A security attack identification method based on big data intelligent operation and maintenance

By performing behavioral semantic association and virtual-real interweaving verification in complex asset environments, the problem of fragmented attack identification and high false alarm rate in existing technologies is solved, and high-precision identification and dynamic verification of attack chains across multiple nodes are achieved.

CN122394836APending Publication Date: 2026-07-14BEIJING HANRUIDE NETWORK TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING HANRUIDE NETWORK TECH CO LTD
Filing Date
2026-03-20
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing technologies suffer from fragmented attack identification, high false positive rates, and an inability to dynamically observe the chain reactions triggered by attack behavior in the actual system topology when identifying attack chains across multiple nodes in complex asset environments, resulting in delayed response or missed detections.

Method used

The system captures raw behavior sequences by deploying behavior collectors, binds semantic associations using a behavior semantic deconstruction engine to form a behavior semantic network, extracts candidate behavior clusters by combining them with a threat behavior pattern library, and assembles them coherently in the attack intent inference model. The virtual-real interweaving verification module dynamically reproduces attack hypotheses in an isolated sandbox, synchronously compares them with changes in the real environment, and verifies the authenticity of the attack hypotheses.

Benefits of technology

It enhances the ability to reconstruct the behavioral logic associations of cross-domain and multi-stage attack chains, improves the accuracy of attack identification and the credibility of judgment results, reduces the false alarm rate, and realizes dynamic verification of attack intent.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394836A_ABST
    Figure CN122394836A_ABST
Patent Text Reader

Abstract

The application relates to the technical field of network security and operation and maintenance, and discloses a security attack identification method based on big data intelligent operation and maintenance. The method captures system operation panoramic data through a behavior collector, and utilizes a preset asset topology relation graph to perform semantic correlation binding on disordered behaviors in a behavior semantic deconstruction engine, so that a structured behavior semantic network is formed. Candidate behavior clusters are extracted based on a threat behavior mode library, and an attack intention assembly and scoring are performed through an attack intention deduction model, so that an attack hypothesis set is generated. An attack sequence is dynamically reproduced in a sandbox through a virtual-real interlaced verification module, and a real environment change is synchronously compared, the attack authenticity is verified through difference comparison, and a judgment result is output. The method can restore the context logic of a complex attack chain, and through simulation and real-time environment linkage verification, the accuracy and reliability of attack identification are improved.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security and operation and maintenance technology, specifically a security attack identification method based on big data intelligent operation and maintenance. Background Technology

[0002] Currently, leveraging big data technology for security operations and attack identification has become a mainstream approach. Existing methods typically collect massive amounts of raw data such as system logs, network traffic, and host commands during system operation, and then use rule matching, feature comparison, or machine learning models for anomaly detection and threat assessment. These technologies aim to discover suspicious behavioral points that deviate from the normal baseline from complex data.

[0003] Existing technical solutions have shortcomings. The collected raw behavioral sequences are inherently disordered and mixed, lacking effective contextual relationships between isolated events generated by different devices and processes. Conventional time-series analysis or simple rule associations are insufficient to accurately reconstruct coherent attack chains across multiple nodes, such as lateral movement and privilege escalation, in complex asset environments. This leads to fragmented attack identification and a high false positive rate. Even when the detection model outputs a suspicious attack hypothesis, its verification often relies on re-matching a static rule base or independently reproducing the suspicious code in a completely isolated sandbox. This verification method is disconnected from the real production environment in real time, making it impossible to dynamically observe the chain reactions that attack behavior may trigger in the actual system topology. It is difficult to confirm the authenticity of the attack intent and the scope of its impact, resulting in delayed response or missed detections.

[0004] The key issues to be addressed are how to accurately semantically associate massive amounts of disordered raw behaviors based on the inherent logic of the system, and how to effectively verify the generated attack hypotheses in a way that closely reflects the dynamic changes in the real environment. Summary of the Invention

[0005] The purpose of this invention is to provide a security attack identification method based on big data intelligent operation and maintenance, so as to solve the problems mentioned in the background art.

[0006] To achieve the above objectives, this invention provides a security attack identification method based on big data intelligent operation and maintenance, the method comprising:

[0007] Behavior collectors deployed on computing nodes capture raw behavior sequences containing operation commands and communication sessions from the network and host devices, forming a panoramic view of system operation data;

[0008] The system operation panoramic data is input into the behavior semantic deconstruction engine. Based on the preset asset topology relationship graph, the disordered and mixed behavior units in the system operation panoramic data are semantically associated and bound to form a behavior semantic network with logical association tags.

[0009] Based on a preset threat behavior pattern library, which stores typical behavior patterns of known attack chains, candidate behavior clusters that are potentially related to typical behavior patterns are extracted from the behavioral semantic network.

[0010] The candidate behavior clusters are imported into the attack intent inference model, which simulates the logical evolution path of a multi-stage attack. The discrete behavior units in the candidate behavior clusters are assembled for intent coherence and scored for path probability to generate a set of attack hypotheses.

[0011] The set of attack hypotheses is submitted to the virtual-real interleaving verification module. The virtual-real interleaving verification module dynamically reproduces the behavioral sequence described by the set of attack hypotheses in an isolated sandbox environment and simultaneously compares it with the real-time changes of the behavioral semantic network in the real environment. By comparing the differences between the reproduced results and the real-time changes, the authenticity of the set of attack hypotheses is verified, and finally the verified attack behavior judgment result is output.

[0012] Preferably, the process of semantically associating and binding disordered and mixed behavioral units in the panoramic data of system operation includes:

[0013] The behavioral semantic deconstruction engine performs in-depth protocol parsing and instruction reconstruction on the panoramic data of system operation, extracting each independent behavioral unit and its metadata.

[0014] The behavioral semantic deconstruction engine calls the pre-built asset topology diagram to query the logical position and ownership relationship of the source target address, process identifier, and user identity involved in the behavioral unit in the asset topology diagram;

[0015] Based on the logical location and attribution relationship found in the query, the behavioral semantic deconstruction engine calculates the association weights between different behavioral units in three dimensions: asset topology, temporal proximity, and data flow direction.

[0016] Based on the calculated association weights, the behavioral semantic deconstruction engine dynamically clusters behavioral units that exceed the association weight threshold and assigns a semantic label to each cluster that reflects its potential business or attack logic, thereby generating a behavioral semantic network with logical association tags.

