A semantic correlation TTP scenario construction method for a software-defined deception defense system
By constructing a CVE-TTP semantic association model, the problem of insufficient information acquisition in APT attack TTP scenarios is solved, realizing dynamic adaptation and efficient trapping of honeypots, and improving the accuracy and adaptability of APT defense.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- GUANGZHOU UNIVERSITY HUANGPU RESEARCH INSTITUTE
- Filing Date
- 2026-04-20
- Publication Date
- 2026-07-14
Smart Images

Figure CN122394875A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of network security deception defense technology, specifically involving TTP scenario construction and dynamic honey array adaptation technology under APT attack defense. It is applicable to the "Four Honeys" (H4SD3) software-defined deception defense system and solves three key technical problems: First, the standardization and fusion of multi-source heterogeneous threat intelligence and noise filtering to overcome the homogenization of TTP scenarios caused by a single data source; second, the accurate semantic association between CVE vulnerabilities and TTPs to achieve deep binding of vulnerability exploitation details and attack techniques, making up for the lack of semantic characterization of scenario attacks; and third, the adaptation and mapping of TTP scenario features and the layered trapping logic of "Four Honeys" to provide directly callable configuration parameters for dynamic honey array transformation, solving the problem of the disconnect between existing scenarios and defense decisions. Background Technology
[0002] As Advanced Persistent Threat (APT) attacks become more covert and multi-stage, their attack chains typically cover the entire process of "initial access - privilege escalation - lateral movement - data leakage," and the same attack group often evades traditional defense detection by fine-tuning the TTP environment configuration information (such as changing the exploit version or adjusting the process interaction logic).
[0003] First, "H4SD3" (Four Honeys) is the core architecture of software-defined deception defense, comprising four layers of trapping components: honey garden, honey point, honey array, and honey hole. In APT defense, the layered collaboration of "H4SD3" is key to breaking through traditional passive defense: through full-process coverage of "perception-guidance-capture-tracing," it can transform APT attacks from "black box" to "white box." However, the implementation of this capability highly depends on the TTP (Tactics, Techniques, and Procedures) scenario that is precisely matched with the APT attack process.
[0004] Secondly, as the core carrier of proactive defense, the dynamic transformation capability of honey arrays (including switching of service types of decoy nodes, updating of attack path guidance rules, and adjustment of permission configuration of depth traps) highly depends on refined TTP scenario information. If there is a lack of accurate characterization of the actual TTP utilization scenario (such as the activation of relevant files during the attack process, the software version applicable to the vulnerability, and the process dependencies required for the attack), honey arrays will be unable to simulate an environment that conforms to the real attack logic, resulting in decoy failure or being identified by attackers. Furthermore, existing TTP scenarios are highly homogenized and do not relate to vulnerability details, making it difficult to support the differentiated decoy strategies of honey arrays at different attack stages (such as honey courtyards needing to match the vulnerability scenario of initial APT access, and honey holes needing to recreate the process interaction scenario of privilege escalation).
[0005] Current technologies fail to effectively acquire TTP scenario information, often focusing on attack environment information. For APT attacks, TTP scenario information is frequently derived directly from descriptions in the MITRE ATT&CK knowledge base, leading to the following problems in existing TTP scenario construction: First, the problem of scenario data homogenization is prominent: existing TTP scenarios rely heavily on a single threat intelligence source (such as the MITRE ATT&CK public library) for feature extraction, lacking the fusion processing of heterogeneous intelligence. This results in overlapping scenario feature dimensions for different TTPs, making it impossible to distinguish the strategic differences of similar attack techniques and hindering the honeycomb's accurate identification of attack intent. Second, traditional TTP scenarios only focus on the abstract description of attack behavior (such as "exploiting vulnerabilities to execute code"), without associating and mapping it with specific CVE vulnerability exploitation scenario information (such as the applicable software platform, version range, process permissions required for exploitation, and registry keys relied upon for interaction). This results in the scenario failing to recreate the actual implementation of the attack technique. Finally, the environment simulated by the honeycomb deviates from the real attack logic, reducing the success rate of deception and causing a lack of adaptability between the scenario and the honeycomb defense architecture. Summary of the Invention
[0006] The purpose of this invention is to provide a semantic association TTP scenario construction method for software-defined deception defense systems. This method aims to overcome the shortcomings of existing technologies that cannot accurately and quickly extract TTP scenario information, address the severe homogenization of TTP scenario data, and overcome the inability to achieve fine-grained differentiation of attack strategies. It enhances the ability to characterize the attack semantics of TTP scenarios and coordinates with the honey array transformation of the core architecture of "four honeys" software-defined deception defense. By constructing CVE-TTP semantic associations, it integrates vulnerability attacks with the TTP scenario construction process, significantly improving the reliability of TTP scenario construction and the adaptability of the honey array defense architecture.
