An ai-driven three-dimensional apt network security dynamic defense method and system

By employing an AI-driven, multi-dimensional cybersecurity defense approach, combined with a zero-trust platform, real-time collection and analysis of diverse security data is achieved. This process identifies anomalies and generates response strategies, resolving the fragmentation and delayed response issues inherent in existing cybersecurity protection systems. Ultimately, this enables proactive defense and adaptive capabilities against advanced persistent threats.

CN122394829APending Publication Date: 2026-07-14CHINA TOWER CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CHINA TOWER CO LTD
Filing Date
2026-02-26
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing cybersecurity protection systems suffer from fragmented protection, delayed response, and insufficient intelligence, making them unable to effectively respond to advanced persistent threats (APT) attacks. In particular, they lack the ability to detect new technologies and unknown attacks, and their reliance on manual operation leads to inefficiency.

Method used

We adopt an AI-driven, three-dimensional dynamic network security defense approach. By deeply integrating AI agents with a zero-trust security protection platform, we collect diverse and heterogeneous security data in real time, establish a baseline model, identify abnormal data, conduct in-depth correlation and threat analysis, generate response strategies, and implement collaborative protection at the network, terminal, and data levels. The results are then fed back to the AI ​​agents for iterative optimization.

Benefits of technology

It enables proactive and dynamic defense against advanced persistent threats, enhances defense capabilities, shortens threat dwell time, reduces false alarm rates, improves the automation and intelligence of security operations, and forms an adaptive defense system capable of coping with the evolution of the network threat environment.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394829A_ABST
    Figure CN122394829A_ABST
Patent Text Reader

Abstract

The application discloses an AI-driven three-dimensional APT network security dynamic defense method and system, belonging to the technical field of network security, comprising real-time collection and processing of multi-element heterogeneous security data of networks, terminals and applications. A baseline model is established based on the processed multi-element heterogeneous security data, and abnormal data is identified. The abnormal data is subjected to deep correlation and threat analysis to obtain analysis results. Response strategies are generated according to the analysis results, and corresponding decision instructions are issued to a zero-trust security protection platform. Based on the decision instructions, cooperative protection actions are implemented at the network, terminal and data levels. The protection results are fed back to the AI agent for iterative optimization. The application deeply integrates the cognitive decision-making ability of intelligent AI and the execution ability of the zero-trust security protection platform, forms an organic whole with a 'perception-cognition-decision-protection' closed loop, and realizes a paradigm shift from passive, static and single-point protection to active, dynamic and three-dimensional protection.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of network security technology, and specifically relates to an AI-driven three-dimensional dynamic defense method and system for APT network security. Background Technology

[0002] With the accelerating pace of digital transformation, information systems in governments and enterprises at all levels carry a large amount of sensitive data and critical business operations, making them prime targets for Advanced Persistent Threat (APT) attacks. APT attacks are characterized by long-term latency, technical complexity, and clear targeting, making traditional static, single-point network security protection systems ineffective. Existing network security protection systems typically consist of independent security products such as firewalls, intrusion detection systems (IDS), and antivirus software, which have significant limitations. First, these products operate independently, lacking collaborative mechanisms, resulting in isolated security data silos and an inability to construct a complete attack chain perspective, leaving attackers with opportunities to exploit blind spots. Second, existing solutions primarily rely on pre-set rule bases and signature-based threat matching, which is severely inadequate for detecting unknown APT attacks employing new technologies such as zero-day vulnerabilities and fileless attacks. Furthermore, the response and analysis of security incidents heavily depend on manual operations by security experts, resulting in excessively long cycles from threat discovery to final resolution, leading to low efficiency and failing to meet the need for real-time countermeasures against APT attacks. While artificial intelligence (AI) technology and the zero-trust security concept have been introduced into the cybersecurity field, existing solutions often simply combine the two or apply them only to single aspects such as threat detection and access control. There is a lack of a complete system that deeply couples AI intelligent decision-making with comprehensive security execution capabilities. For example: 1. Traditional perimeter security devices (such as next-generation firewalls) primarily rely on IP, port, and static policies for access control, offering limited detection capabilities against application-layer threats and internal lateral movement. 2. Standalone zero-trust network access (ZTNA) solutions focus on authentication and authorization in remote access scenarios, typically lacking deep integration with endpoint and data security capabilities, as well as AI-driven dynamic policy adjustment capabilities. 3. Signature-based detection systems (such as traditional antivirus software) depend on signature databases of known threats, making it difficult to identify and defend against new and covert APT attack methods. 4. Isolated data loss prevention (DLP) systems rely mainly on static rules such as keywords and regular expressions, resulting in high false positive rates and difficulty adapting to dynamic changes in business and data formats. In summary, existing technologies suffer from core defects such as fragmented protection, delayed response, insufficient intelligence, and static policies. Therefore, there is an urgent need for an innovative and systematic solution to enhance proactive, dynamic, and systematic defense capabilities against advanced persistent threats. Summary of the Invention

[0003] To address the aforementioned issues, this invention provides an AI-driven, three-dimensional dynamic defense method and system for APT network security, which solves the problems of fragmented protection, delayed response, insufficient intelligence, and inability to dynamically adjust based on real-time risk assessment results in existing network security protection systems.

[0004] An AI-driven, three-dimensional dynamic defense method for APT cybersecurity, based on a system architecture that deeply integrates AI agents and a zero-trust security protection platform, includes: Collect and process diverse and heterogeneous security data from networks, terminals, and applications in real time; A baseline model is established based on the processed multi-dimensional heterogeneous security data, and abnormal data is identified. Perform in-depth correlation and threat analysis on abnormal data to obtain analysis results; Based on the analysis results, a response strategy is generated and corresponding decision instructions are issued to the zero-trust security protection platform. Based on decision-making instructions, coordinated protection actions are implemented at the network, terminal, and data levels, and The protection results are fed back to the AI ​​agent for iterative optimization.

[0005] According to a specific embodiment of the present invention, the real-time collection and processing of diverse heterogeneous security data from networks, terminals, and applications specifically includes: Real-time collection of network traffic data, system logs, terminal process information, and user operation behavior data, followed by data cleaning and standardization.

[0006] According to a specific embodiment of the present invention, a baseline model is established based on processed multi-dimensional heterogeneous security data, and the identification of anomalous data specifically includes: Based on the processed network traffic data and user operation behavior data, an unsupervised learning algorithm is used to establish a baseline model and identify abnormal data that deviates from the baseline.

[0007] According to a specific embodiment of the present invention, the analysis results obtained by performing deep correlation and threat analysis on abnormal data further include: An attack knowledge graph is constructed based on abnormal data, and security events are associated with the attack knowledge graph. The attack knowledge graph includes attack tactics, techniques, programs, vulnerability information, and malware family relationships. Based on the neural symbol system, interpretable analysis and logical reasoning of security events are performed to identify the attack intent of security events; Based on user and entity behavior analysis, a behavioral baseline for each user and device is established, and a machine learning model is used to continuously monitor and analyze security events to identify internal threats and abnormal accounts.