[0017] Preferably, the specific steps for extracting candidate behavior clusters that have potential associations with typical behavioral patterns from the behavioral semantic network are as follows:

[0018] Each typical behavior pattern in the threat behavior pattern library is abstracted into a directed graph template consisting of key behavior nodes and the transition conditions between behavior nodes.

[0019] The directed graph template of typical behavior patterns is matched with the behavior semantic network to find the behavior units in the behavior semantic network that are semantically consistent with the key behavior nodes in the directed graph template.

[0020] When a group of behavioral units is found in the behavioral semantic network whose type, order and some attributes satisfy the matching conditions of a directed graph template of a typical behavioral pattern, the behavioral units and their context-related units in the behavioral semantic network are jointly marked as a candidate behavioral cluster.

[0021] Record the typical behavior pattern number matched by each candidate behavior cluster and the confidence score of the match.

[0022] Preferably, the step of performing intention coherence assembly and path probability scoring on discrete behavioral units in the candidate behavioral cluster includes:

[0023] The attack intent deduction model receives a cluster of candidate behaviors with matching information, and internally maintains a set of finite state automata that represent multi-stage attack logic.

[0024] The model attempts to map each behavioral unit in the candidate behavioral cluster to a specific state of a finite state automaton set, and tries to find a reasonable state transition path that can connect the states of multiple behavioral units.

[0025] For each possible state transition path, the attack intent inference model calculates the rationality score of the state transition path based on the timestamp interval of the behavioral unit, the implicit state of whether the operation is successful or not, and whether it conforms to the common order of attack tactics.

[0026] Paths with a reasonableness score exceeding the path threshold are selected from all possible paths. The path, along with its associated behavioral units and the derived attacker intent stage, are encapsulated into an attack hypothesis. All generated attack hypotheses constitute an attack hypothesis set.

[0027] Preferably, the process by which the virtual-real interleaving verification module dynamically reproduces the behavioral sequence described by the attack hypothesis set in an isolated sandbox environment includes:

[0028] The virtual-real interleaving verification module analyzes each attack hypothesis in the attack hypothesis set and extracts the software environment configuration, initial access point, and planned sequence of behavioral instructions on which the attack hypothesis depends.

[0029] Based on the extracted software environment configuration, a simulated target environment highly similar to the real victim environment is quickly constructed in a completely isolated sandbox network;

[0030] In the simulated target environment, the corresponding attack steps are automatically executed in strict accordance with the behavioral sequence instructions and time intervals described in the attack hypothesis. The changes in system status, processes, logs and network traffic in the simulated target environment are monitored throughout the process and recorded as sandbox reproduction trajectory.

[0031] Preferably, the process of synchronously comparing the real-time changes of the behavioral semantic network in the real environment includes:

[0032] While reproducing the behavior sequence in the sandbox, the virtual-real interweaving verification module continuously obtains real-time incremental updates of the behavior semantic network in the real production environment from the behavior semantic deconstruction engine;

[0033] For the attack hypothesis that is currently being reproduced, the virtual-real interweaving verification module establishes a time alignment window, and compares the impact events of each operation in the sandbox reproduction trajectory with the newly added or changed behavioral units in the real behavior semantic network within the time alignment window.

[0034] The features to be compared include, but are not limited to: new system call sequences, abnormal port connection patterns, access traces of sensitive files, and the generation of specific log entries.

[0035] Preferably, the specific logic for verifying the authenticity of the attack hypothesis set by comparing the reproduced results with the real-time changes is as follows:

[0036] The virtual-real interweaving verification module sets a similarity measurement rule to calculate the feature similarity between the impact events of the sandbox reproduced trajectory and the behavioral units that change in real time in the real environment;

[0037] If the sandbox reproduction trajectory corresponding to a certain attack hypothesis has an impact event that exceeds the similarity threshold, and finds highly similar behavioral unit changes within the time alignment window of the real environment, then the attack hypothesis is determined to have strong supporting evidence and high authenticity.

[0038] If the impact events of the sandbox-reproduced trajectory do not show corresponding changes in the real environment, or the similarity is below the threshold, but the attack hypothesis has an extremely high path probability score in the attack intent deduction model, then it is marked as a high-risk latent threat and needs to be continuously monitored.

[0039] If the events affecting the sandbox-reproduced trajectory cannot be found in the real environment and the path probability score is low, then the attack hypothesis is determined to be a false alarm or a low-quality hypothesis, and is downgraded or excluded.

[0040] Preferably, after outputting the verified attack behavior determination result, the method further includes a step of feedback learning on the behavioral semantic network and the threat behavior pattern library:

[0041] Attack hypotheses verified as highly realistic by the virtual-real interweaving verification module, along with their corresponding sequences of real-world environmental behavior changes, are taken as positive sample knowledge fragments.

[0042] The attack hypotheses and their corresponding candidate behavior clusters that are determined to be false alarms by the virtual-real interleaving verification module are used as negative sample knowledge fragments.

[0043] Positive sample knowledge fragments are used to refine and supplement typical behavior patterns in the threat behavior pattern library, adding new behavior pattern variants or adjusting the matching weights of existing patterns.

[0044] The semantic association binding logic in the behavioral semantic deconstruction engine is optimized by using negative sample knowledge fragments and adjusting the calculation parameters of association weights to reduce the probability of generating similar false positive candidate behavior clusters in the future.

[0045] Preferably, the specific method for the behavior semantic deconstruction engine to calculate the association weights between different behavior units is as follows:

[0046] For the asset topology dimension, if two behavioral units involve the same asset or directly connected assets, then a higher basic weight is assigned to the asset topology dimension.

[0047] For the temporal proximity dimension, the absolute difference between the timestamps of two behavioral units is calculated, and the absolute difference is converted into a weighting coefficient through a preset time decay function. The shorter the time interval, the higher the weighting coefficient.

[0048] For the data flow direction dimension, check whether the output data flow of the previous action unit can be used as the input of the next action unit. If there is an explicit or implicit data flow relationship, then assign a positive weight to the data flow direction dimension.

[0049] The weights calculated in the three dimensions are weighted and synthesized according to a preset fusion strategy to obtain the comprehensive correlation weight between behavioral units.

[0050] Preferably, the mechanism for constructing and updating the finite state automata set in the attack intent deduction model is as follows:

[0051] The finite state automata set was initially built based on the publicly available ATT&CK framework and a knowledge base of historical attack and defense cases. Each automata represents a specific attack tactic or technical implementation path.

