An intelligent decision optimization method and system for network security situation awareness

By constructing a set of network state nodes and a recursive attack path structure, the problem of lacking a phased structural expression of the attack process in existing technologies is solved. This enables the modeling and risk assessment of the progressive relationship of complex attack chains, thereby improving the intelligent decision-making and protection capabilities of network security.

CN122394929APending Publication Date: 2026-07-14FUJIAN HUADIAN KEMEN POWER GENERATION CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
FUJIAN HUADIAN KEMEN POWER GENERATION CO LTD
Filing Date
2026-05-07
Publication Date
2026-07-14

Smart Images

  • Figure CN122394929A_ABST
    Figure CN122394929A_ABST
Patent Text Reader

Abstract

The application discloses an intelligent decision optimization method and system for network security situation awareness, relates to the technical field of intelligent decision optimization, and comprises the following steps: collecting log data, traffic data and security event data in a network, performing standardization processing on the collected data, and constructing a network state node set and a correlation between nodes based on the standardized data; based on the network state node set, a recursive component with a unique entrance and exit is constructed, a calling relationship and a return path are generated between the recursive components, a hierarchical recursive attack path structure is formed, a risk value is set for each node in the recursive attack path structure, and the risk value is propagated layer by layer forward according to the correlation, so that a global network security situation result is obtained; and the application changes network security protection from passive response to active optimization, and significantly improves intelligent decision capability and overall protection effect.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of intelligent decision optimization technology, and in particular to an intelligent decision optimization method and system for network security situation awareness. Background Technology

[0002] With the rapid development of information technology and network infrastructure, network systems are increasingly characterized by high interconnectivity, complex coupling, and dynamic changes. Network attacks have evolved from traditional single-point intrusions to multi-stage, cross-node, and persistent attack chains. Therefore, network security situation awareness technology has gradually become a crucial support for network security protection. Its core lies in comprehensively analyzing network status data, log data, and traffic data to depict the evolution of potential threats within the network and assess the overall security status. Currently, related technologies primarily rely on attack graph models, Bayesian networks, and Markov models to model attack paths and quantify overall network risk through risk propagation mechanisms. Furthermore, with the development of artificial intelligence and big data analytics, some research has begun to introduce machine learning methods to classify and predict attack behaviors, thereby improving the accuracy and real-time performance of situation awareness.

[0003] However, existing technologies often focus on static modeling of attack paths or local risk assessment, lacking the ability to express the phased structure of the attack process and the unified modeling of cross-phase propagation relationships, making it difficult to reflect the progressive relationships and hierarchical structure between the stages in a complex attack chain. Summary of the Invention

[0004] In view of the aforementioned existing problems, the present invention is proposed.

[0005] Therefore, this invention provides an intelligent decision optimization method and system for network security situation awareness, which solves the problem that existing technologies lack the ability to express the phased structure of the attack process and the unified modeling capability of cross-phase propagation relationships, making it difficult to reflect the progressive relationship and hierarchical structure between the stages in a complex attack chain.

[0006] To solve the above-mentioned technical problems, the present invention provides the following technical solution: In a first aspect, the present invention provides an intelligent decision-making optimization method for network security situation awareness, comprising, Collect log data, traffic data, and security event data from the network, standardize the collected data, and construct a set of network status nodes and the relationships between nodes based on the standardized data; Based on the set of network state nodes, a recursive component with a unique entry and exit point is constructed. Call relationships and return paths are generated between the recursive components to form a hierarchical recursive attack path structure. A risk value is set for each node in the recursive attack path structure, and the risk value is propagated forward layer by layer according to the relationship to obtain the global network security situation result. Based on the overall network security situation, an initial defense strategy is constructed, and after node-by-node evaluation and strategy updates, a deterministic defense strategy is formed. Based on the deterministic defense strategy, after generating defense strategy variants, the probability distribution is obtained to determine the final defense strategy and then distributed to network security devices; As a preferred embodiment of the intelligent decision-making optimization method for network security situation awareness described in this invention, the process of collecting log data, traffic data, and security event data from the network and standardizing the collected data is as follows: Configure a log collection interface on the network device to receive device log data through the log protocol; deploy a traffic collection probe on the switching device to obtain network traffic data through port mirroring; and obtain host behavior data through a background program. All collected data is converted and standardized in a unified format, and then divided into asset data according to asset type, including network equipment data, server data, and terminal equipment data, to obtain an asset dataset.

[0007] As a preferred embodiment of the intelligent decision-making optimization method for network security situation awareness described in this invention, the step of constructing a set of network state nodes and the relationships between nodes based on standardized data is as follows: Based on asset data, identify device nodes in the network, perform vulnerability scanning, generate vulnerability information, and label vulnerability attributes for each device node; Collect node behavior data, extract behavioral features, including access frequency, number of operations, and number of abnormal behaviors. After attaching the behavioral features to the nodes, generate a multi-dimensional attribute structure for each node, integrate all nodes, construct a network state node set, and set the association relationships between the nodes.

[0008] As a preferred embodiment of the intelligent decision-making optimization method for network security situation awareness described in this invention, the following steps are taken: Based on a set of network state nodes, a recursive component with a unique entry and exit point is constructed. Call relationships and return paths are generated between the recursive components, forming a hierarchical recursive attack path structure, as detailed below: The attack phases are divided based on the set of network state nodes, and then sub-paths are set for each attack phase. Based on the sub-path, recursive components are generated, and after setting a unique entry and exit point, a call relationship is established between the recursive components, and the recursive attack path structure is formed by connecting them according to the call relationship.

