AI-based cross-domain threat intelligence correlation attribution method and system

By constructing and merging multi-source threat datasets and using machine learning models to generate cross-domain threat mapping models, the problem that traditional threat intelligence analysis methods cannot identify cross-domain threats has been solved. This enables automatic correlation of cross-domain threat data and construction of attack chains, thereby improving the network security response capabilities.

CN122394855APending Publication Date: 2026-07-14GUANGDONG YIDIAN TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
GUANGDONG YIDIAN TECHNOLOGY CO LTD
Filing Date
2026-04-15
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Traditional threat intelligence analysis methods are limited to a single security domain, making it difficult to effectively identify and respond to cross-domain threats. Furthermore, their reliance on manual rules results in low accuracy and efficiency, hindering timely responses to complex cybersecurity threats.

Method used

By collecting real-time threat data and historical threat archives from multiple security domains, a multi-source threat data set is constructed. A cross-domain threat mapping model is generated using machine learning models to identify and construct cross-domain attack chains, extract evidence data, and generate cross-domain threat intelligence association attribution results.

Benefits of technology

It improves the accuracy and adaptability of cross-domain threat correlation, can automatically mine the correlation between threat data in different domains, identify threat correlation fragments scattered in different domains, form a complete attack chain, and improve the ability and efficiency of responding to cross-domain threats.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394855A_ABST
    Figure CN122394855A_ABST
Patent Text Reader

Abstract

The application provides an AI-based cross-domain threat intelligence correlation attribution method and system, relating to the technical field of network security, which first synchronously collects real-time and historical threat data in multiple security fields and integrates them into a multi-source threat data set, then generates a cross-domain threat mapping model through machine learning model training based on the multi-source threat data set, calls the cross-domain threat mapping model to search real-time threat data, identifies threat correlation segments to form an attack chain segment set, correlates and matches the attack chain segment set according to a threat mapping factor set and performs time sequence sorting, connects them into a cross-domain attack chain, extracts evidence data from each link of the cross-domain attack chain to construct an evidence chain correlation graph, and finally generates a cross-domain threat intelligence correlation attribution result. The application can comprehensively and accurately correlate and attribute cross-domain threats and improve network security protection capability.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of cybersecurity technology, and more specifically, to an AI-based method and system for cross-domain threat intelligence correlation and attribution. Background Technology

[0002] In today's digital age, cybersecurity faces increasingly complex and diverse threats. Different security domains, such as network communications, industrial control, and financial transactions, each face unique threats and challenges. Moreover, these threats are not isolated but interconnected and spread across domains.

[0003] Traditional threat intelligence analysis methods are often limited to a single security domain, collecting and analyzing threat data only within that domain. For example, the network communications domain primarily focuses on threats such as cyberattacks and malware propagation, while the industrial control domain focuses on threats such as equipment failure and control command tampering. This single-domain analysis approach overlooks the correlation between threats across different domains, making it difficult to discover the complete attack path and source of cross-domain threats.

[0004] Meanwhile, most existing threat intelligence correlation technologies rely on manually set rules and experience, lacking the ability to automatically learn and mine massive amounts of multi-source threat data. Faced with constantly changing threat forms and complex attack methods, manual rules are unable to comprehensively cover all possible threat correlation situations, resulting in low accuracy and efficiency of threat intelligence correlation, and an inability to respond to cross-domain threats in a timely and effective manner, posing a huge hidden danger to cybersecurity. Summary of the Invention

[0005] In view of the aforementioned problems, and in conjunction with the first aspect of the present invention, embodiments of the present invention provide an AI-based cross-domain threat intelligence association attribution method, the method comprising: Simultaneously collect real-time threat data and historical threat archives from multiple security domains, and integrate the collected data to obtain a multi-source threat data set, which includes threat behavior records, associated carrier information and impact trajectory data from multiple domains; Based on the multi-source threat data set, a cross-domain feature association training is performed through a machine learning model to generate a cross-domain threat mapping model. The cross-domain threat mapping model contains the association correspondence and mapping weights between threat data from different domains, forming a set of threat mapping factors. The cross-domain threat mapping model is invoked to perform cross-domain correlation retrieval on the real-time collected threat data, identify threat correlation fragments scattered in different domains, and form a set of attack chain fragments. The set of attack chain fragments contains threat data fragments with correlation relationships and mapping correlation information between fragments. Based on the mapping relationship in the threat mapping factor set, each segment in the attack chain segment set is associated, matched, and sorted in time sequence. The matched segments are connected to form a cross-domain attack chain. The cross-domain attack chain includes complete link information such as the threat origin, cross-domain propagation nodes, the association method of each node, and the final impact on the terminal. Evidence data is extracted from the threat data corresponding to each link of the cross-domain attack chain, and the correlation between evidence data is established based on the node relationship of the cross-domain attack chain to construct an evidence chain correlation graph. Cross-domain threat intelligence correlation attribution results are generated based on the cross-domain attack chain and the evidence chain correlation graph.

[0006] In another aspect, embodiments of the present invention also provide an AI-based cross-domain threat intelligence association and attribution system, including a processor and a machine-readable storage medium connected to the processor. The machine-readable storage medium is used to store programs, instructions, or code, and the processor is used to run the programs, instructions, or code in the machine-readable storage medium to implement the above-described method.

[0007] Based on the above, this invention integrates real-time threat data and historical threat archives from multiple security domains to obtain a multi-source threat data set, covering threat behavior records, associated carrier information, and impact trajectory data from different domains. Based on this multi-source threat data set, a machine learning model is used for cross-domain feature association training to generate a cross-domain threat mapping model. This model can automatically mine the correlation and mapping weights between threat data from different domains, forming a threat mapping factor set, which improves the accuracy and adaptability of threat association. The cross-domain threat mapping model is then used to perform cross-domain association retrieval on real-time threat data, identifying threat association fragments scattered across different domains and forming a set of attack chain fragments. Based on the threat mapping factor set, the attack chain fragments are associated, matched, and sorted chronologically, connecting them into a cross-domain attack chain containing complete link information, presenting the threat propagation path and source. Finally, evidence data is extracted from each link of the cross-domain attack chain, and an evidence chain association graph is constructed to generate cross-domain threat intelligence association attribution results, effectively improving the ability and efficiency of responding to cross-domain threats. Attached Figure Description

[0008] Figure 1 This is a schematic diagram of the execution flow of the AI-based cross-domain threat intelligence association and attribution method provided in an embodiment of the present invention.

[0009] Figure 2 This is a schematic diagram of the hardware architecture of the AI-based cross-domain threat intelligence association and attribution system provided in an embodiment of the present invention. Detailed Implementation

[0010] The present invention will now be described in detail with reference to the accompanying drawings. Figure 1This is a flowchart illustrating an AI-based cross-domain threat intelligence association and attribution method provided in one embodiment of the present invention. The following is a detailed description of this AI-based cross-domain threat intelligence association and attribution method.

[0011] Step S110: Synchronously collect real-time threat data and historical threat archives from multiple security domains, and integrate the collected data to obtain a multi-source threat data set. The multi-source threat data set includes threat behavior records, associated carrier information, and impact trajectory data from multiple domains.

[0012] In this embodiment, cross-domain threat intelligence attribution between infrastructure and blockchain is used as an application scenario. A distributed data collection architecture is adopted, with data collection achieved through autonomous collection agents deployed on different network nodes. For the infrastructure domain, real-time threat data includes abnormal connection records in firewall logs, attack events reported by intrusion detection systems, and dynamic behavior analysis reports of malware. Historical threat files cover known malicious IP databases, domain blacklists, and virus signature databases. Real-time threat data in the blockchain domain includes transaction records of suspicious wallet addresses, abnormal smart contract call logs, and markers of abnormal on-chain transfer behavior. Historical threat files include a database of wallet addresses associated with tagged hacker groups and a database of historical fraudulent transaction cases.

[0013] During the data collection process, differential privacy technology is used to process sensitive data involving user privacy, and appropriate noise is added to the dataset to prevent the deduction of specific personal information from the collected data. All collected data is transmitted to the data center via SSL encryption. In the data integration phase, threat data in the infrastructure field is preprocessed, converting unstructured text records into structured data containing fields such as source IP, destination IP, connection time, protocol type, and attack type; key information fields such as file hash, execution path, registry operations, and network connection are extracted from malware sample behavior reports. For blockchain data, transaction records are parsed into structured data containing fields such as transaction initiator address, recipient address, transaction amount, transaction timestamp, and block height; static analysis is performed on smart contract code to extract feature information such as function call relationships and access control logic.

[0014] A unified data identifier is added to all integrated data, including metadata such as data source domain tags, data collection timestamps, and data credibility scores. The processed infrastructure and blockchain domain data are stored in a distributed relational database, forming a multi-source threat data set. Threat behavior records in this set include basic information such as behavior type, occurrence time, and associated carrier identifiers; associated carrier information covers IP addresses, domain names, and ports in the infrastructure, and wallet addresses and contract addresses in the blockchain; impact trajectory data records the path information of the threat from its initial appearance to subsequent propagation.

[0015] Step S120: Based on the multi-source threat data set, cross-domain feature association training is performed through a machine learning model to generate a cross-domain threat mapping model. The cross-domain threat mapping model includes the correlation and mapping weights between threat data from different domains, forming a threat mapping factor set.

[0016] After obtaining a multi-source threat data set, a cross-domain threat mapping model is constructed by mining the potential correlation between infrastructure and blockchain threat data through machine learning models.

[0017] Step S121: Standardize the format of various threat data in the multi-source threat dataset, convert unstructured threat descriptions from different domains into structured data formats, retain the core attributes and correlation fields of threat behavior, and output the standardized structured threat data.

[0018] For unstructured threat descriptions in the infrastructure field, such as natural language behavior descriptions in malware analysis reports, a BERT-based text classification and named entity recognition model is used. The text description is input into the BERT model, and text features are extracted using a pre-trained language model. A classification layer identifies threat behavior types, and a named entity recognition layer extracts core entities. The identified threat behavior type is used as the "behavior type" field in the structured data, and the extracted entities are used as the corresponding associated carrier information fields. For unstructured data in the blockchain field, such as vulnerability description text in smart contract audit reports, a similar processing method is used to identify vulnerability types and related entity information such as contract addresses and function names, constructing structured threat data records.

[0019] A unified data field mapping rule is established, mapping "attack initiation time" in the infrastructure domain and "transaction timestamp" in the blockchain domain to a unified "event time" field; "malware MD5 hash" in the infrastructure domain and "transaction hash" in the blockchain domain are unified as a unified "unique identifier" field. Domain-specific fields, such as "port number" in the infrastructure domain and "token type" in the blockchain domain, are retained and prefixed with domain identifiers for differentiation. After format conversion, the structured data undergoes integrity verification, checking for missing core attribute fields. Missing non-critical fields are marked as "unknown." Data records missing critical attribute fields are temporarily stored in an abnormal data pool for subsequent manual review or supplementary collection. After the above processing, structured threat data with a standardized format is output, with each data entry containing core attribute fields and relational fields in a unified format.

[0020] Step S122: Receive the structured threat data after format normalization, perform cross-domain feature mining on the structured threat data, extract the core feature items of each threat data, the core feature items include threat implementation method features, associated carrier identification features, impact range features and time series features, and output a cross-domain feature set containing all core feature items.

[0021] After receiving structured threat data that has been formatted and standardized, multi-dimensional feature extraction is performed on each data entry. Regarding threat implementation methods, in the infrastructure domain, attack methods, exploited vulnerability numbers, and malicious code behavior characteristics are extracted from attack event records; in the blockchain domain, vulnerability exploitation methods and attack patterns (such as flash loan attacks and sandwich attacks) are extracted from smart contract vulnerability descriptions. Regarding associated carrier identification features, IP addresses, domain names, port numbers, and file hashes are extracted in the infrastructure domain; wallet addresses, contract addresses, and transaction hashes are extracted in the blockchain domain. These identification information are then standardized, such as converting IP addresses to integers and uniformly processing hash values ​​to lowercase.

