A knowledge graph driven bayesian network security risk quantification reasoning method and system
By employing a knowledge graph-driven Bayesian method for quantifying cybersecurity risks, this approach addresses the challenges of characterizing causal dependencies and the inadequacy of multi-source data fusion in cybersecurity. It achieves objectivity and interpretability in risk assessment and provides structured risk quantification reasoning results.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- XIDIAN UNIV
- Filing Date
- 2026-04-03
- Publication Date
- 2026-07-14
AI Technical Summary
Existing cybersecurity risk quantification technologies are insufficient to characterize the causal dependencies between threats, vulnerabilities, and risk events. They lack multi-source data fusion, lack support for correlation analysis of unstructured knowledge, and their probabilistic reasoning is highly subjective, relying on expert experience and resulting in distorted results.
We employ a knowledge graph-driven Bayesian method for quantifying cybersecurity risks. By collecting multi-source cybersecurity data, we construct a cybersecurity knowledge graph, extract risk propagation subgraphs, and transform them into a reasonable Bayesian network. This generates reasonable probability parameters and enables real-time access to standardized multi-source data for risk quantification and reasoning.
It achieves unified semantic modeling and information extraction of multi-source security data, reduces the subjectivity of traditional Bayesian risk models, provides a structured and scalable data and knowledge base, and makes risk assessment results closer to real attack scenarios.
Smart Images

Figure CN122394846A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of network security technology and relates to a knowledge graph-driven Bayesian network security risk quantification reasoning method and system. Background Technology
[0002] Existing cybersecurity risk quantification technologies typically rely on vulnerability scoring systems, expert scoring methods, or simple risk matrix probability models. For example, a general vulnerability scoring system can be introduced to quantify the severity of a vulnerability, and factors such as asset importance and the frequency of threat occurrence can be combined to weight or classify risks. However, these methods often employ linear superposition or rule-driven approaches, making it difficult to characterize the causal dependencies between threats, vulnerabilities, and risk events. Furthermore, they have limited ability to handle uncertainties and missing information, resulting in assessments that are often highly subjective and static.
[0003] As the scale of security data grows, some research and systems have begun to incorporate knowledge graph technology to organize and associate security elements such as vulnerabilities, assets, attack behaviors, and protective measures in a graph structure, thereby enhancing the integration capabilities of multi-source security information. By constructing a cybersecurity knowledge graph, the exploitation relationships between threats and vulnerabilities, as well as their impact on assets and data, can be expressed at the semantic level, supporting correlation analysis and path lookup. However, existing knowledge graph technologies for security risk assessment focus on risk knowledge representation and relationship links, making it difficult to output statistically significant risk assessment results. Bayesian networks, as a probabilistic graphical model, can effectively describe the conditional dependencies between random variables and perform probabilistic inference in the presence of uncertainty and limited observational information. Leveraging their probabilistic inference capabilities, they have been applied in fields such as fault diagnosis, reliability analysis, and risk assessment. However, existing schemes using Bayesian networks for risk quantification still suffer from insufficient data support, strong subjective dependence, and poor dynamic adaptability. In cybersecurity scenarios, the structure and parameter settings of Bayesian models often rely on manual modeling, making it difficult to adapt to complex and dynamically changing security environments and to integrate with threat intelligence in real-world scenarios.
[0004] Existing network security technologies mainly suffer from the following problems: (1) Most risk quantification methods are static or linear models, which are difficult to express uncertainty and conditional dependence. Existing risk quantification methods use weighted scoring, risk matrices or rule judgment methods, which are usually based on fixed weights or expert experience to assess risk, making it difficult to describe the chain propagation effect between assets, threats, vulnerabilities and risks.
[0005] (2) Insufficient integration of multi-source data and lack of correlation analysis to support quantitative reasoning for unstructured knowledge. Network security data is characterized by multiple sources and heterogeneity, but existing technologies have failed to fully explore the value of the data. For example, semi-structured data such as CVE, CWE, CVSS, and CPE are only stored in a structured manner using knowledge graph technology, and isolated security knowledge is obtained through graph information retrieval, lacking the ability to explore the correlation of potential risks.
[0006] (3) Probabilistic reasoning is highly subjective and lacks a parameter calibration mechanism specific to security scenarios. Traditional Bayesian reasoning relies heavily on expert subjective scoring for prior probability and conditional probability tables, which can easily lead to distorted reasoning results due to expert experience bias. Summary of the Invention
[0007] This invention aims to address the technical problems of risk uncertainty characterization, insufficient multi-source data fusion, and strong subjectivity in probabilistic reasoning in cybersecurity environments. This invention provides a knowledge graph-driven Bayesian method for quantifying and reasoning about cybersecurity risks. The technical solution adopted is as follows: A knowledge graph-driven Bayesian method for quantifying cybersecurity risks, comprising the following steps: S1. Collect multi-source network security data and standardize the processing to obtain standardized multi-source data; S2. Construct a cybersecurity knowledge graph using the standardized multi-source data, and extract the risk propagation subgraph from the cybersecurity knowledge graph; S3. Transform the semantic relationships in the risk propagation subgraph into a reasonable Bayesian network through network structure mapping, and generate reasonable probability parameters. S4. Using the probability parameters as the core, access the standardized multi-source data in real time, and obtain the risk quantification inference result by calculating and aggregating the posterior probability based on the Bayesian network.
[0008] In one embodiment of the present invention, step S2 includes: S21: Define node types and propagation relationships through network security ontology modeling, and clarify causal propagation links; S22: Extract and fuse knowledge from the standardized multi-source data to generate "node-relationship-attribute" knowledge triples, and construct a network security knowledge graph containing the node type and the propagation relationship; S23: Extract the risk propagation subgraph from the cybersecurity knowledge graph based on the key elements of risk assessment, the causal logic of risk propagation, and the probability requirements of inference.
[0009] In one embodiment of the present invention, in step S21, the node type includes: Asset: Asset nodes are used to represent the objects being evaluated, including hosts, systems, services, containers, or business systems. They are the carriers of risk propagation and the objects ultimately affected. Product: Product node, used to represent publicly disclosed security vulnerabilities and characterize potential security flaws in the system; Vulnerability: A vulnerability node used to represent publicly disclosed security vulnerabilities and characterize potential security flaws in a system; Weakness: A vulnerability node used to represent the general defect type corresponding to a vulnerability, supporting the classification and abstract modeling of different vulnerabilities; ThreatTechnique: A threat technology node that represents the attack techniques or methods that an attacker can employ, serving as an initial element for risk propagation. Control: Security measures node, used to represent security protection measures, which act as inhibitors in the risk propagation process; the security protection measures include: access control, patches, firewalls, and auditing; Evidence: Evidence node, used to represent evidence data, providing observational basis for risk reasoning; the evidence data includes security alerts, log events, and threat intelligence; Risk: Risk event node, used to represent a risk event resulting from a threat successfully exploiting a vulnerability in an asset.
