A network access behavior alarm noise reduction method

By constructing a unified evidence object and utilizing multi-agent multi-level noise reduction, the problems of false alarms and duplicate alarms in Web access behavior alarms are solved, achieving efficient alarm noise reduction and interpretable processing actions, and improving the automation level of security operations.

CN122394959APending Publication Date: 2026-07-14BEIJING VENUS INFORMATION SECURITY TECH +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING VENUS INFORMATION SECURITY TECH
Filing Date
2026-06-05
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing security products have a high false alarm rate when generating web access behavior alerts, and cannot effectively distinguish between normal access and attack behavior. This results in a large number of normal accesses being misidentified as security threats, and there are many repeated alerts. Furthermore, there is a lack of auditable intelligent adjudication mechanisms.

Method used

A unified evidence object is constructed, which includes identity features, behavioral features, and network semantic features. Multiple dedicated intelligent agents perform multi-level noise reduction processing and conflict resolution adjudication to generate interpretable processing actions, thereby reducing false alarm rate and duplication rate.

Benefits of technology

It effectively reduced the false alarm rate, improved the automation level and decision interpretability of security operations, reduced alarm fatigue, and enabled the automatic merging and clear handling actions of multiple similar alarms during the same access process.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394959A_ABST
    Figure CN122394959A_ABST
Patent Text Reader

Abstract

The application discloses a network access behavior alarm noise reduction method, and relates to the field of network security, comprising: associating and structurally processing a target alarm and multi-source context data to obtain a unified evidence object containing identity, behavior and network semantic features. The unified evidence object is input into multiple professional agents to trigger each agent to generate a candidate hypothesis. Further, multi-level noise reduction processing is performed on the target alarm to obtain layered noise reduction results. Based on the multiple candidate hypotheses and the layered noise reduction results, conflict resolution and adjudication are performed to obtain a processing action. The application effectively reduces the alarm false alarm rate and repetition rate, and improves the automation level and decision-making interpretability of security operation by constructing a unified evidence object, introducing multi-agent parallel hypothesis and cross-validation, combining three-level joint noise reduction, and outputting an executable action with risk constraints.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of network security technology, and in particular to a method for reducing noise in network access behavior alarms. Background Technology

[0002] With the rapid development of enterprise information systems, internet business systems, and cloud-native applications, access to web applications, web services, and API interfaces is continuously increasing. Existing security products typically generate security alerts based on rule matching, feature recognition, anomaly detection, or threat intelligence. However, in actual security operation scenarios, existing technical solutions often trigger alerts based on single access logs, single request content, or single attack characteristics, leading to a high false positive rate as many legitimate accesses are misidentified as security threats, which no longer meets the requirements. Summary of the Invention

[0003] In view of the above problems, this application provides a method for reducing network access behavior alarm noise, so as to reduce the false alarm rate, improve the automation level of security operations, and enhance the interpretability of decision-making. The specific solution is as follows:

[0004] The first aspect of this application provides a method for reducing noise in network access behavior alarms, including:

[0005] The acquired target network access behavior alarms and associated multi-source context data are correlated and structured to obtain a unified evidence object; the unified evidence object includes at least: identity feature sub-object, behavior feature sub-object and network semantic feature sub-object;

[0006] The unified evidence object is input into multiple specialized intelligent agents, triggering each specialized intelligent agent to reason about the unified evidence object based on its own analytical perspective and generate corresponding candidate hypotheses.

[0007] The target network access behavior alarm is subjected to multi-level noise reduction processing to obtain a layered noise reduction result;

[0008] Based on the candidate hypotheses and the hierarchical noise reduction results, conflict resolution and adjudication operations are performed to obtain the processing actions for the target network access behavior.

[0009] In one possible implementation, the plurality of dedicated intelligent agents include: a malicious assumption intelligent agent, a benign assumption intelligent agent, and a business exception assumption intelligent agent;

[0010] The malicious hypothesis agent is configured to: analyze the unified evidence object from the perspective of attack behavior, identify whether the unified evidence object has attack characteristics, and output malicious type candidate hypotheses;

[0011] The benign hypothesis agent is configured to: analyze the unified evidence object from the perspective of normal business behavior, identify whether the unified evidence object conforms to the subject's historical behavior baseline or role access boundary, and output benign type candidate hypothesis;

[0012] The business exception hypothesis agent is configured to: analyze the unified evidence object from the perspective of business-permitted abnormal behavior, identify whether the unified evidence object hits the release window, duty schedule or automated task schedule, and output candidate hypotheses for business exception types.

[0013] In one possible implementation, the execution process of each dedicated agent when generating the candidate hypotheses includes:

[0014] Determine the hypothesis type identifier and initial confidence level of the candidate hypotheses;

[0015] Extract key evidence supporting the candidate hypothesis to obtain a set of supporting evidence;

[0016] Identify conflicting evidence that refutes the candidate hypothesis to obtain a set of counter-evidence;

[0017] Generate a set of items to be verified that are suggested for further validation;

[0018] The hypothesis type identifier, the initial confidence level, the supporting evidence set, the counter-evidence set, and the set of items to be verified are packaged into a structured candidate hypothesis object and output.

[0019] In one possible implementation, after generating the candidate hypotheses, the process further includes:

[0020] At least one validation factor generated independently of the candidate hypothesis is invoked, the validation factor including: historical baseline validation factor, role permission validation factor, planned task validation factor, or threat intelligence validation factor;

[0021] The verification factor is used to verify each candidate hypothesis, determine the verification strength and confidence level of each candidate hypothesis, and adjust the confidence level of each candidate hypothesis based on the verification results.

[0022] In one possible implementation, the construction of the unified evidence object also includes:

[0023] Calculate the first consistency measure between the identity feature sub-object and the network semantic feature sub-object;

[0024] Calculate a second consistency measure between the identity feature sub-object and the behavior feature sub-object;

[0025] Calculate the third consistency measure between the behavioral feature sub-object and the network semantic feature sub-object;

[0026] A ternary binding score is generated based on the first consistency measure, the second consistency measure, and the third consistency measure. The ternary binding score is used to characterize the degree of coordination among the identity feature sub-object, the behavioral feature sub-object, and the network semantic feature sub-object, and is used as a component of the unified evidence object.

[0027] In one possible implementation, the multi-level noise reduction processing includes at least two of the following processes: alarm-level noise reduction processing, session-level noise reduction processing, and association graph-level noise reduction processing.

[0028] The alarm-level noise reduction process includes: assessing the independent retention value of the target network access behavior alarm based on the confidence level of the candidate hypothesis, the local risk of the target network access behavior alarm, and the sensitivity of the target asset;

[0029] The session-level noise reduction process includes: acquiring multiple associated alarms belonging to the same access session as the target network access behavior alarm, identifying the redundancy relationship between the multiple associated alarms, and performing a merging operation;

[0030] The process of the associated graph-level noise reduction includes: constructing a heterogeneous relation graph containing multiple session nodes and associated edges, determining the graph-level risk score of the event cluster where the target network access behavior alarm is located, and judging whether the event cluster belongs to an attack chain, a business task cluster or an isolated abnormal event based on the graph-level risk score.

[0031] In one possible implementation, the process of handling conflict resolution and adjudication operations also includes:

[0032] Calculate the noise reduction benefit of suppressing the target network access behavior alarm, the noise reduction benefit being determined based on at least one of the alarm redundancy, low value score, and merging benefit;

[0033] Calculate the risk of false suppression of the target network access behavior alarm, wherein the risk of false suppression is determined based on at least one of the following: the confidence level of the malicious hypothesis, the graph-level risk of the event cluster in which it is located, the sensitivity of the target asset, and the cost of missed reporting;

[0034] The noise reduction benefit is compared with a preset benefit threshold, and the false compression risk is compared with a preset risk threshold. Based on the comparison results, the processing action is selected from a preset action space.

[0035] In one possible implementation, the conflict resolution and adjudication operation includes:

[0036] Obtain the post-verification confidence of each of the multiple candidate hypotheses, and identify whether there are conflicting hypothesis pairs;

[0037] When conflicting pairs of hypotheses exist, the session-level denoising result in the hierarchical denoising result is called to determine the first target hypothesis in the hypothesis pair. The first target hypothesis is characterized by being consistent with the hypothesis distribution of other alarms within the same access session. Alternatively, the association graph-level denoising result in the hierarchical denoising result is called to determine the second target hypothesis in the hypothesis pair. The second target hypothesis is characterized by being consistent with the overall risk label of the event cluster.