[0022] Impact scope characteristics are obtained by analyzing data such as the number of assets affected and the scale of affected users in a threat event. In the infrastructure field, the number of affected hosts and the range of network devices are counted based on attack event logs; in the blockchain field, the scale of funds involved and the number of affected wallet addresses are calculated based on transaction records. Time series characteristics are extracted by extracting time-related attributes such as the occurrence time, duration, and recurrence interval of the threat event, converting timestamps into a unified time format, and calculating the duration of the event by subtracting the start time from the end time.

[0023] Feature selection is performed on the extracted features to remove redundant and low-relevance features. A variance selection method is used to calculate the variance of each feature, discarding features with variances below a set threshold. Mutual information is used to calculate the mutual information value between features and threat types, retaining features with high mutual information values. The filtered features are combined into feature vectors. Each threat data point corresponds to a multi-dimensional feature vector containing threat implementation methods, associated carrier identifiers, impact range, and time-series characteristics. All feature vectors constitute a cross-domain feature set.

[0024] Step S123: Receive the cross-domain feature set, pair the core feature items of different domains to generate a cross-domain feature pairing set, each pairing contains two core feature items of different domains and the corresponding threat data association identifier.

[0025] After receiving the cross-domain feature set, it iterates through the infrastructure domain features and blockchain domain features. According to preset feature pairing rules, each core feature from the infrastructure domain is paired with a core feature from the blockchain domain. For example, the "malicious IP address" feature from the infrastructure domain is paired with features from the blockchain domain such as "suspicious wallet address" and "abnormal transaction hash"; the "malicious domain name" feature from the infrastructure domain is paired with features from the blockchain domain such as "smart contract address" and "token type".

[0026] Each pair contains two core feature items from different domains, and records the association identifiers of the threat data corresponding to these two feature items. The association identifiers include the threat data ID to which the feature item belongs, the data source domain, and the collection time, for subsequent traceability and verification. For the paired feature pairs, an initial screening process is performed to remove obviously unrelated feature pairs. For example, if an IP address in the infrastructure domain and a wallet address in the blockchain domain have no temporal overlap and belong to significantly different threat event types, then this feature pair is removed. After the above processing, a cross-domain feature pair set is generated.

[0027] Step S124: Input the cross-domain feature pairing set into the deep learning algorithm, and train the cross-domain association network through the deep learning algorithm. The input of the cross-domain association network is the pairing core feature terms in the cross-domain feature pairing set, and the output is the association matching degree and mapping relationship parameters between features.

[0028] Step S1241: Construct a hierarchical structure for a cross-domain association network, which includes a feature input layer, a cross-domain fusion layer, an association calculation layer, and an output layer. Each layer achieves feature transfer and information interaction through a fully connected channel.

[0029] The cross-domain association network's feature input layer comprises two parallel sub-input layers, receiving core feature vectors from the infrastructure and blockchain domains, respectively. The number of neurons in each sub-input layer matches the dimension of the feature vectors from the corresponding domain. Following the feature input layer is a cross-domain fusion layer, which includes a multi-head attention mechanism and a gated recurrent unit (GRU) module. The multi-head attention mechanism captures long-distance dependencies between feature terms from the two domains, while the GRU controls the flow of feature information and suppresses interference from noisy features. Next is the association computation layer, which contains multiple fully connected sub-networks, each responsible for calculating the association strength of a specific set of feature pairs. The output layer has two branches: one outputs the association matching degree between features, and the other outputs the mapping parameters. All layers are connected via fully connected channels, with the output of one layer serving as the input to the next, enabling feature transfer and information exchange.

[0030] Step S1242: Receive the core feature items in the cross-domain feature pairing set, perform vector encoding processing on each core feature item, and convert the text-type features into numerical feature vectors.

[0031] For text-based core features, such as threat implementation descriptions and vulnerability names, word embedding techniques are used for encoding. A pre-trained word vector model is used to convert each word in the text into a fixed-dimensional vector. Then, average pooling is performed on the vectors of all words in the text to obtain numerical feature vectors for the text-based features. For numerical features, such as the integer representation of IP addresses and timestamps, normalization is performed to map their numerical range to the [0,1] interval. For categorical features, such as attack type and token type, one-hot encoding is used to convert them into numerical feature vectors. After the above processing, each core feature is converted into a fixed-dimensional numerical feature vector, facilitating processing by cross-domain interconnected networks.

[0032] Step S1243: Receive numerical feature vectors, and use a combination of attention and gating mechanisms to perform cross-domain information fusion on paired numerical feature vectors, strengthen the correspondence between features in different domains, suppress interference from irrelevant features, and output the fused feature vectors.

[0033] Numerical feature vectors from the infrastructure and blockchain domains are input into the multi-head attention mechanism module of the cross-domain fusion layer. This module determines the importance of each feature in the fusion process by calculating the attention weight between two feature vectors. The attention weight is calculated based on the similarity between feature vectors; the higher the similarity, the greater the attention weight. Then, each feature vector is multiplied by its corresponding attention weight and the results are weighted and summed to obtain the preliminary fused feature vector. The preliminary fused feature vector is input into the gating loop unit module, which contains update and reset gates. The update gate controls the influence of the feature information from the previous time step on the fused features at the current time step, while the reset gate determines whether to ignore the feature information from the previous time step. Through the gating mechanism, cross-domain feature information is further filtered and integrated, strengthening the correspondence between features from different domains, suppressing interference from irrelevant features, and finally outputting the fused feature vector.

[0034] Step S1244: Call the domain adaptation factor, adjust the fusion weights of different domain features through the domain adaptation factor, and output the feature vector after adjusting the fusion weights. The domain adaptation factor is preset and configured based on the distribution status and association frequency of threat data in each domain.

[0035] Domain adaptation factors are a set of pre-defined weight parameters based on the distribution and correlation frequency of threat data from the infrastructure and blockchain domains. During cross-domain information fusion, the pre-defined domain adaptation factors are invoked and multiplied by the domain feature components in the fused feature vector, adjusting the weights of different domain features in the fused vector. For example, if threat data from the infrastructure domain has a high correlation frequency with blockchain data in historical correlation cases, the fusion weight of the infrastructure domain feature is increased; conversely, its weight is decreased. By adjusting the domain adaptation factors, the fused feature vector better reflects the true correlation between the two domain features, outputting a feature vector with adjusted fusion weights.

[0036] Step S1245: Receive the feature vector after adjusting the fusion weights, perform association strength transformation on each pair of paired feature vectors through multiple parallel association calculation units, and use a nonlinear mapping algorithm to convert the feature vector after adjusting the fusion weights into association strength values.

[0037] The feature vectors with adjusted fusion weights are input into the association computation layer, which contains multiple parallel association computation units, each corresponding to a type of feature pair. Each association computation unit contains multiple fully connected layers. The first few layers use the ReLU activation function for non-linear transformation, mapping the feature vectors to a high-dimensional space. The last layer uses a linear activation function to output a correlation strength value. Through multiple parallel association computation units, targeted correlation strength calculations are performed for different types of feature pairs. A non-linear mapping algorithm is used to convert the feature vectors with adjusted fusion weights into correlation strength values, which reflect the tightness of the association between paired feature terms.

[0038] Step S1246: Perform a nonlinear transformation on the correlation strength value using an activation function to generate a preliminary correlation matching degree between features.

[0039] The association strength value output by the association calculation unit is input into the activation function, here the Sigmoid activation function is selected. This function maps the association strength value to the interval [0,1] to obtain the preliminary association matching degree between features. The closer the preliminary association matching degree is to 1, the higher the degree of association between the two feature items; the closer it is to 0, the lower the degree of association.

[0040] Step S1247: Receive the preliminary association matching degree, perform unified value range processing on the preliminary association matching degree, and extract the mapping relationship parameters based on the feature mapping trajectory in the association calculation process. The mapping relationship parameters include the feature dimension mapping matrix, the association strength adjustment coefficient and the cross-domain adaptation parameter. The feature dimension mapping matrix, the association strength adjustment coefficient and the cross-domain adaptation parameter together describe the association logic and transformation rules between paired features. Output the association matching degree and mapping relationship parameters after the unified value range.

[0041] The initial association matching degree is processed to unify the value range, ensuring that the association matching degree of all feature pairs is within the range [0,1], facilitating subsequent comparison and analysis. During the association calculation process, the mapping trajectory of feature vectors in each network layer is recorded. Through gradient calculation using the backpropagation algorithm, mapping relationship parameters such as the feature dimension mapping matrix, association strength adjustment coefficient, and cross-domain adaptation parameter are extracted. The feature dimension mapping matrix describes the transformation relationship between feature vectors from two domains in the dimensional space; the association strength adjustment coefficient is used to adjust the contribution of different feature components to the association matching degree; the cross-domain adaptation parameter reflects the degree of adaptation of features from different domains during the fusion process. These parameters together describe the association logic and transformation rules between paired features, outputting the association matching degree and mapping relationship parameters after unifying the value range.

[0042] Step S1248: Call the real association results in the historical cross-domain association cases as supervision data, compare the association matching degree and mapping relationship parameters after unifying the value range with the real association results, and output the deviation data after comparison.

[0043] Confirmed real-world association results are extracted from a historical cross-domain association case database as supervision data. These results contain known cross-domain feature pairs and their corresponding actual association matching degrees and mapping parameters. The association matching degrees and mapping parameters output by the cross-domain association network within a unified value range are compared with the real values ​​in the supervision data. The difference between the two is calculated to obtain bias data. Bias data can be measured using metrics such as mean squared error and mean absolute error, reflecting the gap between the model output and the reality.

[0044] Step S1249: Based on the deviation data, adjust the weight parameters and domain adaptation factors of each level of the cross-domain association network through the backpropagation algorithm, and repeatedly perform feature encoding processing, cross-domain information fusion, association strength conversion, nonlinear transformation, value interval unification processing and deviation comparison operations until the deviation data meets the preset convergence correspondence conditions, and output stable association matching degree and mapping relationship parameters.

[0045] Based on the deviation data, the backpropagation algorithm is used to calculate the gradient of each neuron in each layer, starting from the output layer. The weight parameters and domain adaptation factors of each layer of the cross-domain association network are adjusted using gradient descent. After adjustment, feature encoding, cross-domain information fusion, association strength transformation, nonlinear transformation, value range unification, and deviation comparison are re-executed to calculate new deviation data. This process is repeated, continuously adjusting the network parameters until the deviation data is less than a preset threshold, thus satisfying the convergence condition. At this point, the association matching degree and mapping relationship parameters output by the model tend to stabilize, resulting in stable output association matching degree and mapping relationship parameters.

[0046] Step S125: Receive the association matching degree and mapping relationship parameters, call the cross-domain association verification data in the historical attribution cases, iteratively adjust the association matching degree and mapping relationship parameters, and output the adjusted mapping relationship parameters.

[0047] For example, step S1251: collect a set of verification data from historical cross-domain threat intelligence association attribution cases, the set of verification data includes confirmed cross-domain association relationships, real mapping logic and association result evaluation data, and output the set of verification data.

[0048] Representative cases were selected from the historical cross-domain threat intelligence attribution case library. Cross-domain correlation data was collected from these cases, including paired features, actual correlation matching degree, mapping parameters, etc. The true mapping logic describes the inherent mechanism and rules of correlation between features. Correlation result evaluation data includes markers of successful or unsuccessful correlation and correlation accuracy scores. The above data was compiled into a validation dataset to ensure data completeness and accuracy.

[0049] Step S1252: Extract the cross-domain feature pairings and corresponding real mapping relationships for each case from the verification dataset, and construct a mapping relationship verification library. The mapping relationship verification library records feature pairings, real mapping parameters, and successful association data.