[0010] In one embodiment of the present invention, in step S21, the propagation relationship includes: Asset–runs->Product: “runs” indicates that the asset runs specific software or components, which is used to establish the basis for the association between the asset and the vulnerability; Product–has_vuln->Vulnerability: “has_vuln” indicates that a software or component version contains a specific vulnerability, reflecting the scope of the vulnerability’s impact. Vulnerability-mapped_to->Weakness: "mapped_to" represents the mapping relationship between a vulnerability and its corresponding general defect type, which is used to support the abstraction and classification analysis of vulnerabilities; ThreatTechnique-exploits->Weakness / Vulnerability: "exploits" indicates that the attack technique can exploit a certain type of defect or specific vulnerability, which is a key exploitation relationship in the risk propagation chain; Control -mitigates->Vulnerability: "mitigates" refers to the effect of security control measures on suppressing or mitigating vulnerability exploitation behavior, and is used for subsequent risk probability modulation; Evidence -observes->ThreatTechnique: "observes" refers to the observational or indicative relationship between evidence and threat behavior, used to map security events into observed inputs for risk reasoning; Vulnerability -cause->Risk: "cause" indicates that the vulnerability was successfully exploited, leading to a risk event.
[0011] In one embodiment of the present invention, step S22 includes: S221. Perform basic extraction under ontology constraints on structured data, use a rule engine to extract structured relational knowledge from semi-structured data, and use a large language model to perform complex semantic extraction on unstructured text to generate knowledge triples. S222. Introduce a confidence filtering mechanism to filter out low-quality knowledge triples with confidence scores below the threshold, and obtain high-quality knowledge triples. S223. Using a node linking and semantic disambiguation algorithm, the similarity of node attributes is calculated, and the ranked candidate nodes are returned. The highest-scoring candidate node is taken as the final linking result. Duplicate nodes in heterogeneous data are merged into unified identifier nodes to obtain high-quality knowledge triples after fusion. S224. Import the fused high-quality knowledge triples into the database for storage, and construct a network security knowledge graph that includes the node type and the propagation relationship.
[0012] In one embodiment of the present invention, step S23 includes: S231, limiting the six core node types to ThreatTechnique, Vulnerability, Asset, Risk, Control, and Evidence, retaining the seven propagation relationships that support the causal logic of risk propagation: exploits, has_vuln, runs, misigates, observes, mapped_to, and cause, and extracting the quantitative features of nodes and propagation relationships; S232. Based on the quantization features, a bidirectional breadth-first search algorithm is adopted. Forward traversal: starting from the ThreatTechnique node, traversing the Vulnerability nodes associated with exploits, and then traversing the Asset nodes associated with Vulnerability through has_vuln; Reverse traversal: starting from the Asset node, traversing the Vulnerability nodes associated with has_vuln, and then traversing the ThreatTechnique nodes associated with Vulnerability by exploits. S233. Automatically incorporate the Risk, Control, and Evidence nodes encountered during the traversal into the risk propagation subgraph; S234. Perform structural verification on the risk propagation subgraph, and check whether the risk propagation subgraph satisfies the complete causal chain of "ThreatTechnique→Vulnerability→Asset→Risk". If there is a broken link, supplement the associated nodes.
[0013] In one embodiment of the present invention, step S3 includes: S31. Based on the nodes and propagation relationship structure in the risk propagation subgraph, generate a Bayesian network that is logically consistent with the risk propagation subgraph. The Bayesian network includes a threat layer, a vulnerability layer, and a risk layer. The threat layer corresponds to the ThreatTechnique node in the risk propagation subgraph, the vulnerability layer corresponds to the Vulnerability node in the risk propagation subgraph, and the risk layer corresponds to the Risk node in the risk propagation subgraph. S32. Based on the quantitative attribute features of the risk propagation subgraph, generate the probability parameters of the Bayesian network, and improve the objectivity of the quantitative data through historical data calibration.
[0014] In one embodiment of the present invention, step S32 includes: S321. Based on the activity frequency characteristics of ThreatTechnique and the credibility of threat intelligence in the risk propagation subgraph, the prior probability of the threat node is calculated using a weighted summation and normalization algorithm. The calculated prior probability of the threat node is expressed as: (1) In formula (1), This represents the prior probability of a threat node. Normalize is a Min-Max normalization function with an output range of [0,1]. Indicates the frequency of activity of threatening technologies. Indicates the credibility of threat intelligence; S322. Using the feature mapping mechanism of the general vulnerability scoring system, the CVSS exploitability index of Vulnerability in the risk propagation subgraph is transformed into a vulnerability exploitability benchmark value. This benchmark value is then linearly weighted by combining the exposure surface variable and the control variable, and mapped to a probability value using the Sigmoid function. The conditional probability of the vulnerable node is calculated, and the conditional probability of the vulnerable node is expressed as follows: (2) In formula (2), This represents the conditional probability of a vulnerable node. , , The sigmoid coefficient represents the relative weight of vulnerability exploitability, asset exposure level, and security measures on the probability of successful exploitation. The sigmoid function ensures the output probability is in the range [0,1]. Indicates the threat layer. Indicates the vulnerability layer. Represents the control measures variable. Represents the exposure surface variable. This represents a baseline value for vulnerability exploitability; S323. Combining the probability of a risk event's occurrence with its impact on assets, and based on the Asset's importance level, business impact, and Vulnerability utilization probability in the risk propagation subgraph, weights are determined using the analytic hierarchy process (AHP) to calculate the conditional probability of risk nodes. The conditional probability of risk nodes is expressed as follows: (3) In formula (3), This represents the conditional probability of a risk node. , and The weighting coefficients represent the contribution weights of asset importance, business impact, and vulnerability exploitation probability to the occurrence of risk, respectively. The weights are determined through scoring and consistency checks. Indicates the vulnerability layer. Indicates the risk layer. Indicates the level of importance. Indicates the degree of business impact. This represents the conditional probability of a vulnerable node.
