An ai intelligent autonomous defense system for cyber security attack path prediction
By constructing a dynamic heterogeneous knowledge graph, identifying cyberspace assets and attack paths, and generating dynamic defense instructions, the problem of existing technologies being unable to adapt to dynamic changes in cyberspace is solved, achieving precise defense and timely response to cyberattacks.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- XIAMEN KUAIKUAI NETWORK TECH CO LTD
- Filing Date
- 2026-05-15
- Publication Date
- 2026-07-14
AI Technical Summary
Existing technologies cannot adjust defense commands according to the dynamic changes in cyberspace assets and attack paths over time, resulting in defense measures that are not flexible and effective enough.
A dynamic heterogeneous knowledge graph is constructed. By identifying asset nodes, determining the probability of vulnerability propagation and the threat coefficient of attack paths, a dynamic defense instruction set is generated, and the defense strategy is updated in real time.
It enables real-time response to dynamic changes in cyberspace, improves the timeliness and effectiveness of defense, accurately identifies key defense targets, prevents potential attacks in advance, and enhances overall defense effectiveness.
Smart Images

Figure CN122394942A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of cybersecurity technology, and in particular to an AI-powered intelligent autonomous defense system for predicting cybersecurity attack paths. Background Technology
[0002] Current technologies, while evaluating defenses through the construction of flow attack models and attack behavior detection, do not consider the impact of dynamic changes in cyberspace assets and attack paths over time. In other words, they cannot adjust defense commands based on these dynamic changes.
[0003] The information disclosed in the background section of this application is intended only to enhance the understanding of the general background of this application and should not be construed as an admission or in any way implying that the information constitutes prior art known to those skilled in the art. Summary of the Invention
[0004] This invention provides an AI-powered intelligent autonomous defense system for predicting network security attack paths, which can solve the technical problem that related technologies cannot adjust defense commands according to the dynamic changes of cyberspace assets and attack paths over time.
[0005] According to the present invention, an AI-powered intelligent autonomous defense system for predicting network security attack paths is provided, comprising: an asset node module for identifying asset nodes in cyberspace, extracting a static attribute set, and obtaining a dynamic relational edge set, wherein the static attribute set includes a port list and a set of known vulnerabilities; a dynamic heterogeneous knowledge graph module for constructing a dynamic heterogeneous knowledge graph based on the asset nodes, the static attribute set, and the dynamic relational edge set; an exposure duration module for obtaining the exposure duration of each vulnerability in the set of known vulnerabilities at the current moment; a vulnerability propagation probability module for determining the vulnerability propagation probability based on the exposure duration and the static attribute set; and a candidate attack path module for determining the vulnerability propagation probability based on the exposure duration and the static attribute set. The vulnerability propagation probability and the dynamic heterogeneous knowledge graph are used to determine candidate attack paths; the attack path threat coefficient module is used to determine the attack path threat coefficient based on the vulnerability propagation probability and the candidate attack paths; the most likely attack path module is used to sort the attack path threat coefficients to obtain multiple most likely attack paths; the location number module is used to obtain the location number of multiple asset nodes in multiple most likely attack paths; the path dependency center coefficient module is used to determine the path dependency center coefficient of multiple asset nodes based on the location number and the attack path threat coefficient; and the dynamic defense instruction set module is used to generate a dynamic defense instruction set based on the path dependency center coefficient.
[0006] Further, based on the exposure duration and the static attribute set, the vulnerability propagation probability is determined, including: obtaining fixed severity weights for multiple vulnerabilities based on the baseline score mapping of the Common Vulnerability Scoring System (CVSS); obtaining the average application cycle of security patches for multiple asset nodes; obtaining the standard security patch application cycle; obtaining the number of ports currently open and the total number of ports on multiple asset nodes based on the port list; and determining the vulnerability propagation probability based on the fixed severity weights, the average application cycle of security patches, the standard security patch application cycle, the number of open ports, the total number of ports, and the exposure duration.
[0007] Furthermore, based on the fixed severity weight, the average application cycle of the security patch, the application cycle of the standard security patch, the number of open ports, the total number of ports, and the exposure duration, the vulnerability propagation probability is determined, including: according to the formula: Determine the vulnerability propagation probability of the dynamic relationship edge between asset node i and asset node j at the current moment. Where the i-th asset node and the j-th asset node are adjacent asset nodes, and t is the current time. For the x-th vulnerability, a fixed severity weight is assigned. Let i be the set of known vulnerabilities for the i-th asset node. Let x be the duration of exposure of the x-th vulnerability at the current moment. Let be the average application cycle of security patches for the i-th asset node. For the standard security patch application cycle, Let the fixed severity weight be the y-th vulnerability. Let j be the set of known vulnerabilities for the j-th asset node. Let y be the duration of exposure of the y-th vulnerability at the current moment. Let j be the average application cycle of security patches for the j-th asset node. This represents the number of ports that are open on the i-th asset node at the current moment. Let be the total number of ports on the i-th asset node. This represents the number of ports that are open on the j-th asset node at the current moment. Let y be the total number of ports on the j-th asset node, where i, j, x, and y are all positive integers.
