An artificial intelligence-based automated security policy adjustment method

By constructing an incomplete information game structure and topology model, and combining security situation data to simulate deployment strategies in a digital twin environment, the problems of disconnect between strategy generation and verification and weak adaptability in existing technologies are solved, thereby improving the stability and adaptability of complex network environments.

CN122394894APending Publication Date: 2026-07-14HANGZHOU BINGHAN TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
HANGZHOU BINGHAN TECHNOLOGY CO LTD
Filing Date
2026-04-23
Publication Date
2026-07-14

Smart Images

  • Figure CN122394894A_ABST
    Figure CN122394894A_ABST
Patent Text Reader

Abstract

The application discloses an automatic security policy adjustment method based on artificial intelligence, and relates to the technical field of network security, comprising the following steps: collecting security posture basic data and constructing an incomplete information game structure; constructing a topology graph model based on the security posture basic data, mapping the incomplete information game structure to the topology graph model, and obtaining a candidate security policy instruction set; simulating deployment and deduction of the candidate security policy instruction set in a digital twin environment, and generating a strategy prior evaluation report; selecting an optimal strategy from the strategy prior evaluation report, converting the optimal strategy into specific configuration commands, and deploying and executing the specific configuration commands in a production environment; monitoring actual effects of the optimal strategy in the production environment, collecting actual operation data, and generating a strategy aftereffect monitoring report. The application realizes stereoscopic and fine-grained modeling of a complex network attack and defense scene, and dynamic quantitative representation of uncertainty of an attacker's identity and intention.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security technology, and in particular to an automated security policy adjustment method based on artificial intelligence. Background Technology

[0002] As cyberattacks become increasingly complex and dynamic, traditional passive defense systems based on static rules and signature matching are no longer sufficient to cope with advanced persistent threats and zero-day attacks. In recent years, artificial intelligence technologies, especially machine learning and deep learning, have been widely applied to intrusion detection, anomaly behavior analysis, and threat intelligence correlation, significantly improving the efficiency of security incident detection and response. Building on this foundation, the concept of automated security response has emerged, aiming to partially automate security operations by connecting detection, analysis, and response actions through scripted processes. Further research focuses on introducing a game theory framework to model attack and defense as a dynamic game of incomplete information, enabling defense mechanisms to simulate the attacker's perspective and generate optimal or near-optimal defense strategies. Simultaneously, digital twin technology provides a new path for security policy verification, making it possible to conduct risk-free "sandbox simulations" before implementing strategies in a real production environment by constructing a high-fidelity virtual network mirror.

[0003] However, existing AI-integrated automated security policy adjustment methods have significant shortcomings in data security protection. First, there is a disconnect between "decision-verification" and "policy generation." Policy generation models based on game theory or reinforcement learning lack forward-looking comprehensive verification in a high-fidelity digital environment before deployment in production. Due to environmental complexity and the uncertainty of attacks, directly deploying such "black box" policies can easily lead to business interruptions, performance degradation, or policy conflicts, exposing the production environment to unknown risks. Second, there is a general lack of an effective "perception-learning" closed loop. Most methods do not conduct systematic comparative analysis and attribution of actual operational effects and predicted effects in the virtual environment after policy deployment. This results in the AI ​​model driving the decision and the digital twin environment being unable to continuously optimize using real feedback. Model accuracy decays over time, making it difficult to adapt to dynamic threats and limiting the method's adaptability and long-term effectiveness. Summary of the Invention

[0004] In view of the aforementioned existing problems, the present invention is proposed.

[0005] Therefore, this invention provides an automated security policy adjustment method based on artificial intelligence to solve the problems of high policy deployment risk and weak model adaptability in the prior art.

[0006] To solve the above-mentioned technical problems, the present invention provides the following technical solution:

[0007] This invention provides an automated security strategy adjustment method based on artificial intelligence, comprising: collecting basic security situation data and constructing an incomplete information game structure; constructing a topology graph model based on the basic security situation data and mapping the incomplete information game structure to the topology graph model to obtain a set of candidate security strategy instructions; simulating and deploying the set of candidate security strategy instructions in a digital twin environment to generate a strategy prior evaluation report; selecting the optimal strategy from the strategy prior evaluation report and converting the optimal strategy into specific configuration commands for deployment and execution in the production environment; monitoring the actual effect of the optimal strategy in the production environment and collecting actual operation data to generate a strategy post-effect monitoring report; comparing and analyzing the strategy prior evaluation report and the strategy post-effect monitoring report to calibrate the digital twin environment and update the incomplete information game structure.

[0008] As a preferred embodiment of the AI-based automated security policy adjustment method described in this invention, the basic security situation data includes network status, asset information, and threat intelligence.

[0009] As a preferred embodiment of the AI-based automated security strategy adjustment method of the present invention, the specific steps for constructing the incomplete information game structure are as follows:

[0010] Collect basic security situation data and construct a dynamic multi-layer attribute graph;

[0011] Calculate the prior probability of attacker type based on dynamic multi-layer attribute graph;

[0012] Based on the prior probability of attacker type and asset information, combined with historical adversarial logs, a multi-dimensional payoff matrix is ​​generated.

[0013] By combining the prior probability of the attacker type with a multi-dimensional payoff matrix, an incomplete information game structure is obtained.

[0014] As a preferred embodiment of the automated security strategy adjustment method based on artificial intelligence described in this invention, the specific steps for constructing a topology graph model based on basic security situation data are as follows:

[0015] Based on the device identifier and business attributes in the asset information, an asset layer is constructed based on the asset instance attributes. A connection layer reflecting the communication connection relationship is built using the communication connection data and traffic transmission data in the network status.

[0016] By utilizing vulnerability attribute data from asset information and attack characteristic data from threat intelligence, a risk layer is constructed to identify potential risk elements.

[0017] By using a heterogeneous information network fusion mechanism, the asset layer, connection layer, and risk layer are linked in multiple dimensions to construct a topology graph model.