[0038] Based on the resolution indication of the session-level denoising result or the correlation graph-level denoising result, the weakened hypotheses are eliminated and the strengthened hypotheses are retained to obtain the resolved hypothesis set;

[0039] Based on the resolved hypothesis set and the hierarchical noise reduction results, the noise reduction benefits and false suppression risks of suppressing the current alarm are calculated. Based on the comparison results of the noise reduction benefits and the false suppression risks, a processing action is selected from the preset action space as the final decision result.

[0040] In one possible implementation, the step of acquiring multiple associated alarms belonging to the same access session as the target network access behavior alarm, identifying the redundancy relationship between the multiple associated alarms, and performing a merging operation includes:

[0041] Obtain the session identifier, token identifier, tracking identifier, timestamp, request path, and client fingerprint information associated with the target network access behavior alarm;

[0042] Based on at least one of the following factors: session identifier, token identifier, tracking identifier, temporal proximity decay factor, path similarity, and client fingerprint similarity, calculate the session similarity between the target network access behavior alarm and other alarms;

[0043] Determine whether the session similarity reaches a preset similarity threshold;

[0044] If the target network access behavior alarm is reached, it will be determined that the target network access behavior alarm and the other alarms belong to the same access session. Redundancy analysis will be performed on multiple alarms within the access session, representative sub-alarms will be retained and the remaining alarms will be merged.

[0045] In one possible implementation, the network access behavior alarm noise reduction method further includes:

[0046] Obtain at least one feedback information from the following sources: manual review results, work order closed-loop results, and post-attack confirmation results;

[0047] Based on the feedback information, the sets of false alarms, false negatives, or false true alarms are statistically analyzed.

[0048] The feedback loss function value is calculated based on the statistical results. The feedback loss function value represents the weighted sum of the cost of false alarm, the cost of missed alarm, and the cost of false positives.

[0049] In the direction of minimizing the value of the feedback loss function, update at least one of the following: the weights of the multiple professional agents, the threshold used in the adjudication operation, the historical baseline model, the business exception rule base, or the session aggregation parameters.

[0050] A second aspect of this application provides a computer program product including computer-readable instructions that, when executed on an electronic device, cause the electronic device to implement the network access behavior alarm noise reduction method described in the first aspect or any implementation thereof.

[0051] A third aspect of this application provides an electronic device, comprising at least one processor and a memory connected to the processor, wherein:

[0052] The memory is used to store computer programs;

[0053] The processor is used to execute the computer program so that the electronic device can implement the network access behavior alarm noise reduction method described in the first aspect or any implementation thereof.

[0054] A fourth aspect of this application provides a computer storage medium carrying one or more computer programs, which, when executed by an electronic device, enable the electronic device to implement the network access behavior alarm noise reduction method described in the first aspect or any implementation thereof.

[0055] By employing the aforementioned technical solutions, the network access behavior alarm denoising method provided in this application constructs a unified evidence object encompassing identity, behavior, and network semantics, enabling alarm analysis to possess contextual completeness. This allows for the identification of normal business behaviors (such as scheduled tasks and post-release verification) that cannot be distinguished by a single alarm, thereby effectively reducing false alarms. Through multi-level denoising processing, it can identify the correlation and repetition between alarms at different granularities (single alarm, session, and correlation graph), achieving automatic merging of multiple similar alarms during the same access process and alleviating alarm fatigue. By generating candidate hypotheses in parallel through multiple agents and resolving conflicts based on hypotheses and denoising results, it outputs processing actions with clear operational semantics, making the alarm denoising process auditable and verifiable, and directly driving downstream automated processing systems. Attached Figure Description

[0056] The above and other features, advantages, and aspects of the embodiments of this disclosure will become more apparent from the accompanying drawings and the following detailed description. Throughout the drawings, the same or similar reference numerals denote the same or similar elements. It should be understood that the drawings are schematic, and the originals and elements are not necessarily drawn to scale.

[0057] Figure 1 A flowchart of a network access behavior alarm noise reduction method provided in this application;

[0058] Figure 2 This application provides a schematic diagram of hypothesis generation based on multi-agent systems.

[0059] Figure 3 A schematic diagram of a three-stage joint noise reduction method provided in this application;

[0060] Figure 4 A structural diagram of a network access behavior alarm noise reduction system provided in this application;

[0061] Figure 5 This is a structural diagram of an electronic device provided in this application. Detailed Implementation

[0062] The embodiments of this application are described below with reference to the accompanying drawings. The terminology used in the implementation section of this application is for explaining specific embodiments only and is not intended to limit the scope of this application.

[0063] The embodiments of this application will now be described with reference to the accompanying drawings. Those skilled in the art will recognize that, with technological advancements and the emergence of new scenarios, the technical solutions provided in the embodiments of this application are equally applicable to similar technical problems.

[0064] The terms "first," "second," etc., used in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such terms are interchangeable where appropriate; this is merely a way of distinguishing objects with the same attributes in the embodiments of this application. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion, so that a process, method, system, product, or apparatus that comprises a series of elements is not necessarily limited to those elements, but may include other elements not explicitly listed or inherent to those processes, methods, products, or apparatuses.

[0065] Currently, in actual security operation scenarios, existing technologies commonly have the following shortcomings in generating web access behavior alerts:

[0066] High false alarm rate: Existing solutions typically trigger alarms based on a single access log, a single request, or a single attack feature. They do not make sufficient use of contextual information such as user identity, terminal environment, business role, time window, historical access baseline, system change status, and session continuity. This leads to a large number of normal operation and maintenance behaviors, batch business calls, system inspections, automated tests, legitimate crawlers, or short-term business fluctuations being mistakenly identified as security threats.

[0067] Numerous duplicate alerts: The same access session, the same abnormal scanning behavior, the same interface call chain, or the same attack phase often triggers multiple security alerts with similar content, adjacent timing, and similar targets. Existing alert centers typically display and handle alerts at the individual alert level, requiring security analysts to manually merge and investigate a large number of duplicate alerts, significantly increasing alert fatigue.

[0068] Existing noise reduction methods are rather crude: although some solutions provide alarm suppression, similar alarm merging, or priority adjustment functions, most of them rely on static thresholds, manual configuration rules, or simple similarity calculations. They are difficult to comprehensively consider the complex relationship between Web request ontology semantics, access subject attributes, degree of behavioral deviation, and business exceptions, which can easily lead to the mistaken suppression of critical alarms or the omission of high-risk alarms.

[0069] Lack of auditable intelligent adjudication mechanisms: With the development of large-scale models and intelligent analysis technologies, some systems have attempted to utilize machine learning or intelligent agents to assist in security analysis. However, most solutions remain at the level of single scoring, simple classification, or generating explanatory text, and have not yet formed an executable, auditable, multi-agent collaborative adjudication mechanism for Web access alarm noise reduction. In particular, there is a lack of a unified noise reduction method that can simultaneously cover single alarm judgment, intra-session aggregation, and cross-session correlation analysis.

[0070] To address the aforementioned problems, this application provides a method for reducing noise in network access behavior alarms. The method for reducing noise in network access behavior alarms according to this application will be described in detail below with reference to the accompanying drawings.

[0071] Reference Figure 1 , Figure 1 The flowchart of a network access behavior alarm noise reduction method provided in the embodiments of this application may include steps S101 to S104, which are described in detail below.

[0072] Step S101: The obtained target network access behavior alarms and associated multi-source context data are correlated and structured to obtain a unified evidence object; the unified evidence object includes at least: identity feature sub-object, behavior feature sub-object and network semantic feature sub-object.

[0073] Specifically, when a relevant alarm signal occurs, the system will be triggered to acquire target network access behavior alarms (e.g., an SQL injection alarm triggered by a web application firewall), and collect multi-source context data associated with the alarm, including but not limited to: web access logs, authentication logs, asset information, threat intelligence, etc. Then, this multi-source context data will be correlated and structured to obtain a unified evidence object. This unified evidence object includes at least:

[0074] Identity feature sub-object: contains information about the entity that initiated the access, such as user account, source IP address, role, terminal fingerprint, etc.

[0075] Behavioral characteristics sub-object: contains access behavior pattern information, such as request frequency, URL template distribution, access time window, request interval, etc.

[0076] Network semantic feature sub-objects contain semantic information about the request, such as URL path, HTTP method, request parameters, payload content, and response status. Ultimately, this elevates what was originally an isolated alert to a structured analysis object with rich context.