[0008] Furthermore, based on the vulnerability propagation probability and the dynamic heterogeneous knowledge graph, candidate attack paths are determined, including: starting from the asset node of the attack source, multiple attack paths to key asset nodes are randomly generated according to the dynamic heterogeneous knowledge graph; attack paths of asset nodes with vulnerability propagation probabilities lower than preset vulnerability propagation probabilities are eliminated, and the remaining attack paths are determined as candidate attack paths.
[0009] Further, based on the vulnerability propagation probability and the candidate attack paths, the attack path threat coefficient is determined, including: obtaining the path lengths of multiple candidate attack paths; obtaining the information entropy of multiple candidate attack paths at the current moment based on the vulnerability propagation probability; and determining the attack path threat coefficient based on the path length, the information entropy, and the vulnerability propagation probability.
[0010] Further, based on the path length, the information entropy, and the vulnerability propagation probability, the attack path threat coefficient is determined, including: according to the formula: Determine the path threat coefficient of the r-th candidate attack path at the current moment. Where t is the current time, Let r be the r-th candidate attack path. , … These are the dynamic relationship edges from the first asset node to the second asset node in the r-th candidate attack path, the dynamic relationship edges from the second asset node to the third asset node in the r-th candidate attack path, ..., and the dynamic relationship edges from the ith asset node to the (i+1)-th asset node in the r-th candidate attack path. Let be the probability of vulnerability propagation at the current moment for the dynamic relationship edge between the i-th asset node and the (i+1)-th asset node in the r-th candidate attack path. Let r be the path length of the r-th candidate attack path. Let be the information entropy of the r-th candidate attack path at the current moment, where i ≥ 1, and i and r are both positive integers.
[0011] Further, based on the location sequence number and the attack path threat coefficient, the path dependency center coefficient of multiple asset nodes is determined, including: obtaining the length of the most likely attack path of multiple most likely attack paths; determining the occurrence result of multiple asset nodes in the most likely attack path based on whether the asset node appears in the most likely attack path; and determining the path dependency center coefficient of multiple asset nodes based on the length of the most likely attack path, the occurrence result, the location sequence number, and the attack path threat coefficient.
[0012] Furthermore, based on the most probable attack path length, the occurrence result, the location sequence number, and the attack path threat coefficient, the path dependency centrality coefficients of multiple asset nodes are determined, including: according to the formula: Determine the path dependency centrality coefficient of the i-th asset node at the current time. Where t is the current time, Let be the path threat coefficient of the most likely attack path s at the current moment. Let i be the occurrence result of the i-th asset node in the s-th most probable attack path. Let be the position index of the i-th asset node in the s-th most probable attack path. Let i be the length of the most likely attack path of the s-th most likely attack path, and S be the number of most likely attack paths, where s ≤ S, and i, s, and S are all positive integers.
[0013] Technical Effects: According to this invention, the dynamic heterogeneous knowledge graph can be updated in real time through the dynamic changes of asset nodes and relationships. The vulnerability propagation probability can assess the probability that a vulnerability existing on each dynamic relationship edge can be exploited in the network. The attack path threat coefficient comprehensively considers the propagation risk of vulnerabilities and the characteristics of attack paths, accurately assessing the threat level of each candidate attack path. Based on the path dependency center coefficient, the critical defense level of each asset node in the attack path is obtained, ultimately generating a dynamic defense instruction set, which can better adapt to the ever-changing attack environment and defense needs in cyberspace. When determining the vulnerability propagation probability, the probability of vulnerability propagation between adjacent asset nodes can be accurately quantified by the risk quantity measured by ideal repair capability, the repair multiple, and the number of open ports. Continuous monitoring of the dynamic changes in the vulnerability propagation probability allows for timely detection of changes in the security state, more accurately assessing the security risks faced by dynamic relationship edges. When determining the attack path threat coefficient, the cumulative effect of vulnerability propagation probability on candidate attack paths, path length, and information entropy, among other key factors, can be comprehensively considered to determine the attack path threat coefficient. This accurately quantifies the threat level of candidate attack paths, thereby assessing the complexity and uncertainty of candidate attack paths, reflecting changes in network security status in a timely manner, and improving the timeliness and effectiveness of security protection. When determining the path dependency center coefficient, it can be based on the length of the most likely attack path, the occurrence result, the position number, and the attack path threat coefficient. This can accurately identify asset nodes that are in early breakthrough positions on high-threat paths, providing dynamic and accurate decision-making basis for proactive defense resource deployment, preventing potential attacks in advance, and improving overall defense effectiveness.