[0008] According to a specific embodiment of the present invention, generating a response strategy based on the analysis results and issuing corresponding decision instructions to the zero-trust security protection platform further includes: The identified threats are quantitatively assessed for risk, and a risk value is calculated by combining the severity level of the threat, the importance of the affected assets, and the rate of attack spread. The risk level and threat type are determined based on the risk value, and a corresponding response policy is selected from a predefined response policy library. These response policies include isolating devices, blocking IPs, resetting passwords, and issuing alarm notifications. Issue decision instructions corresponding to the response strategy to the zero-trust security protection platform, and automate the response decision instructions through security orchestration to automatically execute the response strategy.

[0009] According to a specific embodiment of the present invention, implementing coordinated protection actions at the network, terminal, and data layers based on decision instructions specifically includes: Based on decision-making instructions, network boundary security protection, endpoint security protection, and data security protection are executed respectively.

[0010] According to a specific embodiment of the present invention, network boundary security protection includes AI-integrated intelligent firewall and Web application firewall protection, DDoS protection, and 4T trusted access protection based on continuous verification of identity, terminal, application, and behavior.

[0011] According to a specific embodiment of the present invention, endpoint security protection includes using a dual-engine endpoint protection platform that employs a local virus database and cloud-based threat intelligence to perform virus detection and removal, and to perform endpoint security monitoring, application hardening, and peripheral device management.

[0012] According to a specific embodiment of the present invention, data security protection includes using natural language processing and pattern recognition technologies to perform data classification, categorization and protection for the intelligent data leakage prevention system, and using secure multi-party computation and homomorphic encryption technologies to perform privacy computation.

[0013] An AI-driven, three-dimensional, dynamic APT cybersecurity defense system includes: The data acquisition module is used to collect and process diverse and heterogeneous security data from networks, terminals, and applications in real time. The anomaly detection module is used to establish a baseline model based on the processed multi-dimensional heterogeneous security data and to identify anomalous data. The Deep Correlation and Analysis module is used to perform deep correlation and threat analysis on abnormal data and obtain analysis results. The response strategy generation module is used to generate response strategies based on the analysis results and issue corresponding decision instructions to the zero-trust security protection platform. The action execution module is used to implement coordinated protection actions at the network, terminal, and data levels based on decision commands. The feedback and optimization module is used to feed the protection results back to the AI ​​agent for iterative optimization.

[0014] According to a specific embodiment of the present invention, the deep correlation and analysis module further includes: The association module is used to build an attack knowledge graph based on abnormal data and associate security events with the attack knowledge graph. The attack knowledge graph includes attack tactics, techniques, programs, vulnerability information, and malware family relationships. The interpretability analysis module is used to perform interpretability analysis and logical reasoning on security events based on the neural symbol system, and to identify the attack intent of security events; The threat identification module is used to establish behavioral baselines for each user and device based on user and entity behavior analysis, and to continuously monitor and analyze security events through machine learning models to identify internal threats and abnormal accounts.

[0015] According to a specific embodiment of the present invention, the response strategy generation module further includes: The risk assessment module is used to quantify the risk assessment of identified threats and calculate the risk value by combining the severity level of the threat, the importance of the affected assets, and the speed of attack spread. The policy generation module determines the risk level and threat type based on the risk value and selects the appropriate response policy from a predefined response policy library. These response policies include isolating devices, blocking IPs, resetting passwords, and issuing alarm notifications. The instruction issuance module is used to issue decision instructions corresponding to the response policy to the zero-trust security protection platform, and to automatically execute the response policy by automating the response decision instructions through security orchestration.

[0016] An electronic device includes a processor and a memory, wherein a computer program is stored in the memory, and the computer program is loaded and executed by the processor to implement the aforementioned AI-driven three-dimensional APT network security dynamic defense method.

[0017] A computer-readable storage medium storing a computer program, which is loaded and executed by a processor to implement the aforementioned AI-driven three-dimensional APT network security dynamic defense method.

[0018] Compared with existing technologies, the AI-driven three-dimensional dynamic defense method and system for APT network security provided by this invention has the following advantages: 1. It has achieved a fundamental shift from passive response to proactive prediction, significantly improving the ability to defend against advanced persistent threats (APTs).

[0019] This invention utilizes an AI agent to establish a dynamic behavioral baseline through unsupervised learning, and combines attack knowledge graphs with UEBA for deep threat hunting. It can identify abnormal behaviors that deviate from normal patterns in the early stages of attack reconnaissance and lateral movement, thereby achieving proactive discovery and predictive defense against APT attacks, effectively shortening threat dwell time and minimizing losses.

[0020] 2. It breaks down data silos and capability barriers between security products, forming a collaborative and interconnected three-dimensional protection system.

[0021] In existing technologies, various security devices operate independently, making it difficult to cope with complex attack chains. This invention constructs an architecture centered on an AI agent and based on a zero-trust platform, and designs standardized linkage interfaces to achieve deep collaboration across the three security layers: network, endpoint, and data. Once a threat is identified, the system can automatically schedule components such as firewalls, EDR, and DLP to execute a combination of response strategies including isolation, blocking, and encryption, building a comprehensive protection capability without blind spots.

[0022] 3. It significantly improves the automation and intelligence level of security operations, and reduces reliance on scarce security experts and labor costs.

[0023] This invention automates the threat analysis, assessment, decision-making, and response processes through AI intelligent agents and security orchestration automation response technology. The system can automatically complete the entire process from correlating events from massive logs and assessing risks to issuing handling instructions, freeing security personnel from tedious alarm review and manual operations, improving operational efficiency by more than 50%, and allowing limited expert resources to focus on more complex strategic analysis and strategy optimization.

[0024] 4. Through intelligent data identification and dynamic strategy adjustment, precise protection is achieved, effectively reducing the false alarm rate.

[0025] Traditional static rule-based DLP systems suffer from high false alarm rates, impacting normal business operations. This invention's intelligent DLP employs NLP technology to self-learn sensitive data features, significantly improving data classification accuracy. Simultaneously, the zero-trust platform's dynamic access control policies are adjusted based on real-time AI risk assessment results, achieving "on-demand allocation" of access permissions. This ensures security while minimizing interference with legitimate business operations, achieving a balance between security and efficiency.

[0026] 5. A dynamic defense system with adaptive capabilities has been built, which can continuously evolve as the network threat environment changes.

[0027] The core advantage of this invention lies in the formation of a complete closed loop of "perception-cognition-decision-protection-feedback". The outcome of each threat response is fed back to the AI ​​agent to optimize the detection model and response strategy. This transforms the entire defense system from a static "black box" of rules into an organic entity capable of continuous learning, iteration, and evolution from real-world experience, possessing long-term viability to address future emerging cyber threats. Attached Figure Description

[0028] To more clearly illustrate the technical solutions in the embodiments of this disclosure or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this disclosure. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0029] Figure 1 This is a flowchart of an AI-driven, three-dimensional dynamic defense method for APT network security, provided according to an embodiment of the present invention.

[0030] Figure 2 This is a flowchart of a method for deep correlation and threat analysis of abnormal data according to an embodiment of the present invention.

[0031] Figure 3 This is a flowchart of a method for generating a response strategy based on analysis results and issuing corresponding decision instructions to a zero-trust security protection platform, according to an embodiment of the present invention.

[0032] Figure 4 This is a structural diagram of an AI-driven, three-dimensional APT network security dynamic defense system according to an embodiment of the present invention.

[0033] Figure 5 This is a structural diagram of a deep association and analysis module provided according to an embodiment of the present invention.