[0015] In one embodiment of the present invention, step S4 includes: The posterior probability is calculated as follows: (4) In formula (4), Let be the posterior risk probability, representing the probability of a safety risk event R occurring given the observed evidence O. The likelihood probability represents the probability of observing evidence O given that the risk event R has occurred, reflecting the degree of correlation between the evidence and the risk event. The prior risk probability represents the initial probability of the risk event R occurring before any observational evidence is obtained. The marginal probability of evidence represents the global probability of observing the current evidence O in the entire network environment. It is used to normalize the results and ensure that the posterior probability falls within the interval [0,1]. A weighted summation algorithm is used to aggregate the posterior probabilities of multiple risk events to obtain the total cybersecurity risk, which is expressed as: (5) In formula (5), Risk event Influence weight, Indicates a risk event The posterior probability, This represents the total cybersecurity risk, with an output range of [0,10], corresponding to three risk levels: high (7,10], medium (3,7], and low [0,3]. Based on the Bayesian network, the top-n propagation paths that contribute the most to risk level mapping and risk propagation path are output using the maximum a posteriori probability path algorithm, thus obtaining the risk quantification inference result.
[0016] A knowledge graph-driven Bayesian network security risk quantification inference system, comprising: Multi-source data standardization module: used to collect multi-source network security data and standardize it to obtain standardized multi-source data; Cybersecurity knowledge graph construction module: used to construct a cybersecurity knowledge graph using the standardized multi-source data, and extract risk propagation subgraphs from the cybersecurity knowledge graph; Bayesian network building module: used to transform the semantic relationships in the risk propagation subgraph into a reasonable Bayesian network through network structure mapping, and generate reasonable probability parameters; Risk quantification reasoning module: It is used to obtain risk quantification reasoning results by calculating and aggregating posterior probabilities based on the probability parameters, with the standardized multi-source data in real time and the Bayesian network.
[0017] The beneficial effects of this invention are: The Bayesian network security risk quantification reasoning method and system of this invention performs unified semantic modeling and information extraction on multiple types of security elements, establishes risk element node types and propagation relationships, systematically expresses the risk formation and propagation path, and constructs a network security knowledge graph. This effectively solves the problems of semantic fragmentation and implicit relationships in multi-source security data, providing a structured and scalable data and knowledge foundation for risk quantification reasoning. By combining the network security knowledge graph with Bayesian networks, the influence of subjectivity in the structure construction and probability setting of traditional Bayesian risk models on the risk quantification results is reduced. Threats, vulnerabilities, and risk events are mapped to nodes in the Bayesian network, and corresponding directed edge structures are constructed based on risk propagation relationships to form a Bayesian network that can be used for probabilistic reasoning. This effectively solves the problem of inconsistency between severity and actual risk caused by relying solely on vulnerability severity scores for risk assessment, making the risk assessment results closer to real attack scenarios. Attached Figure Description
[0018] Figure 1 This is a flowchart of the knowledge graph-driven Bayesian network security risk quantification reasoning method provided in this embodiment of the invention; Figure 2 This is a schematic diagram of the structure of the knowledge graph-driven Bayesian network security risk quantification reasoning system provided in the embodiments of the present invention. Detailed Implementation
[0019] The present invention will now be described in detail with reference to the accompanying drawings and specific embodiments.
[0020] This invention provides a knowledge graph-driven Bayesian method for quantifying and reasoning about cybersecurity risks, as detailed in the appendix. Figure 1 This includes the following steps: S1. Collect multi-source network security data and standardize the processing to obtain standardized multi-source data; S2. Construct a cybersecurity knowledge graph using standardized multi-source data, and extract the risk propagation subgraph from the cybersecurity knowledge graph; S3. Transform the semantic relationships in the risk propagation subgraph into a reasonable Bayesian network through network structure mapping, and generate reasonable probability parameters. S4. Taking probability parameters as the core, it accesses standardized multi-source data in real time, and obtains risk quantification inference results by calculating and aggregating posterior probabilities based on Bayesian networks.
[0021] This invention uses standardized multi-source data as input, and takes a network security knowledge graph fused with a Bayesian network as its core technical architecture. It combines the calculation and aggregation of posterior probabilities to output risk quantification inference results, thereby realizing quantitative assessment and interpretable inference of network security risks, and providing strong technical support for compliance auditing and security governance.
[0022] Specifically, step S1 of this invention is used to acquire the basic factual and evidentiary data required for constructing a network security knowledge graph and a Bayesian network, and process it into standardized data to solve the problems of inconsistent formats, inconsistent naming, and isolated available data among multi-source heterogeneous data. The collected data is not only used to describe the objective state of the network environment, but also to support the modeling of risk propagation relationships, the initialization of probability parameters, and the observation input in the risk reasoning process. It is the foundation for this invention to realize risk quantification and dynamic reasoning.
[0023] For the target assessment object, five types of core data are collected to meet the needs of risk quantification assessment: asset data, vulnerability and weakness data, threat and attack knowledge data, security incident alerts and log evidence data, and security control and policy data.
[0024] The specific data collection methods are as follows: For asset data, common asset scanning tools such as Scope Sentry, Goby, and Nmap are used to probe the target network for ports and assets, completing the asset data collection. For vulnerability and weakness data, vulnerability scanning tools such as Nessus, Nexpose, and OpenVAS are used to perform a full vulnerability scan of the target assets, collecting data related to asset-related vulnerabilities and CVSS scores. Simultaneously, basic vulnerability and weakness data associated with the CVEs and Common Weakness Enumerations (CWEs) scanned in the previous step are obtained in batches from publicly available Common Vulnerabilities and Exposures (CVE) databases and National Vulnerability Databases (NVD) using techniques such as web scraping. For threat and attack knowledge data, the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework and Common Attack Pattern Enumeration and Classification (CETEC) are used (e.g., using Python parsing scripts). In the Classification (CAPEC) database, standardized attack techniques and vulnerability exploitation-related threat and attack knowledge data associated with the previous CVE and CWE are collected. Regarding security incident alerts and log evidence data, log collection tools such as Fluentd, Logstash, and Filebeat are used to collect system logs and application logs from network devices, servers, and terminal hosts. Alarm events and suspicious behavior data are collected from the intrusion detection and endpoint detection response systems of the assessed objects. The collected multi-source logs are aggregated to achieve raw data collection and analysis of security incident alerts and attack log evidence. Regarding security control and policy data, automated or manual information collection is performed on the security defense technologies and measures of the target assessed objects. This includes collecting network isolation configuration information from firewalls and obtaining security control and policy data related to user access control, authentication policies, and encryption configurations through identity authentication platforms and encryption management systems.