[0077] Step S102: Input the unified evidence object into multiple professional agents respectively, triggering each professional agent to reason about the unified evidence object based on its own analytical perspective and generate corresponding candidate hypotheses.

[0078] Specifically, the multiple dedicated intelligent agents include at least one agent for judging attack behavior and one agent for judging business exceptions. Each dedicated intelligent agent reasones about the unified evidence object based on its own analytical perspective. For example, the malicious hypothesis agent analyzes whether the URL parameters contain SQL injection features or XSS attack payloads; the business exception hypothesis agent checks whether the current access time matches a preset release window, or whether the access source IP belongs to a known automated testing server. After each agent's reasoning, a corresponding candidate hypothesis is generated, such as: the access is an SQL injection attack, the access is a post-release health check, etc.

[0079] Step S103: Perform multi-level noise reduction processing on the target network access behavior alarm to obtain the layered noise reduction result.

[0080] Specifically, at least two levels of noise reduction processing can be performed, such as alarm-level noise reduction processing: assessing the independent value of the current individual alarm. For example, if the alarm has a very high degree of malicious confidence and the target asset is a core database, its independent value is high. Conversely, if the semantic features of the alarm indicate that it is a simple 404 probe, its value is low.

[0081] Session-level noise reduction: Obtain other alarms belonging to the same access session as the alarm (e.g., multiple consecutive requests under the same Session ID), and identify redundancy relationships among these alarms. If multiple alarms under the same session have highly similar content (e.g., multiple scans of the same URL template by the same IP), they are judged as redundant and merged.

[0082] Step S104: Based on multiple candidate hypotheses and the hierarchical noise reduction results, perform conflict resolution and adjudication operations to obtain the processing actions for the target network access behavior.

[0083] Specifically, conflict resolution and adjudication operations can be performed based on multiple candidate hypotheses (e.g., the malicious hypothesis has a confidence level of 80%, and the business exception hypothesis has a confidence level of 70%) and the results of hierarchical noise reduction (e.g., the alarm has a moderate independent value and belongs to a highly redundant session).

[0084] For example, when there is a conflict between the malicious hypothesis and the business exception hypothesis, the session-level noise reduction results can be combined to find that all alarms in the session show regular scanning characteristics. The behavior is ultimately determined to be a malicious scan, and a processing action with clear semantics is output, such as merging or suppression, so that the final output processing action can be directly used to guide the downstream security operation system.

[0085] As can be seen from the above, this network access behavior alarm denoising method constructs a unified evidence object containing identity feature sub-objects, behavioral feature sub-objects, and network semantic feature sub-objects, placing the originally isolated single alarm within a multi-dimensional user behavior and business scenario for analysis. This allows many scenarios that previously relied on human experience for interpretation (such as on-duty inspections, post-release verification, and automated testing) to be clearly expressed at the algorithm level, effectively reducing the high false alarm rate caused by missing context. The unified evidence object is input into multiple dedicated agents, triggering each agent to generate candidate hypotheses. Further, multi-level denoising processing is performed on the target alarm to obtain hierarchical denoising results. Based on multiple candidate hypotheses and hierarchical denoising results, conflict resolution and adjudication are performed to obtain processing actions. By constructing a unified evidence object, introducing multi-agent parallel hypothesis and cross-validation, combining three-level joint denoising, and outputting executable actions with risk constraints, the method effectively reduces the false alarm rate and repetition rate of alarms, improving the automation level of security operations and the interpretability of decisions.

[0086] In some embodiments, for the convenience of subsequent scheme description, the following symbols are predefined:

[0087] For any original alert related to a web access behavior, denoted as This application does not directly address the original alarm. Instead of performing binary classification, the following mapping process is executed:

[0088] ;

[0089] in, This indicates the process of constructing the evidence object to be analyzed. This represents the process of generating and validating multi-agent hypotheses. This indicates the three-level combined noise reduction and motion decision-making process. This refers to the evidence object to be analyzed, formed after normalization and structuring. Indicates the alarm The set of hypotheses formed. This indicates the final output processing action.

[0090] Action space , can be represented as:

[0091] ;

[0092] in, Indicates inhibition. This indicates a downgrade. Indicates a merger. Indicates observation, Indicates reservation. This indicates an escalation of the response.

[0093] Construction of evidence objects to be analyzed:

[0094] The goal of constructing the evidence object to be analyzed is to elevate a single original web access behavior alert from a single record into a unified evidence object. This object needs to simultaneously contain subject identity information, behavioral pattern information, web request semantic information, business environment information, and local correlation clues, thus becoming a shared input for all subsequent intelligent agents and noise reduction modules.

[0095] First, data collection and normalization are performed: for any target alarm... First, context data is retrieved from multiple data sources. These data sources include at least access logs, authentication logs, endpoint logs, asset profiles, task schedules, whitelists and exception rules, threat intelligence, historical behavior data, and ticket results. Centered on the target alert, the following can be retrieved simultaneously: access logs for the current request and its preceding and following time windows, access sequences of the same subject within adjacent time windows, other requests within the same session or the same trace context, historical access samples of the same URL template or resource object, the same parameter pattern, historical alert samples with the same intelligence hit, the corresponding subject's role and authentication information, the corresponding resource's asset sensitivity and business tags, and whether there are release orders, shift schedules, automated tasks, and other external contexts at the current time.

[0096] Let the standardized context data set be:

[0097] ;

[0098] in, These represent request data, authentication data, asset data, plan data, intelligence data, and historical data, respectively. Further standardization is achieved through mapping functions. Unifying multi-source data:

[0099] ;

[0100] function This includes at least subject identifier mapping, session clue mapping, URL and resource template mapping, IP and network source mapping, unified timestamps, unified alarm levels, and unified asset identifiers. The purpose of this process is to ensure that all subsequent modules work based on the same set of object semantics, rather than repeatedly parsing and defining their own custom fields.

[0101] After standardization, a unified object of evidence to be analyzed is constructed around the original alarm. , can be represented as:

[0102] ;

[0103] in, For the purpose of identification, For the expression of behavior, For Web semantic representation, Representation for business and environmental context; This is an index for a local association graph.

[0104] The process of constructing an identity representation includes:

[0105] The core task of identity representation is to expand a visitor's profile from a simple account into a complete view of their identity and environment. This includes not only the account itself, but also roles, terminals, network information, and session details. Let the identity extraction function be... Then we have:

[0106] ;

[0107] in, Includes: user account, service account, or anonymous entity identifier; role, department, or organization affiliation; login method, authentication status, and MFA status; terminal fingerprint, browser fingerprint, and client information; source IP, network region, geographical location, and egress node; and relationships such as Session, Token, Cookie, and SSO.

[0108] In addition, in order to determine whether the current identity pattern deviates from the norm, the subject is constructed. Historical identity portrait And define identity deviation:

[0109] ;

[0110] in, Euclidean distance, cosine distance, Mahalanobis distance, or other inverse similarity functions can be used.

[0111] The process of constructing behavioral representations includes:

[0112] The purpose of constructing a behavioral representation is to characterize the pattern in which the current access occurs. Let the extraction function of the behavioral representation be... Then we have:

[0113] ;

[0114] Behavioral representations may include at least: the number of requests in the current time window, the number of URL templates in the current time window, the target resource span, the request interval distribution, the intensity of burst access, the failure response ratio, the length of the page flow or call chain, the switching frequency between different resources, and the degree of deviation from the main historical baseline.

[0115] If constructing a profile of the subject's historical behavior Then, the behavioral deviation can be defined:

[0116] ;

[0117] This step helps to distinguish between different patterns such as stable script behavior, natural user behavior, and bursty scanning behavior.

[0118] The process of constructing Web semantic representations includes:

[0119] The purpose of constructing a Web semantic representation is to characterize the semantic rationality of the Web and APIs. Let the Web semantic extraction function be... Then we have:

[0120] ;

[0121] Web semantic representation includes at least: the original URL path and normalized template, path hierarchy and sensitivity, HTTP method, query parameter key set, body field structure, parameter value pattern and length distribution, location of suspicious payload fragments, Referer / Origin / Host consistency, Token / Cookie evolution relationship, response code and response body length, consistency with API schema, and degree of matching with session state machine.

[0122] The semantic consistency score is further defined as follows:

[0123] ;

[0124] in, This indicates consistency with the interface schema; Indicates continuity with the conversation flow; This indicates the degree of matching with the semantic expectations of the resource.

[0125] This part enables the system to go beyond simply checking if an attack keyword is hit, and instead understand whether the request is legitimate within the context of the interface.