[0034] Figure 6 This is a structural diagram of a response strategy generation module provided according to an embodiment of the present invention.

[0035] Figure 7 This is a schematic diagram of a computer device structure according to an embodiment of the present invention.

[0036] Figure label: 01-Data Acquisition Module; 02-Anomaly Detection Module; 03-Deep Correlation and Analysis Module; 04-Response Strategy Generation Module; 05-Action Execution Module; 06-Feedback and Optimization Module; 031-Association Module; 032-Explainability Analysis Module; 033-Threat Identification Module; 041-Risk assessment module; 042-Strategy generation module; 043-Instruction issuance module. Detailed Implementation

[0037] To enable those skilled in the art to more clearly understand the concepts and ideas of the present invention, the present invention is described in detail below with reference to specific embodiments. It should be understood that the embodiments given herein are only a part of all possible embodiments of the present invention. Those skilled in the art, after reading this specification, are capable of making improvements, modifications, or substitutions to parts or the entirety of the following embodiments, and such improvements, modifications, or substitutions are also included within the scope of protection claimed by the present invention.

[0038] In this document, the terms “announcement,” “arrival,” and other similar words are not intended to imply any order, quantity, or importance, but are merely used to distinguish different elements. The terms “one,” “a,” and other similar words are not intended to indicate the existence of only one thing, but rather that the description pertains to only one of the things, which may have one or more. The terms “contains,” “includes,” and other similar words are intended to indicate a logical relationship, not a spatial relationship. For example, “A includes B” means that logically B belongs to A, not that spatially B is located inside A. Furthermore, the meanings of the terms “contains,” “includes,” and other similar words should be considered open-ended, not closed. For example, “A includes B” means that B belongs to A, but B does not necessarily constitute all of A; A may also include other elements such as C, D, and E.

[0039] In this document, the terms "embodiment," "this embodiment," "an embodiment," and "one embodiment" do not imply that the description applies only to one specific embodiment, but rather that such description may also be applicable to one or more other embodiments. Those skilled in the art will understand that any description made herein with respect to one embodiment can be substituted, combined, or otherwise combined with the descriptions in one or more other embodiments. New embodiments resulting from such substitutions, combinations, or other combinations are readily conceived by those skilled in the art and fall within the scope of protection of this invention.

[0040] Example 1 Additional aspects and advantages of embodiments of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of embodiments of the invention. Figures 1-3 This invention provides an AI-driven, three-dimensional dynamic defense method for APT network security. This method is based on a system architecture that deeply integrates AI agents and a zero-trust security protection platform. The method includes: S1: Collects and processes diverse and heterogeneous security data from networks, terminals, and applications in real time.

[0041] S2: Establish a baseline model based on the processed multi-dimensional heterogeneous security data and identify anomalous data.

[0042] S3: Perform in-depth correlation and threat analysis on abnormal data to obtain analysis results.

[0043] S4: Generate response strategies based on the analysis results and issue corresponding decision instructions to the zero-trust security protection platform.

[0044] S5: Implements coordinated protection actions at the network, terminal, and data levels based on decision-making instructions.

[0045] S6: Feedback the protection results to the AI ​​agent for iterative optimization.

[0046] In a specific embodiment of this invention, to address the problems of "single-point protection, data silos, and passive response" in existing government cybersecurity systems, this invention deeply integrates AI agents with a zero-trust security protection platform to construct a comprehensive APT cybersecurity dynamic defense system with a closed-loop capability of "perception-cognition-decision-protection." This system achieves three-dimensional collaborative defense of networks, terminals, data, and applications, and uses AI technology to realize intelligent security operations and maintenance, reducing reliance on professional security personnel, improving security operation efficiency and reducing labor costs. It also enhances the intelligent detection, in-depth analysis, and automated response capabilities to complex network attacks such as Advanced Persistent Threats (APTs), shortening threat dwell time. The AI ​​agent is responsible for in-depth analysis of network-wide security data, threat assessment, and policy generation. It adopts a layered architecture, with each layer working collaboratively. The system architecture of the AI ​​agent comprises an infrastructure layer (i.e., the AI ​​computing platform), a perception layer (i.e., the data sharing and open platform), a cognition layer (i.e., the AI ​​agent application development platform), and a decision-making layer (i.e., the AI ​​middleware). The infrastructure layer, serving as the underlying computing power of the entire AI agent, provides high-performance GPU / TPU computing resources. This platform supports the training and inference of large-scale machine learning (ML) and deep learning (DL) models, and can process massive amounts of network traffic logs, terminal behavior data, and security event alarms in parallel. It provides a model training environment and real-time analysis capabilities for upper-layer applications. The platform has elastic scalability, dynamically allocating computing power according to the scale of security threats. The perception layer is responsible for the collection, aggregation, and preliminary processing of multi-source heterogeneous security data, providing high-quality input for upper-layer cognitive analysis. The cognition layer is responsible for deep correlation, intent understanding, and attack chain reconstruction of anomalies and threats reported by the perception layer. The decision-making layer is responsible for automatically generating the optimal response strategy and issuing instructions based on the threat analysis results from the cognition layer. The Zero Trust Security Platform acts as the "executor" of the AI ​​agent's decision-making, responsible for implementing specific protective actions in the physical world. It covers all aspects of cybersecurity, including network boundary security, endpoint security, and data security. This system architecture and linkage mechanism successfully constructs an intelligent, dynamic defense system capable of self-evolution and collaborative defense, effectively addressing the challenges of advanced persistent threats.

[0047] In a specific embodiment of the present invention, for scenarios with limited resources, a hybrid deployment mode combining cloud-based intelligent AI services with a local lightweight zero-trust gateway can be adopted to reduce initial investment.

[0048] Specifically, step S1 involves real-time collection and processing of diverse heterogeneous security data from the network, terminals, and applications, including: Real-time collection of network traffic data, system logs, terminal process information, and user operation behavior data, followed by data cleaning and standardization.

[0049] In a specific embodiment of the present invention, network traffic data, system logs, terminal process information, and user operation behavior data are first collected in real time by traffic probes and proxies deployed at network boundaries, key servers, and terminal devices. The network traffic data includes, but is not limited to, source / destination IP addresses, port numbers, communication protocols, number of data packets, number of bytes, and session start and end times. System logs include, but are not limited to, operating system event logs, application error logs, user authentication logs, and alarm and blocking logs from security devices. The collected raw data is then cleaned, standardized, and correlated to eliminate noise and transform the scattered and chaotic massive amounts of security data into uniformly formatted, high-quality security data, providing a reliable data foundation for subsequent intelligent analysis and automated decision-making. Specifically, the data is first validated and cleaned. For example, meaningless traffic records with source IPs that are private addresses or multicast addresses are filtered out; encoding errors or garbled characters in the logs are corrected or marked; and duplicate log entries caused by network jitter are deduplicated. The cleaned data is then standardized / normalized to unify data from different sources and in different formats into standardized internal data. The engine maps various types of data to a unified JSON format based on predefined parsing templates. The processed data forms a high-quality, standardized, and secure data lake.

[0050] Specifically, step S2 establishes a baseline model based on the processed multi-dimensional heterogeneous security data and identifies anomalous data, including: Based on the processed network traffic data and user operation behavior data, an unsupervised learning algorithm is used to establish a baseline model and identify abnormal data that deviates from the baseline.