[0014] It should be understood that the foregoing general description and the following detailed description are exemplary and explanatory only, and are not intended to limit the invention. Other features and aspects of the invention will become clearer from the following detailed description of exemplary embodiments with reference to the accompanying drawings. Attached Figure Description
[0015] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other embodiments can be obtained based on these drawings without creative effort. Figure 1 An exemplary block diagram of an AI-powered intelligent autonomous defense system for predicting cybersecurity attack paths according to an embodiment of the present invention is shown. Detailed Implementation
[0016] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0017] The technical solution of the present invention will be described in detail below with reference to specific embodiments. These specific embodiments can be combined with each other, and the same or similar concepts or processes may not be described again in some embodiments.
[0018] Figure 1 An exemplary block diagram of an AI-powered intelligent autonomous defense system for predicting network security attack paths according to an embodiment of the present invention is shown. The system includes: an asset node module for identifying asset nodes in cyberspace, extracting static attribute sets, and obtaining dynamic relationship edge sets, wherein the static attribute set includes a port list and a set of known vulnerabilities; a dynamic heterogeneous knowledge graph module for constructing a dynamic heterogeneous knowledge graph based on the asset nodes, the static attribute set, and the dynamic relationship edge set; an exposure duration module for obtaining the exposure duration of each vulnerability in the set of known vulnerabilities at the current moment; a vulnerability propagation probability module for determining the vulnerability propagation probability based on the exposure duration and the static attribute set; and a candidate attack path module. The system comprises the following modules: a module for determining candidate attack paths based on the vulnerability propagation probability and the dynamic heterogeneous knowledge graph; an attack path threat coefficient module for determining attack path threat coefficients based on the vulnerability propagation probability and the candidate attack paths; a most probable attack path module for sorting the attack path threat coefficients to obtain multiple most probable attack paths; a location number module for obtaining the location numbers of multiple asset nodes in the multiple most probable attack paths; a path dependency center coefficient module for determining the path dependency center coefficients of multiple asset nodes based on the location numbers and the attack path threat coefficients; and a dynamic defense instruction set module for generating a dynamic defense instruction set based on the path dependency center coefficients.
[0019] The AI-powered intelligent autonomous defense system for predicting network security attack paths according to embodiments of the present invention can update a dynamic heterogeneous knowledge graph in real time through the dynamic changes of asset nodes and relationships. The vulnerability propagation probability can assess the probability that a vulnerability existing on each dynamic relationship edge can be exploited in the network. The attack path threat coefficient comprehensively considers the propagation risk of vulnerabilities and the characteristics of attack paths, and can accurately assess the threat level of each candidate attack path. Based on the path dependency center coefficient, the critical defense level of each asset node in the attack path is obtained, and finally a dynamic defense instruction set is generated, which can better adapt to the ever-changing attack environment and defense needs in cyberspace.
[0020] According to one embodiment of the present invention, in the asset node module, a professional network scanning tool, such as Nmap, is used to perform a comprehensive scan of the network space. Physical servers, virtual machines, containers, network devices, and terminals are all considered asset nodes. For each asset node, its static attribute set, including a port list and a set of known vulnerabilities, is extracted. Professional vulnerability scanning tools, such as OpenVAS and Nessus, are then used to scan the asset node for vulnerabilities, detecting known security vulnerabilities present on the asset node. Simultaneously, the real-time dynamic interaction relationships between asset nodes are captured, forming a set of directed edges, i.e., a dynamic relationship edge set. Each edge represents a logical or physical access path from one asset node to an adjacent asset node.
[0021] According to one embodiment of the present invention, in the dynamic heterogeneous knowledge graph module, entities are extracted from asset node data and mapped to entity types defined in the knowledge graph. For example, scanned physical servers are mapped to the "physical server" entity in the knowledge graph, and virtual machines are mapped to the "virtual machine" entity. Attribute information is extracted from the static attribute set and associated with the corresponding entities. For example, the port list of physical servers is used as the "port list" attribute of the "physical server" entity, and the known vulnerability set is used as the "known vulnerability set" attribute of the "physical server" entity. Relationship information is extracted from the dynamic relationship edge set and mapped to the dynamic interaction relationships defined in the knowledge graph. For example, asset node A → asset node B has a temporal attribute, thereby constructing an attributed dynamic heterogeneous knowledge graph, enabling real-time monitoring of asset nodes and dynamic relationships, and timely updating of entity and relationship information in the dynamic heterogeneous knowledge graph.
[0022] According to one embodiment of the present invention, in the exposure duration module, the first discovery time of each vulnerability is obtained, and the time interval from the first discovery time of the vulnerability to the current time can be obtained by subtracting the first discovery time from the current time, i.e., the exposure duration.
[0023] According to one embodiment of the present invention, in the vulnerability propagation probability module, the vulnerability propagation probability is determined based on the exposure duration and the static attribute set.
[0024] According to one embodiment of the present invention, determining the vulnerability propagation probability based on the exposure duration and the static attribute set includes: obtaining fixed severity weights for multiple vulnerabilities based on the baseline score mapping of the Common Vulnerability Scoring System (CVSS); obtaining the average application cycle of security patches for multiple asset nodes; obtaining the standard security patch application cycle; obtaining the number of ports in an open state and the total number of ports on multiple asset nodes at the current time based on the port list; and determining the vulnerability propagation probability based on the fixed severity weights, the average application cycle of security patches, the standard security patch application cycle, the number of ports in an open state, the total number of ports, and the exposure duration.