[0007] To achieve the above objectives, the present invention provides the following technical solution: a semantic association TTP scenario construction method for a software-defined deception defense system, the method comprising the following steps:
[0008] S1: Construct and train the CVE-TTP semantic association model;
[0009] S2: Perform structured parsing on CVE / TTP multi-source data;
[0010] S3: Implementing TTP scenario reasoning and construction based on semantic association;
[0011] S4: TTP scenario construction adapts to honeycomb dynamic defense system.
[0012] 2. The semantic association TTP scenario construction method for a software-defined deception defense system according to claim 1, characterized in that step S1 specifically includes the following steps:
[0013] S1.1 uses the Neo4j knowledge graph to read TTPs (Attack_Pattern nodes) and CVEs (Vulnerability nodes) and their descriptions. It integrates structured data containing CVE / TP entity attributes (identifier, description) and related data (source entity, target entity, association type) of CVE-TTP relationships, extracting non-empty CVE / TTP natural language description text to construct a basic corpus pool.
[0014] S1.2 Extract truly associated CVE-TTP text description pairs from the CVE-TTP association data as positive samples (label=1.0), select CVE-TTP text description pairs without true association under the same tactical / technical category as hard negative samples (label=0.0), and select CVE-TTP text description pairs without semantic association as random negative samples (label=0.0). Configure positive samples and negative samples in a 1:1 ratio to form a class-balanced training dataset, and then randomly divide the dataset into training set and validation set in a 9:1 ratio.
[0015] S1.3 Selects the Sentence-BERT pre-trained semantic model as the basic encoder, configures the training hyperparameters and sets a multi-dimensional evaluation index system including accuracy, F1 score, AUC, MRR, and Hit@N, designs a custom loss function that integrates cosine similarity loss and classification loss and introduces a temperature coefficient, performs supervised training on the training set, monitors the training process through a training process callback mechanism, and selects and saves semantic association models that can quantify the degree of CVE-TTP semantic association based on the optimal index of the validation set.
[0016] The custom loss function formula, which integrates cosine similarity loss and classification loss and incorporates a temperature coefficient, is as follows:
[0017]
[0018] in For cosine similarity, For temperature coefficient,
[0019]
[0020] in For the Sigmoid function, Mapped to [0,1] For sample labels, This represents the number of samples in the batch.
[0021] 3. The semantic association TTP scenario construction method for a software-defined deception defense system according to claim 2, characterized in that step S2 specifically includes the following steps:
[0022] S2.1 Establish a secure connection with the graph database, batch load nodes and entities (CVE / TTP) from the Neo4j graph database, batch extract valid CVE entity data containing identifiers and descriptions and description data of specified TTP entities, filter invalid data and perform integrity verification;
[0023] S2.2 parses CVE execution environment information based on CPE standards. First, it designs a rate-limiting avoidance mechanism with random delay, exponential backoff retries, and status code filtering. Then, it calls the vulnerability database open API to obtain the original CPE data corresponding to the CVE. The CPE string is parsed into standardized platform attributes containing vendor, product, version, and platform type, and the version range information is extracted. Finally, a unique identifier is generated based on the platform attributes to remove duplicates from the parsed CPE information and output structured CVE execution environment information.