[0126] The process of constructing the context representation includes:

[0127] The purpose of constructing a context representation is to characterize whether the current access is within an interpretable business environment. Let the context extraction function be... Then we have:

[0128] ;

[0129] The context should include at least the following: asset sensitivity level, whether it is under management backend, whether it is exposed to the external network, whether it is in the publishing window, whether it is in the duty window, whether it is an automated task, synchronous task or inspection task, whether it is in the whitelist or business exception rule, and whether there is a work order, publishing order or approval record.

[0130] Furthermore, the construction of the aforementioned unified evidence object also includes:

[0131] Calculate the first consistency measure between identity feature sub-objects and network semantic feature sub-objects.

[0132] Calculate the second consistency measure between identity feature sub-objects and behavioral feature sub-objects.

[0133] Calculate the third consistency measure between behavioral feature sub-objects and network semantic feature sub-objects.

[0134] The ternary binding score is generated based on the first consistency measure, the second consistency measure, and the third consistency measure. The ternary binding score is used to characterize the degree of coordination among the identity feature sub-object, the behavioral feature sub-object, and the network semantic feature sub-object, and is used as a component of the unified evidence object.

[0135] Specifically, unlike general feature sets, a three-element binding relationship is further constructed between identity, behavior, and Web semantics:

[0136] The consistency between identity and Web semantics is defined as: .

[0137] The consistency between identity and behavior is defined as: .

[0138] The consistency between behavior and Web semantics is defined as: .

[0139] The overall ternary binding score is:

[0140] ;

[0141] in, ;

[0142] The lower the score, the more likely the object exhibits an unusual inconsistency in its identity, behavior, and Web semantics. Conversely, a higher score indicates a greater likelihood of conforming to a normal or interpretable pattern.

[0143] Reference Figure 2 As shown, multi-agent hypothesis generation and verification:

[0144] For any object of evidence This application does not perform a single classification, nor does it directly classify whether a single alarm is dangerous. Instead, multiple dedicated intelligent agents generate candidate hypotheses from different interpretation spaces, constructing whether each hypothesis can be interpreted as malicious behavior, normal behavior, or business exception behavior. These dedicated intelligent agents include: a malicious hypothesis agent, a benign hypothesis agent, and a business exception hypothesis agent.

[0145] The malicious hypothesis agent is configured to: analyze the unified evidence object from the perspective of attack behavior, identify whether the unified evidence object has attack characteristics, and output malicious type candidate hypotheses.

[0146] The benign hypothesis agent is configured to: analyze the unified evidence object from the perspective of normal business behavior, identify whether the unified evidence object conforms to the subject's historical behavior baseline or role access boundary, and output benign type candidate hypotheses.

[0147] The business exception hypothesis agent is configured to: analyze the unified evidence object from the perspective of business-permitted abnormal behavior, identify whether the unified evidence object hits the release window, duty schedule or automated task schedule, and output candidate hypotheses for business exception types.

[0148] The execution process of each dedicated intelligent agent includes:

[0149] Determine the hypothesis type identifier and initial confidence level of the candidate hypotheses.

[0150] Extract key evidence that supports the candidate hypothesis to obtain a set of supporting evidence.

[0151] Identify conflicting evidence that refutes the candidate hypothesis to obtain a set of counter-evidence.

[0152] Generate a set of items to be verified that are suggested for further verification.

[0153] The hypothesis type identifier, initial confidence level, supporting evidence set, counter-evidence set, and set of items to be verified are packaged into a structured candidate hypothesis object and output.

[0154] Specifically, let the set of hypotheses be:

[0155] ;

[0156] in, Indicates malicious assumption; This indicates a benign assumption; This indicates a business exception assumption.

[0157] Each hypothesis is not a single label, but a structured object. This applies to any type. ,definition:

[0158] ;

[0159] in, Indicates the initial confidence level; This represents the set of supporting evidence; Denote the set of proofs against contradiction; This indicates an item to be verified.

[0160] Malicious hypothesis generation:

[0161] Malicious Hypothetical Agents: Analysis from an Attack Perspective The initial confidence level is defined as:

[0162] ;

[0163] Expanding further:

[0164] ;

[0165] in, Indicates the hazard level of parameters or loads; Indicates the degree of path detection and resource enumeration; Indicates the degree of suddenness of the anomaly; Indicates participation in high-risk assets; Indicates the strength of intelligence hit rate; This indicates the strength of high-risk connections at the graph level.

[0166] Malicious hypothetical agents focus on high-sensitivity path detection, parameter fuzzing, brute-force request rhythm, cross-resource enumeration, threat intelligence hits, and high-risk graph-level adjacencies, and output explanations for backend probing, parameter probing, abnormal access to high-sensitivity interfaces, and batch path enumeration.

[0167] Benign hypothesis generation:

[0168] Benign Hypothesis: Analyzing Intelligent Agents from the Perspective of Normal Behavioral Behavior Its initial confidence level is defined as:

[0169] ;

[0170] Expanding further:

[0171] ;

[0172] in, Indicates the matching degree of the role's access scope; Indicates the degree of matching of a normal conversation template; This indicates the matching degree of historical normal samples. A benign hypothesis is that the agent's output aligns with historical behavior, normal business access, and normal operational access.

[0173] Business exception assumption generation:

[0174] Business Exception Assumption: Analyzing the intelligent agent from the perspective of its unusual form but reasonable scenario. Its initial confidence level is defined as:

[0175] ;

[0176] Expanding further:

[0177] ;

[0178] in, This indicates whether the plan records match, such as release orders, task orders, and duty rosters. This indicates whether the current time falls within the corresponding window, i.e., the time window matching degree. This indicates whether the access scope is within the planned allowed range, i.e., the access scope matching degree. This indicates whether the behavior conforms to the known exception template, i.e., the exception template matching degree; This indicates whether there are historical exception samples supporting the data, i.e., the historical exception sample matching degree.

[0179] Based on the candidate hypotheses generated above, the following are also included:

[0180] Invoke at least one validation factor independent of the candidate hypothesis generation. Validation factors include: historical baseline validation factor, role permission validation factor, planned task validation factor, or threat intelligence validation factor.

[0181] Verification factors are used to test each candidate hypothesis, determine the verification strength and confidence level of each candidate hypothesis, and adjust the confidence level of each candidate hypothesis based on the verification results.

[0182] Specifically, for the three types of hypotheses mentioned above, their initial confidence levels are not directly compared; instead, verification is performed separately. For any type... The verification score is defined as follows:

[0183] ;

[0184] in, For the corresponding category of the first One validation factor.

[0185] Malicious verification includes: intelligence verification, graph-level high-risk association verification, payload consistency verification, and cross-asset extension verification. Benign verification includes: historical baseline verification, role-based permission verification, endpoint stability verification, and session continuity verification. Business exception verification includes: scheduled task verification, time window verification, access scope verification, approval record verification, and exception rule verification.

[0186] The credibility after verification is defined as:

[0187] ;

[0188] in, Indicates the strength of the counter-evidence; This is the normalization function.

[0189] This expression unifies the initial interpretation, external verification support, and counter-evidence weakening.

[0190] After verification, the maximum value of the three is not immediately taken as the conclusion, but rather... This information is retained for the subsequent three-stage noise reduction process. This is because in real-world scenarios, multiple interpretations often coexist and conflict with each other. Therefore, a single hypothesis layer does not make a final decision; only by combining session-level and graph-level information can a final decision be made.

[0191] Reference Figure 3 As shown, the multi-level noise reduction process includes at least two of the following: alarm-level noise reduction, session-level noise reduction, and association graph-level noise reduction.

[0192] The alarm-level noise reduction process includes: assessing the independent retention value of the target network access behavior alarm based on the confidence level of the candidate hypothesis, the local hazard of the target network access behavior alarm, and the sensitivity of the target asset.

[0193] The session-level noise reduction process includes: acquiring multiple related alarms belonging to the same access session as the target network access behavior alarm, identifying the redundancy relationship between the multiple related alarms, and performing a merging operation.

[0194] The process of graph-level noise reduction includes: constructing a heterogeneous relation graph containing multiple session nodes and relational edges, determining the graph-level risk score of the event cluster where the target network access behavior alarm is located, and judging whether the event cluster belongs to an attack chain, a business task cluster, or an isolated abnormal event based on the graph-level risk score.

[0195] Specifically, alarm-level noise reduction processing:

[0196] Alarm-level processing is for single alarms. Assess whether a single alarm has independent retention value. Define alarm level score as follows:

[0197] ;

[0198] in, The local risk level for a single request; Sensitivity to the target asset.