[0018] As a preferred embodiment of the AI-based automated security policy adjustment method of the present invention, the specific steps for obtaining the candidate security policy instruction set are as follows:

[0019] The incomplete information game structure is mapped to a topological graph model to simulate the effect of each defensive action in the multi-dimensional payoff matrix on the changes in the state of hierarchical nodes and edges in the topological graph model, and to obtain the policy spectrum perturbation feature vector.

[0020] The strategy spectrum perturbation feature vector and the prior probability of the attacker type are combined, and the equilibrium probability density of each defense strategy is calculated.

[0021] Defense strategies are screened based on equilibrium probability density, and the screened defense strategies are decoded into specific atomic configuration instructions;

[0022] Conflict detection and syntax encapsulation are performed on atomic configuration instructions to generate a set of candidate security policy instructions.

[0023] As a preferred embodiment of the AI-based automated security policy adjustment method of the present invention, the specific steps for generating the policy prior evaluation report are as follows:

[0024] Load the set of candidate security policy instructions into the configuration interface of the digital twin environment, and instantiate the policy deployment scenario;

[0025] In a digital twin environment, the strategy deployment scenario and the baseline scenario without a set of candidate security policy instructions are run in parallel, and network status time-series data and abnormal event logs are collected.

[0026] Based on network state time series data, policy state trajectories and baseline state trajectories are constructed, and the policy security stability score is calculated using the causal counterfactual trajectory deviation integral mechanism.

[0027] By combining the policy security stability score with the abnormal event log, a policy prior assessment report is generated.

[0028] As a preferred embodiment of the automated security policy adjustment method based on artificial intelligence described in this invention, the specific steps for selecting the optimal policy from the policy prior evaluation report are as follows:

[0029] Based on the strategy prior assessment report and combined with the real-time state vector of the production environment, the production deployment confidence of each candidate defense strategy is calculated.

[0030] The candidate defense strategies are ranked according to the production deployment confidence level, and the candidate defense strategy ranked first is determined as the optimal strategy.

[0031] As a preferred embodiment of the AI-based automated security policy adjustment method of the present invention, the specific steps of converting the optimal policy into specific configuration commands and deploying them in the production environment are as follows:

[0032] Based on the optimal strategy and combined with the network topology of the production environment, the optimal strategy is mapped to specific configuration commands adapted to the production network devices.

[0033] The specific configuration commands are encapsulated into executable scripts and deployed to edge nodes in the production environment.

[0034] As a preferred embodiment of the AI-based automated security policy adjustment method of the present invention, the specific steps for generating the policy post-effect monitoring report are as follows:

[0035] Monitor the actual effect of the optimal strategy in the production environment and collect actual operating data corresponding to the evaluation indicators defined in the strategy prior evaluation report;

[0036] Based on actual operational data and predicted performance data in the strategy prior evaluation report, obtain the strategy execution deviation.

[0037] The strategy execution deviation is correlated with actual operating data in multiple dimensions and encapsulated in a structured manner to generate a strategy post-effect monitoring report.

[0038] As a preferred embodiment of the AI-based automated security strategy adjustment method of the present invention, the comparative analysis of the strategy prior evaluation report and the strategy post-effect monitoring report calibrates the digital twin environment and updates the incomplete information game structure. The specific steps are as follows:

[0039] Compare the strategy prior assessment report and the strategy post-effect monitoring report, and extract the deviation signal between the predicted effect data and the actual operation data;

[0040] The virtual-real mapping calibration factor is obtained based on the deviation signal, and the virtual-real mapping calibration factor is used to calibrate the digital twin environment;

[0041] The attacker's behavior distribution is re-simulated based on the calibrated digital twin environment, and the prior probability of the attacker type in the incomplete information game structure is updated.

[0042] The beneficial effects of this invention are as follows: by constructing a dynamic multi-layer attribute graph, calculating the prior probability of attacker types, and generating a multi-dimensional benefit matrix, it achieves three-dimensional and fine-grained modeling of complex network attack and defense scenarios, as well as dynamic quantitative representation of the uncertainty of attacker identity and intent; by conducting simulation deployment and deduction in a digital twin environment and generating a strategy prior evaluation report, it upgrades the evaluation method of strategy effectiveness from superficial statistical indicator comparison to in-depth causal impact attribution analysis, ensuring the continuity of data services in the production environment, the stability of data strategies, and the overall level of data security. Attached Figure Description

[0043] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the following description of the embodiments will be briefly introduced. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0044] Figure 1 This is a flowchart of an automated security policy adjustment method based on artificial intelligence.

[0045] Figure 2 A flowchart for constructing a game structure with incomplete information.

[0046] Figure 3 A flowchart for generating a strategy prior evaluation report.

[0047] Figure 4 This is a heatmap of a multi-dimensional revenue matrix.

[0048] Figure 5 This is a comparison chart of interception success rates. Detailed Implementation

[0049] To make the above-mentioned objects, features and advantages of the present invention more apparent and understandable, the specific embodiments of the present invention will be described in detail below with reference to the accompanying drawings.

[0050] Many specific details are set forth in the following description in order to provide a full understanding of the invention. However, the invention may also be practiced in other ways different from those described herein, and those skilled in the art can make similar extensions without departing from the spirit of the invention. Therefore, the invention is not limited to the specific embodiments disclosed below.

[0051] Secondly, the term "one embodiment" or "embodiment" as used herein refers to a specific feature, structure, or characteristic that may be included in at least one implementation of the present invention. The phrase "in one embodiment" appearing in different places in this specification does not necessarily refer to the same embodiment, nor is it a single or selective embodiment that is mutually exclusive with other embodiments.

[0052] Reference Figures 1-5 This is one embodiment of the present invention, which provides an automated security policy adjustment method based on artificial intelligence, including the following steps:

[0053] S1. Collect basic security situation data and construct an incomplete information game structure.