[0025] After completing the collection of five types of data, the collected data undergoes standardization processing: First, a unified identifier mapping technique is used to perform cross-source alignment of asset IDs, product version numbers, attack method IDs, CVE / CWE codes, and CVSS features, eliminating semantic ambiguity and ensuring that the same node from different data sources can be accurately associated by the knowledge graph layer. Then, based on log parsing algorithms such as Drain or regular expression rule bases, unstructured or semi-structured log alert texts are preprocessed, transforming logs of different formats into a unified set of structured fields. Based on a weighted mechanism of alert source authority and rule matching confidence, an evidence credibility weight function is constructed by scoring the historical statistics of false alarm rates or rule hit levels of different security devices, generating corresponding credibility weight parameters for alerts, thereby transforming alert information into observational evidence that can participate in probabilistic reasoning. Simultaneously, time window aggregation is used to uniformly convert the timestamps in the alert logs. The processed alert logs are encapsulated into evidence objects containing standardized semantic identifiers, credibility weight parameters, and time attribute information, serving as input data for knowledge graph node extraction. Finally, based on regular expressions and a rule engine, key features such as attack vector (AV), attack complexity (AC), and permission requirements (PR) in the quantitative dimensions of the Common Vulnerability Scoring System (CVSS) are automatically parsed and transformed into numerical features, providing quantitative input for subsequent probabilistic modeling of vulnerable nodes.
[0026] Step S2 of this invention is the specific construction process of the network security knowledge graph. The processed standardized multi-source data is used as input. On the one hand, the node type and propagation relationship are defined through network security ontology modeling, and a top-level conceptual model is designed for the information extraction task. On the other hand, the instruction prompt guides the Large Language Model (LLM) to execute the information extraction task. The semi-structured and unstructured data are transformed into structured knowledge triples and then knowledge fusion is performed to construct the network security knowledge graph. Finally, the risk propagation subgraph is extracted as the output of this module, providing a causal structure basis for the Bayesian network modeling in the next step.
[0027] Specifically, the steps include the following: S21: Define node types and propagation relationships through network security ontology modeling, and clarify causal propagation links; S22: Extract and fuse knowledge from standardized multi-source data to generate "node-relationship-attribute" knowledge triples, and construct a network security knowledge graph that includes node types and propagation relationships; S23: Extract the risk propagation subgraph from the cybersecurity knowledge graph based on the key elements of risk assessment, the causal logic of risk propagation, and the probability requirements of inference.
[0028] An ontology is the top-level conceptual model for constructing a knowledge graph. This invention, targeting the scenario of quantitative assessment of cybersecurity risks, integrates multiple data sources and designs an ontology model that reflects the risk propagation chain, defining a unified semantic framework for information extraction and knowledge fusion. Subsequent cybersecurity knowledge graphs will extract and construct information based on the defined node types and propagation relationships.
[0029] First, eight categories of core nodes are designed, and the descriptions of each type of node are as follows: Asset: Asset nodes are used to represent the objects being evaluated, including hosts, systems, services, containers, or business systems. They are the carriers of risk propagation and the objects ultimately affected. Product: Product node, used to represent publicly disclosed security vulnerabilities and characterize potential security flaws in the system; Vulnerability: A vulnerability node used to represent publicly disclosed security vulnerabilities and characterize potential security flaws in a system; Weakness: A vulnerability node used to represent the general defect type corresponding to a vulnerability, supporting the classification and abstract modeling of different vulnerabilities; ThreatTechnique: A threat technology node that represents the attack techniques or methods that an attacker can employ, serving as an initial element for risk propagation. Control: Security measures node, used to represent security protection measures such as access control, patches, firewalls, and auditing, which serve as inhibitors in the risk propagation process; Evidence: Evidence nodes are used to represent evidence data such as security alerts, log events, or threat intelligence, providing observational basis for risk reasoning; Risk: Risk event node, used to represent a risk event resulting from a threat successfully exploiting a vulnerability in an asset.
[0030] Then, to express the propagation relationships between cybersecurity risk elements, seven types of propagation relationships are designed, as described below: Asset–runs->Product: “runs” indicates that the asset runs specific software or components, which is used to establish the basis for the association between the asset and the vulnerability; Product–has_vuln->Vulnerability: “has_vuln” indicates that a software or component version contains a specific vulnerability, reflecting the scope of the vulnerability’s impact. Vulnerability-mapped_to->Weakness: "mapped_to" represents the mapping relationship between a vulnerability and its corresponding general defect type, which is used to support the abstraction and classification analysis of vulnerabilities; ThreatTechnique-exploits->Weakness / Vulnerability: "exploits" indicates that the attack technique can exploit a certain type of defect or specific vulnerability, which is a key exploitation relationship in the risk propagation chain; Control -mitigates->Vulnerability: "mitigates" refers to the effect of security control measures on suppressing or mitigating vulnerability exploitation behavior, and is used for subsequent risk probability modulation; Evidence -observes->ThreatTechnique: "observes" refers to the observational or indicative relationship between evidence and threat behavior, used to map security events into observed inputs for risk reasoning; Vulnerability -cause->Risk: "cause" indicates that the vulnerability was successfully exploited, leading to a risk event.
[0031] This invention uses OWL (Web Ontology Language) for formal ontology description and defines node attribute constraints through RDFS (Resource Description Framework Schema). This ontology framework clarifies the causal propagation chain of "threat—vulnerability—asset—control measures—evidence", providing a unified semantic standard for the next step of cross-source data fusion.
[0032] This invention achieves a unified semantic fusion and structured expression of multi-source cybersecurity risk knowledge. By constructing a cybersecurity knowledge graph, it unifies and organizes multi-source data such as assets, vulnerabilities, threats, security control measures, and security evidence to form structured, interconnected knowledge that systematically reflects the mechanisms of risk formation and propagation. It unifies information previously scattered across vulnerability databases, asset ledgers, alert platforms, log systems, and policy systems, explicitly expressing the relationships and propagation chains between risk elements. This provides a queryable and scalable knowledge foundation for risk analysis, avoiding the problems of information silos and semantic fragmentation.
[0033] Knowledge extraction and fusion are performed on the five categories of data after standardization in step S1 to generate "node-relationship-attribute" knowledge triples, supporting the subsequent generation of a cybersecurity knowledge graph. The core processing flow is as follows: S221. Perform basic extraction under ontology constraints on structured data, use a rule engine to extract structured relational knowledge from semi-structured data, and use a large language model to perform complex semantic extraction on unstructured text to generate knowledge triples. Specifically, basic extraction under ontology constraints is performed on structured data: Based on rule engines and regular expressions, structured relational knowledge (such as cve_id of Vulnerability and asset_id of has_vuln relational association) is extracted from semi-structured data such as CVE, CWE, and CVSS, generating triples (Subject-Predicate-Object). On the other hand, LLM is used to extract complex semantics from unstructured text: For unstructured text, the three major LLaMA language models are adopted, combined with few-shot prompting, to construct input instruction prompt templates from a small number of cybersecurity domain labeled sample data for fine-tuning, deeply analyze unstructured text, identify nodes such as Intrusion Indicators (IOC) and attack paths, map them to node types such as ThreatTechnique, Vulnerability, and Risk, and record the evidence source, timestamp, and credibility score to make up for the shortcomings of rule engines in extracting complex semantics.