[0050] The validation dataset is parsed to extract cross-domain feature pairs for each case, i.e., combinations of infrastructure domain features and blockchain domain features. Simultaneously, the true mapping relationship corresponding to each feature pair is extracted, including the true mapping relationship parameters and successful association data. The feature pairs, true mapping parameters, and successful association data are stored in a specific format to construct a mapping relationship validation library. In this library, the corresponding true mapping parameters and successful association status can be quickly queried through feature pairings, facilitating subsequent comparison with the mapping relationship parameters output by the model.

[0051] Step S1253: Compare the initial mapping parameters output by the cross-domain association network with the actual mapping parameters in the mapping verification library, and convert them to obtain parameter deviation data. The parameter deviation data reflects the difference between the initial parameters and the actual parameters.

[0052] For each feature pair in the mapping relationship validation library, the initial mapping relationship parameters output by the cross-domain association network are compared one by one with the true mapping parameters corresponding to that feature pair. The difference between each parameter component is calculated, and then these differences are combined into parameter bias data. The parameter bias data can be a vector, where each element corresponds to the bias value of a mapping relationship parameter, reflecting the difference between the initial parameters and the true parameters.

[0053] Step S1254: Based on the parameter deviation data, identify the feature pairing types in the initial mapping relationship parameters whose deviation exceeds a preset threshold, and output the feature pairing types that need to be optimized.

[0054] A deviation threshold is set, and the deviation value corresponding to each feature pair in the parameter deviation data is iterated. When the deviation value of a feature pair exceeds the preset threshold, the feature pair type is marked as a feature pair type that needs optimization. Feature pair types that need optimization indicate that the mapping relationship parameters of this type of feature pair in the model deviate significantly from the actual situation and need to be adjusted and optimized.

[0055] Step S1255: Analyze the reasons for the parameter deviation data corresponding to the feature pairing type that needs to be optimized, and output the deviation reason data.

[0056] For feature pairing types requiring optimization, the causes of parameter bias are analyzed by considering the structure and training process of the cross-domain association network. Possible causes include: inaccurate feature vector representation failing to fully capture the essential information of the features; unreasonable attention weight allocation in the cross-domain fusion layer leading to the neglect of important features; improper network structure or parameter settings in the association calculation layer affecting the calculation of association strength; and inappropriate values ​​for the domain adaptation factor failing to correctly reflect the association characteristics between domains. Through the investigation and analysis of these possible causes, bias cause data is output. Step S1256: Set parameter adjustment operation based on deviation cause data, and output parameter adjustment operation.

[0057] Based on the data on the causes of deviation, corresponding parameter adjustment operations are set for different causes of deviation. If the deviation is due to inaccurate feature vector representation, the parameters of feature encoding processing are adjusted, such as the dimension of the word embedding model and the normalization method; if the attention weight allocation is unreasonable, the parameters of the multi-head attention mechanism module are adjusted, such as the number of attention heads and the scaling factor of attention calculation; if the problem is with the association calculation layer, the number of layers, the number of neurons, and the activation function of the fully connected sub-network are adjusted; if the domain adaptation factor is inappropriate, the value of the domain adaptation factor is readjusted. The above parameter adjustment operations are output in the form of explicit instructions.

[0058] Step S1257: Correct the initial mapping relationship parameters according to the parameter adjustment operation, generate the optimized mapping relationship parameters, and record the specific content and basis of the parameter adjustment.

[0059] Based on the output parameter adjustment operations, the initial mapping parameters are corrected one by one. For example, for a certain element in the feature dimension mapping matrix, its value is increased or decreased according to the adjustment operation; for the correlation strength adjustment coefficient, it is adjusted according to a specified ratio. During the correction process, the adjustment content of each parameter is recorded in detail, including the value before adjustment, the value after adjustment, and the basis for adjustment, such as the specific analysis results in the deviation cause data. Optimized mapping parameters are generated to ensure the traceability of parameter adjustments.

[0060] Step S1258: Apply the optimized mapping parameters to the test cases in the mapping verification library to obtain the cross-domain association success data of the test cases.

[0061] A subset of cases from the mapping relationship validation library were selected as test cases, and the optimized mapping relationship parameters were applied to these test cases. A cross-domain association network was used to perform association analysis on the feature pairings in the test cases, calculating the association matching degree. The success of the association was determined based on the association matching degree, yielding cross-domain association success data for the test cases. This data includes metrics such as the number of successfully associated cases, the number of failed association cases, and the association accuracy rate.

[0062] Step S1259: Determine whether the successfully associated cross-domain data meets the preset standard. If it does not meet the preset standard, repeat the parameter comparison, deviation data conversion, optimization type identification, deviation cause analysis, adjustment operation setting and parameter correction operation until the successfully associated cross-domain data meets the preset standard, and output the final optimized mapping relationship parameters.

[0063] The system presets standards such as accuracy and recall, and compares the successful cross-domain association data of test cases with these standards. If the successful cross-domain association data meets the preset standards, the current optimized mapping relationship parameters are output as the final result; otherwise, the system returns to step S1253 to re-execute operations such as parameter comparison, deviation data conversion, identification of optimization types, deviation cause analysis, adjustment operation settings, and parameter correction, continuously iterating and optimizing the mapping relationship parameters until the successful cross-domain association data meets the preset standards, and then outputs the final optimized mapping relationship parameters.

[0064] Step S126: Extract the adjusted mapping relationship parameters and the corresponding feature association rules to form initial threat mapping factors. Each initial threat mapping factor includes feature pairing identifier, association matching degree and mapping parameter configuration.

[0065] The parameter values ​​for each feature pair are extracted from the final optimized mapping parameters, and combined with the feature association rules obtained during the training of the cross-domain association network, such as dependencies and association conditions between features. The feature pair identifier, association matching degree, and mapping parameter configuration are combined to form the initial threat mapping factor. The feature pair identifier uniquely identifies a cross-domain feature pair; the association matching degree indicates the strength of the association between the feature pairs; the mapping parameter configuration includes specific parameter values ​​such as the feature dimension mapping matrix, association strength adjustment coefficient, and cross-domain adaptation parameters. Each initial threat mapping factor is an independent entity describing the association relationship between specific feature pairs.

[0066] Step S127: Cluster and integrate the initial threat mapping factors, group the initial threat mapping factors with similar association logic into the same category, generate mapping factor category labels and category association descriptions, and output the classified threat mapping factors.

[0067] Hierarchical clustering algorithm is used to cluster and integrate the initial threat mapping factors. First, the similarity between each initial threat mapping factor is calculated, based on the similarity of feature association rules and mapping parameter configurations. Then, the initial threat mapping factors are progressively merged into different clusters according to the similarity until a preset number of clusters or an intra-cluster similarity threshold is reached. Each cluster is analyzed to summarize the common association logic of the threat mapping factors within the cluster, generating mapping factor category labels, such as "IP-wallet address association" and "domain-contract address association." Simultaneously, category association descriptions are written, describing the association characteristics and applicable scenarios of the threat mapping factors in that category. The clustered threat mapping factors are then organized according to their categories, and the categorized threat mapping factors are output.

[0068] Step S128: Execute the collaborative verification process, perform association tests between the classified threat mapping factors and the sample data in the multi-source threat data set, record the successful association data and the adaptation range data of the threat mapping factors, and output the threat mapping factors after the test.

[0069] A certain number of sample data points are selected from a multi-source threat dataset, covering different threat types, domain combinations, and associated scenarios. Each categorized threat mapping factor is applied to the sample data for association testing. For each sample data point, based on the feature pairing identifier in the threat mapping factor, the corresponding feature item is found, and the association matching degree is calculated using the mapping parameter configuration to determine whether the association is successful. The number of successful associations, the number of failed associations, the accuracy rate, and other successful association data for each threat mapping factor in the sample data are recorded, as well as the range of sample data that the threat mapping factor can successfully associate with, such as specific threat types, time ranges, and other suitable range data. Based on the successful association data and suitable range data, the threat mapping factors are evaluated, and threat mapping factors with excessively low association success rates or excessively narrow suitable ranges are removed. The tested threat mapping factors are then output.

[0070] Step S129: Integrate the threat mapping factors, mapping parameter configurations, successful association data, and adaptation range data after testing to form a threat mapping factor set.

[0071] The tested threat mapping factors, corresponding mapping parameter configurations, successful association data, and applicability data are integrated in a unified format. Each threat mapping factor in the set contains complete information, including feature pairing identifiers, association matching degree, mapping parameter configurations, successful association data (such as precision and recall), and applicability data (such as applicable threat types and domain combinations). This information is stored in a structured data table to form a threat mapping factor set. This set serves as the core component of the cross-domain threat mapping model and is used for subsequent cross-domain association retrieval and attack chain construction.

[0072] Step S130: Call the cross-domain threat mapping model to perform cross-domain association retrieval on the real-time collected threat data, identify threat association fragments scattered in different domains, and form an attack chain fragment set. The attack chain fragment set contains threat data fragments with correlation and mapping association information between fragments.

[0073] Once the cross-domain threat mapping model is built, when new real-time threat data is generated, the model is invoked to perform cross-domain correlation retrieval on the real-time data in order to discover potential threat correlation fragments between different domains.

[0074] Step S131: Capture new threat data in various fields in real time, extract core features from the new threat data, and generate a real-time threat feature set.

[0075] By deploying real-time monitoring agents across various domains, new threat data in the infrastructure and blockchain domains is captured in real time. For new threat data in the infrastructure domain, such as newly added malicious IP connection records and newly discovered virus samples, the cross-domain feature mining method described in step S122 is used to extract threat implementation characteristics, associated carrier identification characteristics, impact scope characteristics, and time series characteristics. Similarly, for new threat data in the blockchain domain, such as newly added suspicious transaction records and abnormal smart contract calls, corresponding core feature items are extracted. All extracted core feature items are combined to generate a real-time threat feature set, where each feature item contains a feature value and its domain information.

[0076] Step S132: Receive the real-time threat feature set, call the threat mapping factor set in the cross-domain threat mapping model, use each core feature item in the real-time threat feature set as the retrieval benchmark, match the corresponding cross-domain mapping factor, and output the matched cross-domain mapping factor.

[0077] Each core feature in the real-time threat feature set is iterated over and compared with feature pairing identifiers in the threat mapping factor set. For each core feature, feature pairs containing that feature are found in the threat mapping factor set to determine the corresponding cross-domain mapping factor. For example, if the real-time threat feature set contains a "malicious IP address" feature in the infrastructure domain, then all cross-domain mapping factors with that IP address as an infrastructure domain feature are searched in the threat mapping factor set. The matched cross-domain mapping factors are filtered out and output; these mapping factors indicate the likelihood of cross-domain associations related to the current real-time threat feature.

[0078] Step S133: Based on the matched cross-domain mapping factor, determine the target domain and target feature items for retrieval, and generate a cross-domain retrieval instruction. The cross-domain retrieval instruction includes the benchmark feature items, the target domain identifier, and the mapping matching conditions.

[0079] For each matched cross-domain mapping factor, its feature pairing identifier is analyzed to determine the corresponding domain (target domain) and target feature item. For example, if the feature pairing of the matched cross-domain mapping factor is "malicious IP address in the infrastructure domain - suspicious wallet address in the blockchain domain", then the target domain is the blockchain domain, and the target feature item is the suspicious wallet address. Based on the correlation matching degree and mapping parameter configuration in the mapping factor, mapping matching conditions are set, such as the minimum threshold for correlation matching degree and the similarity requirement for feature items. The baseline feature item (the core feature item in the real-time threat feature set), the target domain identifier, and the mapping matching conditions are combined to generate a cross-domain retrieval instruction, which guides the retrieval of threat data in the target domain.

[0080] Step S134: Receive cross-domain retrieval instructions, retrieve historical and real-time threat data matching the target features from the threat data repository of the corresponding domain, and extract the successfully matched data segments.