[0199] like If the value is high, it means that the alarm itself should be retained with priority; if If the level is low, then subsequent actions such as downgrading, merging, or suppressing should be considered.

[0200] Session-level noise reduction processing: This can be achieved by obtaining session identifiers, token identifiers, tracking identifiers, timestamps, request paths, and client fingerprint information associated with target network access behavior alarms.

[0201] Based on at least one of the following factors—session identifier, token identifier, tracking identifier, temporal proximity decay factor, path similarity, and client fingerprint similarity—the session similarity between the target network access behavior alarm and other alarms is calculated. Then, it is determined whether the session similarity reaches a preset similarity threshold.

[0202] If the target network access behavior alarm is reached, it will be determined that the alarm belongs to the same access session as other alarms. Redundancy analysis will be performed on multiple alarms within the access session, representative sub-alarms will be retained and the remaining alarms will be merged.

[0203] Specifically, session-level processing identifies whether multiple alerts belong to the same access process. The request... and Session similarity definition:

[0204]

[0205] ;

[0206] When satisfied If so, the two requests are considered to belong to the same session.

[0207] For alarms Participating Session The session-level score is defined as follows:

[0208] ;

[0209] in, This indicates the overall risk of the session; This indicates the redundancy level within the session.

[0210] The core of session-level processing lies in aggregating sub-alarms within the same access process and collapsing redundancy.

[0211] Correlation graph-level noise reduction processing:

[0212] The system further constructs a heterogeneous relationship graph on top of multiple sessions. Among them, nodes This includes main nodes, session nodes, alarm nodes, URL template nodes, parameter pattern nodes, asset nodes, intelligence nodes, and task nodes. This includes access relationship edges, same subject edges, same terminal edges, same session edges, similar parameter edges, intelligence sharing edges, task sharing edges, and temporal adjacency edges.

[0213] For alarms Event cluster The graph-level score is defined as:

[0214] ;

[0215] The significance of graph-level alerts is that seemingly weak alerts should be retained if they are located in high-risk clusters; conversely, seemingly abnormal alerts can be downgraded or observed as a whole if they are located in stable business subgraphs.

[0216] Furthermore, based on the above noise reduction processing, the processing steps for conflict resolution and adjudication also include:

[0217] Calculate the noise reduction benefit of suppressing target network access behavior alarms, the noise reduction benefit being determined based on at least one of the redundancy of the alarms, low value scores, and merging benefits;

[0218] Calculate the risk of false suppression of target network access behavior alarms. The risk of false suppression is determined based on at least one of the following: the confidence of malicious assumption, the graph-level risk of the event cluster, the sensitivity of the target asset, and the cost of underreporting.

[0219] The noise reduction benefit is compared with a preset benefit threshold, and the false compression risk is compared with a preset risk threshold. Based on the comparison results, the processing action is selected from the preset action space.

[0220] Specifically, in order to strike a balance between effective alarm suppression and high-fidelity performance, the benefits of noise reduction and the risk of false alarms are defined as follows:

[0221] ;

[0222] ;

[0223] in, This indicates that the benefits of suppressing the alarm have been eliminated; This indicates that the potential losses from the alarm have been suppressed.

[0224] Combined with the specific implementation process of conflict resolution and adjudication operations:

[0225] Obtain the post-validation confidence of each of the multiple candidate hypotheses and identify whether there are conflicting hypothesis pairs.

[0226] When there are conflicting pairs of hypotheses, the session-level denoising result in the hierarchical denoising result is called to determine the first target hypothesis in the hypothesis pair. The first target hypothesis is characterized as being consistent with the hypothesis distribution of other alarms within the same access session; or the association graph-level denoising result in the hierarchical denoising result is called to determine the second target hypothesis in the hypothesis pair. The second target hypothesis is characterized as being consistent with the overall risk label of the event cluster.

[0227] Based on the resolution indications of the session-level denoising results or the correlation graph-level denoising results, weakened hypotheses are eliminated, and strengthened hypotheses are retained to obtain the resolved hypothesis set.

[0228] Based on the resolved hypothesis set and the hierarchical noise reduction results, the noise reduction benefits and false suppression risks of suppressing the current alarm are calculated. Based on the comparison between the noise reduction benefits and false suppression risks, a processing action is selected from the preset action space as the final decision result.

[0229] That is, when performing conflict resolution and adjudication operations, the system first obtains the post-verification confidence scores of multiple candidate hypotheses. Identify whether there are conflicting hypothesis pairs (e.g., both the malicious hypothesis and the business exception hypothesis have high confidence levels).

[0230] When conflicting pairs of assumptions exist, the system invokes either the session-level denoising result or the correlation graph-level denoising result from the hierarchical denoising results for resolution:

[0231] Using session-level noise reduction results: determine which hypothesis in the hypothesis pair is consistent with the hypothesis distribution of other alarms within the same access session.

[0232] Using the correlation graph-level noise reduction results: determine which hypothesis in the hypothesis pair is consistent with the overall risk label of the event cluster.

[0233] Based on the resolution indications of the session-level or association graph-level denoising results, weakened hypotheses are eliminated, and enhanced hypotheses are retained to obtain the resolved hypothesis set.

[0234] The final action strategy is defined as follows:

[0235] ;

[0236] As can be seen from the above formula, the final action is not simply based on a single assumption or a single level, but rather a comprehensive interpretation of competition, multi-level relationships, and risk costs. This indicates that the present invention does not simply suppress whatever can be suppressed, but rather outputs suppression, degradation, merging, observation, retention, or escalation actions under multiple constraints.

[0237] To further optimize this technical solution, in some other embodiments, the network access behavior alarm noise reduction method further includes:

[0238] Obtain at least one feedback information from the following sources: manual review results, work order closed-loop results, and post-attack confirmation results.

[0239] Based on the feedback information, the sets of false alarms, missed alarms, or false positives are statistically analyzed.

[0240] The feedback loss function value is calculated based on the statistical results. The feedback loss function value represents the weighted sum of the costs of false alarms, false negatives, and false positives.

[0241] In the direction of minimizing the feedback loss function value, update at least one of the following: the weights of multiple professional agents, the threshold used in the adjudication operation, the historical baseline model, the business exception rule base, or the session aggregation parameters.

[0242] Specifically, to enable the system to have long-term adaptability, a feedback loop can be introduced. Let the set of false alarms over a certain time period be... The true report set is The set of missed reports is The feedback loss function is then defined as:

[0243] ;

[0244] in, To pay the price for false alarms As a consequence of underreporting, The price to pay for mistakenly reporting the truth.

[0245] Based on optimization minimization This is used to update hypothesis weights, validation factor weights, session thresholds, graph-level edge weights, action thresholds, exception rule bases, etc.

[0246] This network access behavior alarm noise reduction method constructs a three-element binding of identity, behavior, and web semantics for the evidence object to be analyzed. This allows the system to uniformly consider information such as who the accessing subject is, how the access occurred, whether the current request is reasonable in web semantics, and the business environment in which it takes place. In this way, many scenarios that previously relied on human experience for interpretation, such as on-duty inspections, post-release verification, partner synchronization, and automated testing, can be clearly expressed at the algorithm level, reducing false alarms at the source.

[0247] By constructing three types of explanatory spaces in parallel—malicious assumptions, benign assumptions, and business exception assumptions—the system is equipped to treat business exceptions as independent objects. Especially in actual enterprise operations, business exceptions are often the most concentrated source of alarm noise. This application models and verifies them separately, thus significantly improving stability and accuracy in complex scenarios.

[0248] Alarm-level processing ensures the system doesn't lose valuable local evidence due to session aggregation or graph aggregation. Session-level processing effectively collapses numerous duplicate sub-alarms within the same access process, while graph-level processing enables the system to identify attack chains, business task clusters, and clusters of events originating from the same source, thus avoiding two typical misjudgments: weak single-point alerts with strong global alerts or strong single-point alerts with weak global alerts. Through this three-level linkage, the total number of alarms seen by analysts is reduced without compromising the ability to identify truly high-risk events.

[0249] Because this solution outputs executable actions such as suppression, degradation, merging, observation, retention, and escalation, it can directly integrate with alarm centers, ticketing systems, SOAR platforms, and response orchestration systems. It not only tells analysts what the problem is, but also how to proceed.

[0250] By simultaneously evaluating the benefits of noise reduction and the cost of false alarms, the action decision-making is transformed from single-target alarm suppression to constrained safe alarm suppression, making the system more stable in highly sensitive environments and more practical in high-traffic environments.