[0052] Whenever the virtual-real interweaving verification module confirms a new, highly realistic multi-stage attack instance, it analyzes the complete behavioral path and state transition relationship of the multi-stage attack instance.

[0053] If the existing set of finite state automata can cover multi-stage attack instances, then adjust the conditional probabilities of state transitions in the corresponding automata according to the multi-stage attack instances.

[0054] If a multi-stage attack instance exhibits a new behavioral path or state that is not covered by existing automata, a new finite state automaton is created or learned for the attack intent inference model and added to the finite state automaton set.

[0055] Compared with the prior art, the beneficial effects of the present invention are:

[0056] The behavioral semantic deconstruction engine operates based on a pre-defined asset topology graph. This technology treats captured raw operational commands and communication sessions not as independent events, but rather within the context of known connections and dependencies between network devices, hosts, and services. Through this topology-based semantic association binding, previously disordered and mixed behavioral units are assigned logical association tags, forming a structured behavioral semantic network. This allows discrete attack traces to be reassembled based on the actual access paths and trust relationships between assets, improving the ability to reconstruct and identify the logical associations of behaviors in cross-domain, multi-stage attack chains.

[0057] The virtual-real interleaved verification module employs a technique that dynamically reproduces attack hypothesis sequences in an isolated sandbox and synchronously compares them with real-time changes in the semantic network of behavior in the actual environment. This module not only simulates and reproduces attack behaviors but also monitors the dynamic behavior of corresponding asset nodes in the production environment in real time. By comparing the differences between the simulated behavioral trajectories and the actual behavioral changes in the real environment, the feasibility and authenticity of the attack hypotheses are directly verified empirically. This method transforms attack verification from a static, environment-detached analysis into a dynamic process that interacts and verifies with the real system, identifying attack paths with real threats and false positives that are merely noise, thus improving the credibility of the judgment results. Attached Figure Description

[0058] Figure 1 This is a schematic diagram illustrating the working principle of the security attack identification method based on big data intelligent operation and maintenance described in this invention.

[0059] Figure 2 A flowchart for binding semantic associations of behaviors;

[0060] Figure 3 A flowchart for extracting candidate behavior clusters;

[0061] Figure 4 Grouped bar chart comparing sandbox reproduction with real-world features in security attack identification;

[0062] Figure 5A grouped bar chart comparing multi-dimensional feature similarity scores in security attack identification. Detailed Implementation

[0063] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0064] Please see Figure 1 This invention provides a security attack identification method based on big data intelligent operation and maintenance. The method includes: First, using behavior collectors deployed on various computing nodes, real-time raw data such as network traffic, host system calls, and log information are captured. This data includes operation instructions and communication sessions, collectively forming a panoramic data reflecting the system's operating status. Then, a behavior semantic deconstruction engine receives this panoramic data and, based on a pre-set asset topology diagram, performs deep analysis and semantic association binding on the disordered and mixed behavior units in the data, thereby generating a behavior semantic network with logical association markers. This network reveals the potential logical relationships between behavior units. Next, based on a pre-set threat behavior pattern library, candidate behavior clusters that have potential associations with typical behavior patterns of known attack chains in the library are extracted from the generated behavior semantic network. Then, the extracted candidate behavior clusters are imported into an attack intent inference model. This model simulates the logical evolution path of a multi-stage attack, performs intent coherence assembly and path probability scoring on the discrete behavior units in the candidate behavior clusters, and generates a set of attack hypotheses containing multiple possibilities. Finally, the set of attack hypotheses is submitted to the virtual-real interleaved verification module. This module dynamically reproduces the behavioral sequences described by the attack hypotheses in an isolated sandbox environment, while simultaneously comparing them with the real-time changes of the behavioral semantic network in the real production environment. By systematically comparing the differences between the sandbox reproduction results and the real-time changes in the real environment, the authenticity of each attack hypothesis is verified, and finally, the verified attack behavior judgment result is output.

[0065] In one embodiment of the present invention, see [reference] Figure 2The behavioral semantic deconstruction engine performs deep protocol parsing and instruction reconstruction on the input system operation overview data, extracting each independent behavioral unit and its related metadata. The engine then calls a pre-defined asset topology graph to query the logical position and asset ownership of the source and target addresses, process identifiers, and user identities involved in each behavioral unit within the graph. Based on the retrieved logical positions and ownership relationships, the engine calculates the association weights between different behavioral units across three dimensions. In the asset topology dimension, if two behavioral units involve the same asset or directly connected assets, a higher base weight is assigned to this dimension. In the temporal proximity dimension, the absolute difference between the timestamps of two behavioral units is calculated, and this absolute difference is converted into a weight coefficient using a pre-defined time decay function; the shorter the time interval, the higher the weight coefficient. In the data flow dimension, it checks whether the output data flow of the previous behavioral unit serves as the input of the next behavioral unit; if an explicit or implicit data flow relationship exists, a positive weight is assigned to this dimension. The engine then weights the weights calculated across the three dimensions according to a pre-defined fusion strategy to obtain the comprehensive association weight between each pair of behavioral units. Based on the calculated comprehensive association weights, the behavioral semantic deconstruction engine dynamically clusters behavioral units that exceed the preset association weight threshold, and assigns a semantic label to each generated cluster that reflects its potential business logic or attack logic, thereby ultimately generating a behavioral semantic network with logical association tags.

[0066] In practical implementation, a specific example scenario involves an attack against a web server. The raw behavioral sequence captured by the behavior collector contains multiple discrete entries: Behavior unit A records that the source IP address 192.168.1.100 initiated a connection attempt on port 445 of the target host 10.0.0.5; behavior unit B records that after successfully connecting, the source IP address 192.168.1.100 transmitted an executable file payload.exe to the target host 10.0.0.5; behavior unit C records that a new process named "svchost_helper" was subsequently created on host 10.0.0.5; and behavior unit D records that this new process attempted to connect to the external domain name command.control.com. The behavior semantic deconstruction engine performs deep protocol parsing and instruction reconstruction on the system operation panorama data containing these entries, extracting each independent behavior unit and its metadata. The metadata includes timestamps, source and target IP addresses, ports, operation types, and the identifiers of the files or processes involved.