[0009] As a preferred embodiment of the intelligent decision-making optimization method for network security situation awareness described in this invention, the method involves setting a risk value for each node in the recursive attack path structure and propagating the risk value forward layer by layer according to the correlation relationship to obtain the global network security situation result, as detailed below: Based on the recursive attack path structure, the path risk value is calculated using preset weights. Find the risk value of the path with the highest risk value as the risk value of the entry node, and select the risk value of the entry node with the highest risk value as the global situation value for the recursive component. Then, perform defense strategy optimization and generate the current network security situation status as the global network security situation result.

[0010] As a preferred embodiment of the intelligent decision-making optimization method for network security situation awareness described in this invention, the step of constructing an initial defense strategy based on the global network security situation results, performing node-by-node evaluation and strategy updates, and then forming a deterministic defense strategy is as follows: Based on the overall network security situation, a set of defense actions is constructed, and after executing each defense action in the set, a modified recursive attack path structure is generated. Based on the modified recursive attack path structure, the global stability risk value of the nodes is recalculated, and the changes before and after are compared to generate a deterministic defense strategy.

[0011] As a preferred embodiment of the intelligent decision-making optimization method for network security situation awareness described in this invention, the comparison of changes before and after is based on the modified recursive attack path structure. After regenerating the global stable risk value of the defense node, the difference between the modified global stable risk value and the unmodified global stable risk value is calculated and defined as the risk reduction amount.

[0012] As a preferred embodiment of the intelligent decision-making optimization method for network security situation awareness described in this invention, the step of generating a variant of the defense strategy based on a deterministic defense strategy, obtaining a probability distribution to determine the final defense strategy, and then distributing it to the network security device is as follows: Select a defense strategy based on the probability distribution of the defense strategy; The selected defense strategy is parsed into control commands, and the control commands are sent to the corresponding network security devices for confirmation and recording through the device management interface.

[0013] As a preferred embodiment of the intelligent decision optimization method for network security situation awareness described in this invention, the following steps are taken: the selection of defense strategy involves applying each variant of the defense strategy set to the recursive attack path structure one by one, simulating the execution of each variant, and after obtaining the path risk value, converting the path risk value into an evaluation index of the defense strategy variant; the defense strategy variants are weighted according to the evaluation index of each variant, and the execution probability of each variant is generated through normalization processing to form a probability distribution; Random sampling is performed based on the execution probability corresponding to each defense strategy variant to obtain the final defense strategy that needs to be executed.

[0014] Secondly, the present invention provides an intelligent decision-making optimization system for network security situation awareness, comprising, A correlation module is built to collect log data, traffic data, and security event data in the network. The collected data is standardized, and a set of network status nodes and the correlation relationships between nodes are built based on the standardized data. The hierarchical generation module is used to construct recursive components with unique entry and exit points based on a set of network state nodes. It generates call relationships and return paths between recursive components, forming a hierarchical recursive attack path structure. It sets a risk value for each node in the recursive attack path structure and propagates the risk value forward layer by layer according to the relationship to obtain the global network security situation result. The assessment and update module is used to construct an initial defense strategy based on the overall network security situation, conduct node-by-node assessments and policy updates, and then form a deterministic defense strategy. The strategy execution module is used to generate defense strategy variants based on deterministic defense strategies, obtain probability distributions to determine the final defense strategy, and then distribute it to network security devices.

[0015] The beneficial effects of this invention are as follows: By dividing the attack path into recursive components with unique entry and exit points, and establishing call relationships and return paths between components, the stage evolution process of attack behavior can be expressed in a structured way, providing a clear data foundation for subsequent decision optimization. Simultaneously, by distinguishing different propagation relationships and assigning differentiated propagation weights, the precise propagation and accumulation of risk in the path can be achieved. Secondly, by simulating the execution of defensive actions and calculating the risk reduction, node-by-node strategy evaluation and iterative optimization of each defensive node can be achieved, enabling defensive decisions to accurately target key nodes in the attack path. Therefore, this invention realizes a closed-loop process from situational awareness and risk assessment to defense strategy generation and optimization, transforming network security protection from passive response to proactive optimization, significantly improving intelligent decision-making capabilities and overall protection effectiveness. Attached Figure Description

[0016] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the following description of the embodiments will be briefly introduced. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0017] Figure 1 This is a flowchart of the intelligent decision-making optimization method for network security situation awareness in Example 1.

[0018] Figure 2 This is a structural diagram of the intelligent decision-making optimization system for network security situation awareness in Example 1.

[0019] Figure 3 This is a flowchart of the output deterministic defense strategy in Example 1.

[0020] Figure 4 This is a flowchart of the defense strategy deployment in Example 1. Detailed Implementation

[0021] To make the above-mentioned objects, features and advantages of the present invention more apparent and understandable, the specific embodiments of the present invention will be described in detail below with reference to the accompanying drawings.

[0022] Many specific details are set forth in the following description in order to provide a full understanding of the invention. However, the invention may also be practiced in other ways different from those described herein, and those skilled in the art can make similar extensions without departing from the spirit of the invention. Therefore, the invention is not limited to the specific embodiments disclosed below.

[0023] Secondly, the term "one embodiment" or "embodiment" as used herein refers to a specific feature, structure, or characteristic that may be included in at least one implementation of the present invention. The phrase "in one embodiment" appearing in different places in this specification does not necessarily refer to the same embodiment, nor is it a single or selective embodiment that is mutually exclusive with other embodiments.

