Artificial intelligence security analysis system based on structured security events
The AI-powered security analysis system for structured security events addresses the shortcomings of existing security analysis systems in identifying unknown and variant attacks. It achieves efficient event aggregation and redundancy elimination, improves the automation and interpretability of security analysis, and reduces operating costs.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SHANDONG XUZHENG INFORMATION TECH CO LTD
- Filing Date
- 2026-04-25
- Publication Date
- 2026-07-14
AI Technical Summary
Existing security analysis systems are unable to effectively identify unknown or variant attacks, have high rule base maintenance costs, face difficulties in cross-source correlation, and security analysts are unable to respond to real threats in a timely manner, resulting in alarm fatigue and excessively long response times.
An AI-based security analysis system based on structured security events is adopted. Through alarm collection, aggregation, purification, and AI analysis, combined with blockchain-style hash chain storage, it realizes automatic structured representation, real-time aggregation, and redundancy elimination of events, and provides in-depth analysis and situation prediction.
It significantly improves the robustness and security of the security analysis system, reduces operating costs, enhances security protection levels, and can automatically focus on real threats and provide interpretable handling recommendations.
Smart Images

Figure CN122394907A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of cybersecurity technology, and in particular to an artificial intelligence security analysis system based on structured security events. Background Technology
[0002] With the continuous evolution of cyberattack methods and the increasing level of enterprise informatization, Security Operations Centers (SOCs) need to process massive amounts of security alerts and log data every day. According to industry statistics, large enterprise SOCs generate tens of thousands to millions of alerts daily, of which less than 1% are actually valid attacks, with the majority being duplicate alerts, false alarms, or low-risk events. Existing security analysis systems mainly rely on rule-based detection engines (such as Snort, Suricata, and SIEM association rules): matching known attacks through preset signature features or association conditions. Their advantages are fast detection speed and intuitive logic; their disadvantages are inability to identify unknown or variant attacks, high rule base maintenance costs, and difficulty in dealing with complex, multi-stage attacks.
[0003] Furthermore, existing systems generally suffer from the following problems: the log formats output by devices such as firewalls, IDS, WAF, and EDR vary (Syslog, JSON, CEF, etc.), and field definitions are inconsistent, making cross-source correlation difficult. Alarm fatigue occurs, with a large number of repetitive, low-quality alarms overwhelming real threats, preventing security analysts from responding promptly, and resulting in excessively long mean time to response (MTTR).
[0004] Therefore, there is an urgent need for an intelligent security analysis system that can automatically transform massive heterogeneous security logs into structured security events and integrate artificial intelligence models to achieve event aggregation, redundancy cleanup, in-depth analysis, and situation prediction. Summary of the Invention
[0005] In view of the above problems, this disclosure provides an artificial intelligence security analysis system based on structured security events to overcome or at least partially solve the above problems. It aims to solve the following key technical problems existing in the prior art: the problem of structured representation of heterogeneous security logs, the problem of real-time aggregation and redundancy elimination under high-concurrency event streams, the problem of low quality of security alarms, the problem of interpretability and dynamic adaptability of AI analysis, and the contradiction between purification processing and audit tracing.
[0006] The objective of this invention can be achieved through the following technical solutions:
[0007] A first aspect of the present invention provides an artificial intelligence security analysis system based on structured security events, comprising:
[0008] The alarm collection module is used to collect raw alarms and add collection metadata to each raw alarm;
[0009] The alarm aggregation module is used to aggregate multiple similar original alarms into a single aggregated record based on a time window aggregation key with multi-dimensional features.
[0010] The structured modeling module is used to convert the aggregated records into standardized Incident objects, which at least include a unique event identifier, asset information, a directed graph of the attack timeline, and an initial risk score.
[0011] The input purification module is used to perform a four-fold purification operation on each field of the Incident object. The four-fold purification operation includes field whitelist filtering, field format validation, length limit truncation, and unstructured content stripping.
