A terminal detection response platform intelligent management and control system

By constructing an intelligent management and control system for the endpoint detection and response platform, the problems of high false alarm rate, difficulty in capturing multi-step attack chains, and lack of collaborative management in existing technologies have been solved. This has enabled efficient and accurate threat response and business continuity, and improved the system's adaptive defense capabilities.

CN122394958APending Publication Date: 2026-07-14JIADI WEIZHI (BEIJING) TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
JIADI WEIZHI (BEIJING) TECH CO LTD
Filing Date
2026-06-03
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing terminal detection and response platforms suffer from high false alarm rates, difficulty in capturing multi-step attack chains, lack of dynamic evaluation capabilities and collaborative management mechanisms in terms of intelligent control, resulting in rigid response actions, high resource consumption, and potential disruption of core business operations.

Method used

An intelligent management and control system for the terminal detection and response platform is constructed, including a terminal data acquisition module, a multi-source data fusion module, an intelligent analysis engine module, a dynamic response decision module, a strategy orchestration and execution module, and a visualization control module. Through multi-source data fusion, dynamic confidence assessment, and adaptive strategy orchestration, collaborative defense is achieved.

Benefits of technology

It significantly improves threat response speed and accuracy, achieves an intelligent balance between security protection and business continuity, reduces alarm fatigue, enables refined and differentiated dynamic control, protects critical business assets, and allows defense strategies between modules within the system to self-optimize.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394958A_ABST
    Figure CN122394958A_ABST
Patent Text Reader

Abstract

The application discloses a kind of terminal detection response platform intelligent management and control system, including terminal data acquisition module, multi-source data fusion module, intelligent analysis engine module, dynamic response decision module, strategy arrangement execution module, visual general control module, self-learning optimization module.The application constructs the closed loop architecture of multi-source data fusion analysis, dynamic confidence evaluation and self-adaptive strategy arrangement, significantly improves the threat response speed and accuracy, realizes the intelligent balance of security protection and business continuity.The application can greatly reduce the alarm fatigue of security operation personnel, and changes passive response into active defense through predictive algorithm;The risk score based on terminal context realizes fine and differentiated dynamic control, and protects key business assets;The collaborative feedback mechanism between modules in the system enables the overall defense strategy to be self-optimized and adapt to the changing attack surface.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security technology, and more specifically to an intelligent management and control system for a terminal detection and response platform. Background Technology

[0002] Currently, with the increasing sophistication and covertness of cyberattacks, traditional endpoint security solutions, such as antivirus software that relies on signature-based matching, are no longer effective in dealing with unknown threats and advanced persistent attacks. To address this, endpoint detection and response platforms have emerged, providing threat detection and investigation capabilities by continuously monitoring endpoint behavior.

[0003] However, existing endpoint detection and response platforms still have significant shortcomings in intelligent management and control. Most platforms use static, rule-based behavior analysis engines, resulting in high false positive rates and difficulty in capturing multi-step, multi-stage attack chains. During the response and handling phase, the system can usually only execute preset isolation or removal actions, lacking the ability to dynamically assess the development of threats and cannot differentiate strategies based on the endpoint context and asset importance. This leads to rigid response actions, high resource consumption, and may even interrupt core business operations. Furthermore, the detection and response logic between different endpoints is independent, lacking an efficient collaborative management and control mechanism, making it difficult to form a globally optimal defense posture. Summary of the Invention

[0004] To address this issue, the present invention provides an intelligent management and control system for a terminal detection and response platform, which solves the problem in the prior art where the detection and response logics of different terminals are independent, lack an efficient collaborative management and control mechanism, and are difficult to form a globally optimal defense posture.

[0005] To achieve the above objectives, the present invention provides the following technical solution:

[0006] An intelligent management and control system for a terminal detection and response platform includes:

[0007] The terminal data acquisition module is configured to acquire real-time logs of process creation, network connection, file operation, and registry change behavior of the managed terminals.