[0051] In a specific embodiment of the present invention, a baseline modeling and anomaly detection engine in an AI intelligent agent application development platform is used for baseline modeling and anomaly identification. The aim is to utilize unsupervised learning algorithms (such as cluster analysis) to learn normal patterns from normal network and user behavior, thereby automatically identifying abnormal data without relying on predefined attack signatures. Baseline modeling comprises two parallel and interconnected modeling processes: network traffic behavior baseline modeling and user operation behavior baseline modeling. For network traffic behavior baseline modeling, the model is first constructed and trained. The engine uses processed network traffic data as input to the model and employs cluster analysis to construct and train the network traffic behavior baseline model. After training, the system establishes a dynamic behavioral baseline for each network entity (such as an IP address). This baseline is not a fixed value but a dynamic threshold range that changes over time. The engine compares the actual traffic characteristics of the entity within the current time window with the baseline model. Abnormal network behavior is determined when the following occurs: 1. Sudden increase / decrease in traffic: The actual traffic value significantly exceeds or falls below the confidence interval predicted by the time series model at multiple consecutive time points. 2. Deviation in Behavioral Pattern: The entity's current behavioral feature vector is determined in the clustering model to not belong to any "normal behavior cluster," or to a very small "abnormal cluster." 3. Low-Frequency High-Risk Communication: Communication with IPs of known malware, servers, or high-risk geographical locations is detected, even if the traffic is small, and will be marked as a deviation from the implicit baseline of "secure access to external resources." For user operation behavior baseline modeling, the engine uses processed user operation behavior data as input to the model and builds a behavioral profile for each user, using statistical methods to describe their normal behavioral characteristics, such as: this user usually logs in between 9-12 am, 99% of logins come from city A, and accesses the file server an average of 10 times per day. When analyzing user sessions in real time, the user's current behavior is compared with their personal baseline profile and sequence model. When the following situations occur, it is determined to be abnormal user behavior (i.e., potential user account leakage or internal threat): 1. Abnormal Time / Location: The user logs into the system outside of working hours (such as 2 am) or from a place they have never been before (such as overseas). 2. Privilege Escalation: A regular user account suddenly attempts to access sensitive systems or data that are only accessible to executives or IT administrators. 3. Anomaly in Behavioral Sequence: The order of actions performed by a user after logging in deviates significantly from the high-probability sequence predicted by the HMM model. For example, a finance staff member logs in and immediately executes a system permission query command instead of accessing the finance system. Identified abnormal network traffic events and user behavior events that deviate from the baseline are packaged into unified abnormal security events, accompanied by anomaly scores, triggering rule types, and related entity information. These events are reported in real time and serve as key inputs for in-depth correlation analysis and attack chain reconstruction.

[0052] Specifically, step S3 performs in-depth correlation and threat analysis on the abnormal data, and the analysis results further include: S31: Construct an attack knowledge graph based on abnormal data and associate security events with the attack knowledge graph, which includes attack tactics, techniques, programs, vulnerability information, and malware family relationships.

[0053] S32: Based on the neural symbol system, perform interpretability analysis and logical reasoning on security events to identify the attack intent of security events.

[0054] S33: Establish behavioral baselines for each user and device based on user and entity behavior analysis, and continuously monitor and analyze security events through machine learning models to identify internal threats and abnormal accounts.

[0055] In one specific embodiment of the present invention, the present invention first constructs an attack knowledge graph based on the abnormal data identified in step S2, which includes attack tactics, techniques, procedures (TTPs), vulnerability information, and malware family relationships. When a security incident occurs, the system associates the security incident with the attack knowledge graph to quickly identify the attacker's tactical intent and the attack organization to which they belong. Then, combining neural networks and symbolic systems, the neural network learns patterns from the data, and the symbolic system leverages its logical reasoning advantages to perform logical reasoning and interpretability analysis on the security incident, thereby identifying the attack intent of the security incident. For example, when the neural network detects a suspicious file, the symbolic system infers the possible role of the file in the attack chain based on predefined rules. Finally, the attack chain is reconstructed using User and Entity Behavior Analysis (UEBA). By establishing behavioral baselines for each user and device and continuously analyzing their behavioral dynamics through machine learning models, when a user account accesses sensitive data from an unfamiliar location at an abnormal time, or when a server initiates an abnormal external connection, the system can promptly identify potential account leaks or internal threats.

[0056] In a specific embodiment of the present invention, the neural symbol system can be simplified into a knowledge graph reasoning model based on graph neural networks (GNN) in a specific scenario to reduce the implementation complexity.

[0057] Specifically, step S4, which generates a response strategy based on the analysis results and issues corresponding decision instructions to the zero-trust security protection platform, further includes: S41: Quantify the risk assessment of identified threats and calculate the risk value by combining the severity level of the threat, the importance of the affected assets, and the rate of attack spread.

[0058] S42: Determine the risk level and threat type based on the risk value, and select the corresponding response policy from the predefined response policy library. The response policies include isolating devices, blocking IPs, resetting passwords, and alarm notifications.

[0059] S43: Issue decision instructions corresponding to the response strategy to the zero-trust security protection platform, and automatically execute the response strategy by automating the response decision instructions through security orchestration.

[0060] In a specific embodiment of this invention, the invention generates corresponding strategies based on the analysis results, realizing a closed loop from "cognition" to "protection." Its core lies in transforming AI analysis results into executable security actions. This step is primarily executed by the security orchestration automation response engine of the AI ​​platform. Specifically, after receiving the threat analysis results, the AI ​​platform first activates a dynamic risk assessment model to quantify and classify the threat, assigning values ​​based on the threat severity level, the importance of the affected assets, and the attack's spread rate. The threat severity level can be assigned based on the inherent attributes of the threat itself. For example, attacks exploiting zero-day vulnerabilities are assigned a "critical" score (90-100 points); known malware activity is assigned a "high" score (70-89 points); while ordinary policy violations may be assigned a "medium" score (50-69 points). The scoring criteria can refer to general vulnerability scoring systems or the confidence level of internal threat intelligence. For assigning importance values ​​to affected assets, key business attributes of the affected assets can be obtained from the CMDB (Configuration Management Database). For example, servers hosting core databases are assigned a value of "extremely high"; ordinary employee office computers are assigned a value of "medium"; and test environment servers are assigned a value of "low". For assessing the attack spread rate, the speed of its lateral movement and the expansion of its impact range can be determined based on currently observed attack behavior. For example, if rapid propagation across multiple terminals using lateral movement tools is detected, it is assessed as "fast"; if the threat is currently confined to a single point, it is assessed as "slow". The final risk value can be calculated by combining all the above risk factors.

[0061] In a specific embodiment of the present invention, when a risk value is calculated, the system enters the strategy decision-making stage. First, it determines the risk level based on the risk value. The system automatically determines the risk level corresponding to the calculated risk value based on a preset risk threshold range, for example: 0-60 points for low risk, 61-120 points for medium risk, and above 121 points for high risk. The system has a built-in predefined response strategy library, which is mapped one-to-one with risk levels and threat types (such as ransomware, data theft, and insider threats). For each risk level, the system automatically selects or combines strategies from the predefined response strategy library (such as isolating devices, blocking IPs, resetting passwords, and issuing alarm notifications) to generate the optimal handling solution. For example, for a high-risk ransomware attack, it immediately triggers terminal isolation and network blocking.