[0012] The AI analysis module is used to receive the cleaned Incident object and output security assessment results through a pre-trained deep learning model. The security assessment results include attack type determination, risk level, confidence level and handling suggestions.
[0013] The audit module is used to record the hash value of the original alarm, the cleanup rule log, the snapshot of the Incident object, and the AI analysis results, and uses a blockchain-style hash chain structure to store the audit records.
[0014] Furthermore, the aggregation key of the alarm aggregation module consists of a 5-tuple consisting of the source IP address, the target IP address, the target port number, the event type identifier, and the time window index; the time window index is calculated by dividing the difference between the collection timestamp and the starting reference time by the time window length and then rounding down; the aggregation record also includes the first occurrence time, the last occurrence time, and the aggregation count.
[0015] Furthermore, the initial risk score in the structured modeling module is calculated using a nonlinear weighted model, and the calculation formula is as follows:
[0016] Where A represents asset criticality, F represents attack frequency factor, D represents attack duration factor, and T represents prior risk of attack type. , , , These are weighted coefficients, and their sum is 1. , , , These are the corresponding nonlinear transformation functions.
[0017] Furthermore, the transformed value of the asset keyness is calculated using the asset keyness transformation function, which is expressed as: ;
[0018] The transformation value of the attack frequency factor is calculated using an attack frequency transformation function, which is expressed as follows: ;
[0019] The transformation value of the attack frequency factor is calculated using an attack duration transformation function, which is expressed as follows: ;
[0020] The transformation value of the attack frequency factor is calculated using the attack type prior risk transformation function, which is expressed as follows: .
[0021] Furthermore, the four-stage purification operation of the input purification module includes:
[0022] Field whitelist filtering allows only fields from a predefined field set to proceed with subsequent processing;
[0023] Field format validation checks the compliance of values based on field type; if validation of critical fields fails, the entire Incident object is rejected.
[0024] Length limit truncation: Set a maximum length threshold for string type fields; if the length is exceeded, truncate the string and append an ellipsis marker.
[0025] Unstructured content is stripped, dangerous character sequences are removed, URL parameters are escaped, and excessively long texts are truncated.
[0026] Furthermore, when the AI analysis module detects that the current Incident object lacks key information fields required for analysis, it adds a structured suggestion field to the output result. The structured suggestion field includes a list of missing field names, an explanation of the reason for the missing field, and a suggestion confidence level. The structured modeling module periodically processes the structured suggestions in the feedback queue. When the missing field meets the confidence level, frequency, and extractability conditions, it dynamically expands the standard field set of the Incident object and synchronously updates the whitelist and format validation rules of the input purification module.
[0027] Furthermore, the audit module includes a dual-path parallel architecture. The first path of the dual-path parallel architecture is the purification processing path, which sends the purified Incident object to the AI analysis module. The second path of the dual-path parallel architecture is the audit recording path, which records the original alarm summary and purification rule log without purification. The two paths are executed in parallel to achieve the synergy between adversarial purification and non-destructive auditing.
[0028] Furthermore, the blockchain-style hash chain storage structure is represented as: the hash value of the i-th audit record. ,in For audit log content, The hash value of the previous record. To record the generation time.
[0029] A second aspect of the present invention provides an artificial intelligence security analysis method based on structured security events, comprising the following steps:
[0030] Step S1: Receive raw alarms from security devices through the alarm acquisition module and add acquisition metadata to each raw alarm;
[0031] Step S2: Using the alarm aggregation module, multiple similar original alarms are merged into one aggregated record based on the time window aggregation key of multi-dimensional features;
[0032] Step S3: Convert the aggregated records into standardized Incident objects using the structured modeling module. Each Incident object contains at least a unique event identifier, asset information, a directed graph of the attack timeline, and an initial risk score.
[0033] Step S4: Perform a four-fold purification operation on each field of the Incident object through the input purification module. The four-fold purification operation includes field whitelist filtering, field format validation, length limit truncation, and stripping of unstructured content.
[0034] Step S5: Receive the cleaned Incident object through the AI analysis module, and output the security assessment result through the pre-trained deep learning model. The security assessment result includes attack type determination, risk level, confidence level and handling suggestions.