[0024] 4. The semantic association TTP scenario construction method for a software-defined deception defense system according to claim 3, characterized in that step S3 specifically includes the following steps:
[0025] S3.1 Input the CVE / TTP description text to be inferred into the semantic association model saved in step S1.3 to generate a semantic vector, calculate the semantic similarity value between the two through the cosine similarity algorithm, and filter out the valid CVE-TTP association pairs based on the preset threshold;
[0026] The formula for calculating semantic cosine similarity is:
[0027] in This represents the normalized vector embedding described by the CVE. This represents the normalized vector embedding described by TTP.
[0028] S3.2 integrates the CPE execution environment attributes of CVEs and the ATT&CK tactical attributes of TTPs in effective CVE-TTP association pairs, performs joint reasoning from three dimensions: tactics, technology, and environment, and then integrates the information from each dimension in a structured way to generate structured TTP scenario information containing associated files, associated processes, associated registry entries, associated services, associated windows, and associated versions, and outputs it in a standardized format.
[0029] The core scenario information for S3.3TTP must include:
[0030] Related_files;
[0031] Related_processes;
[0032] Related_registry_keys;
[0033] Related_services;
[0034] Related_windows;
[0035] Related_versions.
[0036] Finally, scene information is filled in according to different TTP_ids to obtain specific scene information under specific TTPs.
[0037] 5. The semantic association TTP scenario construction method for a software-defined deception defense system according to claim 4, characterized in that step S4 specifically includes the following steps:
[0038] S4.1 organizes and summarizes the specific scenario information under the specific TTPs obtained in 3.3 to form a TTP scenario information database, and builds an automatic update mechanism. When new CVE vulnerability parsing results or new TTP scenario inference information are added, the feature database is automatically supplemented and iterated to keep up with the latest attack situation.
[0039] The TTP scenario library is constructed into a knowledge graph using Neo4j, and the node information includes:
[0040] Node name: TTP_id
[0041] Node associated with CVE: CVE_id node attribute: Related_files (NULL / specific instance file);
[0042] Related_processes (NULL / specific instance process);
[0043] Related_registry_keys (NULL / specific instance registry key);
[0044] Related_services (NULL / specific instance services);
[0045] Related_windows (NULL / specific instance window);
[0046] Related_versions (NULL / specific instance version).
[0047] S4.2 delivers the disassembled TTP scenario information database through the central honey array standard data interface, adapting to its unified data interaction format. After the central honey array summarizes the attack alarm information collected from honey gardens, honey points, and honey holes, it infers the current TTP asset allocation and matches it with the TTP scenario information database to obtain the environmental configuration asset list.
[0048] The technical effects and advantages provided by the present invention in the above technical solution are as follows:
[0049] 1. The invention adopts a supervised training method based on a pre-trained semantic model and constructs a class-balanced dataset containing positive samples, hard negative samples, and random negative samples. By strengthening semantic difference learning through a joint loss function, it can identify CVE-TTP associations that are semantically related but have different textual expressions. This overcomes the problem that traditional keyword matching is not capable of identifying synonyms and implicit relationships, thereby improving the accuracy and robustness of association identification between CVE and TTP.
[0050] 2. This invention adopts a semantic association-driven reasoning mechanism. Once the model is trained, CVE data can be input in batches, and the entire process of semantic matching, environment parsing, and scene generation can be completed automatically. There is no need for manual maintenance of the rule base or annotation of each rule. This significantly improves the efficiency and scalability of vulnerability and attack scene mapping, realizes the automated and large-scale extraction of TTP scene information, and greatly reduces manual dependence.
[0051] 3. Based on semantic association, this invention further integrates the CPE execution environment information of CVE with the ATT&CK tactical attributes of TTP, and performs joint reasoning from three dimensions: attack tactics, attack techniques, and operating environment. It can output structured scenario information containing content such as affected platforms, version range, associated processes, and registry entries. Existing technologies can only provide simple correspondences, making the obtained TTP scenario information more complete and detailed, and possessing practical application value.
[0052] 4. The invention is based on semantic models rather than fixed rules. When new vulnerabilities or attack techniques are added, only a small number of samples need to be added or the model inference can be used directly to extract scenario information of new CVEs and TTPs without rewriting the rules. The system's scalability and lifespan are far superior to traditional solutions. It has good scalability and adaptability and can adapt to constantly updated CVE and TTP data. Attached Figure Description
[0053] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments recorded in this invention. For those skilled in the art, other drawings can be obtained based on these drawings.