[0081] Step S1341: Parse the cross-domain search command, extract the target feature items, matching conditions and search scope restrictions from the cross-domain search command, and output the parsed target feature items, matching conditions and search scope restrictions.

[0082] The system performs syntactic and semantic parsing on cross-domain search commands to extract the specific content of target features, such as the specific address value of "suspicious wallet address"; matching conditions, such as correlation matching degree greater than a set value, feature similarity within a set range, etc.; and search scope restrictions, such as the search time range (data within the past week), data source (specific blockchain network or infrastructure monitoring system), etc.

[0083] Step S1342: Invoke the index service of the corresponding domain threat data repository, and construct a search keyword combination based on the parsed target feature items. The search keyword combination includes the core attributes and related fields of the target feature items.

[0084] Based on the parsed target features, determine their core attributes and related fields. For example, for the target feature "suspicious wallet address," the core attribute is the wallet address string, and related fields might include transaction time, transaction amount, and associated contract address. Call the index service of the corresponding domain threat data repository to construct a combination of search keywords using the core attributes and related fields. For example, use the wallet address string as the primary keyword, combined with conditions such as transaction time range and transaction amount range as secondary keywords, to form a combined search condition.

[0085] Step S1343: Perform a preliminary search in the threat data repository using the search keyword combination to obtain a candidate threat data set containing the search keyword combination. The candidate threat data set includes historical threat files and real-time collected threat data.

[0086] The constructed keyword combination is submitted to the threat data repository's search engine for initial retrieval. The search engine performs matching queries in the database based on the keyword combination, returning all threat data records containing the search keyword combination, forming a candidate threat data set. This set includes data from historical threat archives as well as threat data collected in real time but not yet subjected to in-depth analysis, ensuring the comprehensiveness of the search results.

[0087] Step S1344: Perform feature analysis on each data point in the candidate threat dataset, extract the core features from the data, compare the extracted core features with the analyzed target features in multiple dimensions, and output the data corresponding to the compared features.

[0088] For each data point in the candidate threat dataset, its core features are extracted using the cross-domain feature mining method described in step S122. Then, these core features are compared with the parsed target features in multiple dimensions, including feature value similarity, data type matching, and consistency of associated fields. For example, for the wallet address feature, the exact match of the address string is compared; for the transaction amount feature, whether the amount is within a set range is compared. The comparison results are recorded as feature-corresponding data, including the matching degree of each comparison dimension and the overall matching score.

[0089] Step S1345: Based on the matched feature correspondence data, filter out the data that meet the matching conditions between the core feature items and the parsed target feature items, and output the filtered threat data. The matching conditions include feature overlap correspondence, related field correspondence, and logical association correspondence requirements.

[0090] Based on the matched feature data, check whether each candidate data meets the matching conditions in the cross-domain retrieval command. Feature overlap requires that the main feature values ​​of the core feature items match completely; correlation field matching requires that the values ​​of the correlation fields meet the set conditions; logical correlation matching requires that the logical relationship between the data is consistent with the correlation rules in the mapping factor. Data that simultaneously meets these requirements is filtered out, and the filtered threat data, which are threat data highly correlated with the target feature items, is output.

[0091] Step S1346: Extract key fragments related to cross-domain association from the filtered threat data. The key fragments include core content such as threat behavior description, association carrier information, time records, and description of the scope of impact.

[0092] Content analysis was performed on the filtered threat data to extract key segments related to cross-domain associations. Threat behavior description segments include the specific methods of threat implementation and the vulnerabilities exploited; association carrier information segments include identifying information such as involved IP addresses, domain names, and wallet addresses; time record segments include the timestamps of the events and their duration; and impact scope description segments include the scale of affected assets, users, or funds. When extracting these key segments, the core content of the original data was retained, and redundant information was removed to ensure the simplicity and relevance of the segments.

[0093] Step S1347: Supplement the information completeness of the key segments, add descriptions of missing related fields in the segments, and output the key segments with supplemented information.

[0094] Check the extracted key segments for missing related fields, such as a missing time record in a threat behavior description segment or missing domain registration information in a related carrier information segment. Retrieve the missing related field information by querying other related data in the threat data repository or external data sources, and add it to the key segments. For example, for domains missing registration information, supplement it with information such as the registrar, registration time, and DNS resolution records.

[0095] Step S1348: Add retrieval source identifier, retrieval timestamp, and target feature item matching details to the key fragments after information supplementation, determine the retrieval background and matching basis of the fragments, and output the key fragments with added identifiers.

[0096] Add a retrieval source identifier to the key fragments after information supplementation, indicating which domain's threat data repository and specific data source the fragment comes from; add a retrieval timestamp to record the execution time of the retrieval operation; add target feature matching details, including the name of the matched feature, the matching degree score, the matching fields, and other information. The above identifiers and details help to trace the source and matching process of the fragments, clarify the retrieval background and matching basis of the fragments, and improve the reliability of subsequent analysis.

[0097] Step S1349: Sort the key segments after adding the labels based on the feature overlap correspondence and the correlation field correspondence, and output the sorted key segments.

[0098] A comprehensive score is calculated based on the degree of feature overlap and correlation between key fragments and target features, as well as the degree of correlation between related fields. Fragments with higher feature overlap and closer correlation between related fields receive higher scores. The tagged key fragments are then sorted from highest to lowest score, and the sorted key fragments are output. This sorting facilitates prioritizing the processing of the most relevant threat data fragments, improving the efficiency of correlation analysis.

[0099] Step S13410: Integrate the sorted key segments and corresponding matching information to form a set of search results containing multiple valid data segments, and transmit it to the subsequent association analysis stage.

[0100] The sorted key fragments and their corresponding matching information, such as matching scores, retrieval source identifiers, and target feature matching details, are integrated to form a set of search results. Each data fragment in this set is a valid threat data fragment related to the target features, and it is transmitted to the subsequent correlation analysis stage to construct an attack chain fragment set.

[0101] Step S135: Mark the associated attributes of the successfully matched data fragments. The marking content includes the mapping relationship with the baseline feature items, details of the matching fields and the threat event identifier to which the data fragment belongs. Output the marked associated attribute data fragments.

[0102] For each data fragment in the search results set, based on the baseline features and matching conditions in the cross-domain search instruction, its mapping relationship with the baseline features is marked, such as "direct association" or "indirect association"; details of the matching fields are recorded, including which fields participated in the matching and the specific values ​​or content of the matches; a threat event identifier is added to the data fragment, which is used to associate the data fragment with a specific threat event. Through the association attribute marking, the association relationship between the data fragment and the original real-time threat data is clarified, and the marked association attribute data fragment is output.

[0103] Step S136: Use the marked associated attribute data fragments as candidate attack chain fragments, and record the source domain, core feature items and associated marking information of the candidate attack chain fragments.

[0104] The tagged, associated attribute data fragments are identified as candidate attack chain fragments because these fragments possess cross-domain association characteristics relevant to real-time threat data. The origin domain of each candidate attack chain fragment is recorded, i.e., whether the fragment originates from the infrastructure domain or the blockchain domain; core feature items, such as IP addresses and wallet addresses, are extracted from the fragments; and association tagging information, including mapping relationships with baseline feature items, details of matching fields, and threat event identifiers, is retained. This information will be used for subsequent fragment association and attack chain construction.

[0105] Step S137: Receive candidate attack chain fragments, call the association rules in the threat mapping factor set in the cross-domain threat mapping model, perform preliminary association on all candidate attack chain fragments, identify potential association links between candidate fragments, and output potential association link information.

[0106] The algorithm iterates through all candidate attack chain segments, invoking association rules from the threat mapping factor set to analyze potential associations between segments. Association rules include mapping relationships between features, association matching thresholds, and time series constraints. For example, if one candidate segment contains the "malicious IP address" feature from the infrastructure domain, and another candidate segment contains the "suspicious wallet address" feature from the blockchain domain, and if association rules for these two features exist in the threat mapping factor set with an association matching degree higher than the threshold, then these two segments may have a potential association link. By analyzing pairwise relationships between all candidate segments, potential association links are identified, and information on these potential association links is output, including the associated segment pairs, the mapping factors used for the association, and the association matching degree.

[0107] Step S138: Add association link identifiers to candidate segments corresponding to potential association link information, record the mapping association direction and association basis between segments, and form an attack chain segment group.

[0108] For each pair of related fragments in the potential association link information, an association link identifier is added to the relevant candidate fragments. This identifier is a unique identifier used to associate fragments belonging to the same association link. Simultaneously, the mapping association direction between fragments is recorded, such as from an infrastructure domain fragment to a blockchain domain fragment, or vice versa; the association basis is also recorded, i.e., the threat mapping factor and association rules upon which the association link is based. Candidate fragments with the same association link identifier are grouped together to form attack chain fragment groups, each fragment group representing a potential cross-domain threat association link.

[0109] Step S139: Filter the candidate segments in each attack chain segment group, retain the data segments with core features and associated tags, remove the data segments without core features, and output the filtered attack chain segment group.

[0110] Each attack chain segment group is checked to see if candidate segments contain core features. Core features are key characteristics that uniquely identify threat behavior or associated vectors, such as IP addresses, wallet addresses, and transaction hashes. Simultaneously, the segments are checked for valid association markers to ensure a clear correlation between the segments and other segments or real-time threat data. Segments lacking core features or with invalid association markers are removed, and data segments that meet the criteria are retained, resulting in a filtered attack chain segment group. Segments in the filtered group exhibit higher correlation and reliability.

[0111] Step S1310: Integrate all filtered attack chain fragment groups and single valid candidate attack chain fragments to form an attack chain fragment set containing multiple related fragment groups and independent valid fragments.

[0112] All filtered attack chain fragment groups, along with individual valid candidate attack chain fragments not included in any fragment group, are combined to form an attack chain fragment set. An individual valid candidate attack chain fragment refers to a fragment that, while not forming a link with other fragments, contains complete core feature items and associated marker information. The attack chain fragment set contains all potential fragments that could constitute a cross-domain attack chain; these fragments will be further associated and concatenated in subsequent steps.

[0113] Step S140: Based on the mapping relationship in the threat mapping factor set, perform association matching and temporal sorting on each segment in the attack chain segment set, and connect the matched segments into a cross-domain attack chain. The cross-domain attack chain includes complete link information such as the threat origin, cross-domain propagation nodes, the association method of each node, and the final impact on the terminal.

[0114] By utilizing the mapping relationships in the threat mapping factor set, in-depth correlation matching and temporal sorting are performed on the fragments in the attack chain fragment set, connecting the scattered fragments into a complete cross-domain attack chain.

[0115] Step S141: Receive the attack chain fragment set, extract the core feature anchor points of each fragment in the attack chain fragment set, and output the core feature anchor points.

[0116] For each segment in the attack chain fragment set, analyze its core features to identify those that can serve as association anchors, i.e., core feature anchors. Core feature anchors are the most representative and unique features in a segment, capable of establishing clear associations with features in other segments. For example, in infrastructure segments, core feature anchors might be malicious IP addresses or domain names; in blockchain segments, they might be suspicious wallet addresses or transaction hashes. Extract the core feature anchors for each segment and output a list of core feature anchors, where each anchor includes the feature name, feature value, and the segment identifier it belongs to.

[0117] Step S142: Based on the core feature anchor points, construct a fragment association index library, which records the core feature anchor point information, source domain, and associated fragment identifier of each fragment.

[0118] A fragment association index is constructed using core feature anchors as index keys. Each record in the index corresponds to a fragment, containing the fragment's core feature anchor information (feature name and feature value), source domain (infrastructure or blockchain), and associated fragment identifiers (identifiers of other fragments that may be associated with this fragment, initially empty). The fragment association index allows for quick retrieval of corresponding fragments based on core feature anchors.

[0119] Step S143: Receive the fragment association index library, select a fragment with initial propagation characteristics from the attack chain fragment set as the starting fragment, and extract the core feature anchor point and association marker information of the starting fragment.