[0035] Step S6: Record the hash value of the original alarm, the cleanup rule log, the Incident object snapshot and the AI analysis results through the audit module, and store the audit records using a blockchain-style hash chain structure.
[0036] A third aspect of the present invention provides a computer-readable storage medium having instructions stored thereon, which, when executed by one or more processors, cause the processors to perform the artificial intelligence security analysis method based on structured security events as described in the second aspect.
[0037] The technical solution proposed in this application can bring the following beneficial effects:
[0038] 1. By using the five-tuple time window aggregation mechanism, multiple similar alarms triggered by the same attack behavior are merged into one aggregate record; at the same time, the first occurrence time, the last occurrence time, and the aggregation count are retained to provide key duration and frequency information for risk scoring and avoid information loss.
[0039] 2. The four-stage purification process filters maliciously constructed alarm data layer by layer from the field level, format level, length level, and content level, significantly enhancing the robustness and security of the system.
[0040] 3. This invention features a dual-path parallel architecture. It ensures system security through a purification processing path and fully preserves the original alarm summary, purification rule logs, and hash chain without purification through an audit logging path. Auditors can trace the actual form of AI input and retrieve complete evidence from object storage based on the original hash value.
[0041] 4. This invention enables security analysts to escape from massive noise and focus on real threats through alarm aggregation, purification and filtering, automated AI analysis, and structured handling suggestions; this invention reduces operating costs while improving the overall level of security protection.
[0042] The above description is merely an overview of the technical solution disclosed herein. In order to better understand the technical means of this disclosure and to implement it in accordance with the contents of the specification, and to make the above and other objects, features and advantages of this disclosure more apparent and understandable, specific embodiments of this disclosure are described below. Attached Figure Description
[0043] Various other advantages and benefits will become apparent to those skilled in the art upon reading the following detailed description of preferred embodiments. The accompanying drawings are for illustrative purposes only and are not intended to limit the scope of this disclosure. Furthermore, the same reference numerals denote the same parts throughout the drawings. In the drawings:
[0044] Figure 1 This is a flowchart of the steps of the artificial intelligence security analysis system based on structured security events provided in the embodiments of this specification;
[0045] Figure 2 This is a schematic diagram of the structure of the artificial intelligence security analysis system based on structured security events provided in the embodiments of this specification. Detailed Implementation
[0046] Exemplary embodiments of the present disclosure will now be described in more detail with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be implemented in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art. The technical solutions provided by various embodiments of this application will be described in detail below with reference to the accompanying drawings.
[0047] Example 1
[0048] like Figure 1The diagram shows the steps of an AI-based security analysis system for structured security events.
[0049] The present invention provides an artificial intelligence security analysis method based on structured security events, comprising the following steps:
[0050] Step S1: Receive raw alarms from security devices through the alarm acquisition module and add acquisition metadata to each raw alarm;
[0051] Step S2: Using the alarm aggregation module, multiple similar original alarms are merged into one aggregated record based on the time window aggregation key of multi-dimensional features;
[0052] Step S3: Convert the aggregated records into standardized Incident objects using the structured modeling module. Each Incident object contains at least a unique event identifier, asset information, a directed graph of the attack timeline, and an initial risk score.
[0053] Step S4: Perform a four-fold purification operation on each field of the Incident object through the input purification module. The four-fold purification operation includes field whitelist filtering, field format validation, length limit truncation, and stripping of unstructured content.
[0054] Step S5: Receive the cleaned Incident object through the AI analysis module, and output the security assessment result through the pre-trained deep learning model. The security assessment result includes attack type determination, risk level, confidence level and handling suggestions.
[0055] Step S6: Record the hash value of the original alarm, the cleanup rule log, the Incident object snapshot and the AI analysis results through the audit module, and store the audit records using a blockchain-style hash chain structure.