[0024] Example 1, referring to Figures 1-4 This is the first embodiment of the present invention, which provides an intelligent decision-making optimization method for network security situation awareness, including the following steps: S1. Collect log data, traffic data, and security event data from the network, standardize the collected data, and construct a set of network status nodes and the relationships between nodes based on the standardized data; S1.1 Configure a log collection interface on the network device to receive device log data through the log protocol, deploy a traffic collection probe on the switching device to obtain network traffic data through port mirroring, and obtain host behavior data through a background running program; Specifically, log data from network devices is obtained through log protocols, including log generation time, device identifier, event type, source address, destination address, and behavior type. Network data traffic is collected by port mirroring and parsed layer by layer according to the network protocol to generate communication connections. The communication connections are then split into independent connection records, including source IP address, destination IP address, source port, destination port and protocol type. The system obtains host behavior data by running a background program, including the name of the currently running process, the file path accessed, the type of operation performed, and the identity of the user performing the operation. It should be noted that when obtaining log data from network devices through log protocols, the log output function should be enabled on the network devices; while when collecting network data traffic through port mirroring, a traffic collection probe needs to be deployed on the switching device, and then the network data traffic is copied and transmitted to the collection probe through port mirroring.

[0025] S1.2. All collected data are converted and standardized in a unified format, and divided into asset data according to asset type, including network equipment data, server data, and terminal equipment data, to obtain the asset dataset. Specifically, a list of security event types is preset. The system queries whether the event type in the log data belongs to this list. If it does, the log data is retained; otherwise, it is deleted. Perform statistical operations on the connection records to generate the total data transmission volume, number of data packets, and connection duration for the connection, and use the historical normal traffic baseline to confirm whether the connection is abnormal traffic; If any one of the total data transmission volume, number of data packets, and connection duration of the connection is greater than the historical normal traffic baseline, the network data traffic is marked as abnormal traffic; if the total data transmission volume, number of data packets, and connection duration are all less than or equal to the historical normal traffic baseline, the traffic is marked as normal traffic. Based on host behavior data, query host behavior data at multiple consecutive time points. If the same operation occurs multiple times at multiple consecutive time points, the host behavior data is marked as high-risk behavior; otherwise, it is marked as normal behavior. Align log data, network traffic data, and host behavior data in chronological order; The aligned log data, network traffic data, and host behavior data are mapped to a unified field through a preset unified field mapping table; The rule matching engine calls the preset security rule base to match the mapped unified fields one by one, generating a risk identifier for each data, including normal, medium risk, and high risk. It queries the unified fields of each data and divides the data into corresponding asset data, including network device data, server data, or terminal device data, according to the asset identifier field in the unified fields, to obtain the asset dataset. It should be noted that the preset security event type list includes unauthorized login attempts, exceeding the limit for failed login attempts, access control policy denial, abnormal port scanning, abnormal connection establishment, data outflow behavior, privilege escalation operations, and unauthorized access. Furthermore, the preset security event type list is generated based on historical security event data and existing security device log rules. For example, historical log data is exported from existing network security devices (including firewalls, intrusion detection systems, and log auditing systems), and statistical analysis is performed on the event types in the logs to filter out the most frequent event types that have been marked as security events, thus forming the security event type list. The historical normal traffic baseline is the average value of the total data transmission volume, the number of data packets, and the connection duration. For example, under normal network conditions, the total data transmission volume, the number of data packets, and the connection duration of each connection are continuously collected, and their average value over the time period is calculated as the normal traffic baseline. The pre-defined unified field mapping table is set according to the security information event management data specifications to ensure compatibility between different data sources; its exemplary mapping rules are as follows: Source IP in the log Mapped to asset identifier field; event type in logs Mapped to behavior type field; target address in the log. Mapped to behavior object fields; timestamps in logs Mapped to a time field; Source IP in the traffic Mapped to asset identifier field; traffic connection type Mapped to behavior type field; target port in traffic Mapped to behavior object fields; packet statistics Convert to connection count field; traffic size Convert to a data transfer volume field; Host IP Mapped to asset identifier field; Operation type Mapped to behavior type field; file or process Mapped to behavior object fields; number of operations Mapped to a behavior frequency field; The asset identification field includes network equipment, servers, and terminal equipment; The preset security rule base is built based on the detection rules of existing security devices. For example, rule configurations are extracted from firewalls, intrusion detection systems and security audit systems, and the rules are screened and organized in conjunction with relevant network security level protection specifications to form a unified security rule base. Secondly, the preset security rule base includes rules for abnormal access frequency, port scanning, abnormal connection establishment, and abnormal data transmission. Example, abnormal access frequency rules: Read the following fields from the unified fields: asset identifier, behavior frequency, and time; count the behavior frequency within 60 consecutive seconds; if the behavior frequency exceeds twice the historical average, it is marked as medium risk; if it exceeds three times, it is marked as high risk. Port scanning rules: Read unified fields: asset identifier field, number of accessed ports field, and time field; count the number of accessed ports within 60 seconds. If the number exceeds 20, it is marked as medium risk; if it exceeds 50, it is marked as high risk. Abnormal connection establishment rules: Read the unified field: number of connections; within 60 seconds, more than 50 connections are marked as medium risk, and more than 100 connections are marked as high risk; Data transmission anomaly rules: Read the unified field: data transmission volume field; if it exceeds twice the historical average within a unit of time, it is marked as medium risk, and if it exceeds three times, it is marked as high risk.