[0034] S222. Introduce a confidence filtering mechanism to filter out low-quality knowledge triples with confidence levels below a threshold, thereby obtaining high-quality knowledge triples. Specifically, assign a fixed confidence level (e.g., 0.9) to triples extracted by the rule engine, and assign a dynamic confidence level (e.g., 0.7~0.95) to triples extracted by the LLM based on the output probability, filtering out low-quality triples with confidence levels below a threshold (e.g., 0.6).
[0035] S223. A node linking and semantic disambiguation algorithm is used to calculate node attribute similarity, return the top-n candidate nodes after sorting, and take the highest score as the final linking result. Duplicate nodes in heterogeneous data are merged into unified identifier nodes to obtain high-quality knowledge triples after fusion, avoiding redundant modeling. This embodiment uses Jaccard similarity to calculate node attribute similarity, but cosine similarity and Levenshtein distance can also be used to calculate node similarity.
[0036] S224. Import the fused high-quality knowledge triples into the graph database for storage, and construct a network security knowledge graph containing eight node types and seven propagation relationships.
[0037] The risk propagation subgraph is a directed, interconnected substructure extracted from the global cybersecurity knowledge graph based on key risk assessment elements, causal logic of risk propagation, and probabilistic reasoning requirements. It depicts the propagation path of threats exploiting system vulnerabilities to impact assets and trigger security risks, supporting Bayesian network probabilistic modeling. This embodiment uses Neo4j to store the graph. Neo4j supports Cypher for node relationship queries and risk path traversal. After generating the global cybersecurity knowledge graph, subgraphs directly related to risk propagation are extracted as input for Bayesian network modeling. Other graph databases, such as ArangoDB and JanusGraph, can also be used.
[0038] The specific method for extracting the risk propagation subgraph can be described as follows: S231 limits the core node types to six categories: ThreatTechnique, Vulnerability, Asset, Risk, Control, and Evidence. It retains seven core propagation relationships that support the causal logic of risk propagation: exploits, has_vuln, runs, misigates, observes, mapped_to, and cause. It extracts quantitative features of nodes and propagation relationships (such as the CVSS availability score of Vulnerability, the effectiveness coefficient of Control, and the confidence level of Evidence) to provide direct input for the initialization of Bayesian network parameters.
[0039] S232. Based on quantified features, this embodiment employs a bidirectional breadth-first search (BFS) algorithm. First, a forward traversal is performed: starting from the ThreatTechnique node, traversing the Vulnerability nodes associated with exploits, and then traversing the Asset nodes associated with Vulnerability through has_vuln; then, a reverse traversal is performed: starting from the Asset node, traversing the Vulnerability nodes associated with has_vuln, and then traversing the ThreatTechnique nodes associated with Vulnerability by exploits. Alternatively, depth-first search (DFS) or community detection algorithms such as the GN algorithm can be used to filter nodes and relationships directly related to risk propagation and generate a risk propagation subgraph.
[0040] S233. Automatically incorporate the Risk (which has a cause relationship with Vulnerability), Control (which has a mitigates relationship with Vulnerability), and Evidence (which has an observes relationship with ThreatTechnique) nodes encountered during the traversal into the risk propagation subgraph.
[0041] S234. Perform structural verification on the risk propagation subgraph and check whether the risk propagation subgraph satisfies the complete causal chain of "ThreatTechnique→Vulnerability→Asset→Risk". If there is a broken link (such as a Vulnerability having no associated ThreatTechnique), then supplement the associated node (query the threat technology node corresponding to the Vulnerability from the complete graph).
[0042] This invention explicitly represents the "threat-vulnerability-risk event" propagation path within assets in a cybersecurity knowledge graph, and binds evidence to key nodes in the path. Risk assessment results can output corresponding key propagation paths and supporting evidence, answering questions such as "why the risk increased and what factors caused it," which is beneficial for forming an evidence chain for compliance audits, improving the credibility of risk conclusions, and supporting the tracking and verification of the effectiveness of remedial measures.
[0043] Taking the risk propagation subgraph output from the network security knowledge graph construction layer as input, the semantic relationships in the risk propagation subgraph are transformed into a reasonable Bayesian network through network structure mapping, generating reasonable probability parameters, so that the formation and propagation relationship of network security risks has clear probabilistic semantics, realizing the quantification of uncertain risks. The process includes two steps: network structure mapping and parameter generation, and finally outputs a complete Bayesian network.
[0044] This invention uses "threat layer (T) - vulnerability layer (V) - risk layer (R)" as the core quantitative assessment elements, and combines a hierarchical Bayesian risk graph model with parameters adjusted by three types of modulation variables in a Bayesian network. Through weighted normalization, CVSS feature mapping and parameter generation algorithms, probability parameters are generated to achieve quantitative analysis of uncertainty risk.
[0045] S31. Based on the node and relationship structure in the risk propagation subgraph, generate a Bayesian network that is logically consistent with the risk propagation subgraph. The Bayesian network includes a threat layer (T), a vulnerability layer (V), and a risk layer (R).
[0046] The graphical model will be explained in detail below: Threat Layer T: Corresponding to the ThreatTechnique node in the subgraph, it represents the activity level of a certain type of attack technique within a given evaluation time window. Based on the historical trigger count or alarm observation frequency of the attack technique in the subgraph, it is divided into a finite number of states: "inactive, low-activity, medium-activity, and high-activity" according to the activity frequency. The state division threshold can be determined based on the activity frequency characteristics of ThreatTechnique in the subgraph. For example, an activity frequency of 1-3 times is classified as a low-activity state and assigned a value of 3. Vulnerability layer V: corresponds to the Vulnerability node in the subgraph. Based on the "CVSS base score" and "exposure surface parameter" of the Vulnerability in the subgraph, it represents the probability that the vulnerability can be successfully exploited under the asset environment and security configuration.
[0047] Risk layer R: Corresponding to the Risk node in the subgraph, it represents the possibility that an attack will cause an insecure or illegal state to the system or data assets after successfully exploiting system vulnerabilities, and directly reflects the degree of damage to network security and data security objectives.
