An APT attack analysis method for a software-defined deception defense system
By constructing an APT knowledge graph and dynamically optimizing decoy defense strategies, the analysis challenges of existing APT attack analysis methods under conditions of dispersion and lack of relationships are solved. This enables systematic identification and risk assessment of attack behaviors, and improves the dynamic perception and resource utilization efficiency of the defense system.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- GUANGZHOU UNIVERSITY HUANGPU RESEARCH INSTITUTE
- Filing Date
- 2026-04-20
- Publication Date
- 2026-07-14
AI Technical Summary
Existing APT attack analysis methods rely on manual rules and existing attack knowledge, making it difficult to analyze new attack entities in a timely manner when attack behaviors are highly dispersed and relationships are missing. Furthermore, the analysis results are difficult to directly support defense decisions, making it difficult for deception defense systems to leverage their advantages in the early detection stage.
Construct an APT knowledge graph, extract threat intelligence entities and relationships, identify high-confidence related entities, predict the types of relationships between entities, construct attack chain paths, and quantitatively assess risks based on the paths to dynamically optimize decoy defense strategies.
It enables systematic identification of the attack phase evolution process, improves the overall identification capability of attack analysis, provides an objective risk quantification model, dynamically optimizes defense strategies, and improves the resource utilization efficiency of deception defense.
Smart Images

Figure CN122394874A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of computer and cyberspace security technology, specifically to an APT attack analysis method for software-defined deception defense systems. Background Technology
[0002] With the continuous expansion of information systems and the widespread application of technologies such as cloud computing, Advanced Persistent Threats (APTs) are exhibiting a trend towards high organization, long-term persistence, and stealth. APT attacks typically approach core assets gradually through multi-stage penetration. A single security device cannot fully reflect the overall situation of attack activities; therefore, effective correlation analysis of dispersed attack behaviors has become a key technical issue in defense. To enhance the early detection capability of advanced attacks, deception defense technology has been gradually introduced and is evolving towards a software-defined deception defense system. This system provides crucial input for attack analysis and defense decisions by centrally controlling the dynamic orchestration of decoy resources and continuously collecting attack interaction data.
[0003] However, existing APT attack analysis methods have many limitations when dealing with continuously generated attack behavior data. Existing analysis methods based on kill chains or ATT&CK models heavily rely on pre-built attack phase divisions and attack feature sets. Because APT attack techniques and paths are constantly evolving, newly emerging attack methods are often not yet incorporated into existing rule systems in their early stages, resulting in a significant lag in rule construction and updates, making it difficult to accurately map new behaviors into established models. Furthermore, methods centered on attack behavior correlation are mostly based on aggregation of time spans or surface-level behavioral features. When attack behaviors are highly dispersed and vary significantly in terms of temporal distribution and technical performance, relying solely on behavioral-level correlations is easily affected by changes in the attack rhythm, leading to severely insufficient stability in the correlation results.
[0004] Furthermore, some semantic analysis methods that incorporate attack knowledge modeling typically assume that existing attack knowledge relationships are relatively complete. When deceptive nodes capture novel attack behaviors that exist only in log or text form in the early stages of an attack, these new entities often lack clear structured relationships. Existing analysis methods struggle to reflect the potential connections of new entities in a timely manner when faced with insufficient relational information, leading to significant delays in knowledge updates and analysis processes. These issues make it difficult for existing attack analysis results to directly support the dynamic needs of software-defined deception defense systems for adjusting decoy deployments and formulating defense strategies, and hinder the full utilization of the advantages of deception defense in acquiring attack information in the early detection phase. Summary of the Invention
[0005] The purpose of this invention is to provide an APT attack analysis method for software-defined deception defense systems, aiming to solve the problems of existing technologies that rely heavily on manual rules and existing attack knowledge, make it difficult to analyze new attack entities in a timely manner under conditions of highly dispersed attack behavior and lack of relationships, and make it difficult for analysis results to directly support defense decisions.
[0006] To achieve the above objectives, the present invention provides the following technical solution: an APT attack analysis method for a software-defined deception defense system, the method comprising the following steps:
[0007] S1: Extract threat intelligence entities and relationships to construct an APT knowledge graph;
[0008] S2: Integrate the newly captured attack entities into the graph and identify and filter out the set of related entities with high confidence.