[0026] S1.3. Identify device nodes in the network based on asset data, perform vulnerability scanning, generate vulnerability information, and label vulnerability attributes for each device node; Specifically, based on the asset dataset, the IP address, MAC address, and device type of each device are extracted to uniquely identify the device. After creating a corresponding node object for each device, network scanning technology is used to obtain the device's operating system type, open ports, and running service information. Vulnerability scanning tools are used to scan devices in the network to obtain vulnerability information of each device. During the scan, the vulnerability number, vulnerability level and vulnerability impact range are recorded. Then, the vulnerability information is attached to the corresponding node object, so that the vulnerability information is associated with the node object and each node object has a complete vulnerability attribute description. It should be noted that when vulnerability scanning tools scan devices in a network, they need to perform scans based on the device type, the security domain it belongs to, and the importance of the business. For example, a full vulnerability scan should be performed on servers, terminals, and network devices in the management information network; a weak scan for non-intrusive vulnerability identification should be performed on production control areas, industrial control hosts, and business devices; and for devices that are prohibited from being actively scanned, vulnerability risks should be indirectly identified through log information, traffic fingerprints, and existing asset ledger information.

[0027] S1.4 Statistical node behavior data, extracting behavior features, including access frequency, number of operations and number of abnormal behaviors, attaching the behavior features to the nodes, generating a multi-dimensional attribute structure for each node, integrating all nodes, constructing a network state node set, and setting association relationships between nodes; Specifically, based on the asset dataset, the behavioral data corresponding to each node is extracted and statistically analyzed to obtain the access frequency, number of operations, and number of abnormal behaviors for each node; The access frequency, number of operations, and number of abnormal behaviors are encapsulated as dynamic attributes and attached to the corresponding nodes. After forming a multi-dimensional attribute structure with the basic attributes and vulnerability information of the nodes, the risk identifier of each node is extracted, and a unique status identifier of the node is generated based on the risk identifier. All nodes are aggregated to form a network status node set, and connections are established between the nodes in the network status node set according to the network topology and the communication relationships between devices, forming node association relationships; It should be noted that when performing statistical analysis on the behavioral data corresponding to a node, the behavioral data needs to be aggregated based on a preset time window. For example, in one implementation, the time window is preferably a sliding window of fixed duration or a segmented time window, such as 60 to 300 seconds for example; then, within each time window, the behavioral data corresponding to the node is statistically analyzed to calculate the node's access frequency, number of operations, and number of abnormal behaviors. The access frequency is the number of times the node initiates or receives communication requests per unit time, the number of operations is the total number of times the node performs operations per unit time, and the number of abnormal behaviors is the number of data records marked as abnormal behaviors per unit time.

[0028] S2. Based on the set of network state nodes, construct a recursive component with a unique entry and exit point, generate call relationships and return paths between recursive components, form a hierarchical recursive attack path structure, set a risk value for each node in the recursive attack path structure, and propagate the risk value forward layer by layer according to the association relationship to obtain the global network security situation result. S2.1. Divide the attack into multiple stages based on the set of network state nodes, and then set sub-paths for each attack stage; Specifically, based on the set of network state nodes, the multidimensional attribute structure of each node is read and matched using a preset attack phase rule table. The attack phases include the initial intrusion phase, the lateral movement phase, and the data leakage phase, with the initial intrusion phase being the most significant. Lateral movement phase Data breach stage; During matching, for each node, the multidimensional attribute structure is queried to see if it meets a certain attack stage in the attack stage rule table. If it does, the node is marked as belonging to that attack stage; otherwise, it is marked as a random node. If a node meets multiple attack stages simultaneously, they are sorted by priority (initial intrusion stage). Lateral movement phase (Data leakage stage), forming attack stage labels for each node; Iterate through all nodes in the initial intrusion stage, query the directly associated nodes based on the relationship, and then check whether the attack stage label of the associated node is a progressive stage (i.e., whether it is a lateral movement stage and irreversible), whether the associated nodes are duplicated, and whether the communication relationship is satisfied, and use them as path generation rules and constraints. If the path generation rules and constraints are met (i.e., whether it is a stage progression, whether the associated nodes are repeated, and whether the communication relationship is satisfied), then it is used as a node in the next stage; if any one of them is not met, then it is not used as a node in the next stage. Once the nodes for the next stage are determined, the nodes for the data leakage stage are searched to generate an attack path. The nodes in the attack path are read and a node sequence is formed. Then, the attack stage label of each node is obtained again. Based on the attack stage label, other nodes in each attack stage label are defined as sub-paths. It should be noted that the preset attack phase rule table is constructed through historical security event data analysis, network security specifications, and security device rule extraction. For example, attack behavior samples are extracted from historical security event data, including log data, traffic data, and host behavior data. Statistical analysis is performed on historical attack samples, and they are classified according to the position of the attack behavior in the attack chain to obtain attack feature sets for different phases. Combined with network security level protection specifications, attack behaviors are categorized to form attack phase division standards, including the initial intrusion phase, lateral movement phase, and data leakage phase. For each attack phase, the following rules can be set as an example: Initial Intrusion Phase Rules: An initial intrusion phase is determined when any of the following conditions are met: external IP access to the internal network, unauthorized login attempts or exceeding the login failure limit, port scanning, or unauthorized access. Lateral movement phase rules: A lateral movement phase is determined when any of the following conditions are met: abnormal connection establishment between internal network devices, the same node accessing multiple internal nodes within a unit of time, remote command execution, or cross-host file access behavior. Data breach stage rules: A data breach stage is determined when any of the following conditions are met: large-scale data transmission to external networks, data transmission volume exceeding historical baseline, access to sensitive data followed by immediate external transmission, or abnormally long-term data connection. And targeting the initial intrusion phase Lateral movement phase The priority of data breach stages is determined by the evolution of the attack from entering the network and spreading internally to data leakage, and this order is irreversible. For example, the initial intrusion stage describes the process of the attacker entering the target network, which is the starting stage of the attack; the lateral movement stage describes the process of the attacker expanding and spreading within the compromised network, which occurs after the initial intrusion; and the data leakage stage describes the process of the attacker transmitting or leaking data after acquiring the target resources, which is the final stage of the attack.