[0008] A multi-source data fusion module is connected to the terminal data acquisition module and is configured to perform spatiotemporal correlation between the behavior log and network traffic log and threat intelligence database data to generate a fusion event.

[0009] The intelligent analysis engine module, connected to the multi-source data fusion module, is configured to extract multi-dimensional feature vectors of the fused events and, according to the formula... Calculate the overall threat confidence level ,in, For the first One characteristic, These are the preset weight coefficients for the corresponding features. For the normalization function, when A structured alarm is generated when the first threshold is exceeded;

[0010] The dynamic response decision module, connected to the intelligent analysis engine module, is configured to acquire the structured alarms and their corresponding confidence levels. And by combining the asset value level in the dynamic risk profile database of the controlled terminals with the current business sensitivity, dynamic response decision instructions are generated.

[0011] The strategy orchestration and execution module is connected to the dynamic response decision module and is configured to receive the dynamic response decision instruction, parse and combine it into an execution sequence of one or more preset atomic actions, and send it to the terminal for execution.

[0012] The visualization control module is connected to the intelligent analysis engine module and the dynamic response decision module, providing an interactive dashboard to display the system's operating status, and receiving external intervention commands to adjust the weight coefficients of the intelligent analysis engine module or override the dynamic response decision commands.

[0013] Preferably, the terminal data acquisition module includes:

[0014] The kernel event subscription unit captures process creation and file write operations through operating system hook functions;

[0015] The network stack filtering unit is configured to detect the destination IP address and port of outbound connections and match them with a pre-set list of malicious IPs.

[0016] The log cache queue uses a circular buffer to store the behavior logs within the most recent preset time period. When the buffer occupancy rate exceeds a second threshold, the logs are compressed and sent in batches to the multi-source data fusion module.

[0017] Preferably, the multi-source data fusion module is configured as follows:

[0018] Receive a process creation event from the kernel event subscription unit, the process creation event including a parent process identifier and a child process identifier;

[0019] Extract network connection events that overlap with the time window of the process creation event from the log cache queue;

[0020] The process behavior tree is formed by associating processes based on their process identifiers, with each node of the process behavior tree being associated with a corresponding network connection target.

[0021] The process behavior tree is matched with malicious domain names or IP addresses stored in the external threat intelligence database. If a match is successful, the entire process behavior tree is marked as the fusion event.

[0022] Preferably, the intelligent analysis engine module incorporates a gradient boosting decision tree model, and the multidimensional feature vector includes process chain depth, file operation entropy value within a preset time window, proportion of non-standard network connections, and the credit score of the parent process, wherein the file operation entropy value is based on... calculate, This represents the total number of file operation types. For the first The intelligent analysis engine module also calculates the sequence correlation between the generated structured alarm and the contextual historical events, based on the frequency of occurrence of the type of operation within the preset time window, and adjusts the comprehensive threat confidence level accordingly. .

[0023] Preferably, the dynamic response decision module maintains a dynamic risk profile library indexed by terminal identifier. Each profile entry includes a static asset level, dynamic behavior baseline deviation, and business continuity tag. The dynamic response decision module determines the risk profile based on the comprehensive threat confidence level. In addition to retrieving asset value levels and current business sensitivity from the aforementioned profile database, a pre-set decision matrix table is queried, and the dynamic response decision instruction, containing response type, response latency, and response granularity, is output. The decision matrix table is defined as follows: when... When the value is greater than 0.9 and the asset value level is high, the response type is configured as deep isolation regardless of the level of business sensitivity; when the value is less than 0.7... When the value is ≤0.9 and the business sensitivity is high, the response type is configured as process suspension and a non-zero response delay time is set.