[0009] S3: Predict the relationship type between entities and construct the attack chain path through multi-hop concatenation;
[0010] S4: Quantitatively assess risk based on attack paths and dynamically optimize decoy defense strategies.
[0011] According to claim 1, the APT attack analysis method for a software-defined deception defense system is characterized in that step S1 specifically includes the following steps:
[0012] S1.1 Attack Entity Type Labeling: Extract entities such as attack organizations, attack patterns, malware, tools, vulnerabilities, and target objects from threat intelligence, and map the extracted entities to a standardized entity set based on a predefined entity type system (including Attacker, Attack Pattern, Campaign, Identity, etc.).
[0013] S1.2 Attack Relationship Construction: Based on the attack behavior language and predefined relationship rules, construct the association relationships between entities, including relationship types such as attributed to, authorized by, downloads, and exploits;
[0014] S1.3 APT Knowledge Graph Construction: The extracted attack information is organized into a structured graph model, and the semantic associations are characterized by a triple structure of "head entity - relation - tail entity". After consistency verification and entity alignment, it is stored in the graph database to complete the construction and storage of the APT knowledge graph.
[0015] According to claim 2, the APT attack analysis method for a software-defined deception defense system is characterized in that step S2 specifically includes the following steps:
[0016] S2.1 New Attack Entity Access: Let the original data set be... Entities and their type sets are obtained through named entity recognition. By standardizing names, merging aliases, and unifying attribute field encoding, a normalized mapping is performed on the extraction results. = To form a standardized set of entities ;
[0017] Construct a comprehensive similarity function for entity alignment: ,in , This represents the score for string matching. Indicates attribute similarity. Represents the cosine similarity of semantic vectors;
[0018] If an entity exists satisfy If the result is positive, the merge is performed; otherwise, a new node is created and an ID is assigned. At the same time, the data collection source, time and context information are recorded to build an entity attribute extension structure, and the new entity is included in the APT knowledge graph node set.
[0019] S2.2 Candidate Related Entity Filtering: Construct a domain-adaptive semantic model based on a pre-trained language model (such as BERT or RoBERTa). Through secondary pre-training on a secure corpus and fine-tuning through contrastive learning based on high-quality triples from a knowledge graph, the type, name, and descriptive text of new entities are mapped to an inductive representation space, generating semantic vectors. ; Calculate the vectors of the new entity and each node in the graph. Semantic cosine similarity between:
[0020]
[0021] A type constraint function Tallow(t) is introduced to limit the search space, eliminating entity types that are logically impossible to be related; the similarity scores are sorted and the Top-K entities are selected to form a preliminary candidate entity set. ;
[0022] S2.3 Constructing an interactive discriminant model With candidate set Entity pairs in As input, fine-grained tactical representations are learned through a cross-entity semantic alignment mechanism. And output the association probability of the entity pair:
[0023] =
[0024] The training sample set is constructed by using labeled real attack relation triples as positive samples, and generating semantically similar difficult negative samples by replacing entities or shuffling combinations. ;
[0025] The model parameters are optimized using binary cross-entropy loss:
[0026]
[0027] in Indicates whether the entity pair is associated with a real attack;
[0028] During the inference phase, when the association probability of candidate entity pairs satisfies If a candidate is deemed to have a potential attack association, it is retained to form the final high-confidence association candidate set. .
[0029] According to claim 3, the APT attack analysis method for a software-defined deception defense system is characterized in that step S3 specifically includes the following steps:
[0030] S3.1 Entity Pair Relationship Prediction: Obtain the candidate set of attack association discrimination output. This includes new entities There are entity pairs associated with high-confidence attacks; let the predefined set of relation types be...