[0056] like Figure 2 The diagram shown is a structural schematic of an artificial intelligence security analysis system based on structured security events. A first aspect of the present invention provides an artificial intelligence security analysis system 200 based on structured security events, comprising:
[0057] The alarm acquisition module 201 is used to collect raw alarms and add acquisition metadata to each raw alarm;
[0058] The alarm collection module receives raw alarms from security devices and adds collection metadata to each raw alarm. Specifically, the alarm collection module supports three access methods: Syslog protocol reception (e.g., UDP / TCP port 514), Kafka message queue consumption, and REST API polling. For each collected raw alarm, the module automatically adds the following metadata fields, including: source type identifier, used to mark the device from which the alarm originates (e.g., Snort, firewall, WAF, EDR, etc.); and collection timestamp, used to record the moment the alarm was received by the system with a timestamp accurate to milliseconds.
[0059] The collector identifier is used to identify the number of the collection node that handles the alarm, enabling source tracing and load balancing in distributed deployments.
[0060] The encapsulated original alarm records are written to a downstream message queue (such as Kafka) for consumption by the alarm aggregation module; the complete content of the original alarm is also archived to object storage and retained for a preset duration (for example, 30 days) to support post-event evidence collection.
[0061] Alarm aggregation module 202 is used to aggregate multiple similar original alarms into one aggregate record based on the time window aggregation key of multi-dimensional features.
[0062] Furthermore, the aggregation key of the alarm aggregation module consists of a 5-tuple consisting of the source IP address, the target IP address, the target port number, the event type identifier, and the time window index; the time window index is calculated by dividing the difference between the collection timestamp and the starting reference time by the time window length and then rounding down; the aggregation record also includes the first occurrence time, the last occurrence time, and the aggregation count.
[0063] Specifically, the rules for forming aggregation bonds are as follows:
[0064] The aggregation key consists of a 5-tuple comprising the source IP address, destination IP address, destination port number, event type identifier, and time window index. The time window index is calculated using the following formula:
[0065] ;
[0066] in, Indicates the timestamp of alarm collection;
[0067] This indicates the system's set start reference time (for example, Unix epoch time 0).
[0068] This indicates the length of the time window. In this embodiment, the system defaults to 60 seconds, which can be dynamically adjusted according to the alarm density.
[0069] This represents the floor function.
[0070] For multiple alarms with the same aggregation key, the system merges them into a single aggregation record and adds the following aggregation statistics:
[0071] The first occurrence time is the earliest collection timestamp of the alarm corresponding to the aggregation key;
[0072] The last occurrence time is the latest collection timestamp of the alarm corresponding to the aggregation key;
[0073] The aggregate count is the total number of original alarms that were merged.
[0074] The aggregated record retains the original values of each field in the aggregate key, while adding the aforementioned statistical fields, and passes them to the structured modeling module in a structured format.
[0075] The structured modeling module 203 is used to convert the aggregated records into standardized Incident objects, wherein the Incident objects contain at least a unique event identifier, asset information, a directed graph of the attack timeline, and an initial risk score.
[0076] Furthermore, the initial risk score in the structured modeling module is calculated using a nonlinear weighted model, and the calculation formula is as follows:
[0077] Where A represents the criticality of the asset, and its value is based on the criticality level mapping, with high criticality values tending towards 100, medium criticality values tending towards 50, and low criticality values tending towards 10.
[0078] F is the attack frequency factor, calculated based on the aggregation count; to avoid high-frequency attacks dominating the score, logarithmic compression is used, and the formula is as follows: ; where count is the value of the aggregate count.
[0079] D is the attack duration factor, calculated based on the time difference (in seconds) between the last occurrence time and the first occurrence time:
[0080] ;
[0081] T represents the prior risk of the attack type, which is assigned a value based on the event type event_type. For example, vulnerability exploitation is assigned a value of 90, port scanning is assigned a value of 30, and data theft is assigned a value of 100.
[0082] , , , These are weighted coefficients, and their sum is 1. , , , These are the corresponding nonlinear transformation functions.