[0048] In addition, the following three types of modulation variables are introduced, corresponding to the exposure surface features of the Control, Evidence nodes, and Assets in the subgraph, to enhance the model's ability to characterize the real network environment: Exposure surface variable (E): Extract features such as network reachability and number of open ports of the Asset in the subgraph to quantify the degree of exposure of the asset to attacks; Control measures variable (C): Based on the effectiveness coefficient of the Control node in the subgraph, quantify the inhibitory effect of security measures on vulnerability exploitation; Evidence observation variable (O): The confidence level of the Evidence node in the mapping subgraph, which transforms observation data such as alarms and IOC matching into observation inputs for the probabilistic model.
[0049] This invention models Bayesian networks as a hierarchical graph model, treating "whether a vulnerability can be exploited" as an intermediate state, rather than directly deriving risk based solely on the existence or severity score of a vulnerability. Vulnerability exploitability is comprehensively determined by vulnerability attributes, asset exposure surface, and the status of control measures. This method can reduce the artificially high risk caused by "high-scoring vulnerabilities that are unreachable," strengthen the consistency between risk assessment and real attack conditions, and make the results more consistent with actual protection and attack / defense situations.
[0050] S32. Based on the quantitative attribute features of the risk propagation subgraph, generate the probability parameters of a Bayesian network, and improve the objectivity of the quantitative data through calibration with historical data. The probability parameters are generated as follows: S321. Based on the activity frequency characteristics of ThreatTechnique and the credibility of threat intelligence in the risk propagation subgraph, the prior probability of threat nodes is calculated using a weighted summation and normalization algorithm. The prior probability of threat nodes is expressed as follows: (1) In formula (1), This represents the prior probability of a threat node. Normalize is a Min-Max normalization function with an output range of [0,1]. Indicates the frequency of activity of threatening technologies. This indicates the credibility of threat intelligence.
[0051] S322. Using the Common Vulnerability Scoring System (CVSS) feature mapping mechanism, the CVSS exploitability index of the vulnerability in the risk propagation subgraph is transformed into a vulnerability exploitability benchmark value. This benchmark value is then linearly weighted by combining exposure surface variables and control variables, and mapped to probability values using the Sigmoid function. The conditional probability of a vulnerable node is calculated as follows: (2) In formula (2), This represents the conditional probability of a vulnerable node. , , The sigmoid coefficient represents the relative weight of vulnerability exploitability, asset exposure level, and security measures on the probability of successful exploitation. The sigmoid function ensures the output probability is in the range [0,1]. Indicates the threat layer. Indicates the vulnerability layer. Represents the control measures variable. Represents the exposure surface variable. This represents the vulnerability exploitability baseline value, which is a value obtained by quantifying CVSS exploitability metrics (attack vector AV, attack complexity AC, privilege requirement PR, and user interaction UI) according to quantification rules.
[0052] S323. Combining the probability of a risk event's occurrence with its impact on assets, and based on the asset's importance level, business impact, and Vulnerability utilization probability in the risk propagation sub-graph, the weights are determined using the analytic hierarchy process (AHP), and the conditional probability of risk nodes is calculated. The conditional probability of a risk node is expressed as follows: (3) In formula (3), This represents the conditional probability of a risk node. , and The weighting coefficients represent the contribution weights of asset importance, business impact, and vulnerability exploitation probability to the occurrence of risk, respectively. The weights are determined through scoring and consistency checks. Indicates the vulnerability layer. Indicates the risk layer. Indicates the level of importance. Indicates the degree of business impact. This represents the conditional probability of a vulnerable node.
[0053] The final output is a Bayesian network that can be directly used for inference, including network structure (nodes, directed edges, variable values), probability parameters (prior probabilities, CPT table), evidence observation mapping relationship, and is aligned with the core features of the risk propagation subgraph.
[0054] This invention uses the probability parameters output by a Bayesian network as its core, and integrates standardized multi-source data in real time to achieve real-time quantitative inference of risk. The introduction of real-time observation data allows evidence such as alarms and logs detected at the current moment to be injected as observation variables into the existing Bayesian probability model, dynamically correcting the occurrence probability of relevant nodes to obtain a posterior probability result that matches the current network environment. Posterior inference does not require repeated calculations such as full-spectrum extraction, structure reconstruction, and parameter initialization; instead, it updates local or global probabilities based on the existing model, thus offering better computational efficiency and real-time response capabilities. By integrating multi-source data in real time as inference input, and outputting multi-dimensional quantitative results through posterior probability calculation and risk aggregation, this invention achieves interpretable output by combining risk propagation subgraphs, ensuring timely risk assessment. This invention allows risk assessment to move beyond offline periodic calculations, updating with new evidence and reflecting short-term changes in threat activity and vulnerability exploitation, making it suitable for continuous monitoring, situational awareness, and risk warning scenarios. The following provides a detailed explanation of each step.
[0055] The data access channel adopts the Kafka streaming data processing framework, receiving two types of data in real time, maintaining consistency with the output format of the multi-source data standardization layer, and achieving dynamic updates of evidence chain traceability and risk probability. The two types of data include: (1) Observational evidence data: security alarm trigger status, intrusion index (IOC) matching results, log anomaly characteristics, etc., with credibility weight and timestamp.
[0056] (2) Status variable data: patch update status, security control measures enabled or disabled status, changes in asset exposure, etc., used to dynamically adjust the probability parameters of relevant nodes.
[0057] The sliding window aggregation technique is used to deduplicate and reduce noise in high-frequency data, and weights are assigned through evidence credibility quantification technology to ensure the authenticity and reliability of the input data.
[0058] The posterior probability is calculated as follows: (4) In formula (4), Let be the posterior risk probability, representing the probability of a safety risk event R occurring given the observed evidence O. The likelihood probability represents the probability of observing evidence O given that the risk event R has occurred, reflecting the degree of correlation between the evidence and the risk event. The prior risk probability represents the initial probability of the risk event R occurring before any observational evidence is obtained. The marginal probability of evidence represents the global probability of observing the current evidence O in the entire network environment. It is used to normalize the results and ensure that the posterior probability falls within the interval [0,1].
[0059] This invention employs Bayesian networks to model the conditional dependencies between risk factors, outputting the posterior probability of risk events, rather than simple linear scoring or rule-based threshold judgment. Introducing Bayesian quantitative inference enables the output of probabilistically meaningful assessment results even when information is missing, evidence is incomplete, or noise is present. It can express the conditional dependencies of risk under the combined influence of multiple factors (e.g., "external network exposure + vulnerability exploitability + lack of control" jointly increase risk), and the risk results can be expressed with confidence and subjected to sensitivity analysis, which is more conducive to security management and decision-making.