[0120] Analyze the segments in the attack chain fragment set to identify segments with initial propagation characteristics. These initial propagation characteristics include the earliest timestamp, the threat behavior belonging to the attack initiation phase (e.g., malware injection, phishing link distribution), and the associated carrier identifying the attack source (e.g., command and control server IP address). Select segments that meet these characteristics as starting segments, extract their core feature anchors and association markers, such as potential association markers with other segments and threat event identifiers, as the starting point for subsequent association matching.

[0121] Step S144: Based on the core feature anchor point of the starting segment, retrieve the target segment with complementary feature anchor points in the segment association index library. The complementary feature anchor point is a combination of feature terms that have a mapping relationship with the core feature anchor point of the starting segment.

[0122] Based on the core feature anchor of the initial fragment, combinations of feature terms that have a mapping relationship with it are searched in the threat mapping factor set. These combinations of feature terms are the complementary feature anchors. For example, if the core feature anchor of the initial fragment is a "malicious IP address" in the infrastructure field, then there may be a mapping relationship between this IP address and a "suspicious wallet address" in the blockchain field in the threat mapping factor set. In this case, the "suspicious wallet address" is a complementary feature anchor. Using complementary feature anchors as search criteria, fragments containing these complementary feature anchors are searched in the fragment association index library and selected as target fragments.

[0123] Step S145: Align the starting fragment with the target fragment by feature anchoring, call the mapping weights in the threat mapping factor set in the cross-domain threat mapping model, adjust the splicing order of the fragments, and output the preliminary spliced ​​fragment chain.

[0124] Align the core feature anchor points of the starting segment with the complementary feature anchor points of the target segment to ensure a clear correspondence between the two segments at the feature level. Invoke the mapping weights corresponding to the mapping relationship in the threat mapping factor set; these weights reflect the strength of the association between the two feature anchor points. Adjust the splicing order of the starting and target segments according to their mapping weights, prioritizing the splicing of the target segment with a higher mapping weight to the starting segment. Connect the starting and target segments in the adjusted order to form a preliminary spliced ​​segment chain.

[0125] Step S146: Using the core feature anchor point of the end segment of the initial spliced ​​fragment chain as the new benchmark, retrieve the next matching segment in the fragment association index library, continuously extend the initial spliced ​​fragment chain, and output the extended spliced ​​fragment chain.

[0126] Using the end segment of the initial spliced ​​fragment chain as a new starting point, extract its core feature anchor points, and repeat steps S144 and S145. Retrieve the next target segment with complementary feature anchor points from the fragment association index and splice it to the end of the fragment chain. Continue this process, extending the spliced ​​fragment chain until no new matching segment can be found or the preset fragment chain length limit is reached, and output the extended spliced ​​fragment chain.

[0127] Step S147: Receive the extended spliced ​​fragment chain, extract the time series features of each attack chain fragment in the extended spliced ​​fragment chain, the time series features include the occurrence time of the threat event, duration, propagation interval and associated trigger time point.

[0128] For each attack chain segment in the extended spliced ​​fragment chain, time series features are extracted from its associated attribute data. Threat event occurrence time is the timestamp of the start of the threat event corresponding to the segment; duration is the time elapsed from the start to the end of the threat event; propagation interval is the time interval between this segment and the previous segment; associated trigger time point refers to the time point that triggers the threat event described by this segment, such as the time when malware download is completed, the time when a transaction is initiated, etc.

[0129] Step S148: Adjust the position of the segments in the extended splicing fragment chain based on the time series characteristics so that the time arrangement of the segments in the splicing fragment chain conforms to the time evolution correspondence of cross-domain threat propagation, and output the time-adjusted splicing fragment chain.

[0130] Step S1481: Extract the time series features of each attack chain segment in the extended spliced ​​fragment chain. The time series features include the occurrence time of the threat event, the duration, the propagation interval, and the associated trigger time point.

[0131] Similar to step S147, the time series features of each attack chain segment are extracted again to ensure the accuracy and integrity of the data and provide reliable input for time adjustment.

[0132] Step S1482: Using the occurrence time of the starting segment of the cross-domain attack chain as the reference origin, set the time axis unit and time precision, unify the time representation format of each segment, and output the time reference coordinate system.

[0133] The time of the threat event in the initial segment is set as the origin of the time axis (time 0). Based on the time granularity of the threat event, the time axis unit is set, such as seconds, minutes, or hours, and the time precision is determined, such as to the second or millisecond. The time series characteristics of all segments are converted into time values ​​based on this time reference coordinate system, unifying the time representation and facilitating time comparison and sorting between segments.

[0134] Step S1483: Map the time coordinate interval of each segment to the time reference coordinate system to generate the time coordinate interval of each segment. The time coordinate interval includes the start time coordinate and end time coordinate of the segment.

[0135] Based on the occurrence time and duration of the threat event for each segment, calculate its start and end time coordinates in the time reference coordinate system. The start time coordinate is the offset of the threat event occurrence time relative to the reference origin, and the end time coordinate is the start time coordinate plus the duration. Combine the start and end time coordinates to form the time coordinate interval for each segment. This interval represents the position and duration of the threat event described by the segment on the timeline.

[0136] Step S1484: Based on the time coordinate intervals of each segment, analyze the time overlap and sequential correspondence between each segment, identify the segment combinations whose time arrangement does not conform to the time evolution correspondence of cross-domain threat propagation, and output the segment combinations with abnormal time arrangement.

[0137] Compare the time coordinate intervals of each segment to analyze the temporal overlap and chronological order between segments. The temporal evolution correspondence of cross-domain threat propagation requires that threat events occur sequentially in chronological order, with the start time of each subsequent event being later than that of the preceding event, and there may be a certain time interval between events (propagation interval). If a segment is found to have a start time earlier than the start time of the preceding segment, or if the time interval does not conform to the general pattern of threat propagation (e.g., the propagation interval is too long or too short), then the combination of that segment and the preceding segment is identified as a combination of segments with an abnormal temporal arrangement.

[0138] Step S1485: Re-extract the time series features of the segments with abnormal time arrangement, confirm the correspondence and completeness of the time data, and output the confirmed time series features.

[0139] For combinations of segments with anomalous time sequences, re-extract their time series features from the original data, checking for data extraction errors or time format conversion errors. Verify the accuracy and completeness of time data such as the occurrence time and duration of the threat event, ruling out time sequence anomalies caused by data issues. Output the confirmed time series features to ensure the accuracy of subsequent time adjustments.

[0140] Step S1486: Based on the confirmed time series characteristics, adjust the position of the time-arranged abnormal segment combination in the extended spliced ​​segment chain, or supplement the time connection description between segments, and output the spliced ​​segment chain after preliminary time adjustment.

[0141] Based on the confirmed time series characteristics, if the abnormal time arrangement of the combined segments is due to incorrect placement, the order of the segments in the spliced ​​segment chain is adjusted to conform to chronological order. If the abnormal time arrangement is due to the lack of intermediate propagation links, time connection descriptions are added between the segments to describe how the threat event transitions from one segment to another in time. The spliced ​​segment chain with preliminary time adjustment is output, making the time arrangement of the segments more consistent with the temporal evolution of cross-domain threat propagation.

[0142] Step S1487: Calculate the time interval between adjacent segments in the spliced ​​segment chain after preliminary time adjustment, call the propagation time correspondence in the threat mapping factor set in the cross-domain threat mapping model, compare the matching data of the time interval and the propagation time correspondence, and output the time interval matching data.

[0143] Calculate the time interval between two adjacent segments in the pre-adjusted spliced ​​segment chain, which is the difference between the start time coordinate of the latter segment and the end time coordinate of the former segment. Invoke the propagation time correspondence recorded in the threat mapping factor set; this correspondence describes the typical time range required for different types of cross-domain threats to propagate between two domains. Compare the calculated time interval with the propagation time correspondence to determine if the time interval falls within the typical time range, and output time interval matching data, such as a matching score and a mark indicating whether it is within a reasonable range.

[0144] Step S1488: Based on the time interval matching data, adjust the splicing order of the segments in the spliced ​​segment chain after the initial time adjustment, or supplement the time transition description of the intermediate propagation links, and output the spliced ​​segment chain after the secondary time adjustment.

[0145] If the time interval matching data indicates that the time interval between adjacent segments is not within the typical range of propagation time correspondence, analyze the reasons. If it may be due to an incorrect segment order, readjust the segment splicing order; if there are indeed cases where the time interval is too large or too small, supplement the time transition explanation for intermediate propagation links, explaining the reasons for the time delay or acceleration of threat propagation, such as network latency, attack tool preparation time, etc. Output the spliced ​​segment chain after secondary time adjustment to further optimize the time arrangement of segments.

[0146] Step S1489: Smooth the time series of the spliced ​​fragment chain after secondary time adjustment using a time series calibration algorithm, and output the smoothed spliced ​​fragment chain.

[0147] A time-series calibration algorithm, such as the moving average algorithm, is used to smooth the time series of the spliced ​​fragment chain after secondary time adjustment. This algorithm calculates the average time interval between adjacent fragments and adjusts the time intervals of individual anomalies, making the time series of the entire fragment chain more stable and reasonable. The smoothed spliced ​​fragment chain has better coherence in the time dimension and is more consistent with the actual temporal evolution of cross-domain threat propagation.

[0148] Step S14810: Output the time-adjusted spliced ​​segment chain, which includes the calibrated time coordinates and time interval descriptions of each segment, and transmit it to the redundant segment removal stage.

[0149] The smoothed spliced ​​segment chain is used as the time-adjusted spliced ​​segment chain, which includes the calibrated time coordinates (start and end times) of each segment and the time intervals between segments. This segment chain is then transferred to the redundant segment removal stage for further optimization.

[0150] Step S149: Remove redundant segments from the time-adjusted spliced ​​segment chain, delete duplicate segments and auxiliary segments unrelated to the core attack chain, extract cross-domain jump nodes in the spliced ​​segment chain, record the domain conversion information and association method corresponding to each cross-domain jump node, supplement node association metadata, and output the supplemented spliced ​​segment chain.

[0151] The process involves examining the time-adjusted spliced ​​fragment chain, identifying duplicate fragments (those with identical content or core feature anchors), retaining only one, and deleting the rest. Simultaneously, the correlation between the fragments and the core attack chain is analyzed. The core attack chain refers to the main propagation path from the origin of the threat to the final impact on the terminal. Auxiliary fragments unrelated to this path, such as minor attack attempts or irrelevant normal transaction records, are eliminated. Cross-domain jump nodes from one domain to another are extracted from the spliced ​​fragment chain, such as nodes jumping from an IP address in the infrastructure domain to a wallet address in the blockchain domain. The domain conversion information (e.g., from infrastructure to blockchain) and association method (e.g., initiating a blockchain transaction through a server corresponding to a malicious IP address) of each cross-domain jump node are recorded, supplementing node association metadata, such as the associated threat mapping factor identifier and association trust level. The supplemented spliced ​​fragment chain is then output, which is more concise and accurate, highlighting the core attack chain and cross-domain jump nodes.

[0152] Step S1410: Integrate all the supplemented spliced ​​fragment chains, cross-domain jump node information, and node association metadata to obtain the cross-domain attack chain.

[0153] All supplemented spliced ​​fragment chains are aggregated. In cases with multiple potential attack chains, fragments are filtered and merged based on factors such as correlation strength, temporal coherence, and the rationality of cross-domain jump nodes, retaining the most probable attack chain. Cross-domain jump node information and node association metadata are integrated and added to the corresponding positions in the attack chain to form a complete cross-domain attack chain. The cross-domain attack chain demonstrates the complete link information of a threat from its origin, through a series of cross-domain propagation nodes, ultimately affecting the terminal, including the threat behavior, associated carrier, time information, and cross-domain association method of each node.

[0154] Step S150: Extract evidence data from the threat data corresponding to each link of the cross-domain attack chain, establish the association between evidence data based on the node relationship of the cross-domain attack chain, construct an evidence chain association graph, and generate cross-domain threat intelligence association attribution results based on the cross-domain attack chain and the evidence chain association graph.