[0031] For sets Each entity pair in ( Construct the "entity-relation-entity" triple hypothesis; for candidate relations... The input sequence is constructed using a discriminative language model:
[0032]
[0033] in The textual representation of entities includes name, type label, and behavioral description, enabling the model to understand triple structures within a unified semantic space; the language model outputs a holistic semantic representation vector. The relation score is obtained through linear mapping:
[0034]
[0035] Scoring is performed on all candidate relations for the same entity pair, and the relation type with the highest score is selected:
[0036]
[0037] When the maximum score meets the threshold constraint, a predicted triplet is generated. During the model training phase, semantically similar negative samples constructed using labeled attack triples and replacement relation labels are optimized using the cross-entropy loss function; the final output is a set of relation triples with scores. ;
[0038] S3.2 with new entities Starting from this point, the predicted directed edges are connected in a multi-hop manner to construct an ordered sequence of entities that reflects the attack evolution logic.
[0039]
[0040] During the path expansion process, relational direction constraints are applied, retaining only the entity type combinations that satisfy the attack semantic logic, and combining entity time attributes to ensure consistent evolution order, avoiding the generation of chain structures with structural conflicts or time reversals.
[0041] The confidence scores of each relation edge in the path are aggregated to measure the path's credibility, and the path score is defined as:
[0042]
[0043] Path search is performed under the maximum hop count constraint. Paths with scores below a threshold are pruned during the expansion process to control the search space and suppress noise propagation. After the path search is completed, a set of attack paths sorted by score is obtained. Each path corresponds to a potential attack chain;
[0044] According to claim 4, the APT attack analysis method for a software-defined deception defense system is characterized in that step S4 specifically includes the following steps:
[0045] S4.1 Attack Landscape Identification: Based on the constructed attack path The system analyzes the sequential relationships, distribution of attack types, and node evolution characteristics of attack behaviors along the path; it identifies the current life cycle stage of the attack activity by recognizing tactical categories, technology switching frequency, and changes in target node types along the path; it calculates the path length L to characterize the depth of attack advancement and the proportion of nodes involving high-risk technologies or high-value targets along the path to reflect the concentration of attack activities; it also identifies whether there are multi-branch diffusion or concurrent behavior paths to determine whether the attack shows a diffusion trend.
[0046] S4.2 Risk Assessment Modeling: After obtaining the attack phase labels and path structure characteristics, a quantitative risk assessment of the attack activity is performed; using path length L to represent the attack depth and the proportion of key behaviors H to represent the proportion of high-risk technologies or high-value nodes in the path, an attack posture scoring function is constructed:
[0047]
[0048] in , The weighting parameter is used to characterize the overall strength and threat level of the attack activity. The larger the value, the more complete the attack chain and the more concentrated the attack behavior is in high-risk links. The attack risk is classified according to the scoring range, corresponding risk level labels are generated, and structured risk assessment results are output.
[0049] S4.3 Decoy Strategy Optimization: Based on risk assessment results and attack phase determination results, the deployment method and configuration parameters of deception resources are dynamically adjusted; when the risk level is high, the deployment density and visibility of decoy nodes in key areas are increased to guide attack behavior to a controlled environment; when the risk level is low, the basic decoy layout is maintained to ensure resource utilization efficiency; combining the high-frequency technology types and target node types in the attack path, decoy categories (including service-type, vulnerability-type, credential-type, or data-type decoys) that match the attack behavior characteristics are selected, and their open ports, system fingerprint characteristics, and behavioral response strategies are adjusted to ensure that the decoy environment is structurally consistent with the expected attack target; the scale of decoy deployment is optimized under resource constraints, and executable strategy adjustment results are output to achieve dynamic guidance and intervention of APT attack behavior.
[0050] The technical effects and advantages provided by the present invention in the above technical solution are as follows:
[0051] 1. This invention constructs an attack path-based analysis mechanism. Unlike existing technologies that are mostly based on rule or single-action analysis and do not form a path-level modeling mechanism, this invention integrates scattered attack behaviors into a continuous structural expression, enabling a systematic characterization of the depth of APT attack progression and the concentration of key behaviors, significantly improving the overall ability to identify the evolution process of attack stages.
[0052] 2. This invention establishes an objective risk quantification model. Existing solutions typically use fixed thresholds for judgment, lacking a functional mapping between structural features and risk outcomes. In contrast, this invention extracts path structural features, transforming path length and the proportion of key behaviors into calculable indicators, providing a clear basis for attack intensity assessment and making attack states comparable and gradable.