[0054] Collect basic security situation data and construct a dynamic multi-layer attribute graph.

[0055] The specific process includes collecting basic security situation data, which involves real-time acquisition of communication connection data and traffic transmission data in network status, collecting device identifiers and business attributes in asset information, integrating attack feature data and vulnerability attribute data in threat intelligence, mapping device identifiers to nodes, mapping communication connection data to edges, assigning dynamic weight attributes to nodes and edges using business attributes and attack feature data, and organizing network status, asset information and threat intelligence in layers through layered modeling to construct a dynamic multi-layer attribute graph.

[0056] It should be noted that the dynamic multi-layer attribute graph constructs a three-dimensional map containing asset layer, connection layer, and risk layer by integrating network state asset information and threat intelligence. This enables real-time panoramic mapping and dynamic evolution tracking of the network security situation, thereby providing structured data support for accurately identifying potential threats and quickly formulating response strategies.

[0057] Based on a dynamic multi-layer attribute graph, the prior probability of the attacker type is calculated using the following expression:

[0058] ;

[0059] in, Indicates the first Prior probability of attacker type, This indicates the index of the specific attacker type to be calculated. This represents the natural exponential function. This indicates the total number of layers in a dynamic multi-layer attribute graph. The index number represents the layer number in a dynamic multi-level attribute graph. This represents the sensitivity adjustment coefficient for the probability distribution. Indicates the first Layer weight coefficients, This represents the index of the potential attacker type traversed when summing the denominator. This represents the total number of potential attacker types. Indicates the first Attacker Types and Dynamic Multi-Layer Attribute Graph Feature matching degree of the layer Indicates the first Attacker Types and Dynamic Multi-Layer Attribute Graph Feature matching degree of the layer.

[0060] It should be noted that the probability distribution sensitivity adjustment coefficient is a preset parameter used to control the smoothness of the probability distribution (usually initialized to 1 or determined through grid search trial and error). Indicates the first The weight coefficient of a layer is a numerical value used to quantify the importance of the layer's attributes in attacker identification. It is derived by the Analytic Hierarchy Process (AHP) or by using the entropy weight method based on the dispersion of the data in that layer. Is by passing the first The known tactical and technical process profile and dynamic multi-layer attribute graph of the attacker The quantitative score is obtained by calculating the asset vulnerability, interaction path and value attributes mapped by the layer using multi-dimensional vector similarity (such as cosine similarity or weighted matching algorithm); By the first The tactical and technical process profile and dynamic multi-layer attribute graph of attackers The quantitative score is obtained by calculating the asset vulnerability, interaction path and value attributes mapped by the layer using multi-dimensional vector similarity (such as cosine similarity or weighted matching algorithm).

[0061] The specific process includes, when calculating the prior probability of attacker type based on dynamic multi-layer attribute graph, integrating the feature matching degree and weight coefficient of each level in the dynamic multi-layer attribute graph, constructing a normalized probability distribution using the natural exponential function and probability distribution sensitivity adjustment coefficient, thereby quantifying the relative probability of the current specific attacker type index relative to the total number of potential attacker types in the overall environment, and finally outputting the prior probability of attacker type to characterize the chance of a specific attacker type appearing.

[0062] It should be noted that attackers can be categorized into automated scanners, misconfigured sources of abnormal access, internal test verification accounts, and authorized penetration testing teams.

[0063] Based on the prior probability of attacker type and asset information, combined with historical adversarial logs, a multi-dimensional profit matrix is ​​generated.

[0064] The specific process includes determining the probability of various attacker types based on the prior probability of attacker types, clarifying the value attributes and vulnerability characteristics of different assets by combining asset information, extracting the actual interaction results of past attack behaviors and defense measures using historical adversarial logs, mapping the above three together to obtain the expected utility value of each attacker type when taking specific strategies against each type of asset, and finally arranging and combining these quantified expected utility values ​​according to the dimensions of attacker type, asset category and strategy combination to generate a multi-dimensional benefit matrix.

[0065] It should be noted that historical adversarial logs are structured log collections formed by continuously recording detailed data such as attack time, attack type, exploited vulnerabilities, defensive actions, and final results generated during past interactions between the network defense system and attackers, and then storing them in a formatted manner; value attributes refer to quantitative indicators of the importance of assets in terms of business continuity, data confidentiality, and service availability, while vulnerability characteristics refer to specific descriptions of exploitable technical defects, configuration errors, or logical vulnerabilities in the asset itself and the probability of successful attacks.

[0066] Figure 4 The multi-dimensional payoff matrix heatmap is a multi-dimensional payoff matrix obtained by arranging dimensions such as "attacker type × strategy combination". Each matrix cell represents the expected utility value of adopting a candidate defense strategy under a specific attacker type. This figure is used to illustrate how the present invention maps historical adversarial logs and asset information to the payoff space, and further integrates them with the prior probability of attacker type to construct an incomplete information game structure, thereby providing a calculable and interpretable basis for subsequent strategy selection.

[0067] By combining the prior probability of the attacker type with a multi-dimensional payoff matrix, an incomplete information game structure is obtained.

[0068] The specific process involves using the prior probability of the attacker type as a measure of the defender's uncertainty about the attacker's true type in the incomplete information game structure, and directly mapping it to the row vector of the corresponding attacker type in the multi-dimensional payoff matrix. This results in each payoff value in the multi-dimensional payoff matrix being associated with the probability weight of the attacker type, thereby constructing an incomplete information game structure that includes a type space, probability distribution, and weighted payoff function.

[0069] It should be noted that the incomplete information game structure is a mathematical framework describing the interactive deduction of decision-making participants under the condition that they cannot grasp the complete type characteristics and strategy space of the opponent. Its core significance lies in quantifying information asymmetry through probability distribution to simulate the uncertainty in the real adversarial environment, so that the defender can still derive a robust optimal defense strategy and effectively improve the proactive adaptability of the overall security situation when there is a lack of data on the attacker's exact intentions.