[0029] S2.2 Based on sub-paths, generate recursive components, and after setting a unique entry and exit point, establish call relationships between recursive components and connect them according to the call relationships to form a recursive attack path structure; Specifically, a sub-path is treated as a recursive component, with the first node of the sub-path set as the entry node and the last node as the exit node. If multiple path branches exist for the same attack stage label, the risk indicator of each branch is counted, and the node with the highest risk is set as the exit, while other exit connections are deleted. For recursive components of the same attack stage in different attack paths, the corresponding asset data is extracted. If the asset data belongs to the same asset, they are merged into the same recursive component to obtain a set of recursive components. Based on a collection of recursive components, establish calling relationships between different recursive components; Connect the exit node of the previous component to the entry node of the next component, establish a call edge between the exit node and the entry node, and then add a return path to the call relationship to form an attack path structure; The calling relationship is expressed as follows:

[0030] In the formula, Indicates the first A recursive component, Indicates the first A recursive component; It should be noted that a subpath refers to a sequence of consecutive nodes from a starting node to an ending node under the same attack phase label. The call relationship can be established according to the order of the attack phases. For example, the exit node of the previous recursive component can be connected to the entry node of the next recursive component, and a call edge can be established between them to represent the process of the attack moving from the previous phase to the next phase. At the same time, in order to ensure the integrity of the recursive structure, after each call edge is established, a return path is also established between the corresponding entry node and exit node to represent the logical relationship of returning to the upper-level path after the attack completes the current phase, thus forming a hierarchical attack path structure.

[0031] S2.3 Based on the recursive attack path structure, calculate the path risk value using preset weights; Specifically, for the attack path structure, the risk identifier of each node in the attack path structure is extracted, and the initial risk value of each node is set, including normal initial value, medium risk initial value, and high risk initial value; Read all exit nodes at each stage of data leakage and mark such nodes as termination nodes (the risk value of termination nodes remains fixed). For each recursive component, read all nodes within the recursive component, and then read the entry node and exit node to obtain the internal connection relationship of the recursive component. Based on the internal connection relationship of the recursive component, establish a propagation path from the entry node to the exit node to generate the internal propagation relationship of the recursive component. Read the call relationship between recursive components, connect the exit node of the previous component to the entry node of the next component to form the risk propagation direction, and then perform reverse backtracking on the call relationship to generate the return propagation path between recursive components; Propagate backwards from the termination node. For each node, read all the next nodes that the node can reach and obtain the initial risk value of each next node. Then, calculate the propagation risk value of the node to the next node using the preset propagation weight. Repeat the operation to generate a set of propagation risk values ​​for each node. Select the next node corresponding to the highest propagation risk value from the set of propagation risk values ​​as the attack node, and select the next node corresponding to the lowest propagation risk value as the defense node; For a set of propagation risk values, the average value of the propagation risk values ​​in the set is used as the updated value of the propagation risk value of the current node. After iterating to the maximum number of times, output the global stability risk value for each node; For each recursive component, after reading all nodes and the connections between nodes within the recursive component, find the entry node and the exit node. Then, starting from the entry node, traverse along the propagation relationship within the recursive component, record all paths from the entry node to the exit node, and obtain the path set. Based on the path set, the global stability risk value of each node in each path is read and accumulated node by node to obtain the path risk value of each path; The initial risk value is set using the following expression:

[0032] In the formula, Indicates the first The initial risk value of each node, , , These represent normal initial values, medium-risk initial values, and high-risk initial values, respectively. , , These respectively represent the normal, medium, and high risk categories in the risk assessment. The preset propagation weight is expressed as:

[0033] In the formula, Represents a node With the next node Propagation weight between , , These represent the first, second, and third propagation weights, respectively. This indicates the propagation relationship within a recursive component. This indicates the calling relationship between recursive components. This indicates the return propagation path relationship; The transmission risk value is calculated using the following expression:

[0034] In the formula, Represents a node Next node The risk value of transmission. Indicates the next node The initial risk value; The path risk value for each path is obtained using the following expression:

[0035] In the formula, Representing a path Path risk value, This represents the total number of nodes in the path. Indicates the first in the path The global stability risk value of each node. Indicates the first in the path The node to the first Propagation weights between nodes; It should be noted that: initial risk value A hierarchical quantification method is adopted for setting; by converting the risk identifier of a node into a discrete value, it can be used to characterize the contribution of node risk in the propagation process; and the value satisfies a monotonically increasing relationship, which is used to ensure that high-risk nodes can generate a greater risk accumulation effect in the risk propagation calculation process. For example, in one implementation, numerical values ​​are mapped to... , , This allows us to differentiate the impact of nodes at different risk levels on the overall situation; The preset propagation weight is set by the connection relationship between nodes. For example, different connection types can be understood as corresponding to different attack behaviors. In the propagation relationship within a recursive component, the attack characteristics belong to the same stage behavior, so the risk impact can be considered stable propagation. However, in the call relationship between recursive components, the attack characteristics belong to the stage rise and fall (such as privilege escalation, lateral movement), so the risk impact can be considered risk amplification. In the return propagation path relationship, the attack characteristics belong to state backtracking, which does not have a risk impact, so it is not amplified. For example, in one implementation, the propagation weight can be set to 1 for the propagation relationship within a recursive component, while the propagation weight can be set to 2 for the call relationship between recursive components, and the propagation weight can be set to 1 for the return propagation path relationship. This not only makes cross-component attacks more powerful, but also amplifies the risk.