[0053] 3. This invention achieves dynamic linkage of defense strategies and optimization of decoy resources. Existing deception defenses are mostly fixed deployment modes, lacking a linkage mechanism with attack analysis results. This invention directly uses risk assessment results to adjust decoy resource configuration, and can dynamically optimize decoy types, deployment scale, and exposure strategies according to changes in attack intensity, significantly improving deception guidance effectiveness and resource utilization efficiency. Attached Figure Description
[0054] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments recorded in this invention. For those skilled in the art, other drawings can be obtained based on these drawings.
[0055] Figure 1 This is a flowchart of the method of the present invention. Detailed Implementation
[0056] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0057] like Figure 1 As shown in this embodiment, an APT attack analysis method for a software-defined deception defense system includes the following steps:
[0058] In some embodiments, the process of performing step S1 includes:
[0059] S1: Extract threat intelligence entities and relationships to construct an APT knowledge graph;
[0060] S2: Integrate the newly captured attack entities into the graph and identify and filter out the set of related entities with high confidence.
[0061] S3: Predict the relationship type between entities and construct the attack chain path through multi-hop concatenation;
[0062] S4: Quantitatively assess risk based on attack paths and dynamically optimize decoy defense strategies.
[0063] In some specific embodiments, step S1 specifically includes the following steps:
[0064] S1.1 Extracts entities such as attack organizations, attack patterns, malware, tools, vulnerabilities, and target objects from threat intelligence, and maps the extracted entities to a predefined entity type system to form a standardized entity set. The specific entity types include: Attacker (attack organization), representing the organization that carried out the attack activities;
[0065] Attack Pattern refers to a specific attack technique or attack behavior, which corresponds to recurring techniques such as lateral movement, privilege escalation, and information gathering.
[0066] A campaign is a series of attack actions carried out by the same attacker within a certain time frame, used to describe the phased or mission-oriented characteristics of an attack campaign.
[0067] Identity (identity entity) refers to a subject object with independent behavioral capacity or organizational attributes, including organizations, individuals or groups, and is used to identify the subject or target of an attack.
[0068] Malware refers to malicious programs or components used to carry out attacks.
[0069] Tool (attack tool) refers to the tool program or script used in the attack process, including situations where legitimate tools are abused;
[0070] Vulnerability refers to a system or software flaw that can be exploited in an attack.
[0071] Location refers to the geographical location of the attacking organization and the identity entity, usually within a country.
[0072] Course of Action: This refers to the mitigation or defense measures taken against attack techniques, vulnerabilities, or attack activities. It typically includes attributes such as the measure name, description, external identification number, and source citation.
[0073] S1.2 Based on the attack behavior language and predefined relationship rules, construct the association relationships between entities. The specific relationship types include: attributed to: Campaign → Attacker, Attacker → Identity, used to attribute attack activities to a specific attacker, or to associate an attacker's organization with a specific real identity;
[0074] Authored by: Malware / Tool → Attacker, used to identify the developer, writer, or original distribution organization of malware or attack tools;
[0075] downloads: Malware → Tool / Malware, indicating auxiliary penetration tools or subsequent payloads downloaded by malware during its runtime;
[0076] exploits: Attacker → Vulnerability, indicating the specific security vulnerabilities that an attacker exploits during the penetration process;
[0077] impersonates: Attacker → Identity, used to describe the actions of attacking organizations to impersonate legitimate individuals or organizations;
[0078] Located at: Attacker / Identity → Location, used to mark the geographical location, country, or region to which the attacker's organization or specific identity entity belongs;
[0079] Mitigates: Course of Action → Attack Pattern, indicating that specific measures or defenses can effectively mitigate or block a certain attack pattern;
[0080] Related to: Attacker → Attacker, used to indicate that there is a connection, overlap, or collaboration between different attack groups;
[0081] targets: Attacker → Location / Identity, which clearly defines the attacker's target, including specific geographical areas or specific individuals or industry targets;
[0082] uses: Attacker → Malware / Attack Pattern / Tool, describes the specific arsenal used by the attacker in the operation, including malicious code, attack techniques and auxiliary tools.