[0060] A weighted summation algorithm is used to aggregate the posterior probabilities of multiple risk events to obtain the total cybersecurity risk, which is expressed as: (5) In formula (5), Risk event Influence weight, Indicates a risk event The posterior probability, This represents the total cybersecurity risk, with an output range of [0,10], corresponding to three risk levels: high (7,10], medium (3,7], and low [0,3].
[0061] Based on Bayesian networks, the maximum a posteriori probability path algorithm is used to output the top-n propagation paths that contribute the most to risk level mapping and risk propagation paths, thereby obtaining risk quantification inference results and providing interpretable and auditable basis for risk assessment results.
[0062] Based on the same inventive concept, this invention also provides a knowledge graph-driven Bayesian network security risk quantification reasoning system, which is applied to the knowledge graph-driven Bayesian network security risk quantification reasoning method provided in the above embodiments. The method is described above, and the similarities will not be repeated.
[0063] See attached document Figure 2 This Bayesian cybersecurity risk quantification inference system includes: Multi-source data standardization module: used to collect multi-source network security data and standardize it to obtain standardized multi-source data; Cybersecurity Knowledge Graph Module: Used to construct a cybersecurity knowledge graph using standardized multi-source data, and extract risk propagation subgraphs from the cybersecurity knowledge graph; Bayesian Network Module: Used to transform semantic relationships in the risk propagation subgraph into a reasonable Bayesian network through network structure mapping, generating reasonable probability parameters; Risk Quantification Inference Module: This module uses probability parameters as its core, accesses standardized multi-source data in real time, and obtains risk quantification inference results by calculating and aggregating posterior probabilities based on Bayesian networks.
[0064] This invention employs a modular structure of "network security knowledge graph + Bayesian network," allowing for expansion of knowledge increments and adjustments to the model structure and parameters as data is updated. The system design is adaptable to different organizations' asset types, business systems, and threat characteristics. When new data sources (new alarm types, vulnerability database fields, control measures) are needed, they can be accessed through graph expansion, facilitating reuse and migration in different application scenarios such as enterprise networks, cloud environments, and big data platforms.
[0065] The above description is merely a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any modifications, equivalent substitutions, and improvements made by those skilled in the art within the scope of the technology disclosed in the present invention, and within the spirit and principles of the present invention, should be covered within the scope of protection of the present invention.
Claims
1. A knowledge graph-driven Bayesian method for quantifying and reasoning about cybersecurity risks, characterized in that, Including the following steps: S1. Collect multi-source network security data and standardize the processing to obtain standardized multi-source data; S2. Construct a cybersecurity knowledge graph using the standardized multi-source data, and extract the risk propagation subgraph from the cybersecurity knowledge graph; S3. Transform the semantic relationships in the risk propagation subgraph into a reasonable Bayesian network through network structure mapping, and generate reasonable probability parameters. S4. Using the probability parameters as the core, access the standardized multi-source data in real time, and obtain the risk quantification inference result by calculating and aggregating the posterior probability based on the Bayesian network.
2. The knowledge graph-driven Bayesian network security risk quantification reasoning method according to claim 1, characterized in that, Step S2 includes: S21: Define node types and propagation relationships through network security ontology modeling, and clarify causal propagation links; S22: Extract and fuse knowledge from the standardized multi-source data to generate "node-relationship-attribute" knowledge triples, and construct a network security knowledge graph that includes the node type and the propagation relationship; S23: Extract the risk propagation subgraph from the cybersecurity knowledge graph based on the key elements of risk assessment, the causal logic of risk propagation, and the probability requirements of inference.
3. The knowledge graph-driven Bayesian network security risk quantification reasoning method according to claim 2, characterized in that, In step S21, the node types include: Asset: Asset nodes are used to represent the objects being evaluated, including hosts, systems, services, containers, or business systems. They are the carriers of risk propagation and the objects ultimately affected. Product: Product node, used to represent publicly disclosed security vulnerabilities and characterize potential security flaws in the system; Vulnerability: A vulnerability node used to represent publicly disclosed security vulnerabilities and characterize potential security flaws in a system; Weakness: A vulnerability node used to represent the general defect type corresponding to a vulnerability, supporting the classification and abstract modeling of different vulnerabilities; ThreatTechnique: A threat technology node that represents the attack techniques or methods that an attacker can employ, serving as an initial element for risk propagation. Control: Security measures node, used to represent security protection measures, which act as inhibitors in the risk propagation process; the security protection measures include: access control, patches, firewalls, and auditing; Evidence: Evidence node, used to represent evidence data, providing observational basis for risk reasoning; the evidence data includes security alerts, log events, and threat intelligence; Risk: Risk event node, used to represent a risk event resulting from a threat successfully exploiting a vulnerability in an asset.
4. The knowledge graph-driven Bayesian network security risk quantification reasoning method according to claim 2, characterized in that, In step S21, the propagation relationship includes: Asset – runs -> Product: "runs" indicates that the asset runs specific software or components, which is used to establish the basis for the association between the asset and the vulnerability; Product – has_vuln -> Vulnerability: "has_vuln" indicates that a software or component version contains a specific vulnerability, reflecting the scope of the vulnerability's impact; Vulnerability-mapped_to-> Weakness: "mapped_to" represents the mapping relationship between a vulnerability and its corresponding general defect type, which is used to support the abstraction and classification analysis of vulnerabilities; ThreatTechnique-exploits->Weakness / Vulnerability: "exploits" indicates that the attack technique can exploit a certain type of flaw or specific vulnerability, which is a key exploitation relationship in the risk propagation chain; Control -mitigates -> Vulnerability: "mitigates" indicates the inhibitory or mitigating effect of security control measures on vulnerability exploitation behavior, which is used for subsequent risk probability modulation; Evidence -observes->TheatTechnique: "observes" refers to the observational or indicative relationship between evidence and threatening behavior, used to map security events into observed inputs for risk reasoning; Vulnerability -cause->Risk: "cause" indicates that the vulnerability has been successfully exploited, leading to a risk event.