[0024] Preferably, the policy orchestration execution module includes an atomic action library and a policy compiler. The atomic action library stores at least process termination, network port blocking, file isolation, registry rollback, and memory forensics actions. The policy compiler receives the dynamic response decision instruction, parses the response type and response delay time in the instruction, selects one or more atomic actions from the atomic action library, and combines them into the execution sequence according to a preset logical order. The execution sequence is encapsulated in JSON format and includes action identifiers, action parameters, and conditional execution branches. The policy orchestration execution module is also configured to check the current resource utilization rate of the terminal before executing the execution sequence. If the CPU utilization rate exceeds a third threshold, the execution is postponed according to the response delay time.

[0025] Preferably, the visualization control module is configured as follows:

[0026] In the first display area, all structured alerts output by the intelligent analysis engine module and their overall threat confidence levels are shown in a time-series diagram format. The curve of change;

[0027] In the second display area, the process behavior tree generated by the multi-source data fusion module is displayed in the form of a tree diagram, and nodes matched as malicious are highlighted.

[0028] In response to the selection operation of the highlighted node, an overwrite interface is provided for receiving the external intervention instruction, which includes modifying the risk label of the node from malicious to false alarm, or forcibly replacing the dynamic response decision instruction output by the dynamic response decision module with a user-defined instruction.

[0029] Preferably, it further includes a self-learning optimization module connected to the intelligent analysis engine module and the visualization control module. The self-learning optimization module is configured to: collect all alarms output by the intelligent analysis engine module and their corresponding confidence levels within a preset period. The visualization control module receives all external intervention commands that overwrite the dynamic response decision commands, and the execution results of the strategy orchestration and execution module, forming a closed-loop feedback dataset. This closed-loop feedback dataset is used to incrementally train the gradient boosting decision tree model in the intelligent analysis engine module to update the weight coefficients corresponding to the multidimensional feature vectors. The updated weighting coefficients are then sent to the intelligent analysis engine module.

[0030] The present invention has the following advantages: by constructing a closed-loop architecture of multi-source data fusion analysis, dynamic confidence assessment and adaptive strategy orchestration, the present invention significantly improves the speed and accuracy of threat response and achieves an intelligent balance between security protection and business continuity.

[0031] This invention can significantly reduce the alarm fatigue of security operations personnel, transforming passive response into proactive defense through predictive algorithms; risk scoring based on terminal context enables refined and differentiated dynamic control, protecting critical business assets; and the collaborative feedback mechanism between modules within the system enables the overall defense strategy to self-optimize and adapt to the ever-changing attack surface. Attached Figure Description

[0032] To more intuitively illustrate the prior art and this application, exemplary drawings are provided below. It should be understood that the specific shapes and structures shown in the drawings should not generally be regarded as limiting conditions for implementing this application; for example, based on the technical concept disclosed in this application and the exemplary drawings, those skilled in the art are able to easily make conventional adjustments or further optimizations to the addition / reduction / classification, specific shapes, positional relationships, connection methods, size ratios, etc. of certain units (components).

[0033] Figure 1 This is a block diagram of an intelligent management and control system for a terminal detection and response platform provided in an embodiment of this application. Detailed Implementation

[0034] The following specific embodiments illustrate the implementation of the present invention. Those skilled in the art can easily understand other advantages and effects of the present invention from the content disclosed in this specification. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. It should be understood that these embodiments are merely for further explanation of the present invention and should not be construed as limiting the scope of protection of the present invention. Technical engineers in the field can make some non-essential improvements and adjustments to the present invention based on the above-described content. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0035] Please see Figure 1 An intelligent management and control system for a terminal detection and response platform, comprising:

[0036] The terminal data acquisition module is configured to acquire real-time logs of process creation, network connection, file operation, and registry change behavior of the managed terminals.

[0037] A multi-source data fusion module is connected to the terminal data acquisition module and is configured to perform spatiotemporal correlation between the behavior log and network traffic log and threat intelligence database data to generate a fusion event.