[0083] S1.3 organizes the attack information after entity extraction and relation identification into a structured graph model, constructing an APT knowledge graph that supports association analysis and reasoning. Specifically, the knowledge graph uses a triple structure to represent attack knowledge, depicting the semantic relationships between entities in the form of "head entity—relation—tail entity," where the head and tail entities are attack-related entity nodes, and relations describe the semantic connections between entities. A node set is constructed based on a predefined entity type system, and each entity is assigned a unique identifier and attribute information. An edge set is constructed based on relation type constraint rules, allowing only directed associations between entities that satisfy the type constraints, while also recording the relation types. Consistency checks, entity alignment, and duplicate elimination are performed on nodes and relations to ensure the integrity of the graph structure. The final entity nodes and relation triples are written to the graph database system for persistent storage and dynamic updates.
[0084] In some embodiments, step S2 specifically includes the following steps:
[0085] S2.1 New Attack Entity Access: New attack information comes from external threat intelligence data and attack behavior data captured by decoy nodes in the software-defined deception defense system. Let the original dataset be... For each piece of text data Execute the named entity recognition function To obtain the set of entities and their types To ensure consistency in entity representation, normalization mapping is performed on the extraction results. = To form a standardized set of entities To avoid duplicate writes, it is necessary to compare the new entity with the existing entity set in the graph. Alignment is performed. A comprehensive similarity function is constructed:
[0086]
[0087] in This represents the score for string matching. Indicates attribute similarity. This represents the cosine similarity of semantic vectors. If entities exist... satisfy If the condition is met, the entity merging operation will be performed; otherwise, a new node will be created and a unique identifier ID will be assigned.
[0088] During entity writing, the data source, collection time, and associated context information are recorded simultaneously to construct an extended entity attribute structure for subsequent association analysis and credibility assessment. After integration, the new attack entity is included in the APT knowledge graph node set and participates as a candidate analysis node in the subsequent candidate associated entity screening and attack association discrimination process.
[0089] S2.2 The goal of candidate associated entity screening is to select entities from the graph entity set. Identification and New Entities Candidate set with potential attack strict relations The system utilizes a semantic model pre-trained on a massive secure corpus to perform domain-adaptive training. It organizes the type, name, and descriptive text of new entities into a unified semantic sequence, mapping it to an inductive representation space to generate semantic vectors. .
[0090] This model is based on a general pre-trained language model (such as BERT or RoBERTa). It undergoes secondary pre-training on millions of threat intelligence reports and other texts, and is fine-tuned through contrastive learning using high-quality triples already present in the knowledge graph. This allows the model to learn implicit patterns of association between attacking entities. Each node in the knowledge graph pre-stores semantic vectors. Semantic similarity between entities is calculated using cosine similarity.
[0091]
[0092] Before semantic similarity calculation, a type constraint function `Tallow(t)` is introduced to limit the search space, preventing logically unrelated entities from entering the candidate set. For example, when a new entity is of type `malware`, its search space is forcibly limited to entity types such as `Attacker`, `Attack Pattern`, or `Tool`, quickly eliminating logically unrelated nodes and reducing the search space. The entities are sorted by score, and the Top-K are selected to form a candidate set. This set controls its size while ensuring coverage of potential associations, providing input for the subsequent fine-grained discrimination stage.
[0093] S2.3 Candidate Set The system still contains entities that are similar only at the terminological level but lack logical connection in their attack patterns, requiring binary judgment. An interactive discriminant model needs to be constructed. The input is an entity pair. The model learns fine-grained tactical representations through a cross-entity semantic alignment mechanism. and output the association probability: =
[0094] Training sample set Positive samples are constructed from labeled triples representing real attack relationships. Difficult negative samples are generated by replacing entities or shuffling combinations, ensuring that the negative samples are semantically close to the positive samples. Model parameters are optimized using binary cross-entropy loss.
[0095]
[0096] in This indicates whether there is a genuine attack association between entity pairs. During the inference phase, the association probability is calculated for each candidate entity pair. If the condition is met, the entity is determined to have a potential attack association and retained for inclusion in the relationship type prediction module; otherwise, it is discarded. After this stage of judgment, entity pairs with a high-confidence attack association with the new entity are retained, resulting in a candidate set. .