5. The knowledge graph-driven Bayesian network security risk quantification reasoning method according to claim 2, characterized in that, Step S22 includes: S221. Perform basic extraction under ontology constraints on structured data, use a rule engine to extract structured relational knowledge from semi-structured data, and use a large language model to perform complex semantic extraction on unstructured text to generate knowledge triples. S222. Introduce a confidence filtering mechanism to filter out low-quality knowledge triples with confidence scores below the threshold, and obtain high-quality knowledge triples. S223. Using a node linking and semantic disambiguation algorithm, the similarity of node attributes is calculated, and the ranked candidate nodes are returned. The highest-scoring candidate node is taken as the final linking result. Duplicate nodes in heterogeneous data are merged into unified identifier nodes to obtain high-quality knowledge triples after fusion. S224. Import the fused high-quality knowledge triples into the database for storage, and construct a network security knowledge graph that includes the node type and the propagation relationship.
6. The knowledge graph-driven Bayesian network security risk quantification reasoning method according to claim 2, characterized in that, Step S23 includes: S231, limiting the six core node types to ThreatTechnique, Vulnerability, Asset, Risk, Control, and Evidence, retaining the seven propagation relationships that support the causal logic of risk propagation: exploits, has_vuln, runs, misigates, observes, mapped_to, and cause, and extracting the quantitative features of nodes and propagation relationships; S232. Based on the quantization features, a bidirectional breadth-first search algorithm is adopted. Forward traversal: starting from the ThreatTechnique node, traversing the Vulnerability nodes associated with exploits, and then traversing the Asset nodes associated with Vulnerability through has_vuln; Reverse traversal: starting from the Asset node, traversing the Vulnerability nodes associated with has_vuln, and then traversing the ThreatTechnique nodes associated with Vulnerability by exploits. S233. Automatically incorporate the Risk, Control, and Evidence nodes encountered during the traversal into the risk propagation subgraph; S234. Perform structural verification on the risk propagation subgraph, and check whether the risk propagation subgraph satisfies the complete causal chain of "ThreatTechnique→Vulnerability→Asset→Risk". If there is a broken link, supplement the associated nodes.
7. The knowledge graph-driven Bayesian network security risk quantification reasoning method according to claim 1, characterized in that, Step S3 includes: S31. Based on the nodes and propagation relationship structure in the risk propagation subgraph, generate a Bayesian network that is logically consistent with the risk propagation subgraph. The Bayesian network includes a threat layer, a vulnerability layer, and a risk layer. The threat layer corresponds to the ThreatTechnique node in the risk propagation subgraph, the vulnerability layer corresponds to the Vulnerability node in the risk propagation subgraph, and the risk layer corresponds to the Risk node in the risk propagation subgraph. S32. Based on the quantitative attribute features of the risk propagation subgraph, generate the probability parameters of the Bayesian network, and improve the objectivity of the quantitative data through historical data calibration.
8. The knowledge graph-driven Bayesian network security risk quantification reasoning method according to claim 7, characterized in that, Step S32 includes: S321. Based on the activity frequency characteristics of ThreatTechnique and the credibility of threat intelligence in the risk propagation subgraph, the prior probability of the threat node is calculated using a weighted summation and normalization algorithm. The calculated prior probability of the threat node is expressed as: (1) In formula (1), This represents the prior probability of a threat node. Normalize is a Min-Max normalization function with an output range of [0,1]. Indicates the frequency of activity of threatening technologies. Indicates the credibility of threat intelligence; S322. Using the feature mapping mechanism of the general vulnerability scoring system, the CVSS exploitability index of Vulnerability in the risk propagation subgraph is transformed into a vulnerability exploitability benchmark value. This benchmark value is then linearly weighted by combining the exposure surface variable and the control variable, and mapped to a probability value using the Sigmoid function. The conditional probability of the vulnerable node is calculated, and the conditional probability of the vulnerable node is expressed as follows: (2) In formula (2), This represents the conditional probability of a vulnerable node. , , The sigmoid coefficient represents the relative weight of vulnerability exploitability, asset exposure level, and security measures on the probability of successful exploitation. The sigmoid function ensures the output probability is in the range [0,1]. Indicates the threat layer. Indicates the vulnerability layer. Represents the control measures variable. Represents the exposure surface variable. This represents a baseline value for vulnerability exploitability; S323. Combining the probability of a risk event's occurrence with its impact on assets, and based on the Asset's importance level, business impact, and Vulnerability utilization probability in the risk propagation subgraph, weights are determined using the analytic hierarchy process (AHP) to calculate the conditional probability of risk nodes. The conditional probability of risk nodes is expressed as follows: (3) In formula (3), This represents the conditional probability of a risk node. , and The weighting coefficients represent the contribution weights of asset importance, business impact, and vulnerability exploitation probability to the occurrence of risk, respectively. The weights are determined through scoring and consistency checks. Indicates the vulnerability layer. Indicates the risk layer. Indicates the level of importance. Indicates the degree of business impact. This represents the conditional probability of a vulnerable node.
9. The knowledge graph-driven Bayesian network security risk quantification reasoning method according to claim 1, characterized in that, Step S4 includes: The posterior probability is calculated as follows: (4) In formula (4), Let be the posterior risk probability, representing the probability of a safety risk event R occurring given the observed evidence O. The likelihood probability represents the probability of observing evidence O given that the risk event R has occurred, reflecting the degree of correlation between the evidence and the risk event. The prior risk probability represents the initial probability of the risk event R occurring before any observational evidence is obtained. The marginal probability of evidence represents the global probability of observing the current evidence O in the entire network environment. It is used to normalize the results and ensure that the posterior probability falls within the interval [0,1]. A weighted summation algorithm is used to aggregate the posterior probabilities of multiple risk events to obtain the total cybersecurity risk, which is expressed as: (5) In formula (5), Risk event Influence weight, Indicates a risk event The posterior probability, This represents the total cybersecurity risk, with an output range of [0,10], corresponding to three risk levels: high (7,10], medium (3,7], and low [0,3]. Based on the Bayesian network, the top-n propagation paths that contribute the most to risk level mapping and risk propagation path are output using the maximum a posteriori probability path algorithm, thus obtaining the risk quantification inference result.
10. A knowledge graph-driven Bayesian network security risk quantification reasoning system, characterized in that, include: Multi-source data standardization module: used to collect multi-source network security data and standardize it to obtain standardized multi-source data; Cybersecurity knowledge graph construction module: used to construct a cybersecurity knowledge graph using the standardized multi-source data, and extract risk propagation subgraphs from the cybersecurity knowledge graph; Bayesian network building module: used to transform the semantic relationships in the risk propagation subgraph into a reasonable Bayesian network through network structure mapping, and generate reasonable probability parameters; Risk quantification reasoning module: It is used to obtain risk quantification reasoning results by calculating and aggregating posterior probabilities based on the probability parameters, with the standardized multi-source data in real time and the Bayesian network.