent with the query intent and have business rationality. The use of confidence scoring and annotation tagging mechanisms makes the completion process transparent and controllable. Overall, this embodiment makes the query results more comprehensively cover security risk elements while maintaining the clarity and interpretability of the query logic.
[0069] According to the security asset data query method provided by the present invention, a query structure including a basic aggregation layer and a nested aggregation layer is dynamically generated based on the user's analysis intent; the basic aggregation layer is grouped and statistically analyzed according to specified fields, and the nested aggregation layer supports multi-level sub-aggregate drill-down analysis; sampling aggregation or approximate calculation is automatically enabled for large data volume queries; and the metadata supplementation and visualization tagging functions of the aggregation results are enhanced.
[0070] The system first parses the analytical requirements from the natural language query, such as identifying the grouping dimension (department) and statistical indicators (vulnerability type) in "distribution of vulnerability types by department". The query engine then constructs a three-level processing structure: the first level groups by department through term aggregation; the second level nests term sub-aggregates to further subdivide by vulnerability type; and the third level adds filter sub-aggregates to filter high-risk vulnerabilities and calculate their proportions. For queries with more than 100,000 records, a sampler is automatically triggered to avoid memory overflow. In the results return phase, the system correlates with the CMDB database to supplement department head information, adds red warning markers to abnormal risk values, and generates clickable drill-down analysis paths.
[0071] In terms of analytical dimensions, it supports panoramic analysis from macro-statistics to micro-drill-down; in terms of query performance, dynamic optimization strategies shorten the response time for aggregating millions of data points; and in terms of result presentation, enhanced visualization and interaction improve analytical efficiency.
[0072] S140. Execute the structured query statement and return the query results.
[0073] This invention proposes an intelligent query method for security assets based on a large language model, effectively solving the technical bottlenecks in traditional security asset management, such as rigid query methods and insufficient semantic understanding. The system innovatively constructs an intelligent conversion mechanism from "natural language to structured query," and by introducing a standardized QueryField intermediate representation layer, it achieves automated generation of professional-grade Elasticsearch queries from user natural language input, enabling intelligent, efficient, and accurate retrieval of security asset information.
[0074] The system adopts a layered processing architecture. First, it performs deep semantic parsing of user queries using a domain-adapted large language model to accurately identify query intent, target fields, and conditional relationships. The parsing results are encapsulated into QueryField objects with clear semantics. These objects use a four-tuple structure (field name, query value, query type, weight) to fully preserve the query semantics. The system's built-in intelligent mapping engine automatically optimizes query strategies based on the characteristics of security assets: time-related fields use range queries by default and support time zone conversion; enumeration-related fields use term multi-value matching; text-related fields are configured with match full-text search and integrated thesaurus expansion; and for critical fields such as vulnerability numbers, a "term + terms" composite query strategy is adopted, using the should clause to improve query coverage.
[0075] For different fields, the system has built-in field type mapping rules that automatically associate the appropriate query type, ensuring that the query method matches the field attributes. For example, time fields automatically use range queries, tag fields use multi-value matching, and text fields use full-text matching by default. In particular, for vulnerability number fields in the security domain, the system uses a compound Boolean strategy, integrating single-value and multi-value queries into the should clause, effectively covering various query needs and improving query accuracy and recall.
[0076] The system's construction module dynamically generates corresponding Elasticsearch query DSLs based on the query types defined in the QueryField. It supports diverse query methods, including match, term, terms, range, exists, wildcard, fuzzy, prefix, and regexp, meeting the diverse needs of complex security asset queries. Query conditions are combined using Boolean logic structures and flexibly allocated to must, must_not, should, and filter branches, enabling automatic construction of complex Boolean queries. Furthermore, the system supports multi-level aggregation query construction, enabling grouping, statistics, and analysis of various attributes of security assets. Aggregate types cover terms, top_hits, avg, sum, stats, and cardinality, and support dynamic nesting of sub-aggregates to meet the multi-dimensional drill-down requirements of security events. The pagination and sorting modules automatically set the result range and sorting rules according to the user's query intent, ensuring the business relevance of query results and response performance.
[0077] After the query statement is generated, the system provides structured and formatted output and query description text to help users understand the query logic and assist in debugging, thereby improving the system's interpretability and user experience. The overall architecture design is based on the standardized abstraction of QueryField, effectively decoupling semantic parsing and query construction, greatly enhancing the system's maintainability and scalability.