[0067] In some embodiments, the behavioral semantic deconstruction engine invokes a pre-defined asset topology graph for querying. This graph defines host 10.0.0.5 as a server deploying a web application, belonging to the "DMZ Web Server" asset group, and having a logical access relationship with the internal database server. The behavioral semantic deconstruction engine query reveals that the target address 10.0.0.5 in behavioral unit A and behavioral unit B has the same logical location and asset ownership relationship in the asset topology graph, meaning they both belong to the "DMZ Web Server" asset group. Based on the queried logical location and ownership relationship, the behavioral semantic deconstruction engine calculates the association weights between different behavioral units in three dimensions: asset topology, temporal proximity, and data flow. For behavioral units A and B, since they involve the same target asset, they receive a higher base weight in the asset topology dimension. The absolute difference between the timestamps of behavioral units A and B is calculated and converted into a weight coefficient using a time decay function; a shorter time interval results in a higher weight coefficient. The establishment of the connection of behavior unit A is a prerequisite for the file transfer of behavior unit B, and there is an implicit data flow relationship. Therefore, positive weight is assigned to the data flow dimension.

[0068] It is understandable that the behavioral semantic deconstruction engine weights calculated across the three dimensions according to a preset fusion strategy to obtain a comprehensive association weight between behavioral unit A and behavioral unit B, where the comprehensive association weight exceeds a preset association weight threshold. In specific implementation, the weight coefficient of the temporal proximity dimension can be calculated using the following formula:

[0069]

[0070] Where: symbol Represents the time proximity weighting coefficient, symbol This represents the preset decay rate parameter, symbol... and These represent the timestamps of the occurrence of the two behavioral units, with symbols... This represents the base of the natural logarithm. Based on the calculated comprehensive association weights, the behavioral semantic deconstruction engine dynamically clusters behavioral units A and B. Behavioral units C and D are also clustered into the same cluster based on their asset associations and data flow associations with behavioral unit B. The behavioral semantic deconstruction engine assigns a semantic label reflecting the potential attack logic of this cluster, such as "suspicious lateral movement and payload delivery," thereby generating a behavioral semantic network with logical association tags. This network clearly reveals the potential logical chains between a series of behavioral units, from external scanning and file delivery to suspicious process creation and external communication.

[0071] In one embodiment of the present invention, see [reference] Figure 3Each typical behavior pattern stored in the threat behavior pattern library is abstracted as a directed graph template consisting of key behavior nodes and transition conditions between them. When extracting candidate behavior clusters, the directed graph template of the typical behavior pattern is matched against the behavioral semantic network. Behavioral units in the behavioral semantic network that semantically match the key behavior nodes in the directed graph template are searched. When a group of behavioral units is found in the behavioral semantic network whose behavior type, occurrence order, and some attributes satisfy the matching conditions of a typical behavior pattern's directed graph template, this group of behavioral units and its contextually related units in the behavioral semantic network are collectively marked as a candidate behavior cluster. The system records the typical behavior pattern number matched by each candidate behavior cluster and the confidence score of this match.

[0072] In practical implementation, each typical behavior pattern in the threat behavior pattern library is abstracted into a directed graph template consisting of key behavior nodes and the transition conditions between them. For example, a typical behavior pattern describing a ransomware attack can be abstracted into a directed graph template containing three key behavior nodes: "lateral movement," "encrypting files," and "connecting to a C2 server," and their sequential relationships. In practical implementation, the behavioral semantic network contains behavioral units deconstructed from a security incident, including behavioral unit X, behavioral unit Y, and behavioral unit Z. The directed graph template of the typical ransomware attack behavior pattern is matched with this behavioral semantic network. This requires finding behavioral units in the behavioral semantic network that semantically match the key behavior nodes in the directed graph template. Behavioral unit X semantically matches the "lateral movement" node, behavioral unit Y matches the "encrypting files" node, and behavioral unit Z matches the "connecting to a C2 server" node.

[0073] In some embodiments, when a group of behavioral units is found in the behavioral semantic network whose type, order, and some attributes satisfy the matching conditions of a directed graph template of a typical behavioral pattern, the behavioral units and their context-related units in the behavioral semantic network are jointly marked as a candidate behavioral cluster. For example, if the types and occurrence order of behavioral units X, Y, and Z completely match a ransomware attack template, then this group of behavioral units and their directly associated context units in the behavioral semantic network are jointly marked as a candidate behavioral cluster. In a specific implementation, the typical behavioral pattern number matched by each candidate behavioral cluster and the confidence score of the match are recorded. The calculation of the confidence score can take into account the accuracy of the node attribute matching, for example, by using the formula:

[0074]

[0075] Where: symbol The confidence score represents the match between the current candidate behavior cluster and the target typical behavior pattern, denoted by the symbol. This represents the total number of critical behavior nodes in a directed graph template, with the symbol [symbol missing]. Indicates the first The preset weights of key behavioral nodes in the matching calculation, with symbols... In the semantic network representing behavior, the template is the first The actual attribute set of the behavioral unit matched by each node, symbol Indicates the first in the template The expected attribute set of key behavioral nodes, function Used to calculate the actual attribute set With the expected set of attributes The degree of matching between them.

[0076] It is understandable that the matching degree function The output value ranges from 0 to 1. It outputs 1 when the actual behavioral unit attribute perfectly matches the expected attribute, 0 when it doesn't match at all, and an intermediate value when it partially matches. In some embodiments, for the ransomware attack pattern matching example above, the system records the pattern number matching this candidate behavioral cluster and the specific confidence score calculated according to the formula. Optionally, a data leakage pattern template in the threat behavior pattern library includes "accessing the database," "packaging data," and "sending data." When a behavioral unit group matching this sequence and attribute exists in the behavioral semantic network, it will also be extracted and marked as an independent candidate behavioral cluster, and its corresponding pattern number and confidence score will be recorded.

[0077] In one embodiment of the present invention, the attack intent deduction model internally maintains a set of finite state automata to represent multi-stage attack logic. This set of finite state automata is initially constructed based on the publicly available ATT&CK framework and a historical attack and defense case knowledge base, where each automaton represents an attack tactic or technical implementation path. The attack intent deduction model receives candidate behavior clusters with matching information. The model attempts to map each behavior unit in the candidate behavior cluster to a specific state in its internal set of finite state automata and attempts to find a reasonable state transition path that can connect the states of multiple behavior units. For each state transition path, the attack intent deduction model calculates a reasonableness score based on the timestamp interval of the behavior unit, the implicit state of success or failure of the operation, and whether it conforms to the common order of attack tactics. Paths with reasonableness scores exceeding a preset path threshold are selected from all paths, and this path, along with its connected behavior units and the deduced attacker intent stage, are encapsulated into an attack hypothesis. All generated attack hypotheses constitute an attack hypothesis set. The set of finite state automata has an update mechanism. Whenever the virtual-real interleaving verification module confirms a new, highly realistic multi-stage attack instance, it analyzes the complete behavioral path and state transition relationship of the instance. If the existing set of finite state automata can cover the instance, the conditional probability of state transition in the corresponding automaton is adjusted according to the instance. If the instance exhibits a new behavioral path or state that is not covered by the existing automata, a new finite state automaton is created or learned and added to the set.