[0038] The intelligent analysis engine module, connected to the multi-source data fusion module, is configured to extract multi-dimensional feature vectors of the fused events and, according to the formula... Calculate the overall threat confidence level ,in, For the first One characteristic, These are the preset weight coefficients for the corresponding features. For the normalization function, when A structured alarm is generated when the first threshold is exceeded;

[0039] The dynamic response decision module, connected to the intelligent analysis engine module, is configured to acquire the structured alarms and their corresponding confidence levels. In conjunction with the asset value level in the dynamic risk profile database of the controlled terminals and the current business sensitivity (by identifying whether the process name contains specific keywords or reading the business tags registered by the terminal to determine business sensitivity), dynamic response decision instructions are generated.

[0040] The strategy orchestration and execution module is connected to the dynamic response decision module and is configured to receive the dynamic response decision instruction, parse and combine it into an execution sequence of one or more preset atomic actions, and send it to the terminal for execution.

[0041] The visualization control module is connected to the intelligent analysis engine module and the dynamic response decision module, providing an interactive dashboard to display the system's operating status, and receiving external intervention commands to adjust the weight coefficients of the intelligent analysis engine module or override the dynamic response decision commands.

[0042] The following embodiments are provided, in which the system is deployed in an enterprise security center and connected to agents distributed across various terminal devices via a network.

[0043] In one specific implementation, the system includes the following core modules: a terminal data acquisition module, a multi-source data fusion module, an intelligent analysis engine module, a dynamic response decision-making module, a strategy orchestration and execution module, and a visualization control module.

[0044] The terminal data acquisition module is configured to acquire real-time logs of process creation, network connections, file operations, and registry changes of the managed terminals. This module incorporates a lightweight filter that only reports events that meet preset initial screening criteria, such as accessing sensitive paths or connecting to untrusted domains, to reduce system overhead.

[0045] The multi-source data fusion module receives raw events from the terminal data acquisition module and correlates them with external data from network traffic probes and threat intelligence databases. For example, it spatiotemporally correlates an abnormal process event of a terminal with suspicious domain name resolution requests detected by the network side within the same time period to form a complete security event context.

[0046] The intelligent analysis engine module is the core processing unit of the system. This module deploys a lightweight classification model based on Gradient Boosting Decision Tree (GBDT). For each input fusion event, the engine extracts N feature vectors, including process chain depth, file operation entropy, and network connection frequency. File operation types include creation, reading, writing, deletion, and attribute modification, denoted as V(f1,f2,...,fN). The engine uses the following formula:

[0047]

[0048] Calculate the overall threat confidence level of this event. ,in, Features Pre-trained weight coefficients, This is the Min-Max normalization function. When the calculated confidence level C exceeds the first threshold (e.g., 0.75), the intelligent analysis engine module determines it as a high-risk threat and generates a structured alert containing the threat type, scope of impact, and confidence level.

[0049] The dynamic response decision module receives alarms and confidence levels from the intelligent analysis engine module. This module maintains a dynamic endpoint risk profile database, recording each endpoint's historical security score, asset value level (high, medium, low), and current business sensitivity (e.g., whether a critical transaction process is currently running). The decision-making module relies on a comprehensive decision function, which is not a simple threshold comparison but a multi-factor weighted score. For example, regarding confidence level... For alarms with a value of 0.85, if the corresponding terminal asset value is high and the business sensitivity is low, the comprehensive decision score is "immediate response"; if the asset value is high and the business sensitivity is also high, the score is "delayed confirmation and handling during business downtime", thereby avoiding interruption of critical business.

[0050] The strategy orchestration and execution module is responsible for converting the scoring results from the dynamic response decision module into specific, executable instruction sequences. This module pre-configures various atomic actions such as "deep isolation," "network blocking," "process suspension," and "evidence rollback." Based on the decision instructions, the strategy orchestration and execution module dynamically combines these actions from the action library to form a handling strategy. For example, for the aforementioned "handling during business downtime" instruction, the module generates a scheduled task: during a predicted low-load period (e.g., 2 AM), it automatically executes "process suspension" to preserve memory evidence, then executes "evidence rollback," and finally triggers "network blocking."