[0025] According to one embodiment of the present invention, the baseline score of the Common Vulnerability Scoring System (CVSS) is a standardized scoring system used to measure the severity of vulnerabilities, comprehensively considering multiple factors such as exploitability and impact scope. The CVSS baseline score for each vulnerability is converted into a corresponding fixed severity weight, with a value range of [0, 10]. For each asset node, based on historical patch application records, the average time interval from patch release to actual application is calculated, i.e., the average security patch application cycle. For example, for a certain asset node, the release-to-application time difference of 10 patches applied in the past year is calculated, and the average of the 10 time differences is taken as the average security patch application cycle of that asset node, i.e., the actual remediation capability of the asset node. The standard security patch application cycle can be 7200 seconds, representing the ideal remediation capability. Port scanning is performed on multiple asset nodes, and the number of open ports on each asset node and the total number of ports on that asset node are extracted from the scan results. The vulnerability propagation probability represents the probability that a vulnerability existing on each dynamic relationship edge can be exploited in the network, and is also the probability of being attacked.
[0026] According to one embodiment of the present invention, determining the vulnerability propagation probability based on the fixed severity weight, the average application cycle of the security patch, the standard security patch application cycle, the number of open ports, the total number of ports, and the exposure duration includes: determining the vulnerability propagation probability of the dynamic relationship edge from the i-th asset node to the j-th asset node at the current moment according to formula (1). , (1), Where the i-th asset node and the j-th asset node are adjacent asset nodes, and t is the current time. For the x-th vulnerability, a fixed severity weight is assigned. Let i be the set of known vulnerabilities for the i-th asset node. Let x be the duration of exposure of the x-th vulnerability at the current moment. Let be the average application cycle of security patches for the i-th asset node. For the standard security patch application cycle, Let the fixed severity weight be the y-th vulnerability. Let j be the set of known vulnerabilities for the j-th asset node. Let y be the duration of exposure of the y-th vulnerability at the current moment. Let j be the average application cycle of security patches for the j-th asset node. This represents the number of ports that are open on the i-th asset node at the current moment. Let be the total number of ports on the i-th asset node. This represents the number of ports that are open on the j-th asset node at the current moment. Let y be the total number of ports on the j-th asset node, where i, j, x, and y are all positive integers.
[0027] According to an embodiment of the present invention, in formula (1), To represent the severity of vulnerability exposure, we perform a weighted summation of the exposure durations of multiple known vulnerabilities in the i-th asset node at the current moment. Let be the ratio between the severity of the vulnerability exposure of the i-th asset node and the standard security patch application cycle. It represents the risk measured by ideal remediation capability. That is, based on ideal remediation capability, how many "standard cycles" are needed to digest the current accumulated vulnerability risk under "ideal remediation capability". The larger the ratio, the higher the vulnerability risk. The ratio between the average application cycle of security patches for the i-th asset node and the standard application cycle of security patches indicates how many times the actual repair capability of the node is greater than the ideal repair capability, i.e., the repair multiple. The larger the ratio, the slower the patch repair. The product of the risk level (measured by ideal repair capability) and the repair multiplier represents the timeliness risk of vulnerability exposure for the i-th asset node. The larger this product, the higher the probability that the vulnerability in the i-th asset node will be exploited. Similarly, This indicates the timeliness risk of vulnerability exposure in the j-th asset node. The larger the value, the higher the probability that the vulnerability of the j-th asset node will be exploited. This represents the average risk of vulnerability exposure timeliness for the i-th and j-th asset nodes. The larger this average value is, the higher the probability that the vulnerability in the dynamic relationship edge from the i-th asset node to the j-th asset node will be attacked. The ratio between the sum of the number of open ports on the i-th and j-th asset nodes and the sum of the total number of ports on the i-th and j-th asset nodes represents the immediate attack surface expansion risk brought about by open ports. The larger this ratio, the more interactive interfaces there are, and the higher the probability of being attacked in real time. and The negative value of the sum is used as the exponent of the exponential function. Subtracting the exponent from 1 gives the vulnerability propagation probability of the dynamic relationship edge from the i-th asset node to the j-th asset node at the current moment. The higher the vulnerability propagation probability, the greater the probability that the vulnerability on the dynamic relationship edge can be attacked in the network.
[0028] In this way, the probability of vulnerability propagation between adjacent asset nodes can be precisely quantified by the risk level measured by ideal repair capability, the repair multiplier, and the number of open ports. This allows for continuous monitoring of the dynamic changes in vulnerability propagation probability, timely detection of changes in the security state, and more accurate assessment of the security risks faced by dynamic relationship edges.
[0029] According to one embodiment of the present invention, in the candidate attack path module, candidate attack paths are determined based on the vulnerability propagation probability and the dynamic heterogeneous knowledge graph.