[0070] S2. Construct a topology graph model based on basic security situation data, and map the incomplete information game structure to the topology graph model to obtain a set of candidate security policy instructions.

[0071] Based on the device identifier and business attributes in the asset information, an asset layer is constructed using asset instance attributes. A connection layer reflecting communication connection relationships is built using communication connection data and traffic transmission data in the network status.

[0072] The specific process includes extracting the unique identity features and key value of the services carried by each device based on the device identifier and business attributes in the asset information, aggregating these features into an asset layer that describes the static attributes of individual assets, and using communication connection data and traffic transmission data in the network status to analyze the interaction paths and data flow between devices, mapping the analyzed interaction relationships into dynamic links between nodes to build a connection layer that reflects the communication connection relationships, forming a two-layer architecture composed of the asset layer describing static attributes and the connection layer describing dynamic links.

[0073] By utilizing vulnerability attribute data from asset information and attack characteristic data from threat intelligence, a risk layer is constructed to identify potential risk factors.

[0074] The specific process includes extracting details of security flaws in the device itself using vulnerability attribute data from asset information, and analyzing commonly used exploitation methods and behavioral patterns of external attackers from attack feature data in threat intelligence (e.g., remote code execution scripts targeting specific versions of middleware, brute-force sequences using weak passwords, and SQL injection or XSS cross-site scripting attack payloads disguised as normal traffic). The details of security flaws are matched and correlated with exploitation methods and behavioral patterns to identify potentially exploitable vulnerabilities. These identified potentially exploitable vulnerabilities are then aggregated into a risk layer describing the potential sources of threats and exploitable paths.

[0075] It should be noted that vulnerability attribute data is a structured set of information describing the characteristics of known security weaknesses in network assets, mainly including the vulnerability's unique identifier, severity rating, affected software version, exploitation difficulty coefficient, and potential business impact scope; attack characteristic data is a structured set of information describing network attack behavior patterns, technical means, and malicious payload fingerprints, mainly including abnormal traffic behavior, attack payload fingerprints, protocol violation characteristics, attack timing correlation patterns, and threat intelligence tags.

[0076] By using a heterogeneous information network fusion mechanism, the asset layer, connection layer, and risk layer are linked in multiple dimensions to construct a topology graph model.

[0077] The specific process includes: using a heterogeneous information network fusion mechanism to perform cross-dimensional mapping and alignment of device nodes in the asset layer (describing static attributes), interactive links in the connection layer (reflecting communication connection relationships), and vulnerable nodes in the risk layer (identifying potential risk elements); using device identifiers in the asset layer as unique anchors to bind dynamic links in the connection layer (generated based on communication connection data and traffic transmission data) to specific devices; and based on the matching results of vulnerability attribute data in asset information and attack feature data in threat intelligence, attaching potential risk elements in the risk layer to corresponding device nodes or interactive links. This integrates individual asset characteristics, dynamic interaction paths, and vulnerability relationships into a graph structure containing multiple node types and edge types, constructing a topology graph model that can simultaneously represent device business attributes, network communication topology, and potential attack paths.

[0078] It should be noted that the heterogeneous information network fusion mechanism is a data integration method for handling complex graph structures containing multiple types of nodes and edges. Its core lies in using network patterns to define mapping rules for different object types and relationship types, capturing high-order semantic relationships between different node types through methods such as meta-path analysis, and mapping heterogeneous data from asset layers, connection layers, and risk layers with different attribute characteristics and relationship definitions to a unified graph space for alignment and interaction. While preserving the unique semantics of each layer's data, it establishes cross-dimensional connection bridges, thereby achieving deep complementarity and structured fusion of multi-source heterogeneous information to support upper-layer analysis tasks. Individual asset characteristics originate from static mapping of device attributes, configuration status, and business importance; dynamic interaction paths come from real-time tracking and analysis of network traffic logs and communication behavior sequences; and vulnerability relationships are derived by logically mapping asset weaknesses to potential attack chains through vulnerability scanning results, threat intelligence databases, and topology dependency analysis.

[0079] By mapping the incomplete information game structure to a topological graph model, the effects of each defensive action in the multi-dimensional payoff matrix on the state changes of hierarchical nodes and edges in the topological graph model are simulated, and the perturbation feature vector of the strategy spectrum is obtained.

[0080] The specific process includes mapping the strategy space and uncertainty information of participants in the incomplete information game structure to a topological graph model. During the simulation, the effects of each defensive action on the attribute values ​​and connectivity of asset layer nodes, connection layer edges, and risk layer nodes in the topological graph model are quantified based on a multi-dimensional payoff matrix. The offset trajectory of the overall state of the topological graph model after the execution of different defensive actions is recorded. These feature data reflecting the magnitude and direction of state changes are aggregated into a strategy spectrum perturbation feature vector that describes the interference capability of the defensive strategy.

[0081] The strategy spectrum perturbation feature vector and the prior probability of the attacker type are combined, and the equilibrium probability density of each defense strategy is calculated. The expression is as follows:

[0082] ;

[0083] in, Indicates the first The equilibrium probability density of a defense strategy The index number representing the defense strategy. Indicates the first The expected return of a defense strategy, This represents the index of the candidate defense strategy traversed during the summation of the denominator. This represents the total number of candidate defense strategies. Indicates the first The expected return of each candidate defense strategy Indicates the risk-sensitive adjustment factor. Indicates the first The potential risk exposure value of each defense strategy.