[0097] In some embodiments, step S3 specifically includes the following steps:
[0098] S3.1 Attack correlation determination yields candidate set This includes new entities. For entity pairs associated with high-confidence attacks, further determination of the specific relationship type is needed. Based on the predetermined relationship types, let the set of relationship types be...
[0099]
[0100] For candidate set Each entity pair in ( We construct the "entity-relation-entity" triple hypothesis and use a discriminative language model for scoring. For candidate relations... Construct the input sequence:
[0101]
[0102] in The textual representation of entities includes names, type labels, and behavioral descriptions, enabling models to understand triple structures within a unified semantic space.
[0103] The language model outputs a global semantic representation vector. The relation score is obtained through linear mapping:
[0104]
[0105] Score all candidate relationships for the same entity pair and select the relationship type with the highest score:
[0106]
[0107] Predicted triples are generated when the maximum score meets the threshold constraint. Otherwise, it will not be generated.
[0108] The training data comes from labeled attack triples. By replacing the relation labels, negative samples with similar semantics but logically invalidity are constructed, enabling the model to learn to distinguish fine-grained differences in the semantic relationships of different attacks. The optimization objective uses the cross-entropy loss function. The output is a set of relation triples with scores, providing structured relation edges with clear semantic types for attack path construction and multi-hop inference.
[0109] S3.2 Obtaining the set of relation triples with confidence levels Then, in the form of a new entity Starting from this point, the predicted directed edges are connected in a multi-hop manner to construct an ordered sequence of entities that reflects the attack evolution logic. The path represents the propagation process of an attack activity between an organization, technology, tools, vulnerabilities, and the target system.
[0110] Path expansion is performed under relational direction constraints, retaining only entity type combinations that satisfy the attack semantic logic. Simultaneously, entity temporal attributes are considered to ensure consistent evolution order, avoiding chain structures with structural conflicts or temporal reversals. To measure path credibility, the confidence scores of each relation edge in the path are aggregated, and the path score is defined as:
[0111]
[0112] Paths with scores below a threshold are pruned during expansion to control the search space and suppress noise propagation. After completing the path search under the maximum hop count constraint, a set of attack paths sorted by score is obtained. Each path corresponds to a potential attack chain, providing a basis for attack tracing analysis and subsequent trend inference.
[0113] In some embodiments, step S4 specifically includes the following steps:
[0114] S4.1 Based on the constructed attack path The study analyzes the sequential relationships, distribution of attack types, and node evolution characteristics along the attack path. By identifying tactical categories, technology switching frequencies, and changes in target node types within the path, the current lifecycle stage of the attack activity is determined.
[0115] During the analysis, the path length L is statistically analyzed to characterize the depth of the attack; the proportion of nodes involving high-risk technologies or high-value targets in the path is calculated to reflect the concentration of the attack activities; at the same time, it is identified whether there are multi-branch diffusion or concurrent behavior paths to determine whether the attack shows a diffusion trend.
[0116] S4.2 After obtaining the attack phase labels and path structure characteristics, a quantitative risk assessment of the attack activity is performed. Path length L represents the attack depth, and the proportion of key behaviors H represents the proportion of high-risk technologies or high-value nodes in the path. An attack posture scoring function is constructed:
[0117]
[0118] in , The weighting parameter is used to characterize the overall strength and threat level of the attack activity. A higher value indicates a more complete attack chain and that the attack behavior is more concentrated in high-risk links.
[0119] The attack risk is classified into levels based on the scoring range, corresponding risk level labels are generated, and structured risk assessment results are output, providing quantitative basis for adjusting the allocation of decoy resources and optimizing defense strategies.
[0120] S4.3 Based on the risk assessment results and attack phase determination results, the deployment method and configuration parameters of decoy resources are dynamically adjusted. The deployment strength and response priority of decoy resources are determined according to the risk level; when the risk level is high, the deployment density and visibility of decoy nodes in key areas are increased to guide attack behavior towards a controlled environment; when the risk level is low, the basic decoy layout is maintained to ensure resource utilization efficiency.