[0030] According to one embodiment of the present invention, determining candidate attack paths based on the vulnerability propagation probability and the dynamic heterogeneous knowledge graph includes: starting from the asset node of the attack source, randomly generating multiple attack paths to key asset nodes based on the dynamic heterogeneous knowledge graph; eliminating attack paths to asset nodes where the vulnerability propagation probability is lower than a preset vulnerability propagation probability, and determining the remaining attack paths as candidate attack paths.
[0031] According to one embodiment of the present invention, the asset node of the attack source is the asset node whose access permissions have just been triggered by the attacker. This asset node has security vulnerabilities, improper configuration, and other issues, making it easily controllable or exploitable by the attacker. Critical asset nodes are assets of significant value in the system that would have serious consequences if attacked, such as core servers and databases. A dynamic heterogeneous knowledge graph can comprehensively reflect the relationships between asset nodes and the dynamic changes in the network environment. Using this dynamic heterogeneous knowledge graph and a random algorithm, starting from the attack source asset node, the attacker explores along the dynamic relationship edges in the knowledge graph, gradually generating multiple different attack paths from the starting point to the target endpoint. These attack paths represent different attack routes that the attacker might take. Traverse all generated attack paths and check if there are any asset nodes on each attack path with a vulnerability propagation probability lower than the preset vulnerability propagation probability (e.g., 0.2). If an attack path contains an asset node with a vulnerability propagation probability lower than the preset vulnerability propagation probability, it indicates that there is a relatively safe link in the attack path. From the attacker's perspective, this may not be the optimal attack choice. Therefore, this attack path is removed from the candidate list. The remaining attack paths are the candidate attack paths. All asset nodes on the candidate attack paths have a vulnerability propagation risk of not less than the preset vulnerability propagation probability, which means that the possibility of attackers attacking along the candidate attack paths is relatively high, posing a greater threat to system security. These are attack routes that need to be focused on and prevented.
[0032] According to one embodiment of the present invention, in the attack path threat coefficient module, the attack path threat coefficient is determined based on the vulnerability propagation probability and the candidate attack paths.
[0033] According to one embodiment of the present invention, determining the attack path threat coefficient based on the vulnerability propagation probability and the candidate attack paths includes: obtaining the path lengths of multiple candidate attack paths; obtaining the information entropy of the multiple candidate attack paths at the current moment based on the vulnerability propagation probability; and determining the attack path threat coefficient based on the path lengths, the information entropy, and the vulnerability propagation probability.
[0034] According to one embodiment of the present invention, the path length of a candidate attack path is the number of dynamic relation edges traversed by the candidate attack path. If the success probability of some steps in an attack path is very high (close to 1), while the success probability of others is very low (close to 0), then the attacker has virtually no choice but to attack a few high-probability points in a fixed order. Although this attack path may succeed, it is predictable and protectable. Conversely, if the success probability of each step in an attack path is "approximate" (e.g., all between 0.6 and 0.7), then the attacker has similar success rates at each stage. The entire path is more flexible, adaptable, and harder to completely block for the attacker. This "attack resilience" or "optionality" itself poses a greater threat. Therefore, it is necessary to obtain the information entropy of multiple candidate attack paths at the current moment. For example, the vulnerability propagation probability of each dynamic relation edge on the r-th candidate attack path can be normalized to form a distribution of "relative success rate," i.e., ,in, Let be the normalized vulnerability propagation probability of the dynamic relationship edge between the i-th asset node and the (i+1)-th asset node in the r-th candidate attack path at the current moment. Let be the probability of vulnerability propagation at the current moment for the dynamic relationship edge between the i-th asset node and the (i+1)-th asset node in the r-th candidate attack path. Let r be the r-th candidate attack path. , … These are the dynamic relationship edges from the 1st asset node to the 2nd asset node, the 2nd asset node to the 3rd asset node, ..., the i-th asset node to the (i+1)-th asset node. ,in, Let be the information entropy of the r-th candidate attack path at the current moment. The threat coefficient of the attack path allows for a direct comparison of the degree of threat posed to system security by different candidate attack paths.
[0035] According to an embodiment of the present invention, determining the attack path threat coefficient based on the path length, the information entropy, and the vulnerability propagation probability includes: determining the path threat coefficient of the r-th candidate attack path at the current moment according to formula (2). , (2), Where t is the current time, Let r be the r-th candidate attack path. , … These are the dynamic relationship edges from the first asset node to the second asset node in the r-th candidate attack path, the dynamic relationship edges from the second asset node to the third asset node in the r-th candidate attack path, ..., and the dynamic relationship edges from the ith asset node to the (i+1)-th asset node in the r-th candidate attack path. Let be the probability of vulnerability propagation at the current moment for the dynamic relationship edge between the i-th asset node and the (i+1)-th asset node in the r-th candidate attack path. Let r be the path length of the r-th candidate attack path. Let be the information entropy of the r-th candidate attack path at the current moment, where i ≥ 1, and i and r are both positive integers.