[0084] It should be noted that, Indicates the first The expected return value of a defense strategy is the value obtained by weighting the possible returns of the defense strategy when facing different types of attackers according to the prior probability of the attacker's appearance. Indicates the first The expected return value of a candidate defense strategy is the sum of the returns of the candidate defense strategy in each scenario when dealing with different types of attackers, weighted by the prior probability of the corresponding attacker type; the risk sensitivity adjustment factor is a parameter that quantifies the defender's aversion to potential losses, and is obtained by fitting risk preference analysis in historical attack and defense data. Indicates the first The potential risk exposure value of a defense strategy is the maximum loss or variance that the defense strategy may suffer when facing the most unfavorable attack scenario. It is obtained by simulating the worst performance or profit fluctuation of the defense strategy against various known attack vectors.

[0085] The specific process includes combining the strategy spectrum perturbation feature vector with the prior probability of the attacker type to evaluate the relative value of each defense strategy; calculating the proportion of the expected return value of the defense strategy to the sum of the expected return values ​​of all candidate defense strategies to reflect the degree of advantage of the defense strategy in the whole; and then combining the correction term determined by the risk sensitivity adjustment factor and the potential risk exposure value of the defense strategy to weaken high-risk strategies. The result is the equilibrium probability density of the defense strategy.

[0086] Defense strategies are screened based on balanced probability density, and the screened defense strategies are decoded into specific atomic configuration instructions.

[0087] The specific process includes: screening defense strategies based on equilibrium probability density by using the probability distribution of each attack behavior under game equilibrium as weights to obtain a comprehensive score of the expected return value and potential risk exposure value of each candidate defense strategy; eliminating inefficient candidate defense strategies based on the comprehensive score and retaining the optimal subset (e.g., prioritizing defense combinations that can significantly reduce system losses in high-frequency "brute force" and "vulnerability exploitation" attack scenarios, while effectively blocking critical paths in low-frequency "advanced persistent threat" scenarios, although costly); mapping the screened defense strategies to a predefined instruction space; and converting abstract strategy parameters into specific atomic configuration instructions, thereby completing the decoding operation from theoretical strategy to actual execution action.

[0088] It should be noted that the equilibrium state of a game refers to a stable situation in an adversarial game where neither the attacker nor the defender can obtain a higher gain by unilaterally changing their own strategy; the predefined instruction space is predefined based on the hardware architecture characteristics of the protected environment, the operating system interface specifications, and the set of atomic operations supported by security components, by enumerating all legal configuration parameter combinations and establishing a mapping table between policy parameters and specific execution commands.

[0089] Conflict detection and syntax encapsulation are performed on atomic configuration instructions to generate a set of candidate security policy instructions.

[0090] The specific process includes conflict detection and syntax encapsulation of atomic configuration instructions. This involves traversing each atomic configuration instruction in the candidate security policy instruction set, using dynamic dependency graph analysis to identify parameter mutual exclusions or logical contradictions between atomic configuration instructions to complete conflict detection. Simultaneously, according to the syntax specifications defined by the predefined instruction space, conflict-free atomic configuration instructions are wrapped within a standard execution framework to complete syntax encapsulation. The final output is a candidate security policy instruction set containing all validated and legally formatted instructions.

[0091] It should be noted that the predefined instruction space is pre-built based on the official technical documents, operation manuals, and actual supported command line interface (CLI) or application programming interface (API) specifications of various network devices (such as firewalls, switches, routers, etc.) in the target production environment. It is constructed by extracting the legal command keywords, parameter value ranges, syntax structures, and execution constraints corresponding to the device model, and then performing structured parsing and standardized mapping.

[0092] S3. Simulate and deploy the candidate security policy instruction set in a digital twin environment to generate a policy prior assessment report.

[0093] Load the set of candidate security policy instructions into the configuration interface of the digital twin environment and instantiate the policy deployment scenario.

[0094] The specific process includes calling the standard data import function provided by the digital twin environment to transfer all instructions in the candidate security policy instruction set to the configuration interface, and then creating and activating the corresponding policy deployment scenario in the digital twin environment according to the specific parameters contained in the candidate security policy instruction set, thereby completing the construction of the instantiated policy deployment scenario.

[0095] In a digital twin environment, the policy deployment scenario and the baseline scenario without a set of candidate security policy instructions are run in parallel, and network status time-series data and abnormal event logs are collected.

[0096] The specific process includes activating the multi-instance concurrent execution mechanism within the digital twin environment to enable the policy deployment scenario and the baseline scenario without loaded candidate security policy instruction sets to run independently on the same timeline. At the same time, the built-in data acquisition function of the digital twin environment is invoked to record in real time the network status time-series data and abnormal event logs generated during the operation of the policy deployment scenario and the baseline scenario without loaded candidate security policy instruction sets.

[0097] It should be noted that network status time-series data is a sequence of dynamic performance indicators such as network bandwidth utilization, latency, and packet loss rate recorded in chronological order; abnormal event logs are a collection of text records detailing unexpected events such as unauthorized access, connection interruption, or resource overrun that occur during the execution of security policies.

[0098] Based on network state time series data, a policy state trajectory and a baseline state trajectory are constructed. Then, using a causal counterfactual trajectory deviation integral mechanism, a policy security stability score is calculated, expressed as:

[0099] ;

[0100] in, This indicates the strategy's security and stability score. This indicates the total duration of the digital twin simulation. This indicates that the trajectory deviates from the attenuation coefficient. Indicates at time The policy state vector, Indicates time The baseline state vector, This represents the risk sensitivity adjustment factor. Indicates at time The real-time risk loss value.

[0101] It should be noted that the trajectory deviation attenuation coefficient is an adjustment parameter used to control the degree of influence of the difference in state vector distance on the score, and is a fixed constant set according to the statistical characteristics of the historical simulation error distribution of the digital twin environment; the risk sensitivity adjustment factor is a constant used to quantify the degree of suppression of the integral weight by the real-time risk loss value, and is determined through statistical regression analysis of historical risk event data; Indicates at time The real-time risk loss value is a dynamic quantitative indicator that is collected in real time from the risk layer of the digital twin environment and is obtained by matching the asset vulnerability attribute data at the current moment with the attack feature data in the threat intelligence.