[0083] The value range is [0, 100], and the higher the value, the greater the risk. It is calculated by the initial risk score before the AI analysis module intervenes, and is used for preliminary screening and priority ranking.
[0084] Furthermore, the transformed value of the asset keyness is calculated using the asset keyness transformation function, which is expressed as: ;
[0085] The transformation value of the attack frequency factor is calculated using an attack frequency transformation function, which is expressed as follows: ;
[0086] The transformation value of the attack frequency factor is calculated using an attack duration transformation function, which is expressed as follows: ;
[0087] The transformation value of the attack frequency factor is calculated using the attack type prior risk transformation function, which is expressed as follows: .
[0088] The Incident object contains at least the following:
[0089] The event unique identifier is generated by combining a timestamp and a sequence number, in the format "INC-YYYYMMDD-xxxxxx", where YYYYMMDD is the processing date and xxxxxx is the six-digit incrementing sequence number for that day.
[0090] The asset information uses a structured dictionary, which includes asset identifier (asset_id), IP address (ip_address), hostname (hostname), asset type (asset_type), and criticality level (criticality_level).
[0091] The directed graph of the attack timeline uses a directed acyclic graph (DAG) structure to describe the multi-step evolution of the attack. Graph G=(V,E), where V={v1,v2,...,vn} is a set of nodes, each node representing an attack event, including event type (event_type), timestamp (timestamp), and source IP (source_ip); where E⊆V×V is a set of directed edges, representing the temporal relationship between events.
[0092] If the source_ip of event vi is equal to the target_ip of event vj, and the timestamp of vi is less than the timestamp of vj, then add a directed edge vi→vj.
[0093] The input purification module 204 is used to perform a four-fold purification operation on each field of the Incident object. The four-fold purification operation includes field whitelist filtering, field format validation, length limit truncation, and unstructured content stripping.
[0094] Furthermore, the four-stage purification operation of the input purification module includes:
[0095] Field whitelist filtering allows only fields from a predefined field set to enter subsequent processing; maintaining a predefined field whitelist allows only fields within the whitelist to enter the subsequent processing flow; the whitelist is defined based on the standard field set of the Incident object, including event unique identifier, asset information related fields, attack timeline related fields, risk score fields, and aggregated information fields, etc.
[0096] Field format validation checks the compliance of values based on field type; if validation of critical fields fails, the entire Incident object is rejected.
[0097] Length limit truncation: Set a maximum length threshold for string type fields; if the length is exceeded, truncate and append an ellipsis marker; set a maximum length threshold for all string type fields. The truncation function is defined as follows:
[0098] ;
[0099] Among them, The number of characters in string s. Example thresholds for each field: incident_id is 32, hostname is 128, asset_id is 64, event_type in the attack timeline node is 64, and other string fields are 256.
[0100] Unstructured content is stripped, dangerous character sequences are removed, URL parameters are escaped, and excessively long text is truncated; text content exceeding 256 characters is truncated, retaining the first 256 characters and appending ellipses.
[0101] The cleaned-up Incident object is sent to both the AI analysis module and the audit module.
[0102] AI analysis module 205 is used to receive the cleaned Incident object and output security assessment results through a pre-trained deep learning model. The security assessment results include attack type determination, risk level, confidence level and handling suggestions.
[0103] Furthermore, when the AI analysis module detects that the current Incident object lacks key information fields required for analysis, it adds a structured suggestion field to the output result. The structured suggestion field includes a list of missing field names, an explanation of the reason for the missing field, and a suggestion confidence level. The structured modeling module periodically processes the structured suggestions in the feedback queue. When the missing field meets the confidence level, frequency, and extractability conditions, it dynamically expands the standard field set of the Incident object and synchronously updates the whitelist and format validation rules of the input purification module.
[0104] The AI analysis module receives the cleaned Incident object and outputs security assessment results through a pre-trained deep learning model. The security assessment results include attack type determination, risk level, confidence level, and handling recommendations.