[0121] By combining frequently occurring technology types and target node types in the attack path, decoy categories matching the attack behavior characteristics are selected, including service-based decoys, vulnerability-based decoys, credential-based decoys, or data-based decoys. Their open ports, system fingerprint characteristics, and behavioral response strategies are adjusted to ensure the decoy environment is structurally consistent with the expected attack target, thereby improving the attack guidance success rate. Under resource constraints, the decoy deployment scale is optimized to balance deception resources among risk level, attack stage, and system load, outputting executable policy adjustment results to achieve dynamic guidance and intervention of APT attack behavior.
[0122] In the description of this specification, references to terms such as "an embodiment," "example," "specific example," etc., indicate that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples.
[0123] The preferred embodiments of the present invention disclosed above are merely illustrative of the invention. These preferred embodiments do not exhaustively describe all details, nor do they limit the invention to any specific implementation. Clearly, many modifications and variations can be made based on the content of this specification. This specification selects and specifically describes these embodiments to better explain the principles and practical applications of the invention, thereby enabling those skilled in the art to better understand and utilize the invention. The invention is limited only by the claims and their full scope and equivalents.
Claims
1. An APT attack analysis method for software-defined deception defense systems: The selection method includes the following steps: S1: Extract threat intelligence entities and relationships to construct an APT knowledge graph; S2: Integrate the newly captured attack entities into the graph and identify and filter out the set of related entities with high confidence. S3: Predict the relationship type between entities and construct the attack chain path through multi-hop concatenation; S4: Quantitatively assess risk based on attack paths and dynamically optimize decoy defense strategies.
2. The APT attack analysis method for a software-defined deception defense system according to claim 1, characterized in that, Step S1 specifically includes the following steps: S1.1 Attack Entity Type Labeling: Extract entities such as attack organizations, attack patterns, malware, tools, vulnerabilities, and target objects from threat intelligence, and map the extracted entities to a standardized entity set based on a predefined entity type system (including Attacker, Attack Pattern, Campaign, Identity, etc.). S1.2 Attack Relationship Construction: Based on the attack behavior language and predefined relationship rules, construct the association relationships between entities, including relationship types such as attributed to, authorized by, downloads, and exploits; S1.3 APT Knowledge Graph Construction: The extracted attack information is organized into a structured graph model, and the semantic relationships are characterized by a triple structure of "head entity - relation - tail entity". After consistency verification and entity alignment, it is stored in the graph database, thus completing the construction and storage of the APT knowledge graph.
3. The APT attack analysis method for a software-defined deception defense system according to claim 2, characterized in that, Step S2 specifically includes the following steps: S2.1 New Attack Entity Access: Let the original data set be... Entities and their type sets are obtained through named entity recognition. By standardizing names, merging aliases, and unifying attribute field encoding, a normalized mapping is performed on the extraction results. = To form a standardized set of entities ; Construct a comprehensive similarity function for entity alignment: ,in , This represents the score for string matching. Indicates attribute similarity. Represents the cosine similarity of semantic vectors; If an entity exists satisfy If the result is positive, the merge is performed; otherwise, a new node is created and an ID is assigned. At the same time, the data collection source, time and context information are recorded to build an entity attribute extension structure, and the new entity is included in the APT knowledge graph node set. S2.2 Candidate Related Entity Filtering: Construct a domain-adaptive semantic model based on a pre-trained language model (such as BERT or RoBERTa). Through secondary pre-training on a secure corpus and fine-tuning through contrastive learning based on high-quality triples from a knowledge graph, the type, name, and descriptive text of new entities are mapped to an inductive representation space, generating semantic vectors. ; Calculate the vectors of the new entity and each node in the graph. Semantic cosine similarity between: A type constraint function Tallow(t) is introduced to limit the search space, eliminating entity types that are logically impossible to be related; the similarity scores are sorted and the Top-K entities are selected to form a preliminary candidate entity set. ; S2.3 Constructing an interactive discriminant model With candidate set Entity pairs in As input, fine-grained tactical representations are learned through a cross-entity semantic alignment mechanism. And output the association probability of the entity pair: = The training sample set is constructed by using labeled real attack relation triples as positive samples, and generating semantically similar difficult negative samples by replacing entities or shuffling combinations. ; The model parameters are optimized using binary cross-entropy loss: in Indicates whether the entity pair is associated with a real attack; During the inference phase, when the association probability of candidate entity pairs satisfies If a candidate is deemed to have a potential attack association, it is retained to form the final high-confidence association candidate set. .