[0102] The specific process includes: extracting dynamic operation records within the digital twin simulation cycle from network state time series data; using a causal counterfactual trajectory deviation integral mechanism to perform quantitative analysis of the difference between the policy state trajectory and the baseline state trajectory; characterizing the degree of state deviation by calculating the squared distance between the policy state vector and the baseline state vector in Euclidean space and applying an exponential transformation of the trajectory deviation attenuation coefficient; constructing a radical denominator term by combining real-time risk loss value and risk sensitivity adjustment factor to correct the integral weight; and performing Riemann integral operation on the integrand containing the state deviation term and risk penalty term within the total duration of the digital twin simulation to obtain the policy security stability score of network environment stability and security.

[0103] It should be noted that the causal counterfactual trajectory deviation integral mechanism is an evaluation method that constructs a counterfactual comparison trajectory by collecting network state time-series data of strategy deployment and baseline scenario in parallel, quantifies the cumulative deviation of strategy state relative to baseline state over the entire cycle using integral calculation, and dynamically corrects it through real-time risk loss value, thereby outputting a strategy security stability score.

[0104] By combining the policy security stability score with the abnormal event log, a policy prior assessment report is generated.

[0105] The specific process includes associating and matching the policy security stability score as a numerical indicator with the text information of abnormal event logs that record specific events such as network attacks, service interruptions, or configuration errors. By aligning the timestamps, the score values ​​are mapped to the corresponding time windows in the abnormal event logs to analyze whether high-score periods are accompanied by low-frequency or low-severity abnormal events and whether low-score periods correspond to high-frequency or high-severity abnormal events. Finally, the numerical trends and event descriptions are combined to form a policy prior assessment report that includes quantitative results of policy stability and contextual information of corresponding risk events.

[0106] S4. Select the optimal strategy from the strategy prior assessment report and convert the optimal strategy into specific configuration commands for deployment and execution in the production environment.

[0107] Based on the strategy prior assessment report and combined with the real-time state vector of the production environment, the production deployment confidence of each candidate defense strategy is calculated, and the expression is as follows:

[0108] ;

[0109] in, Indicates the first Production deployment confidence of each candidate defense strategy Indicates the first The strategy security stability score of each candidate defense strategy. Indicates the sensitivity coefficient to environmental differences. This represents the real-time state vector of the production environment. This indicates the corresponding number in the digital twin environment. The state vector of each candidate defense strategy Indicates the upper limit of resource points. Indicates the resource penalty factor. Indicates the first Each candidate defense strategy in resource variables Resource utilization function at the location, This represents the resource points variable.

[0110] It should be noted that the environmental difference sensitivity coefficient is a weighted parameter used to measure the impact of state differences between the production environment and the digital twin environment on the confidence of the defense strategy deployment. It is obtained through regression analysis of environmental state deviation and strategy performance decay rate. The resource penalty factor is a weighted coefficient used to quantify the negative impact on deployment confidence when the resource consumption of the defense strategy exceeds expectations. It is obtained based on historical overload failure rate or through reinforcement learning feedback mechanism. Indicates the first Each candidate defense strategy in resource variables The resource utilization rate function is a mathematical mapping relationship that describes the proportion of resource consumption for a specific candidate defense strategy under a given value of resource variable. It is used to dynamically quantify the resource load level when the strategy is executed.

[0111] The specific process includes combining the safety stability score with the environmental difference sensitivity coefficient and the state vector distance to form a numerator that reflects the degree of matching between the strategy quality and the environment. At the same time, the resource penalty factor and the resource occupancy rate function are used to construct a denominator that reflects the cost of resource consumption within the upper limit of the resource points. The production deployment confidence is obtained by calculating the ratio of the numerator and the denominator.

[0112] It should be noted that each candidate defense strategy corresponds to a set of candidate security strategy instructions.

[0113] The candidate defense strategies are ranked according to the production deployment confidence level, and the candidate defense strategy ranked first is determined as the optimal strategy.

[0114] It should be noted that all candidate defense strategies are arranged in descending order of production deployment confidence value, and the candidate defense strategy ranked first in the order is directly selected as the final optimal strategy.

[0115] Based on the optimal strategy and combined with the network topology of the production environment, the optimal strategy is mapped to specific configuration commands adapted to the production network devices.

[0116] The specific process includes, based on the optimal strategy and combined with the network topology of the production environment, analyzing the device types and port connection relationships of each production network device in the network topology of the production environment, matching the instruction set syntax supported by different production network devices according to the defense action logic defined in the optimal strategy, and converting the abstract defense rules in the optimal strategy into specific configuration commands adapted to the operation interface of specific production network devices (for example, converting the abstract rule of "blocking malicious sources" into the specific instruction of "adding an access control list to the trusted zone interface and rejecting packets from specific source addresses" in a certain brand of firewall, or converting the strategy of "isolating infected ports" into the configuration statement of "closing a specified physical port" or "limiting the maximum number of devices accessing this port" in a certain model of switch).

[0117] It should be noted that the network topology of the production environment is a graph describing all production network devices and their logical connections in the production environment. It is obtained by collecting configuration information and traffic data of the production network devices and then parsing and processing them.

[0118] The specific configuration commands are encapsulated into executable scripts and deployed to edge nodes in the production environment.

[0119] The specific process includes encapsulating the specific configuration commands into an executable script according to the scripting language syntax specification, using a secure transmission protocol to distribute the executable script to the edge nodes in the production environment, triggering the runtime environment on the edge nodes to parse and execute the executable script to complete the deployment of the defense strategy.

[0120] S5. Monitor the actual effect of the optimal strategy in the production environment, collect actual operation data, and generate a strategy post-effect monitoring report.

[0121] Monitor the actual effect of the optimal strategy in the production environment and collect actual operational data corresponding to the evaluation indicators defined in the strategy prior evaluation report.