[0251] Ultimately, the network access behavior processing structure, which consists of a continuous structure including the construction of evidence objects to be analyzed, the generation and verification of multi-agent hypotheses, three-level joint noise reduction, action adjudication, and feedback optimization, is something that existing single-model solutions, whitelist solutions, simple aggregation solutions, or generalized intelligent analysis solutions cannot achieve.

[0252] Based on the same design concept, embodiments of this application also provide a network access behavior alarm noise reduction system, referring to... Figure 4As shown, the network access behavior alarm noise reduction system includes: a data acquisition module 401, an evidence object construction module 402, a multi-agent analysis module 403, a cross-validation module 404, a three-level joint noise reduction module 405, an action adjudication module 406, and a feedback optimization module 407. Among them,

[0253] The data acquisition module 401 is used to access, aggregate, cache, and initially organize multi-source data related to target web access alarms, serving as the upstream entry point for the entire system. This module's role is not limited to log collection; rather, it undertakes the task of providing complete, correlated, and traceable original materials for subsequent evidence object construction. It can access one or more of the following data sources: web server access logs, reverse proxy logs, web application firewall alarm logs, API gateway call logs, application audit logs, authentication logs, single sign-on logs, terminal access logs, asset management platform data, configuration management database data, publishing platform data, task scheduling platform data, work order system data, threat intelligence platform data, and manual review feedback data.

[0254] The data acquisition module includes the following sub-functions: a log access sub-unit, used to access raw data through message queues, log brokers, API interfaces, file retrieval, or database synchronization; a time alignment sub-unit, used to resolve issues such as inconsistent timestamps, time zones, or clock drift across different systems; a field mapping sub-unit, used to uniformly map user identifiers, session identifiers, resource identifiers, asset identifiers, network sources, risk levels, etc., from different sources; a data deduplication and quality control sub-unit, used to remove duplicate, obviously damaged, or uncorrelated records, and to mark missing fields; and a buffering and indexing sub-unit, used to cache and quickly index context data related to target alarms according to dimensions such as subject, session, resource, time window, and event cluster.

[0255] The data acquisition module also has on-demand backtracking capability. When the system receives a target alarm, it not only acquires the alarm itself, but also automatically expands the query to a certain range of contextual data based on the alarm's subject identifier, session clues, resource templates, time windows, or intelligence hit relationships, so as to build a more complete object of evidence to be analyzed later.

[0256] The evidence object construction module 402 transforms the original alarm and its associated context into a high-fidelity, structured, and shareable unified analysis object. The design of this module directly determines the input quality for subsequent multi-agent inference and three-level joint denoising. This module includes at least: an identity representation construction subunit, a behavior representation construction subunit, a Web semantic representation construction subunit, a business context construction subunit, and a binding relationship construction subunit.

[0257] The identity representation construction subunit is used to extract subject information from authentication logs, access logs, terminal data, and organizational profile data, including: account type, role attributes, organization affiliation, login method, authentication strength, MFA status, terminal fingerprint, browser fingerprint, source IP, network region, geographical location, and session identifier. This subunit not only forms a static representation of the current subject but can also be associated with the subject's historical profile for subsequent calculation of identity deviation.

[0258] The behavior representation construction subunit is used to extract behavioral pattern information from the context request sequence, including: the number of requests within the current window, resource access span, URL template distribution, request interval statistics, burst access intensity, failure rate, page transition length, API call chain length, resource switching frequency, parameter change rate, and deviation from the historical behavior baseline. Through this subunit, the system can reconstruct what was originally an isolated single request into a more interpretable behavioral pattern.

[0259] The Web Semantic Representation subunit is used to characterize the legitimacy and risk of a request in terms of Web semantics. This subunit can at least parse the original URL path and template, path hierarchy and sensitivity, HTTP method, query parameter set, Body field structure, parameter value length and character distribution, location of suspicious payload fragments, Host / Origin / Referer consistency, Token / Cookie evolution relationship, response code and response body length pattern, consistency with API schema, and matching degree with session state machine. It enables the system not only to see whether rules are matched, but also to understand whether the request is semantically legitimate in terms of resources.

[0260] The business context construction subunit is used to supplement the business and environmental context in which the behavior occurs, including: asset sensitivity level, whether it is managed by the backend, whether it is exposed to the external network, whether it hits the release window, whether it hits the duty schedule, whether it hits the automated task, whether it hits the partner synchronization plan, whether it hits the whitelist or business exception rules, and whether there are work orders, release orders, approval orders, or plan records, etc. This part directly provides evidence for subsequent business exception assumptions.

[0261] The binding relationship construction subunit is used to establish explicit associations between identity representation, behavioral representation, and Web semantic representation. Its role is not to perform feature concatenation again, but to encode "what subject accessed what resource with what behavioral pattern, and whether this access is appropriate in the current context" into a single object. This binding relationship can be implemented through explicit rules, similarity functions, graph structure links, or vector representations, or a hybrid approach. Ultimately, this module outputs a unified object of evidence to be analyzed. It also includes local graph references and index relationships for all subsequent modules to share.

[0262] The multi-agent analysis module 403 does not simply score the input objects, but rather constructs multiple competing interpretations around the evidence to be analyzed. Unlike many existing parallel scoring schemes, the different agents in this module have clearly defined responsibilities, and the output is a structured hypothesis object, rather than just a single risk score. The multi-agent hypothesis generation module includes at least a malicious hypothesis generation subunit, a benign hypothesis generation subunit, and a business exception hypothesis generation subunit. It may also include a graph-assisted reasoning subunit, a rule enhancement subunit, a template retrieval subunit, and an evidence summarization subunit.

[0263] The malicious hypothesis generation subunit primarily interprets the current object from an attack perspective. Its focus includes, but is not limited to, high-sensitivity path access, abnormal path dispersion, parameter fuzzing, abnormal method access, response failure retry patterns, cross-resource probing, malicious intelligence hits, high-risk parameter fragments, and high-risk graph-level adjacency relationships. The output of this subunit includes not only the name and initial confidence level of the malicious hypothesis, but also supporting evidence, counter-evidence weakening the hypothesis, and items recommended for further verification.

[0264] The benign hypothesis generation subunit primarily interprets the current object from the perspective of normal business and operation. Its focus includes the subject's historical baseline, role access boundaries, commonly used terminal environments, normal call chain templates, and long-term stable sample patterns. For example, if a subject repeatedly exhibits similar behavior on a fixed terminal, a fixed time window, and a fixed resource template, this subunit will tend to generate benign hypotheses such as normal access or normal business link access that match the subject's profile.

[0265] The Business Exception Assumption Generation Subunit specifically handles behaviors that are formally abnormal but cannot be easily categorized as ordinary benign actions, such as post-release health checks, shift inspections, automated regression testing, partner batch synchronization, legal security scanning, compliance audits, load testing, or disaster recovery verification. This subunit generates corresponding assumptions by integrating release plans, shift schedules, task orders, approval records, historical exception templates, and the exception rule base. For example, if the current time is within the release window, the subject is a test task account, and the accessed resource happens to be within the scope of the release task, then this subunit will generate a "Post-Release Verification" business exception assumption.

[0266] Each of the above sub-units outputs a structured hypothesis object, which includes at least the hypothesis category, hypothesis name, initial confidence level, set of supporting evidence, set of counter-evidence, and set of items to be verified. Through this structured output, the system no longer relies on a single risk value, but rather preserves the diversity of interpretations.

[0267] The cross-validation module 404 is used to independently verify the hypotheses generated by multi-agent systems. This module does not simply repeat the verification process; instead, it introduces external evidence and constraints to confirm whether various hypotheses are true, whether they are weakened by strong counter-evidence, and whether they conflict with other known facts. The cross-validation module includes at least the following sub-units: historical baseline verification, role permission verification, terminal stability verification, session continuity verification, scheduled task verification, resource scope verification, whitelist and exception verification, threat intelligence verification, and graph-level high-risk adjacency verification.

[0268] The historical baseline verification subunit mainly verifies whether the current access is consistent with the subject's long-term historical pattern, such as whether similar resources are accessed in similar time periods, whether similar terminals and networks are used, and whether similar rhythm and parameter patterns are presented.

[0269] The role-permission verification subunit primarily verifies whether the resources currently accessed by the subject are within the scope of the role's authorization.