[0078] In its implementation, the attack intent deduction model internally maintains a set of finite state automata to represent multi-stage attack logic. This set is initially built based on the publicly available ATT&CK framework and a historical attack and defense case knowledge base. Each automaton represents an attack tactic or technical implementation path. A specific example scenario involves a set of discrete behavioral units labeled as candidate behavior clusters. Behavior unit E records the successful exploitation of an application vulnerability and code execution on the host; behavior unit F records the attempt to establish new administrative privileges on the host by adding a user account or modifying the registry; and behavior unit G records the attempt to achieve persistent residency on the host by creating a scheduled task or installing a service. The attack intent deduction model receives candidate behavior clusters with matching information. It attempts to map each behavioral unit in the candidate behavior cluster to a specific state in the finite state automaton set. For example, it maps behavior unit E to the "initial access and code execution" state, behavior unit F to the "privilege escalation" state, and behavior unit G to the "persistence" state, and tries to find a reasonable state transition path that can chain the states of multiple behavioral units together.

[0079] In some embodiments, for each state transition path, the attack intent inference model calculates a reasonableness score based on the timestamp interval of the behavioral unit, the implicit state of success or failure of the operation, and whether it conforms to the common sequence of attack tactics. In a specific implementation, when calculating the reasonableness score of a state transition path, the attack intent inference model first evaluates it based on the timestamp interval of the behavioral unit. The timestamp interval is processed by a preset function, the output value of which is inversely proportional to the time difference between adjacent behavioral units; that is, the shorter the time interval, the higher the contribution score factor, reflecting the coherence of the attack behavior. Second, the model infers the implicit state of success or failure of the operation based on the metadata of the behavioral unit, such as process return codes or login success flags. The implicit state score reflects the execution effect of each behavioral unit, with successful operations assigned a positive score. Finally, the model checks whether the sequence of behavioral units matches typical attack phases such as initial access, privilege escalation, or persistence, referring to the common sequence of known attack tactics. The conformity score is calculated based on the degree of deviation between the sequence and the standard tactical order. The model weights and synthesizes the scores of these three dimensions using preset weight coefficients to generate a final reasonableness score, which is used to filter high-probability attack paths. The formula for calculating the reasonableness score can be expressed as:

[0080]

[0081] Where: symbol The symbol represents the reasonableness score of the current state transition path being evaluated. , , These are the preset weighting coefficients corresponding to the time interval factor, implicit state factor, and tactical order factor, respectively, with symbols... It is a sequence of timestamp intervals between adjacent action units in the path. The function is given as input, and its output value is inversely proportional to the length of the time interval, with sign... It is an operation success implicit state score based on behavioral unit metadata evaluation, symbol... It assesses the conformity score of the sequence of behavioral units to the known attack tactical phase sequence. Paths with a reasonableness score exceeding a preset threshold are selected from all paths, and these paths, along with their associated behavioral units and the derived attacker intent phase, are encapsulated into an attack hypothesis. All generated attack hypotheses constitute the attack hypothesis set.

[0082] It is understandable that the finite state automaton set has an update mechanism. Whenever the virtual-real interleaving verification module confirms a new, highly realistic multi-stage attack instance, it analyzes the complete behavioral path and state transition relationships of the multi-stage attack instance. In specific implementation, assuming that the virtual-real interleaving verification module subsequently confirms a new attack instance whose behavioral path, after the traditional "privilege escalation," is not immediately "persistent," but instead inserts new states of "credential theft" and "internal lateral movement," the attack intent inference model will analyze this multi-stage attack instance. If the existing finite state automaton set can cover the multi-stage attack instance, the conditional probabilities of state transitions in the corresponding automaton are adjusted according to the multi-stage attack instance. If the multi-stage attack instance exhibits a new behavioral path or state not covered by the existing automaton, a new finite state automaton is created or learned for the attack intent inference model and added to the finite state automaton set. Optionally, for the aforementioned new instance containing "credential theft" and "internal lateral movement," the attack intent inference model is prompted to generate a more complex finite state automaton that integrates these new states for future intent inference of similar attack chains.

[0083] In one embodiment of the present invention, the virtual-real interleaving verification module parses each attack hypothesis in the attack hypothesis set, extracting the software environment configuration, initial access point, and planned sequence of behavioral instructions upon which the attack hypothesis depends. Based on the extracted software environment configuration, the virtual-real interleaving verification module quickly constructs a simulated target environment highly similar to the real victim environment in a completely isolated sandbox network. In the simulated target environment, the corresponding attack steps are automatically executed strictly according to the sequence of behavioral instructions and time intervals described in the attack hypothesis, and the changes in system status, processes, logs, and network traffic in the simulated target environment are monitored throughout, with the monitoring results recorded as the sandbox reproduction trajectory. While reproducing the behavioral sequence in the sandbox, the virtual-real interleaving verification module continuously obtains real-time incremental updates of the behavioral semantic network in the real production environment from the behavioral semantic deconstruction engine. For the attack hypothesis currently being reproduced, the virtual-real interleaving verification module establishes a time alignment window, comparing the impact events generated by each operation in the sandbox reproduction trajectory with the newly added or changed behavioral units in the real behavioral semantic network within the time alignment window. The features compared include new system call sequences, abnormal port connection patterns, access traces to sensitive files, and the generation of specific log entries.