[0122] The specific process includes monitoring the actual effect of the optimal strategy in the production environment. This requires continuously tracking key performance indicators such as the success rate of the optimal strategy in intercepting attack requests, the number of false alarms, and the response latency. At the same time, it involves activating the pre-built logging components and traffic analysis probes in the production environment to capture actual operating data that fully corresponds to the evaluation indicators defined in the policy prior evaluation report. This ensures that the actual operating data obtained covers the access request characteristics and attack behavior samples in real business scenarios, thereby directly quantifying the defense capability and resource consumption of the optimal strategy in complex network environments.

[0123] It should be noted that the pre-configured logging component is installed and configured on the server or network node of the production environment during the production environment deployment phase by using configuration management tools or automated scripts, based on the evaluation indicator requirements defined in the policy prior assessment report.

[0124] Figure 5 The interception success rate comparison chart shows the change in interception success rate over time between the "baseline scenario" (referring to the control environment in the digital twin environment, which maintains the current network state and existing security policies without introducing any new candidate policies, and is used to compare with the scenario where new policies are deployed to evaluate the actual effect of the policies) and the "invented scenario" under parallel simulation in the digital twin environment. The upper chart shows the global trend and selects the time window with the most significant difference with a red dashed box. The lower chart magnifies the local time window, marking the characteristic peak, the point of maximum difference, and the Δ value, to intuitively illustrate that the invention can maintain a higher interception effect more stably during the dynamic attack and defense fluctuation stage, thereby supporting the quantitative presentation of the "policy effect evaluation" and "business continuity / stability" indicators.

[0125] Based on actual operational data and predicted performance data in the strategy prior evaluation report, the deviation of strategy execution is obtained.

[0126] The specific process involves comparing the values ​​of various evaluation indicators obtained from the actual operation data with the corresponding predicted values ​​in the prediction effect data of the strategy prior evaluation report item by item. By obtaining the difference or ratio between the two in key dimensions such as interception success rate, false alarm rate and response latency, the gap between the actual performance and the expected target is quantified, thereby directly obtaining the strategy execution deviation degree, which reflects the degree of deviation of the optimal strategy in the production environment.

[0127] The strategy execution deviation is correlated with actual operating data in multiple dimensions and encapsulated in a structured manner to generate a strategy post-effect monitoring report.

[0128] The specific process includes using statistical correlation algorithms to uncover the intrinsic relationship between strategy execution deviation and indicators such as interception success rate, false alarm count, and response latency in actual operating data. The analyzed correlations, along with the strategy execution deviation and details of actual operating data, are then organized and packaged in an orderly manner according to a preset report template format to form a complete post-strategy effect monitoring report that records the execution deviation and operational performance details of the optimal strategy in the production environment.

[0129] It should be noted that the preset report template format is based on the evaluation indicator dimensions and data structure requirements to be displayed in the post-strategy monitoring report. Before the report generation task starts, a standardized document structure containing fixed field layouts, statistical chart placeholders, and text description framework is defined and stored in the configuration library of the report generation component through configuration management tools or automated scripts.

[0130] S6. Compare and analyze the prior evaluation report and the post-strategy monitoring report to calibrate the digital twin environment and update the incomplete information game structure.

[0131] The prior evaluation report of the strategy is compared with the post-strategy monitoring report, and the deviation signal between the predicted effect data and the actual operation data is extracted.

[0132] The specific process involves aligning the predicted performance data recorded in the strategy prior assessment report with the actual operational data contained in the strategy post-performance monitoring report item by item. By obtaining the numerical differences between the two in key indicators such as interception success rate, number of false alarms, and response latency, the specific direction and magnitude of the deviation of the actual performance from the expected target can be identified, thereby directly extracting the deviation signal that reflects the inconsistency between the predicted performance data and the actual operational data.

[0133] The virtual-real mapping calibration factor is obtained based on the deviation signal, and the virtual-real mapping calibration factor is used to calibrate the digital twin environment.

[0134] The specific process includes generating a virtual-real mapping calibration factor by quantifying the difference ratio between the predicted effect data and the actual operating data in the deviation signal through statistical regression analysis, directly applying the virtual-real mapping calibration factor to the simulation parameter adjustment of the digital twin environment, and correcting the state variables and logic rules in the digital twin environment to make the simulation results output by the digital twin environment converge to the level of the actual operating data in order to complete the calibration of the digital twin environment.

[0135] It should be noted that the virtual-real mapping calibration factor is a dynamic weighting coefficient used to quantify and correct the deviation between the physical network asset status and the digital twin model, aiming to ensure that the risk simulation results in the virtual space can reflect the real security situation in the physical world in real time and accurately.

[0136] The attacker's behavior distribution is re-simulated based on the calibrated digital twin environment, and the prior probability of the attacker type in the incomplete information game structure is updated.

[0137] The specific process includes running multiple attack scenario simulations in a calibrated digital twin environment to generate behavioral distribution data that reflects real attack patterns. The behavioral distribution data is then used as observational evidence and input into an incomplete information game structure. The posterior probability of different attacker types under the newly generated behavioral distribution is obtained through Bayesian inference. The posterior probability is then used to directly replace the prior probability of the attacker type originally set in the incomplete information game structure, thereby completing the update of the prior probability of the attacker type in the incomplete information game structure.

[0138] In summary, this invention achieves three-dimensional, fine-grained modeling of complex network attack and defense scenarios and dynamic quantitative representation of the uncertainty of attacker identity and intent by constructing a dynamic multi-layer attribute graph, calculating the prior probability of attacker type, and generating a multi-dimensional benefit matrix. Furthermore, by conducting simulation deployment and deduction in a digital twin environment and generating a strategy prior evaluation report, it upgrades the evaluation method of strategy effectiveness from superficial statistical indicator comparison to in-depth causal impact attribution analysis, ensuring the continuity of data services in the production environment, the stability of data strategies, and the overall level of data security.