[0078] like Figure 2 This demonstrates the complete workflow of a security asset intelligent query system based on a large language model. The system first receives natural language query requests from users, performs deep semantic understanding through a semantic parsing module (based on a large language model LLM), extracts key query elements (such as IP address, geographical location, time range, etc.), and identifies the query type (exact match, range query, etc.) and priority weight.
[0079] Subsequently, the query field encapsulation module standardizes these parsed results into QueryField objects, uniformly representing all query conditions. The query builder dynamically generates Elasticsearch query fragments based on these standardized objects, supporting various query types (such as match, term, range, etc.) and Boolean logic combinations (must, should, etc.), and employs composite query strategies to optimize results for special fields (such as vulnerability numbers). The system also supports building multi-level aggregation analyses (such as grouped term statistics, numerical calculation averages, etc.), automatically generating pagination and sorting rules, and finally constructing a complete query request body conforming to the Elasticsearch DSL specification.
[0080] The query formatting module formats the generated DSL into JSON format and adds explanatory text to improve readability. Finally, the query execution module retrieves the results and displays them through a visual interface, completing the end-to-end process from natural language input to structured result output. This design, through a layered modular architecture, enables flexible construction and efficient execution of query logic, while ensuring system interpretability and user experience.
[0081] In summary, the intelligent security asset query system and method of this invention, by deeply integrating the semantic capabilities of a large language model with the powerful search engine of Elasticsearch, overcomes the semantic limitations of traditional security asset retrieval, significantly improving the intelligence level, applicability, and retrieval efficiency of queries. It is suitable for various security business scenarios such as security device management, vulnerability analysis, and asset monitoring. Users can directly express their query needs using natural language, and the system automatically parses the intent and constructs complex query logic through a large language model, eliminating the need to master professional structured query syntax and greatly reducing the technical threshold. Regarding query construction, the system supports multi-field, multi-condition combined queries and the automatic generation of nested Boolean logic, avoiding the tedious process of manually writing DSL statements, thus improving query efficiency and ensuring accuracy. Through a standardized QueryField structure and intelligent field type mapping mechanism, the system can accurately match field meanings with query methods. In particular, it employs a combined query strategy for key fields such as IP addresses and vulnerability numbers, effectively improving the coverage of semantic matching and business relevance. In addition, the system supports automated aggregation analysis based on multiple dimensions such as asset region and type, and provides comprehensive data support for security situation awareness and decision-making through a multi-level statistical structure, realizing an integrated query capability from simple retrieval to complex analysis.
[0082] The security asset data query device provided by the present invention is described below. The security asset data query device described below can be referred to in correspondence with the security asset data query method described above.
[0083] like Figure 3 The image shows a secure asset data query device provided by the present invention, comprising: The parsing module 310 is used to receive the user's natural language query request, perform semantic parsing on the natural language query request, and obtain the parsing result; The query field determination module 320 is used to extract field names from the parsing results, with the field names corresponding to fields in the security asset index; determine the query type based on the field names and predefined field type mapping rules; convert the user query content into query values that are suitable for the query type; and determine standardized query field objects based on the field names, query types, and query values. The query statement generation module 330 is used to generate structured query statements based on the query type in the query field object; The query result return module 340 is used to execute structured query statements and return query results.
[0084] Figure 4 An example is a schematic diagram of the physical structure of an electronic device, such as... Figure 4 As shown, the electronic device may include a processor 410, a communications interface 420, a memory 430, and a communication bus 440. The processor 410, communications interface 420, and memory 430 communicate with each other via the communication bus 440. The processor 410 can invoke logical instructions in the memory 430 to execute a security asset data query method. This method includes: receiving a user's natural language query request; performing semantic parsing on the natural language query request to obtain a parsing result; extracting field names from the parsing result, where each field name corresponds to a field in the security asset index; determining the query type based on predefined field type mapping rules associated with the field name; converting the user's query content into a query value adapted to the query type; determining a standardized query field object based on the field name, query type, and query value; generating a structured query statement based on the query type in the query field object; executing the structured query statement and returning the query result.
[0085] Furthermore, the logical instructions in the aforementioned memory 430 can be implemented as software functional units and, when sold or used as independent products, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, essentially, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods of the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0086] On the other hand, the present invention also provides a computer program product, which includes a computer program that can be stored on a non-transitory computer-readable storage medium. When the computer program is executed by a processor, the computer can execute the security asset data query method provided by the above methods. The method includes: receiving a user's natural language query request; performing semantic parsing on the natural language query request to obtain a parsing result; extracting field names from the parsing result, wherein the field names correspond to fields in the security asset index; determining the query type according to the field names and predefined field type mapping rules; converting the user's query content into a query value that matches the query type; determining a standardized query field object based on the field name, query type, and query value; generating a structured query statement based on the query type in the query field object; executing the structured query statement and returning the query result.