[0054] Figure 1 This is a flowchart of the method of the present invention. Detailed Implementation
[0055] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0056] like Figure 1 As shown in this embodiment, a semantic association TTP scenario construction method for a software-defined deception defense system includes the following steps:
[0057] In some embodiments, the process of performing step S1 includes:
[0058] S1: Construct and train the CVE-TTP semantic association model;
[0059] S2: Perform structured parsing on CVE / TTP multi-source data;
[0060] S3: Implementing TTP scenario reasoning and construction based on semantic association;
[0061] S4: TTP scenario construction adapts to honeycomb dynamic defense system.
[0062] In some specific embodiments, step S1 specifically includes the following steps:
[0063] S1.1 loads the entity table nodes.csv and edge table edges.csv, and reads TTPs (Attack Pattern nodes) and CVEs (Vulnerability nodes) and their description information (description) from the knowledge graph built by Neo4j to form a description list. It integrates structured data containing CVE / TTP entity attributes (identifier, description) and related data of CVE-TTP relationships (source entity, target entity, association type), and extracts non-empty CVE / TTP natural language description text to construct a basic corpus pool.
[0064] S1.2 Extract truly associated CVE-TTP text description pairs from the CVE-TTP association data as positive samples (label=1.0), and select CVE-TTP text description pairs without true association under the same tactical / technical category as hard negative samples (label=0.0). Since some TTPs can correspond to more than 10,000 CVEs, a limit of up to 100 positive samples are set for each TTP. Select CVE-TTP text description pairs without semantic association as random negative samples (label=0.0). Configure positive samples and negative samples in a 1:1 ratio to form a class-balanced training dataset. Then, randomly divide the dataset into training set and validation set in a 9:1 ratio.
[0065] S1.3 selects the Sentence-BERT pre-trained semantic model as the basic encoder, configures training hyperparameters (such as hard negative sample ratio = 0.5, random negative sample ratio = 0.5, temperature coefficient = 10, learning rate = 0.00001, number of training rounds = 3, batch size = 64, gradient accumulation steps = 1, evaluation steps = 500, maximum text encoding length = 256) and sets a multi-dimensional evaluation index system including accuracy, F1 score, AUC, MRR, and Hit@N. A custom loss function that integrates cosine similarity loss and classification loss and introduces temperature coefficient is designed. Supervised training is performed on the training set. The training process is monitored through a training process callback mechanism. Based on the optimal index of the validation set, the semantic association model that can quantify the semantic association degree of CVE-TTP is selected and saved.
[0066] The custom loss function formula, which integrates cosine similarity loss and classification loss and incorporates a temperature coefficient, is as follows:
[0067]
[0068] in For cosine similarity, For temperature coefficient,
[0069]
[0070] in For the Sigmoid function, Mapped to [0,1] For sample labels, This represents the number of samples in the batch.
[0071] In some embodiments, step S2 specifically includes the following steps:
[0072] S2.1 Establish a secure connection with the graph database, batch load nodes and entities (CVE / TTP) from the Neo4j graph database, batch extract valid CVE entity data containing identifiers and descriptions and description data of specified TTP entities, filter invalid data and perform integrity verification;
[0073] S2.2 is based on the general platform enumeration CPE standard to parse CVE execution environment information. First, a rate limiting avoidance mechanism of random delay + exponential backoff retries + status code filtering is designed. Then, the vulnerability database open API is called to obtain the original CPE data corresponding to the CVE. The CPE string is parsed into standardized platform attributes containing vendor, product, version and platform type and the version range information is extracted. Finally, a unique identifier is generated based on the platform attributes (vendor, product, version and platform type) to remove duplicates from the parsed CPE information and output structured CVE execution environment information.