[0084] In practical implementation, an example scenario involves an attack hypothesis derived from an attack intent deduction model. This hypothesis describes an attacker gaining database access through an SQL injection vulnerability in a web application and then attempting to export data from the database server to an external address. The virtual-real interleaving verification module parses this attack hypothesis from the set of attack hypotheses, extracting the software environment configuration, initial access point, and planned sequence of actions upon which the attack hypothesis depends. The software environment configuration includes the operating system version running on the target web server, the web application framework type and version, and the database type. The initial access point is a URL parameter injection point. The planned sequence of actions includes constructing an SQL injection payload, executing system commands, establishing a reverse shell connection, and initiating data transmission from the database server to an external IP address. Based on the extracted software environment configuration, the virtual-real interleaving verification module quickly constructs a simulated target environment highly similar to the real victim environment in a completely isolated sandbox network. The simulated target environment deploys the same versions of the operating system, web application, and database.

[0085] In the simulated target environment, the virtual-real interleaving verification module automatically executes the corresponding attack steps strictly according to the behavioral sequence instructions and time intervals described in the attack hypothesis. For example, it first sends an HTTP request carrying an SQL injection payload to the web application URL in the simulated target environment, then executes system commands to create a reverse shell connection through the established database connection, and finally initiates a high-capacity network connection from the simulated database server to an external simulated address. The virtual-real interleaving verification module monitors the changes in system status, processes, logs, and network traffic in the simulated target environment throughout the process, recording them as the sandbox reproduction trajectory. See Table 1.

[0086] Table 1: Comparison of Sandbox Replicated Trajectory and Incremental Change Characteristics with Real Environment

[0087]

[0088] While reproducing the behavioral sequence in the sandbox, the virtual-real interleaving verification module continuously obtains real-time incremental updates of the behavioral semantic network in the real production environment from the behavioral semantic deconstruction engine. These incremental updates include all newly generated behavioral units and their relationships in the real environment during the reproduction process. For the attack hypothesis currently being reproduced, the virtual-real interleaving verification module establishes a time alignment window. The start time of the time alignment window is aligned with the time point when the first step of the operation is performed in the sandbox. The width of the time alignment window is dynamically determined by a formula:

[0089]

[0090] Where: symbol The symbol represents the width of the time-aligned window. It is a preset scaling factor, symbol arrive These represent the actual execution time of steps 1 to n recorded in the sandbox reproduction trajectory, with symbols... It is a preset fixed buffer time constant. The impact events of each operation in the sandbox reproduction trajectory are compared with the newly added or changed behavioral units in the real behavior semantic network within the time alignment window. The features compared include newly added system call sequences, abnormal port connection patterns, access traces of sensitive files, and the generation of specific log entries.

[0091] It is understandable that, in the example shown in Table 1, the virtual-real interleaving verification module compares the log characteristics generated in the "execute SQL injection payload" step in the sandbox with the newly added Web log access records in the real environment behavioral semantic network within the time alignment window; the two are highly similar. In some embodiments, for the "establish reverse shell connection" step in the sandbox, the virtual-real interleaving verification module did not find a corresponding network connection behavior unit within the time alignment window of the real environment. Optionally, for the "initiate data outbound transmission" step in the sandbox, the virtual-real interleaving verification module found a behavior unit in the real environment describing a database server initiating a high-volume connection, but the target address of the connection is an internal legitimate log analysis server rather than an external address, which constitutes a comparison difference that requires further analysis.

[0092] See Figure 4 This is a grouped bar chart comparing features from sandbox simulations and real-world environments in security attack identification. It displays the similarity of four categories of indicators—"Web Log Features," "Process Creation Features," "TCP Connection Features," and "Traffic Transmission Features"—between the sandbox simulation and the real-world environment. This serves as the basis for verifying attack hypotheses during the feature comparison phase. The slightly lower similarity in the real-world environment compared to the sandbox indicates that traffic transmission exists in the real-world environment, but may differ from the target / scenario simulated in the sandbox. This type of chart is a key tool in security attack identification, demonstrating the value of the "virtual-real interleaved verification" strategy. It visually illustrates the feature differences between the sandbox simulation and the real-world environment, aiding in the accurate determination of attack behavior.

[0093] In one embodiment of the present invention, the virtual-real interleaving verification module sets a similarity measurement rule to calculate the feature similarity between the impact events of the sandbox reproduction trajectory and the behavioral units that change in real time in the real environment. The specific logic for verifying the authenticity of the attack hypothesis is as follows: If, in the sandbox reproduction trajectory corresponding to a certain attack hypothesis, the impact events exceeding a preset similarity threshold are found to have highly similar behavioral unit changes within the time alignment window of the real environment, then the attack hypothesis is determined to have strong supporting evidence and high authenticity. If the impact events of the sandbox reproduction trajectory do not have corresponding changes in the real environment, or the similarity is lower than the threshold, but the path probability score of the attack hypothesis in the attack intent inference model is extremely high, then it is marked as a high-risk latent threat and needs to be transferred to the continuous monitoring process. If the impact events of the sandbox reproduction trajectory cannot be found to have any corresponding counterparts in the real environment, and the path probability score is also low, then the attack hypothesis is determined to be a false alarm or a low-quality hypothesis, and is downgraded or excluded. After outputting the verified attack behavior judgment results, the system performs a feedback learning step: attack hypotheses verified as highly realistic by the virtual-real interleaving verification module, along with their corresponding sequences of real-world environmental behavior changes, are used as positive sample knowledge fragments; attack hypotheses determined as false positives by the virtual-real interleaving verification module, along with their corresponding candidate behavior cluster sources, are used as negative sample knowledge fragments. The positive sample knowledge fragments are used to refine and supplement typical behavior patterns in the threat behavior pattern library, adding new behavior pattern variants or adjusting the matching weights of existing patterns. The negative sample knowledge fragments are used to optimize the semantic association binding logic in the behavior semantic deconstruction engine, adjusting the calculation parameters of the association weights.

[0094] In practical implementation, a specific example scenario continues from the comparison results shown in Table 1. The virtual-real interleaving verification module needs to evaluate each comparison item and make a final judgment based on the similarity measurement rules. For the comparison item "Execute SQL injection payload" in Table 1, the characteristics of the Web application logs recorded in the sandbox reproduction trajectory and the newly added Web log access records in the real environment show high similarity in parameter structure, timestamp distribution, and user agent string. The calculated feature similarity value exceeds the preset similarity threshold.