[0105] Attack type determination includes: the model outputs a classification label for the attack type; the classification system is based on the MITREATT&CK tactical phase and is defined as seven categories: information gathering, vulnerability exploitation, privilege escalation, lateral movement, data theft, privilege maintenance, and denial of service.
[0106] Risk level: Based on initial risk score The attack type y output by the model is used for comprehensive judgment; further, a risk level function is defined:
[0107] ;
[0108] Confidence score: The model outputs a continuous value c∈[0,1], representing the degree of certainty regarding the current decision result; the confidence score is calculated based on the probability distribution entropy of the model output.
[0109] ;
[0110] in, To predict the Shannon entropy of probability distribution p, then ; In this embodiment, the total number of categories is [number]. (Take 7); when the probability distribution is extremely concentrated (low entropy), c tends to 1; when the distribution is uniform (high entropy), c tends to 0.
[0111] Output structured processing suggestions, including the following subfields:
[0112] action_type: Suggested action type;
[0113] target: The specific target of the action (such as IP address, asset identifier, or user account, etc.);
[0114] duration: Suggested duration (in seconds) for the action to take effect; 0 indicates permanent.
[0115] rationale: A brief textual description of the basis for the judgment (no more than 256 characters).
[0116] Audit module 206 is used to record the hash value of the original alarm, the cleanup rule log, the snapshot of the Incident object and the AI analysis results, and uses a blockchain-style hash chain structure to store the audit records.
[0117] Two-way dynamic structuring mechanism
[0118] When the AI analysis module detects that the current Incident object lacks key information fields required for analysis, it appends structured suggestion fields to the output; the structured suggestion fields include:
[0119] missing_fields: A list of missing field names (e.g., process_relationship, registry_change, dns_query);
[0120] missing_reason: Explanation of the reason for the missing information (e.g., "This attack involves process injection and requires the parent-child process context").
[0121] suggestion_confidence: The model's evaluation value for the importance of missing information, cs∈[0,1];
[0122] The structured modeling module periodically processes structured suggestions in the feedback queue; when a missing field meets all of the following conditions, it dynamically expands the standard field set of the Incident object and synchronously updates the whitelist and format validation rules of the input cleansing module:
[0123] Confidence level condition: The average confidence level of the most recent N (e.g., 5) suggestions for this field. ( Take 0.7);
[0124] Frequency criterion: The cumulative number of times the same field has been suggested. ( Take 3 times);
[0125] Extractability criteria: The system verifies that this field can be reliably extracted from raw alarms of at least one source type, verified by a predefined extraction rule template.
[0126] After adoption, the structured modeling module adds new fields and their data type definitions to the standard field set, and updates the whitelist and validation rules of the input cleanup module; for previously stored historical Incident objects, the default value of the new fields is empty or null.
[0127] Furthermore, the audit module includes a dual-path parallel architecture. The first path of the dual-path parallel architecture is the purification processing path, which sends the purified Incident object to the AI analysis module. The second path of the dual-path parallel architecture is the audit recording path, which records the original alarm summary and purification rule log without purification. The two paths are executed in parallel to achieve the synergy between adversarial purification and non-destructive auditing.
[0128] Furthermore, the blockchain-style hash chain storage structure is represented as: the hash value of the i-th audit record. ,in For audit log content, The hash value of the previous record. To record the generation time, This is for string concatenation operations.
[0129] Specifically, the audit log path records the following information:
[0130] The SHA256 hash and first 512 character digest of the original alarm;
[0131] Cleanup rule log: Field names, operation type (escape, truncate, whitelist_drop), original length, retention length, and hash value of the removed content for each cleanup operation;
[0132] Incident object snapshot (cleaned-up complete JSON object);
[0133] AI analysis results (attack type, risk level, confidence level, remedial recommendations, model version number).
[0134] To prevent audit logs from being tampered with, the audit module uses a hash chain structure for storage. The hash value of the i-th audit record is defined as:
[0135] ,in:
[0136] The complete content of the i-th audit record is presented as a JSON string.