[0074] In some embodiments, step S3 specifically includes the following steps:
[0075] S3.1 Input the CVE / TTP description text to be inferred into the semantic association model saved in step S1.3 to generate a semantic vector, calculate the semantic similarity value between the two through the cosine similarity algorithm, and filter out the valid CVE-TTP association pairs based on the preset threshold;
[0076] The formula for calculating semantic cosine similarity is:
[0077] in This represents the normalized vector embedding described by the CVE. This represents the normalized vector embedding described by TTP.
[0078] S3.2 integrates the CPE execution environment attributes of CVEs and the ATT&CK tactical attributes of TTPs in effective CVE-TTP association pairs, performs joint reasoning from three dimensions: tactics, technology, and environment, and then integrates the information from each dimension in a structured way to generate structured TTP scenario information containing associated files, associated processes, associated registry entries, associated services, associated windows, and associated versions, and outputs it in a standardized format.
[0079] The core scenario information for S3.3TTP must include:
[0080] Related_files;
[0081] Related_processes;
[0082] Related_registry_keys;
[0083] Related_services;
[0084] Related_windows;
[0085] Related_versions.
[0086] Finally, scene information is filled in according to different TTP_ids to obtain specific scene information under specific TTPs.
[0087] In some embodiments, step S4 specifically includes the following steps:
[0088] S4.1 organizes and summarizes the specific scenario information under the specific TTPs obtained in 3.3 to form a TTP scenario information database, and builds an automatic update mechanism. When new CVE vulnerability parsing results or new TTP scenario inference information are added, the feature database is automatically supplemented and iterated to keep up with the latest attack situation.
[0089] The TTP scenario library is constructed into a knowledge graph using Neo4j, and the node information includes:
[0090] Node name: TTP_id
[0091] Node associated with CVE: CVE_id node attribute: Related_files (NULL / specific instance file);
[0092] Related_processes (NULL / specific instance process);
[0093] Related_registry_keys (NULL / specific instance registry key);
[0094] Related_services (NULL / specific instance services);
[0095] Related_windows (NULL / specific instance window);
[0096] Related_versions (NULL / specific instance version).
[0097] S4.2 delivers the disassembled TTP scenario information database through the central honey array standard data interface, adapting to its unified data interaction format. After the central honey array summarizes the attack alarm information collected from honey gardens, honey points, and honey holes, it infers the current TTP asset allocation and matches it with the TTP scenario information database to obtain the environmental configuration asset list.
[0098] In the description of this specification, references to terms such as "an embodiment," "example," "specific example," etc., indicate that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples.
[0099] The preferred embodiments of the present invention disclosed above are merely illustrative of the invention. These preferred embodiments do not exhaustively describe all details, nor do they limit the invention to specific implementations. Clearly, many modifications and variations can be made based on the content of this specification. This specification selects and specifically describes these embodiments to better explain the principles and practical applications of the invention, thereby enabling those skilled in the art to better understand and utilize the invention. The invention is limited only by the claims and their full scope and equivalents.
Claims
1. A semantic association TTP scenario construction method for software-defined deception defense systems, applicable to "four-honey" software-defined deception defense systems: the method includes the following steps: S1: Construct and train the CVE-TTP semantic association model; S2: Perform structured parsing on CVE / TTP multi-source data; S3: Implementing TTP scenario reasoning and construction based on semantic association; S4: TTP scenario construction adapts to honeycomb dynamic defense system.