4. The APT attack analysis method for a software-defined deception defense system according to claim 3, characterized in that, Step S3 specifically includes the following steps: S3.1 Entity Pair Relationship Prediction: Obtain the candidate set of attack association discrimination output. This includes new entities There are entity pairs associated with high-confidence attacks; let the predefined set of relation types be... For sets Each entity pair in ( Construct the "entity-relation-entity" triple hypothesis; for candidate relations... The input sequence is constructed using a discriminative language model: in The textual representation of entities includes name, type label, and behavioral description, enabling the model to understand triple structures within a unified semantic space; the language model outputs a holistic semantic representation vector. The relation score is obtained through linear mapping: Scoring is performed on all candidate relations for the same entity pair, and the relation type with the highest score is selected: When the maximum score meets the threshold constraint, a predicted triplet is generated. During the model training phase, semantically similar negative samples constructed using labeled attack triples and replacement relation labels are optimized using the cross-entropy loss function; the final output is a set of relation triples with scores. ; S3.2 with new entities Starting from this point, the predicted directed edges are connected in a multi-hop manner to construct an ordered sequence of entities that reflects the attack evolution logic. During the path expansion process, relational direction constraints are applied, retaining only the entity type combinations that satisfy the attack semantic logic, and combining entity time attributes to ensure consistent evolution order, avoiding the generation of chain structures with structural conflicts or time reversals. The confidence scores of each relation edge in the path are aggregated to measure the path's credibility, and the path score is defined as: Path search is performed under the maximum hop count constraint. Paths with scores below a threshold are pruned during the expansion process to control the search space and suppress noise propagation. After the path search is completed, a set of attack paths sorted by score is obtained. Each path corresponds to a potential attack chain.
5. The APT attack analysis method for a software-defined deception defense system according to claim 4, characterized in that, Step S4 specifically includes the following steps: S4.1 Attack Landscape Identification: Based on the constructed attack path The system analyzes the sequential relationships, distribution of attack types, and node evolution characteristics of attack behaviors along the path; it identifies the current life cycle stage of the attack activity by recognizing tactical categories, technology switching frequency, and changes in target node types along the path; it calculates the path length L to characterize the depth of attack advancement and the proportion of nodes involving high-risk technologies or high-value targets along the path to reflect the concentration of attack activities; it also identifies whether there are multi-branch diffusion or concurrent behavior paths to determine whether the attack shows a diffusion trend. S4.2 Risk Assessment Modeling: After obtaining the attack phase labels and path structure characteristics, a quantitative risk assessment of the attack activity is performed; using path length L to represent the attack depth and the proportion of key behaviors H to represent the proportion of high-risk technologies or high-value nodes in the path, an attack posture scoring function is constructed: in , The weighting parameter is used to characterize the overall strength and threat level of the attack activity. The larger the value, the more complete the attack chain and the more concentrated the attack behavior is in high-risk links. The attack risk is classified according to the scoring range, corresponding risk level labels are generated, and structured risk assessment results are output. S4.3 Decoy Strategy Optimization: Based on risk assessment results and attack phase determination results, the deployment method and configuration parameters of deception resources are dynamically adjusted; when the risk level is high, the deployment density and visibility of decoy nodes in key areas are increased to guide attack behavior to a controlled environment; when the risk level is low, the basic decoy layout is maintained to ensure resource utilization efficiency; combining the high-frequency technology types and target node types in the attack path, decoy categories (including service-type, vulnerability-type, credential-type, or data-type decoys) that match the attack behavior characteristics are selected, and their open ports, system fingerprint characteristics, and behavioral response strategies are adjusted to ensure that the decoy environment is structurally consistent with the expected attack target; the scale of decoy deployment is optimized under resource constraints, and executable strategy adjustment results are output to achieve dynamic guidance and intervention of APT attack behavior.