[0139] It should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and are not intended to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications or equivalent substitutions can be made to the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, and all such modifications or substitutions should be covered within the scope of the claims of the present invention.

Claims

1. A method for adjusting automated security policies based on artificial intelligence, characterized in that, include: Collect basic security situation data and construct a game structure with incomplete information; A topology graph model is constructed based on basic security situation data, and the incomplete information game structure is mapped to the topology graph model to obtain a set of candidate security policy instructions. The candidate security policy instruction set is simulated, deployed, and extrapolated in a digital twin environment to generate a policy prior assessment report; Select the optimal strategy from the strategy prior assessment report, and translate the optimal strategy into specific configuration commands for deployment and execution in the production environment; Monitor the actual effect of the optimal strategy in the production environment, collect actual operation data, and generate a strategy post-effect monitoring report; By comparing and analyzing the prior evaluation report and the post-strategy monitoring report, the digital twin environment is calibrated and the incomplete information game structure is updated.

2. The automated security policy adjustment method based on artificial intelligence as described in claim 1, characterized in that, The basic security posture data includes network status, asset information, and threat intelligence.

3. The automated security policy adjustment method based on artificial intelligence as described in claim 1, characterized in that, The specific steps for constructing the incomplete information game structure are as follows: Collect basic security situation data and construct a dynamic multi-layer attribute graph; Calculate the prior probability of attacker type based on dynamic multi-layer attribute graph; Based on the prior probability of attacker type and asset information, combined with historical adversarial logs, a multi-dimensional payoff matrix is ​​generated. By combining the prior probability of the attacker type with a multi-dimensional payoff matrix, an incomplete information game structure is obtained.

4. The automated security policy adjustment method based on artificial intelligence as described in claim 3, characterized in that, The specific steps for constructing the topology graph model based on security situation data are as follows: Based on the device identifier and business attributes in the asset information, an asset layer is constructed based on the asset instance attributes. A connection layer reflecting the communication connection relationship is built using the communication connection data and traffic transmission data in the network status. By utilizing vulnerability attribute data from asset information and attack characteristic data from threat intelligence, a risk layer is constructed to identify potential risk elements. By using a heterogeneous information network fusion mechanism, the asset layer, connection layer, and risk layer are linked in multiple dimensions to construct a topology graph model.

5. The automated security policy adjustment method based on artificial intelligence as described in claim 1 or 4, characterized in that, The specific steps for obtaining the candidate security policy instruction set are as follows: By mapping the incomplete information game structure to a topological graph model, the effects of each defensive action in the multi-dimensional payoff matrix on the state changes of hierarchical nodes and edges in the topological graph model are simulated, and the perturbation feature vector of the strategy spectrum is obtained. The strategy spectrum perturbation feature vector and the prior probability of the attacker type are combined, and the equilibrium probability density of each defense strategy is calculated. Defense strategies are screened based on equilibrium probability density, and the screened defense strategies are decoded into specific atomic configuration instructions; Conflict detection and syntax encapsulation are performed on atomic configuration instructions to generate a set of candidate security policy instructions.

6. The automated security policy adjustment method based on artificial intelligence as described in claim 1, characterized in that, The specific steps for generating the prior evaluation report of the strategy are as follows: Load the set of candidate security policy instructions into the configuration interface of the digital twin environment, and instantiate the policy deployment scenario; In a digital twin environment, the strategy deployment scenario and the baseline scenario without a set of candidate security policy instructions are run in parallel, and network status time-series data and abnormal event logs are collected. Based on network state time series data, policy state trajectories and baseline state trajectories are constructed, and the policy security stability score is calculated using the causal counterfactual trajectory deviation integral mechanism. By combining the policy security stability score with the abnormal event log, a policy prior assessment report is generated.

7. The automated security policy adjustment method based on artificial intelligence as described in claim 1 or 6, characterized in that, The specific steps for selecting the optimal strategy from the strategy prior evaluation report are as follows: Based on the strategy prior assessment report and combined with the real-time state vector of the production environment, the production deployment confidence of each candidate defense strategy is calculated. The candidate defense strategies are ranked according to the production deployment confidence level, and the candidate defense strategy ranked first is determined as the optimal strategy.

8. The automated security policy adjustment method based on artificial intelligence as described in claim 7, characterized in that, The specific steps for converting the optimal strategy into concrete configuration commands and deploying them in the production environment are as follows: Based on the optimal strategy and combined with the network topology of the production environment, the optimal strategy is mapped to specific configuration commands adapted to the production network devices. The specific configuration commands are encapsulated into executable scripts and deployed to edge nodes in the production environment.

9. The automated security policy adjustment method based on artificial intelligence as described in claim 1 or 8, characterized in that, The specific steps for generating the post-strategy monitoring report are as follows: Monitor the actual effect of the optimal strategy in the production environment and collect actual operating data corresponding to the evaluation indicators defined in the strategy prior evaluation report; Based on actual operational data and predicted performance data in the strategy prior evaluation report, obtain the strategy execution deviation. The strategy execution deviation is correlated with actual operating data in multiple dimensions and encapsulated in a structured manner to generate a strategy post-effect monitoring report.

10. The automated security policy adjustment method based on artificial intelligence as described in claim 9, characterized in that, The comparative analysis strategy prior evaluation report and strategy post-effect monitoring report are used to calibrate the digital twin environment and update the incomplete information game structure. The specific steps are as follows: Compare the strategy prior assessment report and the strategy post-effect monitoring report, and extract the deviation signal between the predicted effect data and the actual operation data; The virtual-real mapping calibration factor is obtained based on the deviation signal, and the virtual-real mapping calibration factor is used to calibrate the digital twin environment; The attacker's behavior distribution is re-simulated based on the calibrated digital twin environment, and the prior probability of the attacker type in the incomplete information game structure is updated.