[0155] After the cross-domain attack chain is constructed, evidence data is extracted from each link of the attack chain, the correlation between the evidence is established, an evidence chain correlation graph is constructed, and finally, cross-domain threat intelligence correlation attribution results are generated.

[0156] Step S151: Receive the cross-domain attack chain, traverse the cross-domain attack chain, and extract the corresponding threat evidence data for each threat node. The threat evidence data includes threat behavior logs, associated carrier identification records, impact result credentials, and cross-domain propagation trace data.

[0157] The process iterates through each threat node in the cross-domain attack chain, with each node corresponding to a link in the chain. For each threat node, corresponding threat evidence data is searched and extracted from a multi-source threat dataset. Threat behavior logs, including firewall logs, intrusion detection system alert logs, and malware execution logs, record the specific process of the threat behavior; associated carrier identification records include original records of identification information such as IP address, domain name, wallet address, and transaction hash; impact outcome evidence includes damage reports from attacked systems, data breach records, and fund transfer records, proving the impact of the threat; cross-domain propagation trace data includes records of the intermediate processes of threat propagation between different domains, such as communication records between malware and command and control servers, and broadcast records of blockchain transactions. This extracted evidence data is then correlated with the corresponding threat nodes to ensure that each link has sufficient supporting evidence.

[0158] Step S152: Classify and label the threat evidence data according to the evidence type, the attack stage to which it belongs, and the associated node identifier, and generate an evidence classification index table.

[0159] Threat evidence data is categorized and labeled according to its nature and purpose. Based on evidence type, it can be divided into log-type evidence, identifier-type evidence, credential-type evidence, and trace-type evidence, etc.; based on the attack stage it belongs to, the evidence data is associated with specific stages in the cross-domain attack chain (such as initial intrusion, command and control, lateral movement, data theft, fund transfer, etc.); based on the associated node identifier, the evidence data is linked to threat node identifiers in the cross-domain attack chain. Based on this classification and labeling information, an evidence classification index table is generated. The index table records the classification label, attack stage, associated node identifier, and storage location of each piece of evidence data, facilitating rapid querying and management of evidence data.

[0160] Step S153: Receive the evidence classification index table and cross-domain attack chain. Based on the node association relationship of the cross-domain attack chain, establish the association link between each threat evidence data, record the correspondence between threat evidence data and attack nodes, and between threat evidence data, and output the evidence association link information.

[0161] Based on the node relationships in the cross-domain attack chain, i.e., the sequence and causal relationships between threat nodes, the relationships between various threat evidence data are determined. For example, if the evidence data of a previous threat node (such as connection logs of a malicious IP address) and the evidence data of a subsequent threat node (such as blockchain transaction records initiated by the server corresponding to that IP address) are causally related, they form an evidence association chain. The correspondence between threat evidence data and attack nodes is recorded, i.e., which attack node each piece of evidence data belongs to; the correspondence between threat evidence data is also recorded, such as causal relationships and accompanying relationships. The evidence association chain information is output, describing the network of connections between evidence.

[0162] Step S154: Treat each threat evidence data as a graph node, the relationship between threat evidence data as graph edges, record the association basis and mapping factor identifier in the edge attributes, and output the evidence chain association graph.

[0163] Each piece of threat evidence data is represented as a graph node, with node attributes including evidence ID, evidence type, attack stage it belongs to, and associated node identifiers. The relationships between threat evidence data are represented as graph edges, with the edge direction indicating the direction of the relationship (e.g., cause points to effect in a causal relationship). The edge attributes record the basis for the association, such as the threat mapping factor on which the association is based, common characteristics between the evidence, etc.; they also record the mapping factor identifier, indicating the ID of the threat mapping factor on which the association is based. This method constructs an evidence chain association graph, visually displaying the association structure and dependencies between evidence, and outputting the evidence chain association graph.

[0164] Step S155: Receive the evidence chain association diagram and the multi-source threat data set, extract the core identification information of each evidence node in the evidence chain association diagram, the core identification information includes the threat event identifier, the associated node identifier and the evidence type corresponding to the evidence, and retrieve supporting data related to the evidence in the multi-source threat data set based on the core identification information, the supporting data being related data from different fields that can support the validity of the evidence.

[0165] For each evidence node in the evidence chain graph, its core identification information is extracted, including the threat event identifier corresponding to the evidence (used to associate it with a specific threat event), the associated node identifier (associated with a threat node in the cross-domain attack chain), and the evidence type. Using this core identification information as search criteria, a search is performed in a multi-source threat data set to find supporting data related to the evidence. Supporting data can be related data from different fields that can support the validity of the evidence, such as logs of the same threat event recorded by other security devices, analysis reports of the threat event from a third-party threat intelligence platform, and other transaction records related to the wallet address in a blockchain explorer.

[0166] Step S156: Associate and bind the supporting data with the corresponding evidence nodes, supplement the information of the evidence nodes, enrich the descriptive dimensions of the evidence, and output the enhanced evidence chain association diagram.

[0167] Step S1561: Extract the core identification information of each evidence node in the evidence chain association graph. The core identification information includes the threat event identifier, the associated node identifier, and the evidence type corresponding to the evidence.

[0168] Similar to step S155, the core identification information of each evidence node is extracted again to ensure the accuracy of the retrieved supporting data.

[0169] Step S1562: Based on the core identification information, retrieve supporting data related to the evidence from the multi-source threat data set. The supporting data is related data from different fields that can support the validity of the evidence.

[0170] Similar to step S155, supporting data is retrieved from the multi-source threat data set based on the core identification information to ensure the comprehensiveness and relevance of the supporting data.

[0171] Step S1563: Classify and filter the supporting data according to the type of supporting evidence, the source field, and the corresponding relationship. Retain the supporting data that is related to the target evidence and output the filtered supporting data.

[0172] The retrieved supporting data is categorized and filtered according to supporting data type (e.g., log evidence, intelligence evidence, transaction evidence, etc.), source domain (infrastructure or blockchain), and correlation (direct or indirect correlation). The relevance of the supporting data to the target evidence is evaluated, retaining supporting data with high relevance and reliable information, and removing irrelevant or low-credibility supporting data, outputting the filtered supporting data.

[0173] Step S1564: Extract the core supporting information of the filtered supporting data. The core supporting information includes key descriptions and data records that can verify the authenticity of the target evidence and are associated with it.

[0174] Extracting core supporting information from the filtered corroborating data is crucial for directly verifying the authenticity and relevance of the target evidence. For example, for connection log evidence from a malicious IP address, the supporting data might be connection logs from another firewall recording the same IP address, with core supporting information including connection time, source port, destination port, etc., matching the target evidence. Similarly, for blockchain transaction record evidence, the supporting data might be the transaction details on a blockchain explorer, with core supporting information including transaction hash, transfer amount, block height, etc., matching the target evidence.

[0175] Step S1565: Associate and bind the core supporting information with the target evidence node, add supporting data association edges to the target evidence node in the evidence chain association graph, record the supporting data identifier and supporting logic in the edge attributes, and output the evidence chain association graph after adding association edges.

[0176] Associate the extracted core supporting information with the target evidence node. Create an edge in the evidence chain graph connecting the supporting data node (if the supporting data itself is also an evidence node) to the target evidence node, or directly add the core supporting information of the supporting data as an attribute to the target evidence node. Record the identifier (e.g., evidence ID) and supporting logic of the supporting data in the attributes of the edge, explaining how the supporting data supports the authenticity or relevance of the target evidence, such as "the IP address of the supporting data is consistent with the target evidence, and the timestamp is within a reasonable range." Output the evidence chain graph after adding the edge.

[0177] Step S1566: Supplement and improve the information of the target evidence node, integrate the key information in the supporting data into the details field of the evidence node, enrich the descriptive dimensions of the evidence, and output the evidence chain relationship diagram after information supplementation.

[0178] Key information from supporting data, such as the source of the data and the specific content of core supporting information, is integrated into the details field of the target evidence node. For example, "Supporting information: A report from a third-party threat intelligence platform shows that this IP address was marked as malicious at the same time" can be added to the details of the target evidence node. By supplementing this information, the descriptive dimensions of the evidence node are enriched, making the evidence more sufficient and credible, and an evidence chain diagram with supplemented information is output.

[0179] Step S1567: Based on the quantity of supporting data and its relevance to the target evidence, calculate the credibility value of the target evidence node and output the credibility value.

[0180] Based on the quantity of supporting data (more supporting data likely indicates higher credibility) and its relevance to the target evidence (stronger relevance likely indicates higher credibility), a weighted summation method is used to calculate the credibility value of the target evidence node. Different weights are assigned to different types of supporting data; for example, directly related supporting data has a higher weight than indirectly related supporting data, and supporting data from authoritative sources has a higher weight than supporting data from ordinary sources. The credibility value of the target evidence node is obtained by multiplying the weight of each supporting data piece by its relevance score and summing the results. This value is typically in the range [0,1], with higher values ​​indicating more credible evidence.

[0181] Step S1568: Add the credibility value to the attribute information of the evidence node as a quantitative correspondence of the validity of the evidence, and output the evidence chain association diagram after adding the credibility value.

[0182] The calculated credibility value is added to the attribute information of the target evidence node as a quantitative indicator to measure the validity of the evidence. In the evidence chain graph, each evidence node contains a credibility value attribute, which facilitates the rapid assessment of the reliability of the evidence in subsequent analysis, and outputs the evidence chain graph with the credibility value added.

[0183] Step S1569: Perform the following operations sequentially on all evidence nodes in the evidence chain association graph: supporting data retrieval, classification and filtering, core supporting information extraction, association binding, information supplementation, credibility value conversion and credibility value addition, and output the evidence chain association graph with all nodes strengthened.

[0184] The process iterates through all evidence nodes in the evidence chain graph, performing steps S1562 to S1568 for each node sequentially. This involves retrieving supporting data, filtering supporting data, extracting core supporting information, associating and binding supporting data, supplementing node information, calculating the credibility value, and adding it to the node attributes. After processing all nodes, the enhanced evidence chain graph is output, where each evidence node has received supplementary information and a credibility assessment.

[0185] Step S15610: Update the evidence chain graph, retain the evidence nodes after full node enhancement, the supporting edges and the credibility values, to form an enhanced evidence chain graph.

[0186] Based on the evidence chain graph strengthened by all nodes, the original evidence chain graph is updated, retaining the strengthened evidence nodes (including supplementary information and credibility values) and supporting edges (including supporting data identifiers and supporting logic), while deleting any redundant or invalid nodes and edges, thus forming the final strengthened evidence chain graph.

[0187] Step S157: Receive the enhanced evidence chain association diagram and cross-domain attack chain, trace the evidence set corresponding to the starting node of the cross-domain attack chain, and determine the core evidence group of the threat origin. The core evidence group contains key evidence data that can prove the source attribution.

[0188] Starting from the initial node of the cross-domain attack chain, all corresponding evidence nodes in the enhanced evidence chain graph are traced to form an evidence set. These evidence sets are analyzed to select key evidence data that can directly prove the origin of the threat, such as raw logs recording the IP address of the attack initiation, malware samples related to the attack source, and clues pointing to the attacker's identity. This core evidence set constitutes the core evidence group for determining the origin of the threat. The core evidence group is the key basis for determining the source of the threat and has the highest credibility and relevance.

[0189] Step S158: Extract evidence data corresponding to each cross-domain jump node in the cross-domain attack chain to form a cross-domain association evidence group.

[0190] The process iterates through each cross-domain jump node in the cross-domain attack chain; these nodes are key points for the threat to propagate from one domain to another. Evidence data corresponding to each cross-domain jump node is extracted from the enhanced evidence chain graph, such as communication records proving the association between IP addresses and wallet addresses, and DNS resolution records supporting the association between domain names and contract addresses. This evidence data is then combined to form a cross-domain association evidence set, which is used to prove the authenticity and relevance of domain transitions in the cross-domain attack chain.