[0036] S2.4 Find the risk value of the maximum path as the risk value of the entry node, and select the risk value of the maximum entry node as the global situation value for the recursive component. Then, perform defense strategy optimization and generate the current network security situation status as the global network security situation result. Specifically, find the path with the highest risk value as the risk value of the entry node; For all recursive components, read the risk values ​​of all entry nodes and take the risk value of the entry node with the largest risk value as the global situation value; Based on the global situational awareness value, the current network security situation is assessed through preset judgment thresholds; If the global situational awareness value is less than the judgment threshold, the current network security situational awareness is determined to be normal and no defense strategy optimization is performed; otherwise, the current network security situational awareness is determined to be at risk and defense strategy optimization is performed. The current cybersecurity situation is taken as the overall cybersecurity situation result; It should be noted that: the judgment threshold is used to classify the global situational awareness value; after calculating the path risk value, the path risk values ​​of all paths are first statistically analyzed to obtain a set of path risk values, and then the statistical characteristics of this set are calculated, including the minimum, maximum, and average values; based on this, the judgment threshold can be set to the average value for example; and this average value can be adjusted later according to security requirements, for example, by... The principles have been adjusted.

[0037] S3. Based on the overall network security situation, an initial defense strategy is constructed, and after node-by-node evaluation and strategy updates, a deterministic defense strategy is formed. S3.1 Based on the global network security situation results, construct a set of defense actions, and after executing each defense action in the set, generate a modified recursive attack path structure; Specifically, if the overall network security situation is at risk, each node is extracted from the recursive attack path structure. For each node, if the node belongs to a network device (such as a firewall, switch, or server) or is an entry point in the attack path, then the node is marked as a defense node; otherwise, it is not marked, thus forming a set of defense nodes. Set defense actions and attributes for each defense node in the defense node set; The defensive actions include blocking communication (blocking IPs and ports), adjusting access control (ACL policies), isolating hosts (isolating infected hosts), rate limiting (limiting bandwidth), and mandatory authentication (adding identity authentication), forming a set of defensive actions. The attributes include scope of effect (node ​​level / path level), execution cost (resource consumption), and risk reduction capability (degree of suppression of risk propagation). For the set of defensive actions, the defensive node simulates the execution of each defensive action to generate a modified recursive attack path structure; The simulation execution includes modifying node connection relationships (such as blocking edges), modifying propagation weights (such as reducing propagation capacity), and modifying path structure (such as cutting off paths). It should be noted that when making a judgment on each node, the judgment can be made through the node attribute fields (such as device_type, is_entry), and the result is stored in the node's tag field; Execution costs can be obtained through historical execution data, and the ability to reduce risks can be quantified by the degree of impact on the probability of attack propagation. For example, in one implementation, the risk reduction capability can be set by reducing the risk reduction resulting from lowering the propagation weight or cutting off the propagation path; To block communication, the connection edges between corresponding nodes can be deleted from the path structure replica, thus removing the connection relationship between nodes and blocking the attack propagation path. For access control adjustment, the access permissions between nodes can be modified in the path structure replica, setting the reachability of some connection edges to unreachable or restricting access. For host isolation, the target node is directly marked as an inaccessible node in the path structure, and all its inbound and outbound edges are removed. For rate limiting, the impact of bandwidth limitation on the attack propagation speed is reflected by reducing the propagation weight of the edges. For mandatory authentication, the probability of successful attack propagation is reduced by adding additional verification conditions on the nodes, which is reflected in the path structure by reducing the propagation weight of the connection edges.

[0038] S3.2 Based on the modified recursive attack path structure, recalculate the global stability risk value of the node and compare the changes before and after to generate a deterministic defense strategy. Specifically, based on the modified recursive attack path structure, after regenerating the global stable risk value of the defense node, the difference between the global stable risk value before modification and the value before modification is calculated and defined as the risk reduction amount. Based on the risk reduction amount, select the defense action with the largest risk reduction amount from all defense actions, and then use this defense action as the new defense action strategy (i.e. defense action) for the defense node. Repeat the process to generate new defense action strategies for each defense node, and organize them into a set of strategies to be optimized. Each new defense action in the set of strategies to be optimized is applied to the defense node again. The defense node then simulates the execution of each new defense action and calculates the risk reduction. When the maximum number of iterations is reached, a deterministic defense strategy (i.e., defense action, and each defense node corresponds to a deterministic defense strategy) is output. It should be noted that when calculating the risk reduction amount, the node identifier can be used as an index, a risk value storage table can be constructed, the corresponding risk value can be read from the risk value storage table, and the risk reduction amount can be obtained by subtraction, thereby quantifying the inhibitory effect of the defensive action on risk propagation. Secondly, during the iteration process, this invention adopts a node-by-node update method, that is, only the defense action of one defense node is adjusted each time, while keeping the defense actions of other nodes unchanged, thereby ensuring the stability of the strategy optimization process.