[0062] In a specific embodiment of the present invention, after the decision is generated, the AI ​​platform executes the instruction issuance through the Security Orchestration and Response (SOAR) technology. The SOAR engine links with various components of the Zero Trust Security Protection Platform through API interfaces. The SOAR engine translates the abstract response strategy into specific API instructions that can be recognized by each component of the Zero Trust Security Protection Platform, and calls standardized API interfaces to concurrently issue instructions to various modules of the Zero Trust Security Protection Platform. After the instructions are issued, the system automatically executes the defense strategy, achieving a "decision-as-execution" response within seconds. The SOAR engine continuously monitors the return status of each execution component to ensure that the strategy is fully executed. By automatically executing the defense strategy through the SOAR engine, a seamless, efficient, and automated connection from intelligent decision-making to physical world protection actions is ensured, realizing a shift from a "human-driven" to a "system-driven" security operation mode, and greatly shortening the threat response time.

[0063] Specifically, step S5, based on decision instructions, implements coordinated protection actions at the network, terminal, and data levels, including: Based on decision-making instructions, network boundary security protection, endpoint security protection, and data security protection are executed respectively.

[0064] Network perimeter security protection includes AI-integrated intelligent firewalls and web application firewalls, DDoS protection, and 4T trusted access protection based on continuous verification of identity, endpoint, application, and behavior. Endpoint security protection includes an endpoint protection platform employing a dual-engine approach of local virus database and cloud-based threat intelligence for virus scanning and removal, as well as endpoint security monitoring, application hardening, and peripheral device management. Data security protection includes an intelligent data leakage prevention system using natural language processing and pattern recognition technologies for data classification, categorization, and protection, and privacy computation using secure multi-party computation and homomorphic encryption technologies.

[0065] In a specific embodiment of the present invention, after receiving decision instructions from the AI ​​platform, the zero-trust security protection platform decomposes them into specific actions that can be executed at the physical and logical levels, and coordinates them at the network, terminal, and data levels to form a three-dimensional protection. Specifically, network boundary security protection is the first line of defense for executing access control and blocking malicious traffic. Its actions executed according to the instructions include: 1. Dynamic policy execution: After receiving the instructions, the intelligent firewall and Web application firewall dynamically update their access control lists or security policies. The intelligent firewall (e.g., the NGFW next-generation firewall) and Web application firewall not only provide rule-based protection but also integrate AI capabilities to intelligently identify and block application-layer attacks (e.g., SQL injection, cross-site scripting). 2. DDoS protection: Through the traffic scrubbing center, inbound traffic is analyzed in real time to identify and filter malicious DDoS traffic, ensuring business continuity. 3. Zero-trust network access control: The zero-trust gateway dynamically adjusts authorization for specific sessions or users according to the instructions. This includes 4T trusted access, following the principle of "never trust, always verify," to achieve identity-based dynamic access control. Trusted identity, strong authentication (e.g., multi-factor authentication, MFA). Trusted endpoint, checking the security status of endpoint devices before access (e.g., patching, antivirus software status). Trusted application, ensuring the accessed application is authorized. Trusted behavior, continuously evaluating user behavior during access sessions. Endpoint security protection is responsible for isolating and eliminating threats at their source—the endpoint device. Its actions include: 1. Epidemic Preventive Protection (EPP), employing a dual-engine model of "local virus database + cloud-based threat intelligence" to improve the detection rate and response speed of known and unknown malware. 2. Endpoint security detection and hardening, including APK / IPA application hardening to prevent decompilation, control of endpoint peripherals (e.g., USB drives), system security baseline checks and automatic repair, reducing the attack surface from the source. Data security protection focuses on protecting the ultimate goal—the data itself—preventing the leakage of sensitive information. Its actions include: Intelligent DLP (Data Loss Prevention): utilizing Natural Language Processing (NLP) and pattern recognition technologies to enable the DLP system to learn. Administrators can upload sample files containing sensitive information (such as citizen ID numbers and trade secrets). The system automatically learns sensitive features through NLP and contextual analysis to generate a classification dictionary, greatly improving the accuracy and efficiency of data classification and reducing operational pressure. Privacy computation: In scenarios where data needs to be jointly modeled or analyzed but is inconvenient to leave the domain, secure multi-party computation and homomorphic encryption technologies are used to achieve "data usable but not visible".

[0066] In a specific embodiment of the present invention, the NLP technology in intelligent DLP can adopt a classification method based on a combination of predefined strategy templates and machine learning when dealing with highly structured data.

[0067] Specifically, step S6 feeds back the protection results to the AI ​​agent for iterative optimization.

[0068] In one specific embodiment of the present invention, all execution actions, execution results (success or failure), and the entire lifecycle of the event are recorded in detail and fed back to the AI ​​agent as feedback data to optimize future risk assessment models and response strategies, thereby achieving a true adaptive security closed loop.

[0069] Example 2 Based on the above method, embodiments of the present invention provide an AI-driven, three-dimensional, dynamic APT network security defense system, such as... Figures 4-6 As shown, it includes: Data acquisition module 01 is used to collect and process diverse and heterogeneous security data from networks, terminals, and applications in real time.

[0070] The anomaly identification module 02 is used to establish a baseline model based on the processed multi-dimensional heterogeneous security data and identify anomalous data.

[0071] The Deep Correlation and Analysis Module 03 is used to perform deep correlation and threat analysis on abnormal data and obtain analysis results.

[0072] The response strategy generation module 04 is used to generate response strategies based on the analysis results and issue corresponding decision instructions to the zero-trust security protection platform.

[0073] Action execution module 05 is used to implement coordinated protection actions at the network, terminal and data levels based on decision instructions.

[0074] The feedback and optimization module 06 is used to feed back the protection results to the AI ​​agent for iterative optimization.

[0075] In a specific embodiment of the present invention, the data acquisition module 01 first collects network traffic data, system logs, terminal process information, and user operation behavior data in real time through traffic probes and proxies deployed at network boundaries, key servers, and terminal devices. The network traffic data includes, but is not limited to, source / destination IP addresses, port numbers, communication protocols, number of data packets, number of bytes, and session start and end times. System logs include, but are not limited to, operating system event logs, application error logs, user authentication logs, and alarm and blocking logs from security devices. Then, the collected raw data undergoes data cleaning, standardization, and correlation processing to eliminate noise and transform the scattered and chaotic massive amounts of security data into uniformly formatted, high-quality security data, providing a reliable data foundation for subsequent intelligent analysis and automated decision-making. Specifically, the data is first validated and cleaned. For example, meaningless traffic records with source IPs that are private addresses or multicast addresses are filtered out; encoding errors or garbled characters that may exist in the logs are corrected or marked; and duplicate log entries caused by network jitter are deduplicated. Then, the cleaned data undergoes standardization / normalization processing to unify data from different sources and in different formats into standardized internal data. The engine maps various types of data to a unified JSON format based on predefined parsing templates. The processed data forms a high-quality, standardized, and secure data lake.