[0036] According to an embodiment of the present invention, in formula (2), This represents the result of multiplying the vulnerability propagation probabilities of all dynamic relationship edges between adjacent asset nodes on the r-th candidate attack path at the current moment. It represents the cumulative probability of vulnerability propagation on the entire candidate attack path. If the vulnerability propagation probability of a certain dynamic relationship edge on the candidate attack path is very high, the entire multiplication result increases significantly, indicating that the candidate attack path has a high risk of being attacked. Conversely, if the vulnerability propagation probabilities of each dynamic relationship edge on the candidate attack path are low, the multiplication result is small, indicating that the candidate attack path is relatively safe. This indicates that the above product result will be performed... The operation of the power root, where... Let be the path length of the r-th candidate attack path. To normalize the product of these paths, since longer candidate attack paths typically result in larger product values (even if the vulnerability propagation probability is the same for each dynamic relation edge), but longer candidate attack paths do not necessarily imply a higher actual threat, taking the power root eliminates the excessive influence of path length on the cumulative probability, making candidate attack paths of different lengths comparable in threat assessment. If the vulnerability propagation probability of all dynamic relation edges is equal, then the normalized vulnerability propagation probabilities are equal, and the maximum entropy value is [value missing]. The higher the information entropy, the more even the success rate of each stage of the candidate attack path, the more operational space and alternative options the attacker has, and the stronger the "robustness" (from the attacker's perspective) of the candidate attack path. Therefore, it poses a greater threat to the defender. The result is the ratio of the information entropy of the r-th candidate attack path at the current moment to the maximum entropy value, plus 1. The larger this result is, the higher the uncertainty of the path, thus increasing the threat.
[0037] In this way, the threat coefficient of an attack path can be determined by comprehensively considering multiple key factors such as the cumulative effect of vulnerability propagation probability, path length, and information entropy on candidate attack paths. This allows for precise quantification of the threat level of candidate attack paths, thereby assessing their complexity and uncertainty, reflecting changes in network security status in a timely manner, and improving the timeliness and effectiveness of security protection.
[0038] According to one embodiment of the present invention, in the most probable attack path module, the attack path threat coefficients of candidate attack paths are sorted. The sorting rule is to arrange the attack paths in descending order of threat coefficient, with the attack path with the highest threat coefficient being placed at the top of the list. The top S candidate attack paths are selected as the most probable attack paths, where the value of S can be determined according to actual needs and security resources. For example, if the security team has limited resources and can only focus on a few attack paths, the top 3 or top 5 candidate attack paths with the highest attack path threat coefficients can be selected. If more comprehensive coverage of potential threats is required, more candidate attack paths can be selected for analysis and prevention.
[0039] According to one embodiment of the present invention, in the location sequence module, the location sequence numbers (counting from 1) of multiple asset nodes in multiple most likely attack paths are obtained.
[0040] According to one embodiment of the present invention, in the path dependency center coefficient module, the path dependency center coefficients of multiple asset nodes are determined based on the location sequence number and the attack path threat coefficient.
[0041] According to one embodiment of the present invention, determining the path dependency centrality coefficient of multiple asset nodes based on the location sequence number and the attack path threat coefficient includes: obtaining the length of the most likely attack path of multiple most likely attack paths; determining the occurrence result of multiple asset nodes in the most likely attack paths based on whether the asset nodes appear in the most likely attack paths; and determining the path dependency centrality coefficient of multiple asset nodes based on the length of the most likely attack path, the occurrence result, the location sequence number, and the attack path threat coefficient.
[0042] According to one embodiment of the present invention, the length of the most likely attack path is the number of dynamic relation edges traversed by the most likely attack path. If the i-th asset node appears in the s-th most likely attack path... If the i-th asset node appears in the s-th most likely attack path, then the result is 1; if the i-th asset node does not appear in the s-th most likely attack path, then the result is 1. In this case, the occurrence result of the i-th asset node in the s-th most probable attack path is determined to be 0. The path dependency centrality coefficient reflects the critical defense level of the asset node.
[0043] According to an embodiment of the present invention, determining the path dependency centrality coefficients of multiple asset nodes based on the most likely attack path length, the occurrence result, the position number, and the attack path threat coefficient includes: determining the path dependency centrality coefficient of the i-th asset node at the current moment according to formula (3). , (3), Where t is the current time, Let be the path threat coefficient of the most likely attack path s at the current moment. Let i be the occurrence result of the i-th asset node in the s-th most probable attack path. Let be the position index of the i-th asset node in the s-th most probable attack path. Let i be the length of the most likely attack path of the s-th most likely attack path, and S be the number of most likely attack paths, where s ≤ S, and i, s, and S are all positive integers.