[0039] S4. Based on the deterministic defense strategy, after generating a variant of the defense strategy, obtain the probability distribution to determine the final defense strategy and send it to the network security device; S4.1 Select a defense strategy based on the probability distribution of the defense strategy; Specifically, the deterministic defense strategies corresponding to each defense node are combined to form an initial defense strategy scheme, and multiple defense strategy variants are generated by adjusting the defense actions, thereby forming a defense strategy set; Each defense strategy variant in the defense strategy set is applied to the recursive attack path structure one by one. The execution of each defense strategy variant is simulated, and after obtaining the path risk value, the path risk value is transformed into the evaluation index of the defense strategy variant. Subsequently, the defense strategy variants are weighted according to the evaluation index of each defense strategy variant, and the execution probability of each defense strategy variant is generated through normalization processing to form a probability distribution. Random sampling is performed based on the execution probability of each defense strategy variant to obtain the final defense strategy that needs to be executed. The evaluation metric for converting path risk values ​​into variants of defense strategies is expressed as follows:

[0040] In the formula, Indicates evaluation indicators, Indicates the first A variant of the defense strategy, Indicates the relationship with the first The path risk value corresponding to each defense strategy variant This indicates an extremely small positive number that prevents the denominator from being zero; The defense strategy variants are weighted according to their evaluation metrics, and the execution probability of each variant is generated through normalization, expressed as:

[0041] In the formula, Indicates the probability of execution. This represents the total number of variants of the defense strategy. Indicates the relationship with the first The path risk value corresponding to each defense strategy variant; It should be noted that when generating multiple defense strategy variants, the defense actions of each defense node in the initial defense strategy should be replaced or combined and adjusted one by one. For example, the communication blocking action of a certain node can be replaced with an access control adjustment action, or a rate limiting action can be superimposed on the original action to form a new strategy combination. Furthermore, only the defense actions of one or more defense nodes should be changed each time, while the remaining nodes remain unchanged, thereby systematically generating multiple defense strategy variants.

[0042] S4.2. Parse the selected defense strategy into control commands, and send the control commands to the corresponding network security devices for confirmation and recording through the device management interface; Specifically, the defense actions corresponding to each defense node in the defense strategy are parsed into control commands; Control commands are sent to the corresponding network security devices (firewalls, intrusion detection systems, and host protection systems) through the device management interface, and the execution results of the commands are confirmed and recorded. It should be noted that the process of parsing defense strategies into control commands and issuing them to network security devices is achieved by converting abstract defense actions into specific executable commands for the devices. This process includes four stages: defense action parsing, command generation, command issuance, and execution result confirmation. Phase 1: When parsing defense actions, the defense actions corresponding to each defense node in the policy should be extracted one by one. When the defense node is a firewall device, extract its corresponding communication blocking or access control actions; when the defense node is a switch or network device, extract its corresponding rate limiting or access control adjustment actions; when the defense node is a server or terminal device, extract its corresponding host isolation or forced authentication actions. Phase Two: When generating control commands, defense actions should be converted into corresponding control commands for different devices based on their types and defensive actions. For communication blocking actions, firewall access control rules should be generated, such as constructing a denial rule composed of source IP address, destination IP address, and port number, and encapsulating it into firewall configuration commands. For access control adjustment actions, access control list update commands should be generated, including adding or modifying access control entries. For host isolation actions, endpoint protection system control commands should be generated, such as isolating network interfaces or restricting host communication permissions. For rate limiting actions, network device bandwidth control commands should be generated to limit the rate of specified traffic. For mandatory authentication actions, identity authentication policy update commands should be generated, such as enabling multi-factor authentication or upgrading the authentication level. In the third stage, the command issuance stage, the control commands are sent to the corresponding network security devices through the device management interface; for devices that support remote interfaces (such as firewalls or intrusion detection systems), the control commands are sent by calling their provided management interfaces (such as REST interfaces or command-line interfaces); for network devices (such as switches), a connection is established through the network management protocol and configuration commands are sent; for host protection systems, the control commands are received and corresponding operations are executed through the terminal agent program. The fourth stage, when confirming the execution result, uses a device feedback mechanism to confirm the execution result of the instruction. For example, the execution status information returned by the device is used to determine whether the instruction was executed successfully. This can be done by checking the interface return code, device response information, or status change detection. At the same time, the device status after execution is checked again. For example, the firewall rules are checked to see if they are effective, whether the network connection is blocked, and whether the host is successfully isolated, thereby ensuring the effectiveness of the instruction execution.

[0043] This embodiment also provides an intelligent decision-making optimization system for network security situation awareness, including: A correlation module is built to collect log data, traffic data, and security event data in the network. The collected data is standardized, and a set of network status nodes and the correlation relationships between nodes are built based on the standardized data. The hierarchical generation module is used to construct recursive components with unique entry and exit points based on a set of network state nodes. It generates call relationships and return paths between recursive components, forming a hierarchical recursive attack path structure. It sets a risk value for each node in the recursive attack path structure and propagates the risk value forward layer by layer according to the relationship to obtain the global network security situation result. The assessment and update module is used to construct an initial defense strategy based on the overall network security situation, conduct node-by-node assessments and policy updates, and then form a deterministic defense strategy. The strategy execution module is used to generate defense strategy variants based on deterministic defense strategies, obtain probability distributions to determine the final defense strategy, and then distribute it to network security devices.

[0044] In summary, by dividing the attack path into recursive components with unique entry and exit points, and establishing call relationships and return paths between components, the phased evolution of attack behavior can be expressed in a structured manner, providing a clear data foundation for subsequent decision optimization. Simultaneously, by distinguishing different propagation relationships and assigning differentiated propagation weights, the precise propagation and accumulation of risk within the path can be achieved. Furthermore, by simulating the execution of defensive actions and calculating risk reduction, node-by-node strategy evaluation and iterative optimization of each defensive node can be achieved, enabling defensive decisions to accurately target key nodes in the attack path. Therefore, this invention realizes a closed-loop process from situational awareness and risk assessment to defense strategy generation and optimization, transforming network security protection from passive response to proactive optimization, significantly improving intelligent decision-making capabilities and overall protection effectiveness.

[0045] It should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and are not intended to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications or equivalent substitutions can be made to the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, and all such modifications or substitutions should be covered within the scope of the claims of the present invention.