[0191] Step S159: Integrate the core evidence group, cross-domain related evidence group, and other stage evidence data; organize the evidence chain according to the propagation order of the cross-domain attack chain; generate an ordered evidence chain set; bind the ordered evidence chain set to the cross-domain attack chain; supplement the attack chain stage identifier and association weight corresponding to each piece of evidence; form an evidence chain-attack chain mapping relationship; and output the evidence chain-attack chain mapping relationship.

[0192] This process integrates core evidence, cross-domain related evidence, and evidence data from other links in the cross-domain attack chain. Following the propagation order of the cross-domain attack chain—from the origin of the threat to its final impact on the endpoint—this evidence data is organized into an ordered evidence chain set. Each piece of evidence in this ordered evidence chain set is then linked to a corresponding link in the cross-domain attack chain, adding an attack chain link identifier to each piece of evidence to indicate which link in the attack chain it belongs to. Simultaneously, based on the credibility value of the evidence and its closeness to the attack link, a correlation weight is assigned to each piece of evidence; a higher weight indicates greater support for the corresponding attack link. Through these operations, an evidence chain-attack chain mapping relationship is established, demonstrating the correspondence between evidence and attack chain links, and outputting the evidence chain-attack chain mapping relationship.

[0193] Step S1510: Based on the evidence chain-attack chain mapping relationship, the source information of the cross-domain attack chain, and the enhanced evidence chain association diagram, generate a cross-domain threat intelligence association attribution result containing the path of the cross-domain attack chain, evidence chain data, cross-domain association basis, and source identifier according to a preset format.

[0194] By integrating the evidence chain-attack chain mapping relationship, the source information of cross-domain attack chains (such as threat origin, propagation path, affected terminals, etc.), and the evidence nodes and relationships in the enhanced evidence chain association diagram, cross-domain threat intelligence association attribution results are generated according to a preset report format. This result includes a complete path description of the cross-domain attack chain, i.e., which cross-domain propagation nodes ultimately affect the terminals from the threat origin; evidence chain data, i.e., all evidence information and its credibility in the ordered evidence chain set; cross-domain association basis, i.e., the threat mapping factors, supporting data, and association rules used to prove the cross-domain association; and source identifier, i.e., the core evidence group of the threat origin and its attribution judgment. The generated cross-domain threat intelligence association attribution results can comprehensively and accurately reflect the association relationships and attribution information of cross-domain threats.

[0195] Figure 2 The diagram illustrates the hardware architecture of an AI-based cross-domain threat intelligence association and attribution system 100 provided in an embodiment of the present invention, as shown below. Figure 2 As shown, the AI-based cross-domain threat intelligence association and attribution system 100 may include a processor 110, a machine-readable storage medium 120, a bus 130, and a communication unit 140.

[0196] In the specific implementation process, one or more processors 110 execute computer-executable instructions stored in the machine-readable storage medium 120, enabling the processor 110 to execute the AI-based cross-domain threat intelligence association and attribution method as described in the above method embodiment. The processor 110, the machine-readable storage medium 120, and the communication unit 140 are connected via a bus 130, and the processor 110 can be used to control the sending and receiving actions of the communication unit 140. The specific implementation process of the processor 110 can be found in the various method embodiments executed by the AI-based cross-domain threat intelligence association and attribution system 100 described above, and their implementation principles and technical effects are similar, so they will not be repeated here.

[0197] Furthermore, this embodiment of the invention also provides a readable storage medium containing computer-executable instructions. When the processor executes the computer-executable instructions, the above-mentioned AI-based cross-domain threat intelligence association and attribution method is implemented.

[0198] It should be noted that, in order to simplify the description of this invention and thus aid in the understanding of one or more embodiments, the foregoing description of the embodiments of this invention sometimes combines multiple features into a single embodiment, drawing, or description thereof. Similarly, it should be noted that, in order to simplify the description of this invention and thus aid in the understanding of one or more embodiments, the foregoing description of the embodiments of this invention sometimes combines multiple features into a single embodiment, drawing, or description thereof.

Claims

1. An AI-based cross-domain threat intelligence association and attribution method, characterized in that, The method includes: Simultaneously collect real-time threat data and historical threat archives from multiple security domains, and integrate the collected data to obtain a multi-source threat data set, which includes threat behavior records, associated carrier information and impact trajectory data from multiple domains; Based on the multi-source threat data set, a cross-domain feature association training is performed through a machine learning model to generate a cross-domain threat mapping model. The cross-domain threat mapping model contains the association correspondence and mapping weights between threat data from different domains, forming a set of threat mapping factors. The cross-domain threat mapping model is invoked to perform cross-domain correlation retrieval on the real-time collected threat data, identify threat correlation fragments scattered in different domains, and form a set of attack chain fragments. The set of attack chain fragments contains threat data fragments with correlation relationships and mapping correlation information between fragments. Based on the mapping relationship in the threat mapping factor set, each segment in the attack chain segment set is associated, matched, and sorted in time sequence. The matched segments are connected to form a cross-domain attack chain. The cross-domain attack chain includes complete link information such as the threat origin, cross-domain propagation nodes, the association method of each node, and the final impact on the terminal. Evidence data is extracted from the threat data corresponding to each link of the cross-domain attack chain, and the correlation between evidence data is established based on the node relationship of the cross-domain attack chain to construct an evidence chain correlation graph. Cross-domain threat intelligence correlation attribution results are generated based on the cross-domain attack chain and the evidence chain correlation graph.

2. The AI-based cross-domain threat intelligence association and attribution method according to claim 1, characterized in that, Based on the multi-source threat data set, a cross-domain threat mapping model is generated through cross-domain feature association training using a machine learning model. This model includes the correlation and mapping weights between threat data from different domains, forming a threat mapping factor set, including: The format of various threat data in the multi-source threat dataset is standardized, and unstructured threat descriptions from different fields are converted into structured data formats. The core attributes and correlation fields of threat behavior are retained, and the standardized structured threat data is output. The system receives structured threat data after it has been formatted and performs cross-domain feature mining on the structured threat data. It extracts the core feature items of each threat data, which include threat implementation method features, associated carrier identification features, impact range features and time series features. The system outputs a cross-domain feature set containing all core feature items. Receive cross-domain feature sets, pair the core feature items of different domains to generate cross-domain feature pair sets, each pair containing two core feature items of different domains and the corresponding threat data association identifier; The cross-domain feature pairing set is input into a deep learning algorithm, and a cross-domain association network is trained through the deep learning algorithm. The input of the cross-domain association network is the core feature terms of the cross-domain feature pairing set, and the output is the association matching degree and mapping relationship parameters between features. Receive the correlation matching degree and mapping relationship parameters, call the cross-domain correlation verification data in the historical attribution cases, iteratively adjust the correlation matching degree and mapping relationship parameters, and output the adjusted mapping relationship parameters; Extract the adjusted mapping relationship parameters and corresponding feature association rules to form initial threat mapping factors. Each initial threat mapping factor includes feature pairing identifier, association matching degree and mapping parameter configuration. Clustering and integrating the initial threat mapping factors, grouping initial threat mapping factors with similar association logic into the same category, generating mapping factor category labels and category association descriptions, and outputting the classified threat mapping factors; Execute the collaborative verification process, perform association tests between the classified threat mapping factors and sample data in the multi-source threat data set, record the successful association data and the adaptation range data of the threat mapping factors, and output the threat mapping factors after the test; The threat mapping factors, mapping parameter configurations, successful association data, and adaptation range data after integration testing are combined to form a set of threat mapping factors.

3. The AI-based cross-domain threat intelligence association and attribution method according to claim 1, characterized in that, The method involves invoking a cross-domain threat mapping model to perform cross-domain correlation retrieval on real-time collected threat data, identifying threat correlation fragments scattered across different domains, and forming a set of attack chain fragments. This set of attack chain fragments includes related threat data fragments and mapping correlation information between the fragments, including: Real-time capture of new threat data in various fields, extraction of core features from the new threat data, and generation of real-time threat feature sets; Receive a set of real-time threat features, call the set of threat mapping factors in the cross-domain threat mapping model, use each core feature item in the set of real-time threat features as the retrieval benchmark, match the corresponding cross-domain mapping factor, and output the matched cross-domain mapping factor. Based on the matched cross-domain mapping factors, the target domain and target feature items for retrieval are determined, and a cross-domain retrieval instruction is generated. The cross-domain retrieval instruction includes the benchmark feature items, the target domain identifier, and the mapping matching conditions. Upon receiving a cross-domain retrieval command, retrieve historical and real-time threat data that match the target features from the threat data repository of the corresponding domain, and extract the successfully matched data segments. The successfully matched data fragments are labeled with associated attributes. The labeling content includes the mapping relationship with the baseline feature items, details of the matching fields, and the threat event identifier to which the data fragment belongs. The labeled associated attribute data fragments are then output. The labeled associated attribute data fragments are used as candidate attack chain fragments, and the source domain, core feature items and associated labeling information of the candidate attack chain fragments are recorded. Receive candidate attack chain fragments, call the association rules in the threat mapping factor set in the cross-domain threat mapping model, perform preliminary association on all candidate attack chain fragments, identify potential association links between candidate fragments, and output potential association link information; Add association link identifiers to candidate segments corresponding to potential association link information, record the mapping association direction and association basis between segments, and form an attack chain segment group; Filter the candidate segments in each attack chain segment group, retain the data segments with core features and association tags, remove the data segments without core features, and output the filtered attack chain segment group. All filtered attack chain fragment groups and individual valid candidate attack chain fragments are integrated to form an attack chain fragment set containing multiple related fragment groups and independent valid fragments.

4. The AI-based cross-domain threat intelligence association and attribution method according to claim 1, characterized in that, The step of performing association matching and temporal sorting on each segment in the attack chain segment set based on the mapping relationship in the threat mapping factor set, and connecting the matched segments into a cross-domain attack chain, includes: Receive a set of attack chain fragments, extract the core feature anchor points of each fragment in the attack chain fragment set, and output the core feature anchor points; Based on core feature anchors, a fragment association index library is constructed, which records the core feature anchor information, source domain, and associated fragment identifier of each fragment. The system receives a fragment association index library, selects a fragment with initial propagation characteristics from the attack chain fragment set as the starting fragment, and extracts the core feature anchor points and associated marker information of the starting fragment. Based on the core feature anchor point of the starting segment, target segments with complementary feature anchor points are retrieved from the segment association index library. The complementary feature anchor point is a combination of feature terms that have a mapping relationship with the core feature anchor point of the starting segment. The starting fragment and the target fragment are aligned by feature anchoring. The mapping weights in the threat mapping factor set in the cross-domain threat mapping model are called to adjust the splicing order of the fragments and output the preliminary spliced ​​fragment chain. Using the core feature anchor point of the last segment of the initial spliced ​​fragment chain as a new benchmark, the next matching segment is retrieved in the fragment association index library, the initial spliced ​​fragment chain is continuously extended, and the extended spliced ​​fragment chain is output. Receive the extended spliced ​​fragment chain, extract the time series features of each attack chain fragment in the extended spliced ​​fragment chain, the time series features include the occurrence time of the threat event, duration, propagation interval and associated trigger time point; The positions of segments in the extended splicing fragment chain are adjusted based on time series characteristics so that the temporal arrangement of segments in the splicing fragment chain conforms to the temporal evolution correspondence of cross-domain threat propagation, and the time-adjusted splicing fragment chain is output. Redundant segments are removed from the time-adjusted spliced ​​segment chain. Duplicate segments and auxiliary segments unrelated to the core attack chain are deleted. Cross-domain jump nodes in the spliced ​​segment chain are extracted. Domain conversion information and association method corresponding to each cross-domain jump node are recorded. Node association metadata is supplemented and the supplemented spliced ​​segment chain is output. By integrating all the supplemented spliced ​​fragment chains, cross-domain jump node information, and node association metadata, a cross-domain attack chain is obtained.