[0044] According to one embodiment of the present invention, in formula (3), Subtract 1 from the position index of the i-th asset node in the s-th most probable attack path. The ratio between these values represents the asset node weight. Asset nodes that are earlier in the attack sequence have higher dynamic strategic value and therefore a larger weight. , and Multiplying the three terms and summing them, we can obtain the path dependence centrality coefficient of the i-th asset node at the current moment. The larger the path dependence centrality coefficient, the greater the critical defense of the asset node among multiple most likely attack paths. This indicates that the asset node that is at the forefront of the path with a high degree of threat is more important in terms of defense.
[0045] In this way, the path dependency center coefficient can be determined based on the length of the most likely attack path, the occurrence result, the position number, and the attack path threat coefficient. This can accurately identify asset nodes in early breakthrough positions on high-threat paths, providing dynamic and accurate decision-making basis for proactive defense resource deployment, preventing potential attacks in advance, and improving overall defense effectiveness.
[0046] According to one embodiment of the present invention, in the dynamic defense instruction set module, the critical defense level of each asset node in the most likely attack path is determined by the path dependency center coefficient, and then a dynamic defense instruction set is generated. For example, temporary access isolation is implemented for asset nodes whose path dependency center coefficient exceeds a preset path dependency center coefficient (e.g., 0.49) to achieve dynamic autonomous defense and improve the overall security of the network.
[0047] The AI-powered intelligent autonomous defense system for predicting network security attack paths, according to embodiments of the present invention, can update a dynamic heterogeneous knowledge graph in real time through the dynamic changes of asset nodes and relationships. The vulnerability propagation probability assesses the probability that a vulnerability existing on each dynamic relationship edge can be exploited in the network. The attack path threat coefficient comprehensively considers the propagation risk of vulnerabilities and the characteristics of attack paths, accurately assessing the threat level of each candidate attack path. Based on the path dependency center coefficient, the critical defense level of each asset node in the attack path is obtained, ultimately generating a dynamic defense instruction set that can better adapt to the ever-changing attack environment and defense needs in cyberspace. When determining the vulnerability propagation probability, the probability of vulnerability propagation between adjacent asset nodes can be precisely quantified by the risk quantity measured by ideal repair capability, the repair multiple, and the number of open ports. Continuous monitoring of the dynamic changes in the vulnerability propagation probability allows for timely detection of changes in the security state, and more accurate assessment of the security risks faced by dynamic relationship edges. When determining the threat coefficient of an attack path, multiple key factors such as the cumulative effect of vulnerability propagation probability, path length, and information entropy on candidate attack paths can be considered. This allows for precise quantification of the threat level of candidate attack paths, assessing their complexity and uncertainty, reflecting changes in network security status in a timely manner, and improving the timeliness and effectiveness of security protection. When determining the path dependency center coefficient, it can be based on the length of the most likely attack path, its occurrence outcome, its position number, and the attack path threat coefficient. This accurately identifies asset nodes at early entry points on high-threat paths, providing dynamic and precise decision-making basis for proactive defense resource deployment, enabling early prevention of potential attacks and improving overall defense effectiveness.
[0048] This invention can be a method, apparatus, system, and / or computer program product. The computer program product may include a computer-readable storage medium having computer-readable program instructions loaded thereon for performing various aspects of the invention.
[0049] Those skilled in the art should understand that the embodiments of the present invention described above and shown in the accompanying drawings are merely examples and do not limit the present invention. The objectives of the present invention have been fully and effectively achieved. The functions and structural principles of the present invention have been demonstrated and explained in the embodiments, and any variations or modifications may be made to the implementation of the present invention without departing from the stated principles.
Claims
1. An AI-powered intelligent autonomous defense system for predicting network security attack paths, characterized in that, include: The system includes several modules: an asset node module for identifying asset nodes in the network space, extracting static attribute sets, and obtaining dynamic relationship edge sets, wherein the static attribute sets include a port list and a set of known vulnerabilities; a dynamic heterogeneous knowledge graph module for constructing a dynamic heterogeneous knowledge graph based on the asset nodes, the static attribute sets, and the dynamic relationship edge sets; an exposure duration module for obtaining the exposure duration of each vulnerability in the set of known vulnerabilities at the current moment; a vulnerability propagation probability module for determining the vulnerability propagation probability based on the exposure duration and the static attribute sets; and a candidate attack path module for determining the vulnerability propagation probability based on the dynamic heterogeneous knowledge graph. The system comprises the following modules: a spectrum module for determining candidate attack paths; an attack path threat coefficient module for determining the attack path threat coefficient based on the vulnerability propagation probability and the candidate attack paths; a most probable attack path module for sorting the attack path threat coefficients to obtain multiple most probable attack paths; a location number module for obtaining the location numbers of multiple asset nodes in the multiple most probable attack paths; a path dependency center coefficient module for determining the path dependency center coefficient of multiple asset nodes based on the location number and the attack path threat coefficient; and a dynamic defense instruction set module for generating a dynamic defense instruction set based on the path dependency center coefficient.