[0051] The visualization control module provides an interactive dashboard to display the overall system status. Security administrators can manually intervene in any automated decisions through this module; for example, escalating an alarm deemed low-risk to high-risk, or temporarily shelving an upcoming isolation policy. This manual intervention serves as feedback samples for adjusting the weight coefficients wi of the intelligent analysis engine module during subsequent offline training.

[0052] In another specific implementation, to further enhance the system's predictive capability, the dynamic response decision module introduces a time decay function to update the terminal's dynamic risk score. When a terminal does not generate a new high-risk alarm within a time period T, its base risk score S0 is updated as follows: Current risk score S_current = S_base + S_decay, where S_base is the base score accumulated based on historical alarms.

[0053] S_decay=-λ*S0*(t_now-t_last) / T,

[0054] λ is the attenuation coefficient. This formula causes the risk score of the terminal to automatically decrease over time, avoiding "permanent stigmatization" and restoring the review threshold for the subsequent behavior of previously infected but recovered terminals to normal, thus reducing false alarms.

[0055] The system's self-learning optimization module periodically collects data from the entire processing flow: raw behavior collected from the terminal, and the output confidence level of the intelligent analysis engine. The dynamic response decision-making module records interventions up to the final outcome. This data forms a closed-loop feedback dataset. Using this dataset, the module incrementally trains the GBDT model within the intelligent analysis engine monthly (either periodic or offline), dynamically adjusting feature weights. This enables the system to adapt to new attack methods and continuously optimize the accuracy of threat detection.

[0056] In summary, this invention, through modular intelligent collaborative design, achieves fully automated control of the entire process from terminal data perception, multi-source fusion analysis, dynamic confidence assessment to adaptive strategy execution, effectively improving the overall security level of enterprise terminals.

[0057] The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of the present invention should be included within the protection scope of the present invention.

Claims

1. An intelligent control system for a terminal detection and response platform, characterized in that, include: The terminal data acquisition module is configured to acquire real-time logs of process creation, network connection, file operation, and registry change behavior of the managed terminals. A multi-source data fusion module is connected to the terminal data acquisition module and is configured to perform spatiotemporal correlation between the behavior log and network traffic log and threat intelligence database data to generate a fusion event. The intelligent analysis engine module, connected to the multi-source data fusion module, is configured to extract multi-dimensional feature vectors of the fused events and, according to the formula... Calculate the overall threat confidence level ,in, For the first One characteristic, These are the preset weight coefficients for the corresponding features. For the normalization function, when A structured alarm is generated when the first threshold is exceeded; The dynamic response decision module, connected to the intelligent analysis engine module, is configured to acquire the structured alarms and their corresponding confidence levels. And by combining the asset value level in the dynamic risk profile database of the controlled terminals with the current business sensitivity, dynamic response decision instructions are generated. The strategy orchestration and execution module is connected to the dynamic response decision module and is configured to receive the dynamic response decision instruction, parse and combine it into an execution sequence of one or more preset atomic actions, and send it to the terminal for execution. The visualization control module is connected to the intelligent analysis engine module and the dynamic response decision module, providing an interactive dashboard to display the system's operating status, and receiving external intervention commands to adjust the weight coefficients of the intelligent analysis engine module or override the dynamic response decision commands.

2. The intelligent control system for a terminal detection and response platform according to claim 1, characterized in that, The terminal data acquisition module includes: The kernel event subscription unit captures process creation and file write operations through operating system hook functions; The network stack filtering unit is configured to detect the destination IP address and port of outbound connections and match them with a pre-set list of malicious IPs. The log cache queue uses a circular buffer to store the behavior logs within the most recent preset time period. When the buffer occupancy rate exceeds a second threshold, the logs are compressed and sent in batches to the multi-source data fusion module.