5. The AI-based cross-domain threat intelligence association and attribution method according to claim 1, characterized in that, The process of extracting evidence data from threat data corresponding to each link in the cross-domain attack chain, establishing associations between evidence data based on the node relationships of the cross-domain attack chain, constructing an evidence chain association graph, and generating cross-domain threat intelligence association attribution results based on the cross-domain attack chain and the evidence chain association graph includes: Receive cross-domain attack chain, traverse the cross-domain attack chain, and extract corresponding threat evidence data for each threat node in the chain. The threat evidence data includes threat behavior logs, associated carrier identification records, impact result credentials, and cross-domain propagation trace data. Threat evidence data is categorized and labeled according to evidence type, attack stage, and associated node identifier, generating an evidence classification index table; Receive the evidence classification index table and cross-domain attack chain, establish the association link between each threat evidence data based on the node association relationship of the cross-domain attack chain, record the correspondence between threat evidence data and attack nodes, and between threat evidence data, and output the evidence association link information; Each threat evidence data is treated as a graph node, and the relationships between threat evidence data are treated as graph edges. The association basis and mapping factor identifier are recorded in the edge attributes, and the evidence chain association graph is output. Receive the evidence chain association diagram and the multi-source threat data set, extract the core identification information of each evidence node in the evidence chain association diagram. The core identification information includes the threat event identifier, the associated node identifier and the evidence type corresponding to the evidence. Based on the core identification information, retrieve the supporting data related to the evidence in the multi-source threat data set. The supporting data is related data from different fields that can support the validity of the evidence. The supporting data is associated and bound with the corresponding evidence nodes, the information of the evidence nodes is supplemented, the descriptive dimensions of the evidence are enriched, and the enhanced evidence chain association diagram is output. Receive the enhanced evidence chain association diagram and cross-domain attack chain, trace the evidence set corresponding to the starting node of the cross-domain attack chain, and determine the core evidence group of the threat origin. The core evidence group contains key evidence data that can prove the source attribution. Extract evidence data corresponding to each cross-domain jump node in the cross-domain attack chain to form a cross-domain related evidence group; Integrate core evidence groups, cross-domain related evidence groups, and other stage evidence data, organize the evidence chain according to the propagation order of the cross-domain attack chain, generate an ordered evidence chain set, bind the ordered evidence chain set with the cross-domain attack chain, supplement the attack chain stage identifier and association weight corresponding to each piece of evidence, form an evidence chain-attack chain mapping relationship, and output the evidence chain-attack chain mapping relationship. Based on the evidence chain-attack chain mapping relationship, the source information of the cross-domain attack chain, and the enhanced evidence chain association diagram, a cross-domain threat intelligence association attribution result containing the path of the cross-domain attack chain, evidence chain data, cross-domain association basis, and source identifier is generated in a preset format.

6. The AI-based cross-domain threat intelligence association and attribution method according to claim 2, characterized in that, The process involves inputting a cross-domain feature pairing set into a deep learning algorithm to train a cross-domain association network. The input to the cross-domain association network consists of the core feature terms from the cross-domain feature pairing set, and the output includes the association matching degree and mapping relationship parameters between features, including: A hierarchical structure for a cross-domain association network is constructed, comprising a feature input layer, a cross-domain fusion layer, an association calculation layer, and an output layer. Each layer achieves feature transfer and information interaction through a fully connected channel. Receive core feature terms from the cross-domain feature pairing set, perform vector encoding processing on each core feature term, and convert textual features into numerical feature vectors; It receives numerical feature vectors and uses a combination of attention and gating mechanisms to perform cross-domain information fusion on paired numerical feature vectors, strengthens the correspondence between features in different domains, suppresses interference from irrelevant features, and outputs the fused feature vector. The domain adaptation factor is invoked to adjust the fusion weights of different domain features, and the adjusted feature vector is output. The domain adaptation factor is preset based on the distribution status and association frequency of threat data in each domain. The system receives the feature vectors after adjusting the fusion weights, performs association strength transformation on each pair of paired feature vectors through multiple parallel association calculation units, and uses a nonlinear mapping algorithm to convert the feature vectors after adjusting the fusion weights into association strength values. The association strength values ​​are nonlinearly transformed by an activation function to generate a preliminary association matching degree between features. The system receives the initial association matching degree, performs unified value range processing on the initial association matching degree, and extracts the mapping relationship parameters based on the feature mapping trajectory in the association calculation process. The mapping relationship parameters include the feature dimension mapping matrix, the association strength adjustment coefficient, and the cross-domain adaptation parameter. The feature dimension mapping matrix, the association strength adjustment coefficient, and the cross-domain adaptation parameter together describe the association logic and transformation rules between paired features. The system outputs the association matching degree and mapping relationship parameters after the unified value range. The system calls real association results from historical cross-domain association cases as supervision data, compares the association matching degree and mapping relationship parameters after unifying the value range with the real association results, and outputs the deviation data after comparison. Based on the deviation data, the weight parameters and domain adaptation factors of each layer of the cross-domain association network are adjusted through the backpropagation algorithm. Feature encoding processing, cross-domain information fusion, association strength conversion, nonlinear transformation, value interval unification processing and deviation comparison operations are repeatedly performed until the deviation data meets the preset convergence correspondence conditions, and stable association matching degree and mapping relationship parameters are output.

7. The AI-based cross-domain threat intelligence association and attribution method according to claim 3, characterized in that, The method of receiving cross-domain retrieval instructions involves retrieving historical and real-time threat data matching the target features from a threat data repository in the corresponding domain, and extracting successfully matched data segments, including: Parse cross-domain search commands, extract target features, matching conditions, and search scope restrictions from the cross-domain search commands, and output the parsed target features, matching conditions, and search scope restrictions; The index service of the corresponding domain threat data repository is invoked to construct a combination of search keywords based on the parsed target features. The combination of search keywords includes the core attributes and related fields of the target features. A preliminary search is performed in the threat data repository using a combination of search keywords to obtain a set of candidate threat data containing the combination of search keywords. The set of candidate threat data includes historical threat files and threat data collected in real time. For each data point in the candidate threat dataset, perform feature analysis, extract the core feature items from the data, compare the extracted core feature items with the analyzed target feature items in multiple dimensions, and output the data corresponding to the compared features. Based on the matched feature data, the core feature items and the parsed target feature items that meet the matching conditions are selected, and the selected threat data is output. The matching conditions include feature overlap correspondence, related field correspondence and logical association correspondence requirements. Key fragments related to cross-domain associations are extracted from the filtered threat data. These key fragments include core content such as threat behavior descriptions, association carrier information, time records, and descriptions of the scope of impact. Supplement the information completeness of key segments, add descriptions of missing related fields in the segments, and output the key segments with supplemented information; Add retrieval source identifiers, retrieval timestamps, and target feature matching details to the key segments after information supplementation, determine the retrieval background and matching basis of the segments, and output the key segments with added identifiers; Based on the correspondence of overlapping features and the correspondence of associated fields, the key segments after adding labels are sorted, and the sorted key segments are output. The key fragments and their corresponding matching information are integrated and sorted to form a set of search results containing multiple valid data fragments, which are then transmitted to the subsequent association analysis stage.

8. The AI-based cross-domain threat intelligence association and attribution method according to claim 4, characterized in that, The process of adjusting the positions of segments in the extended spliced ​​fragment chain based on time series features, so that the temporal arrangement of segments in the spliced ​​fragment chain conforms to the temporal evolution correspondence of cross-domain threat propagation, and outputting a time-adjusted spliced ​​fragment chain includes: Extract the time-series features of each attack chain segment in the extended spliced ​​fragment chain. The time-series features include the occurrence time of the threat event, the duration, the propagation interval, and the associated triggering time point. Using the occurrence time of the starting segment of the cross-domain attack chain as the reference origin, the time axis unit and time precision are set, the time representation of each segment is unified, and the time reference coordinate system is output. The time series features of each segment are mapped to a time reference coordinate system to generate a time coordinate interval for each segment. The time coordinate interval includes the start time coordinate and end time coordinate corresponding to the segment. Based on the time coordinate intervals of each segment, the time overlap and sequential correspondence between each segment are analyzed, and the segment combinations whose time arrangement does not conform to the time evolution correspondence of cross-domain threat propagation are identified, and the segment combinations with abnormal time arrangement are output. Re-extract the time series features of the segments with anomalous time arrangement, confirm the correspondence and completeness of the time data, and output the confirmed time series features. Based on the confirmed time series characteristics, the positions of the segments with abnormal time arrangement in the extended spliced ​​segment chain are adjusted, or the time connection between segments is supplemented, and the spliced ​​segment chain with preliminary time adjustment is output. Calculate the time interval between adjacent segments in the spliced ​​segment chain after preliminary time adjustment, call the propagation time correspondence in the threat mapping factor set in the cross-domain threat mapping model, compare the matching data of the time interval and the propagation time correspondence, and output the time interval matching data; Based on the time interval matching data, adjust the splicing order of the segments in the spliced ​​segment chain after the initial time adjustment, or supplement the time transition description of the intermediate propagation link, and output the spliced ​​segment chain after the second time adjustment. The time series of the spliced ​​fragment chain after secondary time adjustment is smoothed by a time series calibration algorithm, and the smoothed spliced ​​fragment chain is output. The time-adjusted spliced ​​segment chain is output, which includes the calibrated time coordinates and time interval descriptions of each segment, and is transmitted to the redundant segment removal stage.

9. The AI-based cross-domain threat intelligence association and attribution method according to claim 5, characterized in that, The process of associating and binding supporting data with corresponding evidence nodes, supplementing the information of evidence nodes, enriching the descriptive dimensions of evidence, and outputting a strengthened evidence chain diagram includes: Extract the core identification information of each evidence node in the evidence chain graph. The core identification information includes the threat event identifier corresponding to the evidence, the associated node identifier, and the evidence type. Based on the core identification information, corroborating data related to the evidence is retrieved from the multi-source threat data set. The corroborating data consists of related data from different fields that can support the validity of the evidence. The supporting data is classified and filtered according to the type of supporting evidence, the field of origin, and the correlation. The supporting data that is related to the target evidence is retained, and the filtered supporting data is output. Extract the core supporting information from the filtered supporting data. The core supporting information includes key descriptions and data records that can verify the authenticity of the target evidence and are associated with it. Associate and bind the core supporting information with the target evidence node, add supporting data association edges to the target evidence node in the evidence chain association graph, record the supporting data identifier and supporting logic in the edge attributes, and output the evidence chain association graph after adding association edges. The information of the target evidence node is supplemented and improved, and the key information in the supporting data is integrated into the details field of the evidence node to enrich the descriptive dimensions of the evidence and output the evidence chain relationship diagram after the information is supplemented. Based on the quantity of supporting data and its relevance to the target evidence, calculate the credibility value of the target evidence node and output the credibility value. Add the credibility value to the attribute information of the evidence node as a quantitative correspondence of the validity of the evidence, and output the evidence chain relationship graph after adding the credibility value; For all evidence nodes in the evidence chain association graph, perform the following operations in sequence: supporting data retrieval, classification and filtering, core supporting information extraction, association binding, information supplementation, credibility value conversion and credibility value addition, and output the evidence chain association graph with all nodes strengthened. Update the evidence chain graph, retaining the evidence nodes after full node enhancement, supporting edges, and credibility values ​​to form an enhanced evidence chain graph.

10. An AI-based cross-domain threat intelligence association and attribution system, characterized in that, The AI-based cross-domain threat intelligence association and attribution system includes a processor and a memory, the memory and the processor being connected. The memory is used to store programs, instructions or code, and the processor is used to run the programs, instructions or code in the memory to implement the AI-based cross-domain threat intelligence association and attribution method according to any one of claims 1-9.