[0137] All hash values are periodically uploaded to external tamper-proof storage (e.g., immutable buckets in cloud object storage or blockchain evidence storage services); the audit module also provides a query interface that supports searching by time range, event identifier, source IP address, attack type, cleanup operation type, etc., and returns complete audit records and hash chain verification status.
[0138] A third aspect of the present invention provides a computer-readable storage medium having instructions stored thereon, which, when executed by one or more processors, cause the processors to perform the artificial intelligence security analysis method based on structured security events as described in the second aspect.
[0139] This embodiment can divide the method into functional modules based on the above method example. For example, each function can be assigned to a separate module, or two or more functions can be integrated into one processing module. The integrated module can be implemented in hardware. It should be noted that the module division in this embodiment is illustrative and only represents one logical functional division. In actual implementation, there may be other division methods.
[0140] When dividing each function into modules according to its corresponding functions, it should be noted that all relevant content of each step involved in the above method embodiment can be referenced from the functional description of the corresponding functional module, and will not be repeated here.
[0141] This embodiment also provides a computer-readable storage medium (including but not limited to disk storage, CD-ROM, optical storage, etc.) storing computer program code. When the computer program code is run on a computer, the computer executes the above-mentioned related method steps to realize the artificial intelligence security analysis system and system based on structured security events provided in the above embodiment.
[0142] This embodiment also provides a computer program product that, when run on a computer, causes the computer to perform the aforementioned steps to realize the artificial intelligence security analysis system and system based on structured security events provided in the above embodiment. The beneficial effects of the above embodiments can be found in the corresponding methods described above, and will not be repeated here.
[0143] Through the above description of the embodiments, those skilled in the art will understand that, for the sake of convenience and brevity, only the division of the above functional modules is used as an example. In actual applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the device can be divided into different functional modules to complete all or part of the functions described above.
[0144] In the embodiments provided in this application, it should be understood that the disclosed apparatus and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative. For instance, the division of modules or units is merely a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another device, or some features may be ignored or not executed. Furthermore, the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between devices or units may be electrical, mechanical, or other forms. In the description of this disclosure, it should be understood that if terms such as "upper," "lower," "front," "rear," "left," and "right" are used to indicate the orientation or positional relationship based on the orientation or positional relationship shown in the accompanying drawings, they are only for the convenience of describing the invention and simplifying the description, and do not indicate or imply that the indicated position or element must have a specific orientation, or be constructed and operated in a specific orientation, and therefore should not be construed as a limitation of this disclosure.
[0145] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. It should also be noted that the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus. Unless otherwise specified, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes the element.
[0146] The above are merely embodiments of this disclosure and are not intended to limit the scope of this disclosure. Various modifications and variations can be made to this disclosure by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this disclosure should be included within the scope of the claims of this disclosure.
Claims
1. An AI-based security analysis system for structured security events, characterized in that: include: The alarm collection module is used to collect raw alarms and add collection metadata to each raw alarm; The alarm aggregation module is used to aggregate multiple similar original alarms into a single aggregated record based on a time window aggregation key with multi-dimensional features. The structured modeling module is used to convert the aggregated records into standardized Incident objects, which at least include a unique event identifier, asset information, a directed graph of the attack timeline, and an initial risk score. The input purification module is used to perform a four-fold purification operation on each field of the Incident object. The four-fold purification operation includes field whitelist filtering, field format validation, length limit truncation, and unstructured content stripping. The AI analysis module is used to receive the cleaned Incident object and output security assessment results through a pre-trained deep learning model. The security assessment results include attack type determination, risk level, confidence level and handling suggestions. The audit module is used to record the hash value of the original alarm, the cleanup rule log, the snapshot of the Incident object, and the AI analysis results, and uses a blockchain-style hash chain structure to store the audit records.
2. The AI-based security analysis system based on structured security events according to claim 1, characterized in that, The aggregation key of the alarm aggregation module consists of a 5-tuple consisting of the source IP address, the target IP address, the target port number, the event type identifier, and the time window index; the time window index is calculated by dividing the difference between the collection timestamp and the starting reference time by the time window length and then rounding down; the aggregation record also includes the first occurrence time, the last occurrence time, and the aggregation count.