[0270] The terminal stability verification subunit mainly checks whether the current access terminal is the terminal that the subject has been using for a long time, or whether it has suddenly switched to an unfamiliar device, an unused network, or an abnormal geographical location.

[0271] The session continuity verification subunit is used to restore page flow or API call chain and determine whether the current request has reasonable preceding steps, such as whether the user is logged in or whether the necessary state transition has been completed.

[0272] The scheduled task verification subunit and the resource scope verification subunit are mainly used to verify business exception assumptions, that is, whether the current access is really within the time and scope allowed by a certain release, inspection, synchronization or test plan.

[0273] The threat intelligence verification subunit is used to confirm whether the source address, User-Agent, parameter fragment, or behavior template matches known malicious intelligence.

[0274] The graph-level high-risk adjacency verification subunit is used to confirm whether the current object has a strong association with existing high-risk sessions, attack event clusters, or malicious parameter patterns.

[0275] The output of the cross-validation module is not a single true / false judgment, but rather provides the credibility, evidence coverage, and strength of refutation for each type of hypothesis. These results are directly passed to the subsequent three-level joint noise reduction and action adjudication module.

[0276] The three-level joint noise reduction module 405 is used to perform redundancy removal, merging, and risk reassessment of alarms at different granularities. This module includes at least: an alarm-level processing subunit, a session-level processing subunit, and an association graph-level processing subunit.

[0277] The alarm-level processing subunit operates on a single original alarm. It combines multiple hypothesis verification results, the local risk level of a single request, the subject deviation, the behavior deviation, and the asset sensitivity to determine whether the alarm itself has independent retention value. If an alarm has strong local malicious intent, its representativeness should be retained even if it needs to be aggregated later; if an alarm itself has low local risk and the exception explanation is sufficient, it can be marked as a "noise reduction candidate".

[0278] The session-level processing subunit handles multiple alerts within the same access process. This subunit aggregates multiple sub-alerts into a single session object based on factors such as Session, Token, Cookie, Trace, subject, terminal, time proximity, URL template similarity, and call chain correlation. After aggregation, it further assesses the overall session risk and internal redundancy, selecting representative sub-alerts that must be retained and collapsing highly repetitive, low-value sub-alerts. Through this subunit, analysts ultimately see a single inspection session or scanning session, rather than dozens of fragmented alerts.

[0279] The relational graph-level processing subunit operates across session relationships. This subunit constructs a heterogeneous relational graph over multiple session objects. Nodes in the graph can include: subjects, sessions, alarms, URL templates, parameter patterns, assets, intelligence, and task nodes. Edges can represent access relationships, shared subject relationships, shared parameter pattern relationships, shared intelligence relationships, shared task relationships, and temporal adjacency relationships. The role of this subunit is to identify higher-level event clusters, thereby determining whether an alarm or session is an isolated anomaly, part of an attack chain, or part of a stable business task cluster.

[0280] These three levels do not work in parallel or in isolation, but rather complement each other. The alert level provides the value of a single point, the session level provides local aggregation relationships, and the graph level provides the global location. Even if an alert is not strong at a single point, it should not be suppressed if the graph level shows that it is at the center of a high-risk attack cluster; conversely, even if an alert is locally abnormal, it can be downgraded or observed if it is in a stable release task graph cluster.

[0281] The action decision module 406 is responsible for unifying the results of multiple hypothesis verification and the three-level joint noise reduction to output the final action. This module does not simply make a binary decision based on a certain score threshold, but simultaneously considers the benefits of suppressing the alarm and the potential risks of false alarm suppression. The action decision module includes at least: a conflict identification subunit, a benefit assessment subunit, a risk assessment subunit, and an action selection subunit.

[0282] The conflict identification subunit is used to determine whether there are obvious conflicts between malicious assumptions, benign assumptions, and business exception assumptions, and whether the conflicts can be resolved through session-level or graph-level results.

[0283] The benefit evaluation subunit is used to evaluate the noise reduction benefits of suppressing, downgrading or merging the current alarm, such as how much redundant display is reduced, how much repetitive workload is reduced, and whether multiple sub-alarms can be collapsed into a single session object.

[0284] The risk assessment subunit is used to assess the potential costs of suppressing a current alert, such as whether the alert is located on a highly sensitive asset, whether it belongs to a high-risk center at the graph level, or whether it may be a critical node in the attack chain.

[0285] The action selection sub-unit outputs actions such as suppression, downgrade, merging, observation, retention, or escalation after considering the overall benefits and risks. It can also include a summary of the action reason, supporting evidence, representative sub-alarms, and session / event cluster identifiers.

[0286] The action adjudication module also supports two operating modes: a conservative strategy and an aggressive strategy. The conservative strategy is suitable for highly sensitive environments and will prioritize avoiding false alarms of high-risk events. The aggressive strategy is suitable for environments with extremely high alarm volumes but with a well-established feedback system and will prioritize maximizing noise reduction benefits.

[0287] The feedback optimization module 407 is responsible for receiving manual review results, work order closure results, post-attack confirmation results, and newly added business rules, and updating the parameters of the aforementioned modules. This module transforms this application from a static rule system into a technical system with continuous adaptive capabilities. The feedback optimization module includes at least: a manual feedback receiving subunit, a closure result feedback subunit, a false alarm statistics subunit, a missed alarm tracing subunit, a parameter update subunit, and a rule update subunit.

[0288] The manual feedback receiving subunit is responsible for receiving the analyst's manual conclusions on a certain alarm or a certain type of alarm.

[0289] The closed-loop result feedback subunit is responsible for receiving the actual conclusions returned by the work order system, the processing system, or the post-investigation system.

[0290] The false alarm statistics subunit and the missed alarm tracing subunit are used to count the noise that was mistakenly retained and the true alarm that was mistakenly suppressed, respectively.

[0291] The parameter update subunit is used to update hypothesis weights, validation factor weights, session aggregation thresholds, graph-level edge weights, and action thresholds.

[0292] The rule update subunit is used to maintain and update whitelists, business exception rules, task templates, and high-risk mode templates.

[0293] This module allows for gradual convergence as business operations change and attacks evolve, rather than remaining in the initial configuration state for an extended period.

[0294] This application also provides an electronic device in its embodiments. (See reference...) Figure 5 The diagram illustrates a structural schematic suitable for implementing the electronic device in the embodiments of this application. The electronic device in the embodiments of this application may include, but is not limited to, fixed terminals such as laptops, desktop computers, etc. Figure 5 The electronic device shown is merely an example and should not impose any limitation on the functionality and scope of use of the embodiments of this application.

[0295] like Figure 5 As shown, the electronic device may include a processing unit (e.g., a central processing unit, a graphics processing unit, etc.) 501, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 502 or a program loaded from a storage device 508 into a random access memory (RAM) 503. When the electronic device is powered on, the RAM 503 also stores various programs and data required for the operation of the electronic device. The processing unit 501, ROM 502, and RAM 503 are interconnected via a bus 504. An input / output (I / O) interface 505 is also connected to the bus 504.

[0296] Typically, the following devices can be connected to I / O interface 505: input devices 506 including, for example, touchscreens, touchpads, keyboards, mice, cameras, microphones, accelerometers, gyroscopes, etc.; output devices 507 including, for example, liquid crystal displays (LCDs), speakers, vibrators, etc.; storage devices 508 including, for example, memory cards, hard drives, etc.; and communication devices 509. Communication device 509 allows electronic devices to communicate wirelessly or wiredly with other devices to exchange data. Although Figure 5 Electronic devices with various devices are shown, but it should be understood that it is not required to implement or have all of the devices shown. More or fewer devices may be implemented or have alternatively.

[0297] This application also provides a computer program product including computer-readable instructions, which, when executed on an electronic device, cause the electronic device to implement any of the network access behavior alarm noise reduction methods provided in this application.

[0298] This application also provides a computer-readable storage medium that carries one or more computer programs. When the one or more computer programs are executed by an electronic device, the electronic device can implement any of the network access behavior alarm noise reduction methods provided in this application.

[0299] It should also be noted that the device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. In addition, in the device embodiment drawings provided in this application, the connection relationship between modules indicates that they have a communication connection, which can be implemented as one or more communication buses or signal lines.