[0076] In a specific embodiment of the present invention, the anomaly identification module 02 uses the baseline modeling and anomaly detection engine in the AI ​​intelligent agent application development platform for baseline modeling and anomaly identification. The aim is to utilize unsupervised learning algorithms (such as cluster analysis) to learn normal patterns from normal network and user behavior, thereby automatically identifying abnormal data without relying on predefined attack signatures. Baseline modeling includes two parallel and related modeling processes: network traffic behavior baseline modeling and user operation behavior baseline modeling. For network traffic behavior baseline modeling, the model is first constructed and trained. The engine uses processed network traffic data as input to the model and employs cluster analysis to construct and train the network traffic behavior baseline model. After training, the system establishes a dynamic behavior baseline for each network entity (such as an IP address). This baseline is not a fixed value but a dynamic threshold range that changes over time. The engine compares the actual traffic characteristics of the entity within the current time window with the baseline model. Abnormal network behavior is determined when the following occurs: 1. Sudden increase / decrease in traffic: The actual traffic value significantly exceeds or falls below the confidence interval predicted by the time series model at multiple consecutive time points. 2. Deviation in Behavioral Pattern: The entity's current behavioral feature vector is determined in the clustering model to not belong to any "normal behavior cluster," or to a very small "abnormal cluster." 3. Low-Frequency High-Risk Communication: Communication with IPs of known malware, servers, or high-risk geographical locations is detected, even if the traffic is small, and will be marked as a deviation from the implicit baseline of "secure access to external resources." For user operation behavior baseline modeling, the engine uses processed user operation behavior data as input to the model and builds a behavioral profile for each user, using statistical methods to describe their normal behavioral characteristics, such as: this user usually logs in between 9-12 am, 99% of logins come from city A, and accesses the file server an average of 10 times per day. When analyzing user sessions in real time, the user's current behavior is compared with their personal baseline profile and sequence model. When the following situations occur, it is determined to be abnormal user behavior (i.e., potential user account leakage or internal threat): 1. Abnormal Time / Location: The user logs into the system outside of working hours (such as 2 am) or from a place they have never been before (such as overseas). 2. Privilege Escalation: A regular user account suddenly attempts to access sensitive systems or data that are only accessible to executives or IT administrators. 3. Anomaly in Behavioral Sequence: The order of actions performed by a user after logging in deviates significantly from the high-probability sequence predicted by the HMM model. For example, a finance staff member logs in and immediately executes a system permission query command instead of accessing the finance system. Identified abnormal network traffic events and user behavior events that deviate from the baseline are packaged into unified abnormal security events, accompanied by anomaly scores, triggering rule types, and related entity information. These events are reported in real time and serve as key inputs for in-depth correlation analysis and attack chain reconstruction.

[0077] Specifically, the deep correlation and analysis module 03 also includes: The association module 031 is used to construct an attack knowledge graph based on abnormal data and associate security events with the attack knowledge graph. The attack knowledge graph includes attack tactics, techniques, programs, vulnerability information, and malware family relationships.

[0078] The interpretability analysis module 032 is used to perform interpretability analysis and logical reasoning on security events based on the neural symbol system, and to identify the attack intent of the security events.

[0079] The threat identification module 033 is used to establish behavioral baselines for each user and device based on user and entity behavior analysis, and to continuously monitor and analyze security events through machine learning models to identify internal threats and abnormal accounts.

[0080] In a specific embodiment of the present invention, the invention first constructs an attack knowledge graph containing attack tactics, techniques, procedures (TTPs), vulnerability information, and malware family relationships through the association module 031. When a security incident occurs, the system associates the security incident with the attack knowledge graph to quickly identify the attacker's tactical intent and the attack organization to which they belong. Then, the interpretability analysis module 032 performs logical reasoning and interpretability analysis on the security incident to identify the attack intent of the security incident. For example, when a neural network detects a suspicious file, the symbolic system infers the possible role of the file in the attack chain according to predefined rules. Finally, the attack chain is reconstructed using the threat identification module 033. By establishing behavioral baselines for each user and device and continuously analyzing their behavioral dynamics through machine learning models, when a user account accesses sensitive data from an unfamiliar location at an abnormal time, or a server initiates an abnormal external connection, the system can promptly identify potential account leaks or internal threats.

[0081] Specifically, the response strategy generation module 04 also includes: Risk assessment module 041 is used to quantify the risk assessment of identified threats and calculate the risk value by combining the severity level of the threat, the importance of the affected assets, and the speed of attack spread.

[0082] The policy generation module 042 is used to determine the risk level and threat type based on the risk value, and select the corresponding response policy from the predefined response policy library. The response policies include isolating devices, blocking IPs, resetting passwords, and alarm notifications.

[0083] The instruction issuing module 043 is used to issue decision instructions corresponding to the response strategy to the zero-trust security protection platform, and to automatically execute the response strategy by automating the response decision instructions through security orchestration.

[0084] In a specific embodiment of the present invention, the invention first quantifies and classifies the identified threats through the risk assessment module 041, assigning values ​​based on the threat severity level, the importance of the affected assets, and the attack spread rate. For threat severity level assignment, a score can be given based on the inherent attributes of the threat itself. For example, attacks exploiting zero-day vulnerabilities are assigned a "critical" score (90-100 points); known malware activity is assigned a "high" score (70-89 points); while ordinary policy violations may be assigned a "medium" score (50-69 points). The scoring criteria can refer to general vulnerability scoring systems or the confidence level of internal threat intelligence. For the importance of affected assets, key business attributes of the affected assets can be obtained from the CMDB (Configuration Management Database). For example, servers hosting core databases are assigned a "very high" score; ordinary employee office computers are assigned a "medium" score; and test environment servers are assigned a "low" score. For attack spread rate assessment, the speed of its lateral movement and the expansion of its impact range can be determined based on currently observed attack behavior. For example, if the threat is detected spreading rapidly across multiple devices using lateral movement tools, it is assessed as "rapid"; if the threat is currently confined to a single point, it is assessed as "slow". The final risk value is calculated by combining these risk factors. Then, the risk level is determined by the policy generation module 042. The system automatically determines the risk level corresponding to the calculated risk value based on preset risk threshold ranges, for example: 0-60 points for low risk, 61-120 points for medium risk, and above 121 points for high risk. The system has a built-in predefined response policy library, which is mapped one-to-one with risk level and threat type (e.g., ransomware, data theft, insider threat). For the above risk level, the system automatically selects or combines from the predefined response policy library (e.g., device isolation, IP blocking, password reset, alarm notification, etc.) to generate the optimal handling solution. For example, for a high-risk ransomware attack, terminal isolation and network blocking are immediately triggered.

[0085] Finally, the command issuance module 043 executes the command issuance, linking with various components of the Zero Trust Security Protection Platform via API interfaces. It translates the abstract response strategy into specific API commands recognizable by each component of the Zero Trust Security Protection Platform, and calls standardized API interfaces to concurrently issue commands to various modules of the platform. After the commands are issued, the system automatically executes the defense strategy, achieving a "decision-to-execution" response within seconds, and continuously monitors the return status of each execution component to ensure the complete execution of the strategy. The automatic execution of the defense strategy through the command issuance module 043 ensures a seamless, efficient, and automated connection from intelligent decision-making to physical-world protection actions, realizing a shift from a "human-driven" to a "system-driven" security operation model, and significantly shortening threat response time.