[0095] In some embodiments, if the impact events exceeding a similarity threshold in the sandbox reproduction trajectory corresponding to an attack hypothesis find highly similar behavioral unit changes within the time alignment window of the real environment, then the attack hypothesis is determined to have strong supporting evidence and high authenticity. For example, the strong match of the SQL injection logs mentioned above provides confirmation of the "initial access" phase of the attack hypothesis. In specific implementations, for the comparison items "establishing a reverse shell connection" and "initiating data transmission" in Table 1, calculations show that the impact events of the sandbox reproduction trajectory do not find corresponding network connections in the real environment or have a similarity lower than the threshold. The virtual-real interleaving verification module needs to make a comprehensive judgment by combining the path probability score in the attack intent inference model. If the path probability score of the attack hypothesis in the attack intent inference model is extremely high, then the virtual-real interleaving verification module marks it as a high-risk latent threat and transfers it to the continuous monitoring process. Optionally, for another attack hypothesis, if the impact events of its sandbox reproduction trajectory cannot be found in the real environment at all and its path probability score in the attack intent inference model is also low, then the virtual-real interleaving verification module determines that the attack hypothesis is a false alarm or a low-quality hypothesis and downgrades or excludes it.

[0096] It is understandable that after verifying and outputting the judgment result, the system performs a feedback learning step. Attack hypotheses verified as highly plausible by the virtual-real interleaving verification module, along with their corresponding sequences of real-world behavioral changes, are used as positive sample knowledge fragments. For example, the verified SQL injection attack path and its complete behavioral semantic network subgraph generated in the real environment are saved as positive sample knowledge fragments. Attack hypotheses judged as false positives by the virtual-real interleaving verification module, along with their corresponding candidate behavior cluster sources, are used as negative sample knowledge fragments. For example, a data leakage hypothesis that was misjudged due to confusion with a legitimate backup operation pattern, along with the candidate behavior cluster information that initially triggered the match, is saved as a negative sample knowledge fragment. Positive sample knowledge fragments are used to refine and supplement typical behavioral patterns in the threat behavior pattern library. Specific operations may include adding new behavioral pattern variants discovered by the positive sample or adjusting the matching weights of existing patterns using formulas.

[0097]

[0098] Where: symbol Indicates the updated pattern matching weight, symbol This represents the original pattern matching weight before the update, symbol [symbol]. It is a preset learning rate coefficient, with the symbol... The reward factor is calculated based on the verification confidence and attack severity level of positive sample knowledge fragments. Negative sample knowledge fragments are used to optimize the semantic association binding logic in the behavioral semantic deconstruction engine. For example, by analyzing the key behavioral unit combinations that lead to false positives in negative sample knowledge fragments, the time decay coefficient or data flow determination threshold in the association weight calculation parameters are adjusted in reverse to reduce the probability of generating similar false positive candidate behavioral clusters in the future.

[0099] See Figure 5 This is a grouped bar chart comparing multi-dimensional feature similarity scores in security attack identification. It displays the feature similarity scores of "SQL injection attacks" and "reverse shell attacks" across five dimensions: logs, processes, connections, traffic, and file access. This corresponds to the attack behavior matching analysis in the similarity measurement phase. It's used to pinpoint feature matching differences between different attack behaviors: high similarity in SQL injection strongly supports its determination, while low similarity in reverse shell attacks suggests a high-risk, potentially false positive scenario, serving as a core basis for verifying attack hypotheses. Such charts are key tools in security attack identification, demonstrating the value of multi-dimensional feature comparison strategies. They intuitively show the degree of matching between different attack behaviors in the real-world environment, aiding in the accurate assessment of attack risks.

[0100] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus.

[0101] Although embodiments of the invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.

Claims

1. A security attack identification method based on big data intelligent operation and maintenance, characterized in that, include: Behavior collectors deployed on computing nodes capture raw behavior sequences containing operation commands and communication sessions from the network and host devices, forming a panoramic view of system operation data; The system operation panoramic data is input into the behavior semantic deconstruction engine. Based on the preset asset topology relationship graph, the disordered and mixed behavior units in the system operation panoramic data are semantically associated and bound to form a behavior semantic network with logical association tags. Based on a preset threat behavior pattern library, which stores typical behavior patterns of known attack chains, candidate behavior clusters that are potentially related to typical behavior patterns are extracted from the behavioral semantic network. The candidate behavior clusters are imported into the attack intent inference model, which simulates the logical evolution path of a multi-stage attack. The discrete behavior units in the candidate behavior clusters are assembled for intent coherence and scored for path probability to generate a set of attack hypotheses. The set of attack hypotheses is submitted to the virtual-real interleaving verification module. The virtual-real interleaving verification module dynamically reproduces the behavioral sequence described by the set of attack hypotheses in an isolated sandbox environment and simultaneously compares it with the real-time changes of the behavioral semantic network in the real environment. By comparing the differences between the reproduced results and the real-time changes, the authenticity of the set of attack hypotheses is verified, and finally the verified attack behavior judgment result is output.

2. The security attack identification method based on big data intelligent operation and maintenance according to claim 1, characterized in that, The process of semantically associating and binding disordered and mixed behavioral units in the panoramic data of system operation includes: The behavioral semantic deconstruction engine performs in-depth protocol parsing and instruction reconstruction on the panoramic data of system operation, extracting each independent behavioral unit and its metadata. The behavioral semantic deconstruction engine calls the pre-built asset topology diagram to query the logical position and ownership relationship of the source target address, process identifier, and user identity involved in the behavioral unit in the asset topology diagram; Based on the logical location and attribution relationship found in the query, the behavioral semantic deconstruction engine calculates the association weights between different behavioral units in three dimensions: asset topology, temporal proximity, and data flow direction. Based on the calculated association weights, the behavioral semantic deconstruction engine dynamically clusters behavioral units that exceed the association weight threshold and assigns a semantic label to each cluster that reflects its potential business or attack logic, thereby generating a behavioral semantic network with logical association tags.

3. The security attack identification method based on big data intelligent operation and maintenance according to claim 2, characterized in that, The specific steps for extracting candidate behavior clusters that are potentially associated with typical behavior patterns from the behavioral semantic network are as follows: Each typical behavior pattern in the threat behavior pattern library is abstracted into a directed graph template consisting of key behavior nodes and the transition conditions between behavior nodes. The directed graph template of typical behavior patterns is matched with the behavior semantic network to find the behavior units in the behavior semantic network that are semantically consistent with the key behavior nodes in the directed graph template. When a group of behavioral units is found in the behavioral semantic network whose type, order and some attributes satisfy the matching conditions of a directed graph template of a typical behavioral pattern, the behavioral units and their context-related units in the behavioral semantic network are jointly marked as a candidate behavioral cluster. Record the typical behavior pattern number matched by each candidate behavior cluster and the confidence score of the match.