Claims

1. An intelligent decision-making optimization method for network security situation awareness, characterized in that: include, Collect log data, traffic data, and security event data from the network, standardize the collected data, and construct a set of network status nodes and the relationships between nodes based on the standardized data; Based on the set of network state nodes, a recursive component with a unique entry and exit point is constructed. Call relationships and return paths are generated between the recursive components to form a hierarchical recursive attack path structure. A risk value is set for each node in the recursive attack path structure, and the risk value is propagated forward layer by layer according to the relationship to obtain the global network security situation result. Based on the overall network security situation, an initial defense strategy is constructed, and after node-by-node evaluation and strategy updates, a deterministic defense strategy is formed. Based on a deterministic defense strategy, after generating variants of the defense strategy, the probability distribution is obtained to determine the final defense strategy and then distributed to network security devices.

2. The intelligent decision-making optimization method for network security situation awareness as described in claim 1, characterized in that: The collected network log data, traffic data, and security event data undergo standardized processing as follows: Configure a log collection interface on the network device to receive device log data through the log protocol; deploy a traffic collection probe on the switching device to obtain network traffic data through port mirroring; and obtain host behavior data through a background program. All collected data is converted and standardized in a unified format, and then divided into asset data according to asset type, including network equipment data, server data, and terminal equipment data, to obtain an asset dataset.

3. The intelligent decision-making optimization method for network security situation awareness as described in claim 1, characterized in that: The construction of the network state node set and the relationships between nodes based on the standardized data is as follows: Based on asset data, identify device nodes in the network, perform vulnerability scanning, generate vulnerability information, and label vulnerability attributes for each device node; Collect node behavior data, extract behavioral features, including access frequency, number of operations, and number of abnormal behaviors. After attaching the behavioral features to the nodes, generate a multi-dimensional attribute structure for each node, integrate all nodes, construct a network state node set, and set the association relationships between the nodes.

4. The intelligent decision-making optimization method for network security situation awareness as described in claim 1, characterized in that: Based on the set of network state nodes, a recursive component with a unique entry and exit point is constructed. This generates call relationships and return paths between the recursive components, forming a hierarchical recursive attack path structure, as detailed below: The attack phases are divided based on the set of network state nodes, and then sub-paths are set for each attack phase. Based on the sub-path, recursive components are generated, and after setting a unique entry and exit point, a call relationship is established between the recursive components, and the recursive attack path structure is formed by connecting them according to the call relationship.

5. The intelligent decision-making optimization method for network security situation awareness as described in claim 1, characterized in that: The process involves assigning a risk value to each node in the recursive attack path structure and propagating the risk value forward layer by layer based on the correlation to obtain the overall network security situation result, as detailed below: Based on the recursive attack path structure, the path risk value is calculated using preset weights. Find the risk value of the path with the highest risk value as the risk value of the entry node, and select the risk value of the entry node with the highest risk value as the global situation value for the recursive component. Then, perform defense strategy optimization and generate the current network security situation status as the global network security situation result.

6. The intelligent decision-making optimization method for network security situation awareness as described in claim 1, characterized in that: Based on the overall network security situation, an initial defense strategy is constructed. After node-by-node evaluation and strategy updates, a deterministic defense strategy is formed, as follows: Based on the overall network security situation, a set of defense actions is constructed, and after executing each defense action in the set, a modified recursive attack path structure is generated. Based on the modified recursive attack path structure, the global stability risk value of the nodes is recalculated, and the changes before and after are compared to generate a deterministic defense strategy.

7. The intelligent decision-making optimization method for network security situation awareness as described in claim 6, characterized in that: The comparison of changes before and after is based on the modified recursive attack path structure. After regenerating the global stable risk value of the defense node, the difference between the global stable risk value before the modification and the value before modification is calculated and defined as the risk reduction amount.

8. The intelligent decision-making optimization method for network security situation awareness as described in claim 1, characterized in that: The deterministic defense strategy, after generating variants of the defense strategy, obtains the probability distribution to determine the final defense strategy and distributes it to the network security device, as follows: Select a defense strategy based on the probability distribution of the defense strategy; The selected defense strategy is parsed into control commands, and the control commands are sent to the corresponding network security devices for confirmation and recording through the device management interface.

9. The intelligent decision-making optimization method for network security situation awareness as described in claim 8, characterized in that: The selected defense strategy involves applying each defense strategy variant in the defense strategy set to the recursive attack path structure one by one, simulating the execution of each defense strategy variant, and after obtaining the path risk value, converting the path risk value into an evaluation index for the defense strategy variant. The defense strategy variants are weighted according to the evaluation index of each variant, and the execution probability of each variant is generated by normalization, forming a probability distribution. Random sampling is performed based on the execution probability corresponding to each defense strategy variant to obtain the final defense strategy that needs to be executed.

10. An intelligent decision-making optimization system for network security situation awareness, based on the intelligent decision-making optimization method for network security situation awareness as described in any one of claims 1 to 9, characterized in that: include, A correlation module is built to collect log data, traffic data, and security event data in the network. The collected data is standardized, and a set of network status nodes and the correlation relationships between nodes are built based on the standardized data. The hierarchical generation module is used to construct recursive components with unique entry and exit points based on a set of network state nodes. It generates call relationships and return paths between recursive components, forming a hierarchical recursive attack path structure. It sets a risk value for each node in the recursive attack path structure and propagates the risk value forward layer by layer according to the relationship to obtain the global network security situation result. The assessment and update module is used to construct an initial defense strategy based on the overall network security situation, conduct node-by-node assessments and policy updates, and then form a deterministic defense strategy. The strategy execution module is used to generate defense strategy variants based on deterministic defense strategies, obtain probability distributions to determine the final defense strategy, and then distribute it to network security devices.