[0086] In a specific embodiment of the present invention, after receiving a decision instruction, the action execution module 05 decomposes it into specific actions that can be executed at the physical and logical levels, and coordinates them at the network, terminal, and data levels to form a three-dimensional protection. Network boundary security protection includes AI-integrated intelligent firewall and Web application firewall protection, DDoS protection, and 4T trusted access protection based on continuous verification of identity, terminal, application, and behavior. Terminal security protection includes a terminal protection platform using a dual-engine approach of local virus database and cloud threat intelligence for virus scanning and removal, and performs terminal security monitoring, application hardening, and peripheral device management. Data security protection includes using natural language processing and pattern recognition technologies to classify, categorize, and protect data in an intelligent data leakage prevention system, and using secure multi-party computation and homomorphic encryption technologies for privacy computation. Specifically, network boundary security protection is the first line of defense for executing access control and blocking malicious traffic. Its actions executed according to instructions include: 1. Dynamic policy execution: After receiving instructions, the intelligent firewall and Web application firewall dynamically update their access control lists or security policies. Intelligent firewalls (such as NGFW next-generation firewalls) and web application firewalls not only provide rule-based protection but also integrate AI capabilities to intelligently identify and block application-layer attacks (such as SQL injection and cross-site scripting). 2. DDoS Protection: Through a traffic scrubbing center, inbound traffic is analyzed in real time to identify and filter malicious DDoS traffic, ensuring business continuity. 3. Zero-Trust Network Access Control: Zero-trust gateways dynamically adjust authorization for specific sessions or users based on instructions. This includes 4T trusted access, adhering to the principle of "never trust, always verify," to achieve identity-based dynamic access control. Trusted identity: strong identity authentication (e.g., multi-factor authentication, MFA). Trusted endpoint: checking the security status of endpoint devices (e.g., patching, antivirus software status) before access. Trusted application: ensuring that the accessed application is authorized. Trusted behavior: continuously evaluating user behavior during access sessions. Endpoint security protection is responsible for taking isolation and removal measures at the source of the threat—the endpoint device. Its actions include: 1. Epidemic Prediction and Protection (EPP): Employing a dual-engine approach of "local virus database + cloud-based threat intelligence" to improve the detection rate and response speed for both known and unknown malware. 2. Endpoint security detection and hardening: This includes APK / IPA application hardening to prevent decompilation, control of peripheral devices (such as USB drives), system security baseline checks and automatic repair, reducing the attack surface at the source. Data security protection focuses on protecting the ultimate goal—the data itself—preventing the leakage of sensitive information. Its actions include: Intelligent DLP (Data Loss Prevention): Utilizing Natural Language Processing (NLP) and pattern recognition technologies to enable the DLP system to learn.Administrators can upload sample files containing sensitive information (such as citizen ID numbers and trade secrets). The system automatically learns sensitive features through NLP and contextual analysis to generate a classification dictionary, greatly improving the accuracy and efficiency of data classification and reducing operational pressure. Privacy computation: In scenarios where data needs to be jointly modeled or analyzed but is inconvenient to leave the domain, secure multi-party computation and homomorphic encryption technologies are used to achieve "data usable but not visible".

[0087] In a specific embodiment of the present invention, the feedback and optimization module 06 records in detail all execution actions, execution results (success or failure), and the entire lifecycle of the event, and feeds them back to the AI ​​agent as feedback data to optimize future risk assessment models and response strategies, thereby achieving a true adaptive safety closed loop.

[0088] Example 3 This invention also provides a specific example of an AI-driven, three-dimensional dynamic defense method for APT network security. This example is applicable to a typical APT attack defense scenario and is also based on a deep integration system of AI agents and zero-trust platforms, specifically including the following: Step 1: The terminal EDR detects abnormal PowerShell script execution behavior on an office computer and reports the event to the data sharing open platform.

[0089] Step 2: The AI ​​agent platform receives the event, analyzes it using UEBA, discovers abnormal user behavior, and, combined with the attack knowledge graph, determines that this behavior matches the "command line interface" attack technique, possibly an attempt by the attacker to move laterally. The neural symbolic system further infers the complete attack chain.

[0090] Step 3: Based on this high-risk assessment, the AI ​​platform automatically generates a response strategy: immediately isolate the terminal device, block its IP address from accessing the core server at the network level, and notify the security administrator.

[0091] Step 4: The decision command is sent to the zero-trust platform via API. The endpoint security module performs device isolation, and the smart firewall performs network blocking, thus nipping the attack in the bud.

[0092] Step 5: Feedback of the processing results to the AI ​​intelligent agent platform and AI middleware platform for optimization of future detection models and response strategies.

[0093] Example 4 like Figure 7As shown, this embodiment of the invention also provides an electronic device, including a processor and a memory. The memory stores a computer program, which is loaded and executed by the processor to implement the aforementioned AI-driven three-dimensional APT network security dynamic defense method. The device in this invention can be a server, PC, PAD, mobile phone, etc.

[0094] Furthermore, this embodiment of the invention also provides a computer-readable storage medium storing a computer program, which is loaded and executed by a processor to implement the above-described AI-driven three-dimensional APT network security dynamic defense method.

[0095] In summary, the AI-driven, three-dimensional dynamic defense method and system for APT network security described in this invention has the following advantages: 1. It has achieved a fundamental shift from passive response to proactive prediction, significantly improving the ability to defend against advanced persistent threats (APTs).

[0096] This invention utilizes an AI agent to establish a dynamic behavioral baseline through unsupervised learning, and combines attack knowledge graphs with UEBA for deep threat hunting. It can identify abnormal behaviors that deviate from normal patterns in the early stages of attack reconnaissance and lateral movement, thereby achieving proactive discovery and predictive defense against APT attacks, effectively shortening threat dwell time and minimizing losses.

[0097] 2. It breaks down data silos and capability barriers between security products, forming a collaborative and interconnected three-dimensional protection system.

[0098] In existing technologies, various security devices operate independently, making it difficult to cope with complex attack chains. This invention constructs an architecture centered on an AI agent and based on a zero-trust platform, and designs standardized linkage interfaces to achieve deep collaboration across the three security layers: network, endpoint, and data. Once a threat is identified, the system can automatically schedule components such as firewalls, EDR, and DLP to execute a combination of response strategies including isolation, blocking, and encryption, building a comprehensive protection capability without blind spots.

[0099] 3. It significantly improves the automation and intelligence level of security operations, and reduces reliance on scarce security experts and labor costs.

[0100] This invention automates the threat analysis, assessment, decision-making, and response processes through AI intelligent agents and security orchestration automation response technology. The system can automatically complete the entire process from correlating events from massive logs and assessing risks to issuing handling instructions, freeing security personnel from tedious alarm review and manual operations, improving operational efficiency by more than 50%, and allowing limited expert resources to focus on more complex strategic analysis and strategy optimization.

[0101] 4. Through intelligent data identification and dynamic strategy adjustment, precise protection is achieved, effectively reducing the false alarm rate.

[0102] Traditional static rule-based DLP systems suffer from high false alarm rates, impacting normal business operations. This invention's intelligent DLP employs NLP technology to self-learn sensitive data features, significantly improving data classification accuracy. Simultaneously, the zero-trust platform's dynamic access control policies are adjusted based on real-time AI risk assessment results, achieving "on-demand allocation" of access permissions. This ensures security while minimizing interference with legitimate business operations, achieving a balance between security and efficiency.