[0087] In another aspect, the present invention also provides a non-transitory computer-readable storage medium storing a computer program thereon. When executed by a processor, the computer program implements a security asset data query method provided by the above methods. The method includes: receiving a user's natural language query request; performing semantic parsing on the natural language query request to obtain a parsing result; extracting field names from the parsing result, wherein the field names correspond to fields in the security asset index; determining a query type based on the field names and predefined field type mapping rules; converting the user's query content into a query value adapted to the query type; determining a standardized query field object based on the field name, query type, and query value; generating a structured query statement based on the query type in the query field object; executing the structured query statement and returning the query result.
[0088] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.
[0089] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., including several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods of various embodiments or some parts of embodiments.
[0090] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims
1. A method for querying security asset data, characterized in that, include: Receive a user's natural language query request, perform semantic parsing on the natural language query request, and obtain the parsing result; Extract the field names from the parsing results; the field names correspond to the fields in the security asset index. The query type is determined based on the predefined field type mapping rules associated with the field names; Convert the user's query content into query values that are suitable for the query type; The standardized query field object is determined based on the field name, query type, and query value. Generate a structured query statement based on the query type in the query field object; Execute the structured query statement and return the query results.
2. The method for querying security asset data according to claim 1, characterized in that, The step of determining the query type based on the predefined field type mapping rules associated with the field name specifically includes: When the field name is a time-related field, the query type is automatically determined to be a range query; When the field name is a tag field, the query type is automatically determined to be a multi-value matching query; When the field name is a text field, the query type is automatically determined to be a full-text matching query; When the field name is a vulnerability number field, a compound Boolean strategy is automatically adopted, which combines single-value queries and multi-value queries into the should clause of the Boolean query.
3. The method for querying security asset data according to claim 1, characterized in that, The step of generating a structured query statement based on the query type in the query field object specifically includes: Based on the query type in the query field object, match the query operator corresponding to the search engine; The query values in the query field object are combined with the matching query operators to generate basic query conditions; Based on the logical relationship identifier in the query field object, the basic query conditions are assigned to the corresponding Boolean query clauses; When there are multiple query field objects, the query conditions in the Boolean query clause are sorted and combined according to a preset priority rule to obtain a Boolean query structure. The Boolean query structure is integrated with pagination parameters and sorting parameters to generate the final structured query statement.
4. The method for querying security asset data according to claim 3, characterized in that, The step of sorting and combining the query conditions in the Boolean query clause according to a preset priority rule to obtain the Boolean query structure specifically includes: Sort the query field objects according to the priority rules of the security asset domain; The execution order of constructing Boolean query clauses according to the sorting results; The query conditions in the Boolean query clause are optimized and reorganized to obtain the optimized result; A Boolean query structure is generated based on the execution order and the optimization result.
5. The method for querying security asset data according to claim 4, characterized in that, After generating the Boolean query structure, the method further includes: Perform a security semantic integrity check on the Boolean query structure; If key risk fields are missing, supplementary query conditions will be generated based on the natural language query request. The supplementary query conditions are added to the original Boolean query structure to form the completed Boolean query structure.
6. The method for querying security asset data according to claim 1, characterized in that, The semantic parsing of the natural language query request specifically includes: The natural language query request is parsed using a large language model to obtain the parsing result; The parsing results include field names, query values, query types, and query weights.
7. A security asset data query device, characterized in that, include: The parsing module is used to receive natural language query requests from users, perform semantic parsing on the natural language query requests, and obtain parsing results; The query field determination module is used to extract field names from the parsing results, where the field names correspond to fields in the security asset index; determine the query type based on the predefined field type mapping rules associated with the field names; convert the user query content into query values that are compatible with the query type; and determine standardized query field objects based on the field names, query types, and query values. The query statement generation module is used to generate a structured query statement based on the query type in the query field object; The query result return module is used to execute the structured query statement and return the query results.
8. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the computer program, it implements the security asset data query method as described in any one of claims 1 to 6.
9. A non-transitory computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by the processor, it implements the security asset data query method as described in any one of claims 1 to 6.
10. A computer program product, comprising a computer program, characterized in that, When the computer program is executed by the processor, it implements the security asset data query method as described in any one of claims 1 to 6.