2. The AI-powered intelligent autonomous defense system for predicting network security attack paths according to claim 1, characterized in that, The vulnerability propagation probability is determined based on the exposure duration and the static attribute set, including: obtaining fixed severity weights for multiple vulnerabilities based on the baseline score mapping of the Common Vulnerability Scoring System (CVSS); obtaining the average application cycle of security patches for multiple asset nodes; obtaining the standard security patch application cycle; obtaining the number of ports currently open and the total number of ports on multiple asset nodes based on the port list; and determining the vulnerability propagation probability based on the fixed severity weights, the average application cycle of security patches, the standard security patch application cycle, the number of open ports, the total number of ports, and the exposure duration.
3. The AI-powered intelligent autonomous defense system for predicting network security attack paths according to claim 2, characterized in that, The vulnerability propagation probability is determined based on the fixed severity weight, the average application cycle of security patches, the standard application cycle of security patches, the number of open ports, the total number of ports, and the exposure duration, including: according to the formula: Determine the vulnerability propagation probability of the dynamic relationship edge between asset node i and asset node j at the current moment. Where the i-th asset node and the j-th asset node are adjacent asset nodes, and t is the current time. For the x-th vulnerability, a fixed severity weight is assigned. Let i be the set of known vulnerabilities for the i-th asset node. Let x be the duration of exposure of the x-th vulnerability at the current moment. Let be the average application cycle of security patches for the i-th asset node. For the standard security patch application cycle, Let y be the fixed severity weight of the y-th vulnerability. Let j be the set of known vulnerabilities for the j-th asset node. Let y be the duration of exposure of the y-th vulnerability at the current moment. Let j be the average application cycle of security patches for the j-th asset node. This represents the number of ports that are open on the i-th asset node at the current moment. Let be the total number of ports on the i-th asset node. This represents the number of ports that are open on the j-th asset node at the current moment. Let y be the total number of ports on the j-th asset node, where i, j, x, and y are all positive integers.
4. The AI-powered intelligent autonomous defense system for predicting network security attack paths according to claim 1, characterized in that, Based on the vulnerability propagation probability and the dynamic heterogeneous knowledge graph, candidate attack paths are determined, including: starting from the asset node of the attack source, multiple attack paths to key asset nodes are randomly generated according to the dynamic heterogeneous knowledge graph; attack paths of asset nodes with vulnerability propagation probabilities lower than preset vulnerability propagation probabilities are eliminated, and the remaining attack paths are determined as candidate attack paths.
5. The AI-powered intelligent autonomous defense system for predicting network security attack paths according to claim 1, characterized in that, Determining the attack path threat coefficient based on the vulnerability propagation probability and the candidate attack paths includes: obtaining the path lengths of multiple candidate attack paths; obtaining the information entropy of multiple candidate attack paths at the current moment based on the vulnerability propagation probability; and determining the attack path threat coefficient based on the path length, the information entropy, and the vulnerability propagation probability.
6. The AI-powered intelligent autonomous defense system for predicting network security attack paths according to claim 5, characterized in that, The attack path threat coefficient is determined based on the path length, the information entropy, and the vulnerability propagation probability, including: according to the formula: Determine the path threat coefficient of the r-th candidate attack path at the current moment. Where t is the current time, Let r be the r-th candidate attack path. , … These are the dynamic relationship edges from the first asset node to the second asset node in the r-th candidate attack path, the dynamic relationship edges from the second asset node to the third asset node in the r-th candidate attack path, ..., and the dynamic relationship edges from the ith asset node to the (i+1)-th asset node in the r-th candidate attack path. Let be the probability of vulnerability propagation at the current moment for the dynamic relationship edge between the i-th asset node and the (i+1)-th asset node in the r-th candidate attack path. Let r be the path length of the r-th candidate attack path. Let be the information entropy of the r-th candidate attack path at the current moment, where i ≥ 1, and both i and r are positive integers.
7. The AI-powered intelligent autonomous defense system for predicting network security attack paths according to claim 1, characterized in that, Determining the path dependency centrality coefficient of multiple asset nodes based on the location sequence number and the attack path threat coefficient includes: obtaining the length of the most likely attack path of multiple most likely attack paths; determining the occurrence result of multiple asset nodes in the most likely attack paths based on whether the asset nodes appear in the most likely attack paths; and determining the path dependency centrality coefficient of multiple asset nodes based on the length of the most likely attack path, the occurrence result, the location sequence number, and the attack path threat coefficient.
8. The AI-powered intelligent autonomous defense system for predicting network security attack paths according to claim 7, characterized in that, Based on the most probable attack path length, the occurrence result, the location sequence number, and the attack path threat coefficient, the path dependency center coefficients of multiple asset nodes are determined, including: according to the formula: Determine the path dependency centrality coefficient of the i-th asset node at the current time. Where t is the current time, Let be the path threat coefficient of the most likely attack path s at the current moment. Let i be the occurrence result of the i-th asset node in the s-th most probable attack path. Let be the position index of the i-th asset node in the s-th most probable attack path. Let i be the length of the most likely attack path of the s-th most likely attack path, and S be the number of most likely attack paths, where s ≤ S, and i, s, and S are all positive integers.