[0103] 5. A dynamic defense system with adaptive capabilities has been built, which can continuously evolve as the network threat environment changes.

[0104] The core advantage of this invention lies in the formation of a complete closed loop of "perception-cognition-decision-protection-feedback". The outcome of each threat response is fed back to the AI ​​agent to optimize the detection model and response strategy. This transforms the entire defense system from a static "black box" of rules into an organic entity capable of continuous learning, iteration, and evolution from real-world experience, possessing long-term viability to address future emerging cyber threats.

[0105] The concepts, principles, and ideas of the present invention have been described in detail above with reference to specific embodiments (including examples and instances). Those skilled in the art should understand that the embodiments of the present invention are not limited to those given above. After reading this application, those skilled in the art can make any possible improvements, substitutions, and equivalents to the steps, methods, systems, and components in the above embodiments. These improvements, substitutions, and equivalents should be considered to fall within the scope of the present invention, and the scope of protection of the present invention is limited to the claims.

Claims

1. An AI-driven, three-dimensional dynamic defense method for APT network security, characterized in that, The method is based on a system architecture that deeply integrates AI agents and a zero-trust security protection platform. The method includes: Collect and process diverse and heterogeneous security data from networks, terminals, and applications in real time; A baseline model is established based on the processed multi-dimensional heterogeneous security data, and abnormal data is identified. The abnormal data was subjected to in-depth correlation and threat analysis to obtain the analysis results; Based on the analysis results, a response strategy is generated and corresponding decision instructions are issued to the zero-trust security protection platform. Based on the aforementioned decision instructions, coordinated protection actions are implemented at the network, terminal, and data levels, respectively. The protection results are fed back to the AI ​​agent for iterative optimization.

2. The AI-driven three-dimensional dynamic defense method for APT network security according to claim 1, characterized in that, The real-time acquisition and processing of diverse heterogeneous security data from networks, terminals, and applications specifically includes: Real-time collection of network traffic data, system logs, terminal process information, and user operation behavior data, followed by data cleaning and standardization.

3. The AI-driven three-dimensional dynamic defense method for APT network security according to claim 1, characterized in that, The baseline model established based on the processed multi-dimensional heterogeneous security data, and the identification of anomalous data specifically include: Based on the processed network traffic data and user operation behavior data, an unsupervised learning algorithm is used to establish a baseline model and identify abnormal data that deviates from the baseline.

4. The AI-driven three-dimensional dynamic defense method for APT network security according to claim 1, characterized in that, The deep correlation and threat analysis of the abnormal data, and the resulting analysis, further include: An attack knowledge graph is constructed based on abnormal data, and security events are associated with the attack knowledge graph, which includes attack tactics, techniques, programs, vulnerability information, and malware family relationships. Based on the neural symbol system, interpretable analysis and logical reasoning of security events are performed to identify the attack intent of security events; Based on user and entity behavior analysis, a behavioral baseline for each user and device is established, and the security events are continuously monitored and analyzed through machine learning models to identify internal threats and abnormal accounts.

5. The AI-driven three-dimensional dynamic defense method for APT network security according to claim 1, characterized in that, The step of generating a response strategy based on the analysis results and issuing corresponding decision instructions to the zero-trust security protection platform further includes: The identified threats are quantitatively assessed for risk, and a risk value is calculated by combining the severity level of the threat, the importance of the affected assets, and the rate of attack spread. The risk level and threat type are determined based on the risk value, and a corresponding response policy is selected from a predefined response policy library. These response policies include isolating devices, blocking IP addresses, resetting passwords, and issuing alarm notifications. The system issues decision instructions corresponding to the response strategy to the zero-trust security protection platform and automatically responds to the decision instructions through security orchestration to automatically execute the response strategy.

6. The AI-driven three-dimensional dynamic defense method for APT network security according to claim 1, characterized in that, The implementation of coordinated protection actions at the network, terminal, and data levels based on the decision instructions specifically includes: Based on the decision instructions, network boundary security protection, terminal security protection, and data security protection are executed respectively.

7. The AI-driven three-dimensional dynamic defense method for APT network security according to claim 6, characterized in that, The network boundary security protection includes AI-integrated intelligent firewall and Web application firewall protection, DDoS protection, and 4T trusted access protection based on continuous verification of identity, terminal, application, and behavior.

8. The AI-driven three-dimensional dynamic defense method for APT network security according to claim 6, characterized in that, The endpoint security protection includes a dual-engine endpoint protection platform that uses a local virus database and cloud-based threat intelligence to perform virus scanning and removal, as well as endpoint security monitoring, application hardening, and peripheral device management.

9. The AI-driven three-dimensional dynamic defense method for APT network security according to claim 6, characterized in that, The data security protection includes using natural language processing and pattern recognition technologies to classify, categorize, and protect data in the intelligent data leakage prevention system, and using secure multi-party computation and homomorphic encryption technologies for privacy computation.

10. An AI-driven, three-dimensional, dynamic APT network security defense system, characterized in that, include: The data acquisition module is used to collect and process diverse and heterogeneous security data from networks, terminals, and applications in real time. The anomaly detection module is used to establish a baseline model based on the processed multi-dimensional heterogeneous security data and to identify anomalous data. The deep correlation and analysis module is used to perform deep correlation and threat analysis on the abnormal data and obtain analysis results; The response strategy generation module is used to generate response strategies based on the analysis results and issue corresponding decision instructions to the zero-trust security protection platform. The action execution module is used to implement coordinated protection actions at the network, terminal, and data levels based on the decision instructions. The feedback and optimization module is used to feed the protection results back to the AI ​​agent for iterative optimization.

11. The AI-driven three-dimensional APT network security dynamic defense system according to claim 10, characterized in that, The deep correlation and analysis module also includes: The association module is used to construct an attack knowledge graph based on abnormal data and associate security events with the attack knowledge graph, wherein the attack knowledge graph includes attack tactics, techniques, programs, vulnerability information and malware family relationships. The interpretability analysis module is used to perform interpretability analysis and logical reasoning on security events based on the neural symbol system, and to identify the attack intent of security events; The threat identification module is used to establish behavioral baselines for each user and device based on user and entity behavior analysis, and to continuously monitor and analyze security events through machine learning models to identify internal threats and abnormal accounts.

12. The AI-driven three-dimensional APT network security dynamic defense system according to claim 10, characterized in that, The response strategy generation module also includes: The risk assessment module is used to quantify the risk assessment of identified threats and calculate the risk value by combining the severity level of the threat, the importance of the affected assets, and the speed of attack spread. The policy generation module is used to determine the risk level and threat type based on the risk value, and select the corresponding response policy from a predefined response policy library. The response policies include isolating devices, blocking IPs, resetting passwords, and issuing alarm notifications. The instruction issuing module is used to issue decision instructions corresponding to the response strategy to the zero-trust security protection platform, and to automatically respond to the decision instructions through security orchestration in order to automatically execute the response strategy.

13. An electronic device, characterized in that, include: A processor and a memory, wherein the memory stores a computer program, the computer program being loaded and executed by the processor to implement the AI-driven three-dimensional APT network security dynamic defense method according to any one of claims 1 to 9.

14. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program, which is loaded and executed by a processor to implement the AI-driven three-dimensional APT network security dynamic defense method according to any one of claims 1 to 9.