3. The intelligent control system for a terminal detection and response platform according to claim 2, characterized in that, The multi-source data fusion module is configured as follows: Receive a process creation event from the kernel event subscription unit, the process creation event including a parent process identifier and a child process identifier; Extract network connection events that overlap with the time window of the process creation event from the log cache queue; The process behavior tree is formed by associating processes based on their process identifiers, with each node of the process behavior tree being associated with a corresponding network connection target. The process behavior tree is matched with malicious domain names or IP addresses stored in the external threat intelligence database. If a match is successful, the entire process behavior tree is marked as the fusion event.

4. The intelligent control system for a terminal detection and response platform according to claim 3, characterized in that, The intelligent analysis engine module incorporates a gradient boosting decision tree model. The multi-dimensional feature vector includes process chain depth, file operation entropy value within a preset time window, proportion of non-standard network ports, and the parent process's credit score. The file operation entropy value is based on... calculate, This represents the total number of file operation types. For the first The intelligent analysis engine module also calculates the sequence correlation between the generated structured alarm and the contextual historical events, based on the frequency of occurrence of the type of operation within the preset time window, and adjusts the comprehensive threat confidence level accordingly. .

5. The intelligent control system for a terminal detection and response platform according to claim 3, characterized in that, The dynamic response decision module maintains a dynamic risk profile database indexed by terminal identifier. Each profile entry includes a static asset level, dynamic behavior baseline deviation, and business continuity tag. The dynamic response decision module determines the risk profile based on the comprehensive threat confidence level. In addition to retrieving asset value levels and current business sensitivity from the aforementioned profile database, a pre-set decision matrix table is queried, and the dynamic response decision instruction, containing response type, response latency, and response granularity, is output. The decision matrix table is defined as follows: when... When the value is greater than 0.9 and the asset value level is high, the response type is configured as deep isolation regardless of the level of business sensitivity; when the value is less than 0.7... When the value is ≤0.9 and the business sensitivity is high, the response type is configured as process suspension and a non-zero response delay time is set.

6. The intelligent control system for a terminal detection and response platform according to claim 5, characterized in that, The policy orchestration and execution module includes an atomic action library and a policy compiler. The atomic action library stores at least process termination, network port blocking, file isolation, registry rollback, and memory forensics actions. The policy compiler receives the dynamic response decision instructions, parses the response type and response delay time in the instructions, selects one or more atomic actions from the atomic action library, and combines them into the execution sequence according to a preset logical order. The execution sequence is encapsulated in JSON format and includes action identifiers, action parameters, and conditional execution branches. The policy orchestration and execution module is also configured to check the current resource utilization rate of the terminal before executing the execution sequence. If the CPU utilization rate exceeds a third threshold, the execution is postponed according to the response delay time.

7. The intelligent control system for a terminal detection and response platform according to claim 6, characterized in that, The visualization control module is configured as follows: In the first display area, all structured alerts output by the intelligent analysis engine module and their overall threat confidence levels are shown in a time-series diagram format. The curve of change; In the second display area, the process behavior tree generated by the multi-source data fusion module is displayed in the form of a tree diagram, and nodes matched as malicious are highlighted. In response to the selection operation of the highlighted node, an overwrite interface is provided for receiving the external intervention instruction, which includes modifying the risk label of the node from malicious to false alarm, or forcibly replacing the dynamic response decision instruction output by the dynamic response decision module with a user-defined instruction.

8. The intelligent control system for a terminal detection and response platform according to claim 7, characterized in that, It also includes a self-learning optimization module, which is connected to the intelligent analysis engine module and the visualization control module. The self-learning optimization module is configured to: collect all alarms and corresponding confidence levels output by the intelligent analysis engine module within a preset period. The visualization control module receives all external intervention commands that overwrite the dynamic response decision commands, and the execution results of the strategy orchestration and execution module, forming a closed-loop feedback dataset. This closed-loop feedback dataset is used to incrementally train the gradient boosting decision tree model in the intelligent analysis engine module to update the weight coefficients corresponding to the multidimensional feature vectors. The updated weighting coefficients are then sent to the intelligent analysis engine module.