4. The security attack identification method based on big data intelligent operation and maintenance according to claim 3, characterized in that, The steps of performing intention coherence assembly and path probability scoring on discrete behavioral units in the candidate behavioral cluster include: The attack intent deduction model receives a cluster of candidate behaviors with matching information, and internally maintains a set of finite state automata that represent multi-stage attack logic. The model attempts to map each behavioral unit in the candidate behavioral cluster to a specific state of a finite state automaton set, and tries to find a reasonable state transition path that can connect the states of multiple behavioral units. For each possible state transition path, the attack intent inference model calculates the rationality score of the state transition path based on the timestamp interval of the behavioral unit, the implicit state of whether the operation is successful or not, and whether it conforms to the common order of attack tactics. Paths with a reasonableness score exceeding the path threshold are selected from all possible paths. The path, along with its associated behavioral units and the derived attacker intent stage, are encapsulated into an attack hypothesis. All generated attack hypotheses constitute an attack hypothesis set.

5. A security attack identification method based on big data intelligent operation and maintenance according to claim 4, characterized in that, The process by which the virtual-real interleaving verification module dynamically reproduces the behavioral sequence described by the attack hypothesis set in an isolated sandbox environment includes: The virtual-real interleaving verification module analyzes each attack hypothesis in the attack hypothesis set and extracts the software environment configuration, initial access point, and planned sequence of behavioral instructions on which the attack hypothesis depends. Based on the extracted software environment configuration, a simulated target environment highly similar to the real victim environment is quickly constructed in a completely isolated sandbox network; In the simulated target environment, the corresponding attack steps are automatically executed in strict accordance with the behavioral sequence instructions and time intervals described in the attack hypothesis. The changes in system status, processes, logs and network traffic in the simulated target environment are monitored throughout the process and recorded as sandbox reproduction trajectory.

6. A security attack identification method based on big data intelligent operation and maintenance according to claim 5, characterized in that, The process of synchronously comparing the real-time changes of the behavioral semantic network in the real environment includes: While reproducing the behavior sequence in the sandbox, the virtual-real interweaving verification module continuously obtains real-time incremental updates of the behavior semantic network in the real production environment from the behavior semantic deconstruction engine; For the attack hypothesis that is currently being reproduced, the virtual-real interweaving verification module establishes a time alignment window, and compares the impact events of each operation in the sandbox reproduction trajectory with the newly added or changed behavioral units in the real behavior semantic network within the time alignment window. The features to be compared include, but are not limited to: new system call sequences, abnormal port connection patterns, access traces of sensitive files, and the generation of specific log entries.

7. A security attack identification method based on big data intelligent operation and maintenance according to claim 6, characterized in that, The specific logic for verifying the authenticity of the attack hypothesis set by comparing the reproduced results with the real-time changes is as follows: The virtual-real interweaving verification module sets a similarity measurement rule to calculate the feature similarity between the impact events of the sandbox reproduced trajectory and the behavioral units that change in real time in the real environment; If the sandbox reproduction trajectory corresponding to a certain attack hypothesis has an impact event that exceeds the similarity threshold, and finds highly similar behavioral unit changes within the time alignment window of the real environment, then the attack hypothesis is determined to have strong supporting evidence and high authenticity. If the impact events of the sandbox-reproduced trajectory do not show corresponding changes in the real environment, or the similarity is below the threshold, but the attack hypothesis has an extremely high path probability score in the attack intent deduction model, then it is marked as a high-risk latent threat and needs to be continuously monitored. If the events affecting the sandbox-reproduced trajectory cannot be found in the real environment and the path probability score is low, then the attack hypothesis is determined to be a false alarm or a low-quality hypothesis, and is downgraded or excluded.

8. A security attack identification method based on big data intelligent operation and maintenance according to claim 7, characterized in that, After outputting the verified attack behavior determination results, the process also includes a step of feedback learning on the behavioral semantic network and the threat behavior pattern library: Attack hypotheses verified as highly realistic by the virtual-real interweaving verification module, along with their corresponding sequences of real-world environmental behavior changes, are taken as positive sample knowledge fragments. The attack hypotheses and their corresponding candidate behavior clusters that are determined to be false alarms by the virtual-real interleaving verification module are used as negative sample knowledge fragments. Positive sample knowledge fragments are used to refine and supplement typical behavior patterns in the threat behavior pattern library, adding new behavior pattern variants or adjusting the matching weights of existing patterns. The semantic association binding logic in the behavioral semantic deconstruction engine is optimized by using negative sample knowledge fragments and adjusting the calculation parameters of association weights to reduce the probability of generating similar false positive candidate behavior clusters in the future.

9. A security attack identification method based on big data intelligent operation and maintenance according to claim 2, characterized in that, The specific method by which the behavioral semantic deconstruction engine calculates the association weights between different behavioral units is as follows: For the asset topology dimension, if two behavioral units involve the same asset or directly connected assets, then a higher basic weight is assigned to the asset topology dimension. For the temporal proximity dimension, the absolute difference between the timestamps of two behavioral units is calculated, and the absolute difference is converted into a weighting coefficient through a preset time decay function. The shorter the time interval, the higher the weighting coefficient. For the data flow direction dimension, check whether the output data flow of the previous action unit can be used as the input of the next action unit. If there is an explicit or implicit data flow relationship, then assign a positive weight to the data flow direction dimension. The weights calculated in the three dimensions are weighted and synthesized according to a preset fusion strategy to obtain the comprehensive correlation weight between behavioral units.

10. A security attack identification method based on big data intelligent operation and maintenance according to claim 4, characterized in that, The mechanism for constructing and updating the finite state automata set in the attack intent deduction model is as follows: The finite state automata set was initially built based on the publicly available ATT&CK framework and a knowledge base of historical attack and defense cases. Each automata represents a specific attack tactic or technical implementation path. Whenever the virtual-real interweaving verification module confirms a new, highly realistic multi-stage attack instance, it analyzes the complete behavioral path and state transition relationship of the multi-stage attack instance. If the existing set of finite state automata can cover multi-stage attack instances, then adjust the conditional probabilities of state transitions in the corresponding automata according to the multi-stage attack instances. If a multi-stage attack instance exhibits a new behavioral path or state that is not covered by existing automata, a new finite state automaton is created or learned for the attack intent inference model and added to the finite state automaton set.