[0300] Through the above description of the embodiments, those skilled in the art can clearly understand that this application can be implemented by means of software plus necessary general-purpose hardware, or it can be implemented by special-purpose hardware including application-specific integrated circuits, special-purpose CPUs, special-purpose memory, special-purpose components, etc. Generally, any function performed by a computer program can be easily implemented by corresponding hardware, and the specific hardware structure used to implement the same function can also be diverse, such as analog circuits, digital circuits, or special-purpose circuits. However, for this application, software program implementation is more often the preferred implementation method. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product is stored in a readable storage medium, such as a computer floppy disk, USB flash drive, mobile hard disk, ROM, RAM, magnetic disk, or optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, training equipment, or network device, etc.) to execute the network access behavior alarm noise reduction method described in the various embodiments of this application.

[0301] In the above embodiments, implementation can be achieved, in whole or in part, through software, hardware, firmware, or any combination thereof. When implemented in software, it can be implemented, in whole or in part, as a computer program product.

[0302] The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of this application are generated. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions may be transmitted from one website, computer, training device, or data center to another website, computer, training device, or data center via wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium may be any available medium that a computer can store or a data storage device such as a training device or data center that integrates one or more available media. The available media may be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., DVDs), or semiconductor media (e.g., solid-state drives (SSDs)).

Claims

1. A method for reducing noise in network access behavior alarms, characterized in that, include: The acquired target network access behavior alarms and associated multi-source context data are correlated and structured to obtain a unified evidence object; The unified evidence object includes at least: identity feature sub-object, behavior feature sub-object, and network semantic feature sub-object; The unified evidence object is input into multiple specialized intelligent agents, triggering each specialized intelligent agent to reason about the unified evidence object based on its own analytical perspective and generate corresponding candidate hypotheses. The target network access behavior alarm is subjected to multi-level noise reduction processing to obtain a layered noise reduction result; Based on the candidate hypotheses and the hierarchical noise reduction results, conflict resolution and adjudication operations are performed to obtain the processing actions for the target network access behavior.

2. The network access behavior alarm noise reduction method according to claim 1, characterized in that, The multiple dedicated intelligent agents include: malicious assumption intelligent agents, benign assumption intelligent agents, and business exception assumption intelligent agents; The malicious hypothesis agent is configured to: analyze the unified evidence object from the perspective of attack behavior, identify whether the unified evidence object has attack characteristics, and output malicious type candidate hypotheses; The benign hypothesis agent is configured to: analyze the unified evidence object from the perspective of normal business behavior, identify whether the unified evidence object conforms to the subject's historical behavior baseline or role access boundary, and output benign type candidate hypothesis; The business exception hypothesis agent is configured to: analyze the unified evidence object from the perspective of business-permitted abnormal behavior, identify whether the unified evidence object hits the release window, duty schedule or automated task schedule, and output candidate hypotheses for business exception types.

3. The network access behavior alarm noise reduction method according to claim 1, characterized in that, The execution process of each dedicated agent when generating the candidate hypotheses includes: Determine the hypothesis type identifier and initial confidence level of the candidate hypotheses; Extract key evidence supporting the candidate hypothesis to obtain a set of supporting evidence; Identify conflicting evidence that refutes the candidate hypothesis to obtain a set of counter-evidence; Generate a set of items to be verified that are suggested for further validation; The hypothesis type identifier, the initial confidence level, the supporting evidence set, the counter-evidence set, and the set of items to be verified are packaged into a structured candidate hypothesis object and output.

4. The network access behavior alarm noise reduction method according to claim 1, characterized in that, After generating the candidate hypotheses, the process further includes: At least one validation factor generated independently of the candidate hypothesis is invoked, the validation factor including: historical baseline validation factor, role permission validation factor, planned task validation factor, or threat intelligence validation factor; The verification factor is used to verify each candidate hypothesis, determine the verification strength and confidence level of each candidate hypothesis, and adjust the confidence level of each candidate hypothesis based on the verification results.

5. The network access behavior alarm noise reduction method according to claim 1, characterized in that, The construction of the unified evidence object also includes: Calculate the first consistency measure between the identity feature sub-object and the network semantic feature sub-object; Calculate a second consistency measure between the identity feature sub-object and the behavior feature sub-object; Calculate the third consistency measure between the behavioral feature sub-object and the network semantic feature sub-object; A ternary binding score is generated based on the first consistency measure, the second consistency measure, and the third consistency measure. The ternary binding score is used to characterize the degree of coordination among the identity feature sub-object, the behavioral feature sub-object, and the network semantic feature sub-object, and is used as a component of the unified evidence object.

6. The network access behavior alarm noise reduction method according to claim 1, characterized in that, The multi-level noise reduction processing includes at least two of the following: alarm-level noise reduction processing, session-level noise reduction processing, and association graph-level noise reduction processing. The alarm-level noise reduction process includes: assessing the independent retention value of the target network access behavior alarm based on the confidence level of the candidate hypothesis, the local risk of the target network access behavior alarm, and the sensitivity of the target asset; The session-level noise reduction process includes: acquiring multiple associated alarms belonging to the same access session as the target network access behavior alarm, identifying the redundancy relationship between the multiple associated alarms, and performing a merging operation; The process of the associated graph-level noise reduction includes: constructing a heterogeneous relation graph containing multiple session nodes and associated edges, determining the graph-level risk score of the event cluster where the target network access behavior alarm is located, and judging whether the event cluster belongs to an attack chain, a business task cluster or an isolated abnormal event based on the graph-level risk score.

7. The network access behavior alarm noise reduction method according to claim 1, characterized in that, When performing conflict resolution and adjudication procedures, the following are also included: Calculate the noise reduction benefit of suppressing the target network access behavior alarm, the noise reduction benefit being determined based on at least one of the alarm redundancy, low value score, and merging benefit; Calculate the risk of false suppression of the target network access behavior alarm, wherein the risk of false suppression is determined based on at least one of the following: the confidence level of the malicious hypothesis, the graph-level risk of the event cluster in which it is located, the sensitivity of the target asset, and the cost of missed reporting; The noise reduction benefit is compared with a preset benefit threshold, and the false compression risk is compared with a preset risk threshold. Based on the comparison results, the processing action is selected from a preset action space.

8. The network access behavior alarm noise reduction method according to claim 1, characterized in that, The conflict resolution and adjudication operations include: Obtain the post-verification confidence of each of the multiple candidate hypotheses, and identify whether there are conflicting hypothesis pairs; When conflicting pairs of hypotheses exist, the session-level denoising result in the hierarchical denoising result is called to determine the first target hypothesis in the hypothesis pair. The first target hypothesis is characterized by being consistent with the hypothesis distribution of other alarms within the same access session. Alternatively, the association graph-level denoising result in the hierarchical denoising result is called to determine the second target hypothesis in the hypothesis pair. The second target hypothesis is characterized by being consistent with the overall risk label of the event cluster. Based on the resolution indication of the session-level denoising result or the correlation graph-level denoising result, the weakened hypotheses are eliminated and the strengthened hypotheses are retained to obtain the resolved hypothesis set; Based on the resolved hypothesis set and the hierarchical noise reduction results, the noise reduction benefits and false suppression risks of suppressing the current alarm are calculated. Based on the comparison results of the noise reduction benefits and the false suppression risks, a processing action is selected from the preset action space as the final decision result.

9. The network access behavior alarm noise reduction method according to claim 6, characterized in that, The process of acquiring multiple associated alarms belonging to the same access session as the target network access behavior alarm, identifying redundancy relationships among the multiple associated alarms, and performing a merging operation includes: Obtain the session identifier, token identifier, tracking identifier, timestamp, request path, and client fingerprint information associated with the target network access behavior alarm; Based on at least one of the following factors: session identifier, token identifier, tracking identifier, temporal proximity decay factor, path similarity, and client fingerprint similarity, calculate the session similarity between the target network access behavior alarm and other alarms; Determine whether the session similarity reaches a preset similarity threshold; If the target network access behavior alarm is reached, it will be determined that the target network access behavior alarm and the other alarms belong to the same access session. Redundancy analysis will be performed on multiple alarms within the access session, representative sub-alarms will be retained and the remaining alarms will be merged.

10. The network access behavior alarm noise reduction method according to claim 1, characterized in that, Also includes: Obtain at least one feedback information from the following sources: manual review results, work order closed-loop results, and post-attack confirmation results; Based on the feedback information, the sets of false alarms, false negatives, or false true alarms are statistically analyzed. The feedback loss function value is calculated based on the statistical results. The feedback loss function value represents the weighted sum of the cost of false alarm, the cost of missed alarm, and the cost of false positives. In the direction of minimizing the value of the feedback loss function, update at least one of the following: the weights of the multiple professional agents, the threshold used in the adjudication operation, the historical baseline model, the business exception rule base, or the session aggregation parameters.