2. The semantic association TTP scenario construction method for a software-defined deception defense system according to claim 1, characterized in that, Step S1 specifically includes the following steps: S1.1 reads TTPs (Attack Pattern nodes) and CVEs (Vulnerability nodes) and their descriptions using the Neo4j knowledge graph. It integrates structured data containing CVE / TTP entity attributes (identifier, description) and related data (source entity, target entity, association type) of CVE-TTP relationships, extracting non-empty CVE / TTP natural language description text to construct a basic corpus pool. S1.2 Extract truly correlated CVE-TTP text description pairs from the CVE-TTP association data as positive samples (label=1.0), while selecting CVE-TTP text description pairs without true correlation under the same tactical / technical category as hard negative samples (label=0.0) and selecting CVE-TTP text description pairs without semantic correlation as random negative samples (label=0.0). Configure positive samples and negative samples in a 1:1 ratio to form a class-balanced training dataset, and then randomly divide the dataset into a training set and a validation set in a 9:1 ratio. S1.3 Selects the Sentence-BERT pre-trained semantic model as the basic encoder, configures the training hyperparameters and sets a multi-dimensional evaluation index system including accuracy, F1 score, AUC, MRR, and Hit@N, designs a custom loss function that integrates cosine similarity loss and classification loss and introduces a temperature coefficient, performs supervised training on the training set, monitors the training process through a training process callback mechanism, and selects and saves semantic association models that can quantify the degree of CVE-TTP semantic association based on the optimal index of the validation set. The custom loss function formula, which integrates cosine similarity loss and classification loss and incorporates a temperature coefficient, is as follows: in For cosine similarity, For temperature coefficient, For the Sigmoid function, Mapped to [0,1] For sample labels, This represents the number of samples in the batch.
3. The semantic association TTP scenario construction method for a software-defined deception defense system according to claim 2, characterized in that, Step S2 specifically includes the following steps: S2.1 Establish a secure connection with the graph database, batch load nodes and entities (CVE / TTP) from the Neo4j graph database, batch extract valid CVE entity data containing identifiers and descriptions and description data of specified TTP entities, filter invalid data and perform integrity verification; S2.2 parses CVE execution environment information based on the CPE standard. First, it designs a rate-limiting avoidance mechanism with random delay, exponential backoff retries, and status code filtering. Then, it calls the vulnerability database open API to obtain the original CPE data corresponding to the CVE. The CPE string is parsed into standardized platform attributes containing vendor, product, version, and platform type, and the version range information is extracted. Finally, a unique identifier is generated based on the platform attributes to deduplicate the parsed CPE information and output structured CVE execution environment information.
4. The semantic association TTP scenario construction method for a software-defined deception defense system according to claim 3, characterized in that, Step S3 specifically includes the following steps: S3.1 Input the CVE / TTP description text to be inferred into the semantic association model saved in step S1.3 to generate a semantic vector, calculate the semantic similarity value between the two through the cosine similarity algorithm, and filter out the valid CVE-TTP association pairs based on the preset threshold; The formula for calculating semantic cosine similarity is: in This represents the normalized vector embedding described by the CVE. This represents the normalized vector embedding described by TTP. S3.2 integrates the CPE execution environment attributes of CVEs and the ATT&CK tactical attributes of TTPs in effective CVE-TTP association pairs, performs joint reasoning from three dimensions: tactics, technology, and environment, and then integrates the information from each dimension in a structured way to generate structured TTP scenario information containing associated files, associated processes, associated registry entries, associated services, associated windows, and associated versions, and outputs it in a standardized format. The core scenario information for S3.3TTP must include: Related_files; Related_processes; Related_registry_keys; Related_services; Related_windows; Related_versions. Finally, scene information is filled in according to different TTP_ids to obtain specific scene information under specific TTPs.
5. The semantic association TTP scenario construction method for a software-defined deception defense system according to claim 4, characterized in that, Step S4 specifically includes the following steps: S4.1 organizes and summarizes the specific scenario information under the specific TTPs obtained in 3.3 to form a TTP scenario information database, and builds an automatic update mechanism. When new CVE vulnerability parsing results or new TTP scenario inference information are added, the feature database is automatically supplemented and iterated to keep up with the latest attack situation. The TTP scenario library is constructed into a knowledge graph using Neo4j, and the node information includes: Node name: TTP_id Node associated with CVE: CVE_id node attribute: Related_files (NULL / specific instance file); Related_processes (NULL / specific instance process); Related_registry_keys (NULL / specific instance registry key); Related_services (NULL / specific instance services); Related_windows (NULL / specific instance window); Related_versions (NULL / specific instance version). S4.2 delivers the disassembled TTP scenario information database through the central honey array standard data interface, adapting to its unified data interaction format. After the central honey array summarizes the attack alert information collected from honey gardens, honey points, and honey holes, it infers the current TTP asset allocation and matches it with the TTP scenario information database to obtain the environmental configuration asset list.