3. The AI-based security analysis system based on structured security events according to claim 1, characterized in that, The initial risk score in the structured modeling module is calculated using a nonlinear weighted model, and the calculation formula is as follows: Where A represents asset criticality, F represents attack frequency factor, D represents attack duration factor, and T represents prior risk of attack type. , , , These are weighted coefficients, and their sum is 1. , , , These are the corresponding nonlinear transformation functions.
4. The AI-based security analysis system for structured security events according to claim 3, characterized in that, The transformed value of asset keyness is calculated using an asset keyness transformation function, which is expressed as follows: ; The transformation value of the attack frequency factor is calculated using an attack frequency transformation function, which is expressed as follows: ; The transformation value of the attack frequency factor is calculated using an attack duration transformation function, which is expressed as follows: ; The transformation value of the attack frequency factor is calculated using the attack type prior risk transformation function, which is expressed as follows: .
5. The AI-based security analysis system for structured security events according to claim 1, characterized in that, The four-stage purification operation of the input purification module includes: Field whitelist filtering allows only fields from a predefined field set to proceed with subsequent processing; Field format validation checks the compliance of values based on field type; if validation of critical fields fails, the entire Incident object is rejected. Length limit truncation: Set a maximum length threshold for string type fields; if the length is exceeded, truncate the string and append an ellipsis marker. Unstructured content is stripped, dangerous character sequences are removed, URL parameters are escaped, and excessively long texts are truncated.
6. The AI-based security analysis system for structured security events according to claim 1, characterized in that, When the AI analysis module detects that the current Incident object lacks key information fields required for analysis, it adds a structured suggestion field to the output result. The structured suggestion field includes a list of missing field names, an explanation of the reason for the missing field, and a suggestion confidence level. The structured modeling module periodically processes the structured suggestions in the feedback queue. When the missing field meets the confidence level, frequency, and extractability conditions, it dynamically expands the standard field set of the Incident object and synchronously updates the whitelist and format validation rules of the input purification module.
7. The AI-based security analysis system for structured security events according to claim 1, characterized in that, The auditing module includes a dual-path parallel architecture. The first path of the dual-path parallel architecture is the purification processing path, which sends the purified Incident object to the AI analysis module. The second path of the dual-path parallel architecture is the audit recording path, which records the original alarm summary and purification rule log without purification. The two paths are executed in parallel to achieve the synergy between adversarial purification and non-destructive auditing.
8. The AI-based security analysis system based on structured security events according to claim 1, characterized in that, The blockchain-style hash chain storage structure is represented as: the hash value of the i-th audit record. ,in For audit log content, The hash value of the previous record. To record the generation time.
9. An AI-based security analysis method based on structured security events, characterized in that: Includes the following steps: Step S1: Receive raw alarms from security devices through the alarm acquisition module and add acquisition metadata to each raw alarm; Step S2: Using the alarm aggregation module, multiple similar original alarms are merged into one aggregated record based on the time window aggregation key of multi-dimensional features; Step S3: Convert the aggregated records into standardized Incident objects using the structured modeling module. Each Incident object contains at least a unique event identifier, asset information, a directed graph of the attack timeline, and an initial risk score. Step S4: Perform a four-fold purification operation on each field of the Incident object through the input purification module. The four-fold purification operation includes field whitelist filtering, field format validation, length limit truncation, and stripping of unstructured content. Step S5: Receive the cleaned Incident object through the AI analysis module, and output the security assessment result through the pre-trained deep learning model. The security assessment result includes attack type determination, risk level, confidence level and handling suggestions. Step S6: Record the hash value of the original alarm, the cleanup rule log, the Incident object snapshot and the AI analysis results through the audit module, and store the audit records using a blockchain-style hash chain structure.
10. A computer-readable storage medium, characterized in that, It stores instructions that, when executed by one or more processors, cause the processors to perform the AI security analysis method based on structured security events as described in claim 9.