CN117951314A - Scenario generation decision method integrating knowledge graph and large language generation model - Google Patents
- Publication number
- CN117951314A, CN202410347766.0A
- Authority
- CN
- China
- Prior art keywords
- text
- entity
- knowledge graph
- candidate
- proper noun
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/30—Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
- G06F16/36—Creation of semantic tools, e.g. ontology or thesauri
- G06F16/367—Ontology
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/30—Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
- G06F16/33—Querying
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F40/00—Handling natural language data
- G06F40/20—Natural language analysis
- G06F40/205—Parsing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F40/00—Handling natural language data
- G06F40/20—Natural language analysis
- G06F40/279—Recognition of textual entities
- G06F40/289—Phrasal analysis, e.g. finite state techniques or chunking
- G06F40/295—Named entity recognition
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N5/00—Computing arrangements using knowledge-based models
- G06N5/02—Knowledge representation; Symbolic representation
- G06N5/022—Knowledge engineering; Knowledge acquisition
Abstract
The invention discloses a scenario generation decision method integrating a knowledge graph and a large language generation model, which comprises the following steps: extracting network security proper nouns and text embeddings from the intelligent dialog box, and performing bidirectional matching between the proper noun set and the triples to generate a proper noun entity set; sending the generated proper noun entity set to the ISKS module to obtain hyperbolic embeddings of the entity class hierarchy, and fusing the entity embeddings and text embeddings to generate a prompt set; in the FSTG module, combining the security event with the prompt set into few-shot thoughts as the input text; the large language generation model generates decision support for the network security emergency response scenario based on the input text. The scheme uses the complementarity of the network security emergency response knowledge graph and the large language generation model to provide reliable decision support for automatic scenario generation by the network security response robot, so as to cope with the increasingly complex and frequent security threats in the modern network environment.
Description
Technical Field
The invention relates to the field of network security, in particular to a scenario generation decision method integrating a knowledge graph and a large language generation model.
Background
In the current digital age, network security threats are increasingly severe, and network attack techniques are evolving continuously, from traditional viruses and malicious software to more complex advanced threats and zero-day attacks. Traditional network security schemes are no longer adequate to address this challenge, and advanced technologies are required to improve network defense and emergency response capabilities, which has motivated the emergence of the network security response robot.
A network security response robot is a system that uses automation technology and Artificial Intelligence (AI) to handle network security events. These robots are typically designed to detect, analyze, and respond to network threats in order to reduce the burden of manual intervention and improve the efficiency and speed of network security. As attacks become faster, an automatic decision system is the key to enabling a network security response robot to quickly produce a script and execute a response strategy.
The knowledge graph provides support for automatic decision making by the network security emergency response robot. It is a graphical representation method used for integrating, analyzing and displaying information in the network security field. Specifically, the knowledge graph presents the various entities in the network security field and their complex interrelationships through clear entity nodes and relationship edges. Entities such as attackers, victim systems, vulnerabilities and threat information form an organic connection in the graph. Based on comprehensive analysis of entity relations, threat information and attack modes, a team can make more intelligent automatic decisions, generate accurate and effective scripts and realize quick and efficient emergency response. However, knowledge graphs are somewhat static: once the build is complete, updates and modifications can be relatively complex. This may limit their flexibility in dealing with rapidly changing network threats.
The large language model has excellent text processing and understanding capability, can rapidly analyze and interpret a large amount of text information, and shows excellent performance in coping with complex and practical network security threat challenges. Where real-time requirements are high, the large language model can rapidly respond to security events, deeply analyze threat information and real-time data, and provide timely intelligent decision suggestions, helping security teams make decisions more rapidly and accurately and improving overall response efficiency, so as to better cope with novel, variant and advanced network attacks and strengthen network security defenses. While large language models have potential value in the field of network security emergency response, they face some challenges and problems. First, large language models are internally complex and bulky, making their decision making process difficult to understand and interpret. In network security emergency response, the transparency of a decision is very important to security professionals. Lack of interpretability may make it difficult to understand why the model makes a particular decision, reducing people's confidence in it. Furthermore, large language models are often pre-trained on large-scale generic corpora and are well versed in solving general problems, while the network security domain has its own specific terms, context and language characteristics. Thus, when faced with text in the field of network security, such models may handle domain-specific network security issues less well than expected.
The knowledge graph and the large language model have advantages and disadvantages in network security emergency response, and the combined use of the knowledge graph and the large language model can make up for the defects of the knowledge graph and the large language model, and improve the overall security analysis and decision level. Therefore, the invention provides a scenario generation decision support method integrating a network security emergency response knowledge graph and a large-scale language generation model.
Disclosure of Invention
In order to achieve the above object, the present inventors provide a scenario generation decision method for fusing a knowledge graph and a large language generation model, comprising the steps of:
S1, extracting network security proper nouns and text embeddings in the current security event report from an intelligent dialog box, performing bidirectional matching between the proper noun set formed by the extracted proper nouns and the triples in the network security emergency response knowledge graph, and selecting the proper nouns that exist in both to generate a proper noun entity set;
S2, sending the generated proper noun entity set to the ISKS module, obtaining the corresponding hyperbolic embeddings of the entities through a Poincaré ball model based on the entity class hierarchy in the network security emergency response knowledge graph, and fusing the entity embeddings and text embeddings according to their correlation to generate a prompt set;
S3, in the FSTG module, combining the security event and the generated prompt set into few-shot thoughts as the input text;
S4, the large language generation model generates decision support for the related network security emergency response scenario based on the constructed input text.
As a preferred mode of the present invention, the step S1 further includes the steps of:
S101, extracting text information X from the intelligent dialog box, using a dual text encoder composed of N Transformer layers to retrieve the K network security proper nouns { e1, e2, …, ek } mentioned in the text information X, and composing proper noun set The double text encoder obtains text representations/>And proper noun representation/>The expression of (2) is:
,
,
Wherein, And/>For two BERT text encoders that do not share weights,/>And/>Token of BERT,/>Representing the classification result of a text sequence,/>Representing delimiters between texts,/>AndA text identifier and a text description, respectively, of the proper noun e;
S102, proper noun retrieval is carried out with the text information as input, and the text encoder is trained with a noise contrastive estimation (NCE) loss function, expressed as follows:
,
Wherein, Representing the matching score between text information X and proper noun e,/>Is a group of non-proper noun sets/>Negative examples of overlap;
S103, taking each entity matched with the proper noun set as a starting point and a two-hop relationship as the range in the network security response knowledge graph, integrating the entities into a matched candidate entity set In all the relationships involved are referred to as candidate relationship setsSearching related attributes from the knowledge graph by using the candidate entity set to create a candidate attribute set/>.
As a preferred mode of the present invention, the step S2 further includes the steps of:
S201, candidate entity set As input to the ISKS module, learning embedded representations based on the hierarchical entity class structure by using the Poincaré ball model, and obtaining the distance between two entities as/>The expression is:
,
Wherein, Representing hyperbolic space,/>Representing arcosh functions;
S202, minimizing the distance between related objects to obtain an entity hyperbolic embedded set Training by taking the cross entropy loss function as an objective function, wherein the expression is as follows:
,
Wherein, Is a cross entropy loss function,/>To observe a set of ambiguous relationships between entities,/>Representation/>Is/>Is a negative sample set of (2);
S203, using M aggregator layers as knowledge injectors to integrate fusion results of different levels, wherein in each aggregator layer the entity hyperbolic embeddings and text token embeddings are fed to a multi-head self-attention layer The expression is:
,
Wherein v denotes the v-th aggregator layer, And/>Representing m entity hyperbolic embeddings and n text token embeddings, respectively,/>And/>Respectively representing m entity hyperbolic embeddings and n text token embeddings after integration;
s204, obtaining a mixed representation by utilizing nonlinear mapping And generates a hint candidate set/>The expression is:
,
,
Wherein, Representing an activation function GELU,/>,/>And/>For the parameters to be trained,/>Is a hint generator.
As a preferred mode of the present invention, the step S3 further includes the steps of:
S301, taking the generated prompt candidate set as input, and sending the generated prompt candidate set to a FSTG module;
S302, for selected hints sampled from the hint candidate set Integrating the corresponding security events, candidate entity set/>Candidate relation set/>Candidate attribute set/>Few-shot thought reasoning information is obtained.
As a preferred mode of the present invention, step S4 further includes the steps of:
S401, based on the constructed few-shot thought reasoning information, generating decision support for the related network security emergency response scenario by using a large language generation model;
S402, the network emergency response robot generates a script according to the decision support and executes the corresponding operations.
As a preferred mode of the present invention, the method further comprises the training step of: S5, alternately training the ISKS module and the FSTG module.
As a preferred mode of the present invention, step S5 further includes the steps of:
S501, updating the ISKS module with the objective of maximizing the negative entropy of behavior, wherein the expression is as follows:
,
Wherein, To give a hint of/>Entropy of/>Generating policies for hints,/>Is a discount factor,/>To give a hint of/>Corresponding thinking.
S502, fine-tuning the large language model using proximal policy optimization (PPO).
Compared with the prior art, the beneficial effects achieved by the technical scheme are as follows:
(1) The method uses the complementarity of the large language generation model and the network security emergency response knowledge graph to provide reliable decision support for scenario generation by the network security emergency response robot;
(2) The method consists of two modules, namely ISKS and FSTG. The ISKS module uses a Poincaré ball model to obtain hyperbolic embeddings of entities based on the entity class hierarchy in the network security emergency response knowledge graph, so as to supplement the semantic information of target entities identified from the pre-training corpus. The FSTG module generates few-shot thoughts, providing high-level guidance for solving complex network security emergency response decision tasks, so that the method can effectively cope with increasingly complex and frequent security threats in the modern network environment.
Drawings
FIG. 1 is a flow chart of a method according to an embodiment.
FIG. 2 is a block diagram of the FSTG module according to an embodiment.
Detailed Description
In order to describe the technical content, constructional features, achieved objects and effects of the technical solution in detail, the following description is made in connection with the specific embodiments in conjunction with the accompanying drawings.
As shown in fig. 1 and fig. 2, the present embodiment provides a scenario generation decision method for fusing a knowledge graph and a large language generation model, which includes the following steps:
S1, extracting network security proper nouns and text embeddings in the current security event report from an intelligent dialog box, performing bidirectional matching between the proper noun set formed by the extracted proper nouns and the triples in the network security emergency response knowledge graph, and selecting the proper nouns that exist in both to generate a proper noun entity set;
S2, sending the generated proper noun entity set to the ISKS module, obtaining the corresponding hyperbolic embeddings of the entities through a Poincaré ball model based on the entity class hierarchy in the network security emergency response knowledge graph, and fusing the entity embeddings and text embeddings according to their correlation to generate a prompt set;
S3, in the FSTG module, combining the security event and the generated prompt set into few-shot thoughts as the input text;
S4, the large language generation model generates decision support for the related network security emergency response scenario based on the constructed input text.
In a specific implementation process of this embodiment, step S1 further includes the steps of:
S101, extracting text information X from the intelligent dialog box, using a dual text encoder composed of N Transformer layers to retrieve the K network security proper nouns { e1, e2, …, ek } mentioned in the text information X, and composing proper noun set The double text encoder obtains text representations/>And proper noun representation/>The expression of (2) is:
,
,
Wherein, And/>For two BERT text encoders that do not share weights,/>And/>Token of BERT,/>Representing the classification result of a text sequence,/>Representing delimiters between texts,/>AndA text identifier and a text description, respectively, of the proper noun e;
S102, carrying out proper noun retrieval with the text information as input, and training the text encoder with a noise contrastive estimation (NCE) loss function so as to maximize the following objective, expressed as follows:
,
Wherein, Representing the matching score between text information X and proper noun e,/>Is a group of non-proper noun sets/>Negative examples of overlap; the objective dynamically builds NCE instances, treating one gold proper noun as the only correct answer in each training sample and excluding the other gold proper nouns from the negative examples; 90% of the negative examples are randomly selected, and 10% are selected through hard negative example mining, i.e. the incorrect candidates with the highest scores are selected.
During bidirectional maximum matching of the proper noun set against the network security response knowledge graph, unconstrained matching of relation and attribute proper nouns may introduce noise. Therefore, S103, taking each entity matched with the proper noun set as a starting point and a two-hop relationship as the range in the network security response knowledge graph, integrating the entities into the matched candidate entity setIn all the relationships involved are called candidate relationship set/>Searching related attributes from the knowledge graph by using the candidate entity set to create a candidate attribute set/>.
In a specific implementation process of this embodiment, step S2 further includes the steps of:
S201, candidate entity set The input is sent to the ISKS module (network security knowledge supplementing module). Embedding algorithms in Euclidean space have difficulty modeling complex patterns because of the dimensions of the embedding space, whereas hyperbolic space has a stronger capability for representing hierarchical structure; the Poincaré ball model is therefore adopted to learn embedded representations based on the hierarchical entity class structure, and the distance between two entities is/>The expression is:
,
Wherein, Representing hyperbolic space,/>Representing arcosh functions;
S202, minimizing the distance between related objects to obtain an entity hyperbolic embedded set Training by taking the cross entropy loss function as an objective function, wherein the expression is as follows:
,
Wherein, Is a cross entropy loss function,/>To observe a set of ambiguous relationships between entities,/>Representation/>Is/>Is a negative sample set of (2);
In order to fuse the entity hyperbolic embeddings and the text token embeddings, the hyperbolic embeddings are integrated into the context representation: S203, using M aggregator layers as knowledge injectors to integrate fusion results of different levels; in each aggregator layer, the entity hyperbolic embeddings and text token embeddings are fed into a multi-head self-attention layer The expression is:
,
Wherein v denotes the v-th aggregator layer, And/>Representing m entity hyperbolic embeddings and n text token embeddings, respectively,/>And/>Respectively representing m entity hyperbolic embeddings and n text token embeddings after integration;
s204, obtaining a mixed representation by utilizing nonlinear mapping And generates a hint candidate set/>The expression is:
,
,
Wherein, Representing an activation function GELU,/>,/>And/>For the parameters to be trained,/>Is a hint generator.
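The distance expression in S201 did not survive on this page, so the following added example (not code from the patent) assumes the standard Poincaré ball distance, d(u, v) = arcosh(1 + 2‖u − v‖² / ((1 − ‖u‖²)(1 − ‖v‖²))), and shows why it suits an entity class hierarchy. The 2-D embeddings and entity names are constructed for illustration.

```python
import math


def poincare_distance(u, v):
    """Standard Poincare-ball distance between two points of the open unit ball.

    Assumption: this is the textbook formula, used here because the patent's
    own expression is missing from the page.
    """
    nu = sum(x * x for x in u)
    nv = sum(x * x for x in v)
    if nu >= 1.0 or nv >= 1.0:
        raise ValueError("points must lie strictly inside the unit ball")
    diff = sum((a - b) ** 2 for a, b in zip(u, v))
    return math.acosh(1.0 + 2.0 * diff / ((1.0 - nu) * (1.0 - nv)))


# Constructed embeddings: general classes sit near the origin, specific
# classes near the boundary, and each branch points in its own direction.
EMBEDDINGS = {
    "attack": (0.05, 0.00),          # root class
    "phishing": (0.50, 0.06),        # child of "attack"
    "spear phishing": (0.80, 0.10),  # child of "phishing"
    "ransomware": (-0.50, 0.06),     # other branch
    "wiper": (-0.80, 0.10),          # leaf of the other branch
}


def rank_candidates(query, embeddings):
    """Return the other entities ordered by hyperbolic distance to `query`."""
    q = embeddings[query]
    scored = [(poincare_distance(q, p), name)
              for name, p in embeddings.items() if name != query]
    return [name for _, name in sorted(scored)]


def same_gap_near_origin_and_boundary():
    """The same Euclidean gap (0.1) measured near the origin and near the edge."""
    near_origin = poincare_distance((0.0, 0.0), (0.1, 0.0))
    near_boundary = poincare_distance((0.85, 0.0), (0.95, 0.0))
    return near_origin, near_boundary


if __name__ == "__main__":
    print(rank_candidates("spear phishing", EMBEDDINGS))
    print(same_gap_near_origin_and_boundary())
```

For the leaf "spear phishing", its parent ranks first, then the root, and the leaf of the other branch ranks last: reaching another branch costs roughly a trip back towards the origin, which is how the ball encodes tree depth.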
In the implementation process of this embodiment, step S3 further includes the steps of:
S301, taking the generated prompt candidate set as input, and sending it to the FSTG module; intuitively, it is challenging to directly generate a decision scheme for a network security emergency response scenario. Therefore, few-shot thought reasoning information is generated for the decision scheme of the network security emergency response scenario to provide a solution idea.
S302, for selected hints sampled from the hint candidate setIntegrating the corresponding security events, candidate entity set/>Candidate relation set/>Candidate attribute set/>Few-shot thought reasoning information is obtained. For example, when a company's internal system is subjected to a phishing attack on employee credentials, an organic thought structure is built by integrating characteristics such as 'malicious links', 'disguised IT department identification', 'request to verify credential information' and 'credentials'. The structure identifies the attacker's target, such as stealing the credentials; the attack path, such as inducing clicks on malicious links through disguised mails; and potential next actions, such as further lateral movement using the stolen credentials.
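The following added example (not code from the patent) walks through the bidirectional match of S1, the two-hop candidate sets of S103 and the input text of S302 for the phishing case above. The knowledge graph, attributes, report and hint are constructed; exact name matching stands in for the dual-encoder retrieval, and traversing edges in both directions is an assumption.

```python
from collections import defaultdict

# Constructed knowledge-graph triples (head, relation, tail).
TRIPLES = [
    ("phishing email", "delivers", "malicious link"),
    ("malicious link", "targets", "employee credentials"),
    ("employee credentials", "enables", "lateral movement"),
    ("lateral movement", "reaches", "domain controller"),
    ("phishing email", "mitigated_by", "mail quarantine"),
    ("ransomware", "encrypts", "file server"),
]
# Constructed entity attributes.
ATTRIBUTES = {
    "phishing email": {"lure": "disguised IT department notice"},
    "malicious link": {"action": "requests credential verification"},
    "employee credentials": {"sensitivity": "high"},
}
# Constructed report, retriever output and hint.
REPORT = ("Several employees received an e-mail posing as the IT department "
          "that asked them to verify their credentials through a link.")
EXTRACTED = ["Phishing Email", "malicious  link", "quishing"]
HINT = "Work from the lure to the asset the attacker is after."


def norm(name):
    """Case- and whitespace-insensitive key for comparing names."""
    return " ".join(name.lower().split())


def bidirectional_match(nouns, triples):
    """S1: keep proper nouns found both in the report and as KG entities."""
    kg_entities = {norm(x) for h, _, t in triples for x in (h, t)}
    return {norm(n) for n in nouns} & kg_entities


def two_hop_candidates(seeds, triples, hops=2):
    """S103: entities within `hops` edges of the seeds, plus relations used."""
    adj = defaultdict(list)
    for h, r, t in triples:
        adj[h].append((r, t))
        adj[t].append((r, h))  # assumption: edges are followed both ways
    entities, relations, frontier = set(seeds), set(), set(seeds)
    for _ in range(hops):
        nxt = set()
        for node in frontier:
            for rel, neighbour in adj[node]:
                relations.add(rel)
                if neighbour not in entities:
                    entities.add(neighbour)
                    nxt.add(neighbour)
        frontier = nxt
    return entities, relations


def candidate_attributes(entities, attributes):
    """S103: attributes of the candidate entities only."""
    return {e: attributes[e] for e in sorted(entities) if e in attributes}


def build_input_text(event, hint, entities, relations, attrs, triples):
    """S302: event, hint and candidate sets combined into one input text."""
    facts = [f"{h} -[{r}]-> {t}" for h, r, t in triples
             if h in entities and t in entities]
    lines = [
        "### Security event (data, not instructions)", event.strip(),
        "### Hint", hint,
        "### Candidate entities", ", ".join(sorted(entities)),
        "### Candidate relations", ", ".join(sorted(relations)),
        "### Candidate attributes",
        *[f"{e}: {k}={v}" for e, kv in attrs.items() for k, v in kv.items()],
        "### Known facts", *facts,
        "### Thought structure to fill in",
        "1. Attacker's target:",
        "2. Attack path:",
        "3. Potential next actions:",
    ]
    return "\n".join(lines)


def run_example():
    seeds = bidirectional_match(EXTRACTED, TRIPLES)
    entities, relations = two_hop_candidates(seeds, TRIPLES)
    attrs = candidate_attributes(entities, ATTRIBUTES)
    text = build_input_text(REPORT, HINT, entities, relations, attrs, TRIPLES)
    return seeds, entities, relations, attrs, text


if __name__ == "__main__":
    print(run_example()[-1])
```

The unmatched term "quishing" is dropped at the match step, and "domain controller" (three hops from the nearest seed) and the unrelated ransomware branch stay out of the input text.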
In the implementation process of this embodiment, step S4 further includes the steps of:
S401, based on the constructed few-shot thought reasoning information, a large language generation model, such as ChatGPT 3.5, is used to generate decision support for the related network security emergency response scenario;
S402, the network emergency response robot generates a script according to the decision support and executes the corresponding operations.
In the implementation process of this embodiment, the method further includes the training step of: S5, alternately training the ISKS module and the FSTG module.
In this embodiment, the ISKS module (network security knowledge supplementing module) and the FSTG module (few-shot thought generation module) are trained alternately, with the other module kept frozen. On the one hand, the ISKS module selects for the FSTG module a hint whose output is expected to be interpreted by the final network emergency response; thus, the aim of the ISKS module is to reduce the uncertainty of the network emergency response robot when it encounters challenging decisions.
In order to achieve the above objective, in this embodiment, S501 updates the ISKS module with the objective of maximizing the negative entropy of behavior, where the expression is:
,
Wherein, To give a hint of/>Entropy of/>In order to prompt the generation of a policy,Is a discount factor,/>To give a hint of/>Corresponding thinking.
S502, on the other hand, the FSTG module is trained with the aim of effectively solving the specific decision task. Thus, the present embodiment uses proximal policy optimization (PPO) to fine-tune the large language generation model.
In order to verify the method, a verification example is also supplemented, and the specific contents are as follows:
Table 1 presents the performance comparison between the method and the existing most advanced models, namely ERNIE-Baidu (religion), ERNIE-THU (comparative learning understanding entity and relationship model), KnowBERT (knowledge-enhanced transform-based bi-directional coding model), K-BERT (knowledge-enhanced pre-training language model), KGAP (knowledge-graph enhanced strategic visual angle detection model), DKPLM (resolvable knowledge-enhanced pre-training language model), GreaseLM (graph inference enhanced language model) and KALM (knowledge-enhanced language model), on five downstream tasks in the field of network security: Named Entity Recognition (NER), Text Classification (TC), question answering system (QA), query expansion (QM) and Named Entity Disambiguation (NED). From the results, it can be observed that: compared with a fine-tuned large language generation model trained on a corpus of the network security domain, injecting network security emergency response domain knowledge into the large language generation model obtains better results, particularly for NER; ERNIE-TU and K-BERT achieved the best results among the baselines, and ERNIE-THU performed better on NER tasks; it is therefore supposed that the model benefits from ERNIE-THU's ingenious knowledge injection paradigm and learns rich semantic knowledge in the triples; the method is greatly superior to the strong baselines, especially with an increase of +0.97% in NER tasks and +1.17% in TC tasks. The method effectively uses the network security emergency response knowledge graph to enhance professional semantic information, and improves the overall security analysis and decision level when a large language model faces complex problems.
Table 1: comparison table of network security emergency response performance of method and other models
In general, the method aims to provide reliable decision support for automatic scenario generation by the network security response robot by using the complementarity of the network security emergency response knowledge graph and the large language generation model, so as to cope with increasingly complex and frequent security threats in modern network environments. Firstly, the network security emergency response knowledge graph can process different data sources, clearly presents the relationships among entities, helps people better understand complex information structures, and supports in-depth analysis of attack links and threat information; however, it cannot effectively model unseen entities or characterize new knowledge, which limits its capability of coping with continuously evolving network threats. Secondly, the large language generation model has strong language processing and generalization capability, and can rapidly and accurately analyze text data and log information in network security events. It can identify keywords and extract key information, helping the security team understand attack techniques and intrusions more quickly. However, large language generation models are often pre-trained on large-scale generic corpora, while the network security domain has its own specific terms, context and language characteristics, so the knowledge learned by large language generation models during pre-training may not cover the full range of network security threats. Moreover, the black box mechanism of the large language generation model induces anxiety about decision uncertainty in network security emergency response. Therefore, the method provides reliable decision support for scenario generation by the network security emergency response robot by using the complementarity of the large language generation model and the network security emergency response knowledge graph.
It should be noted that, although the foregoing embodiments have been described herein, the scope of the present invention is not limited thereby. Therefore, based on the innovative concepts of the present invention, alterations and modifications to the embodiments described herein, or equivalent structures or equivalent flow transformations made by the present description and drawings, apply the above technical solution, directly or indirectly, to other relevant technical fields, all of which are included in the scope of the invention.
Claims (7)
1. A scenario generation decision method fusing a knowledge graph and a large language generation model, characterized by comprising the following steps:
S1, extracting network security proper nouns and text embeddings from the current security event report in an intelligent dialog box, bidirectionally matching the proper noun set formed by the extracted proper nouns against the triples in the network security emergency response knowledge graph, and selecting the proper nouns that exist in both to generate a proper noun entity set;
S2, sending the generated proper noun entity set to the ISKS module, obtaining the corresponding hyperbolic embeddings of the entities through a Poincaré ball model based on the entity class hierarchical structure in the network security emergency response knowledge graph, and fusing the entity embeddings and text embeddings according to their correlation to generate a prompt set;
S3, in the FSTG module, combining the security event and the generated prompt set into few-sample thinking as the input text;
S4, the large language generation model generates decision support for the related network security emergency response scenario based on the constructed input text.
2. The scenario decision method for fusing knowledge graph and large language generation model as claimed in claim 1, wherein step S1 further comprises the steps of:
S101, extracting text information X from the intelligent dialog box, using a dual text encoder composed of N Transformer layers to retrieve the K network security proper nouns {e1, e2, …, ek} mentioned in the text information X, and composing the proper noun set. The dual text encoder obtains the text representation and the proper noun representation, expressed as:
,
,
Wherein, and are two BERT text encoders that do not share weights; and are tokens of BERT; represents the classification result of a text sequence; represents the delimiter between texts; and are the text identifier and the text description of the proper noun e, respectively;
S102, proper noun retrieval is carried out by taking the text information as input, and the text encoder is trained with a noise contrastive estimation (NCE) loss function, expressed as:
,
Wherein, represents the matching score between text information X and proper noun e; is a set of negative examples that do not overlap the proper noun set;
S103, in the network security response knowledge graph, taking the entities matched with the proper noun set as starting points and a two-hop relationship as the range, integrating the matched entities into a candidate entity set; all the relationships involved are called the candidate relationship set; related attributes are retrieved from the knowledge graph using the candidate entity set to create a candidate attribute set.
3. The scenario decision method for fusing knowledge graph and large language generation model as claimed in claim 2, wherein step S2 further comprises the steps of:
S201, taking the candidate entity set as input to the ISKS module, learning embedded representations based on the hierarchical entity class structure by using the Poincaré ball model, and obtaining the distance between two entities, expressed as:
,
Wherein, represents the hyperbolic space; represents the arcosh function;
S202, minimizing the distance between related objects to obtain the entity hyperbolic embedding set, and training with the cross entropy loss function as the objective function, expressed as:
,
Wherein, is the cross entropy loss function; is the set of observed ambiguous relationships between entities; represents the negative sample set;
S203, integrating the fusion results of different levels by using M layers of aggregators as knowledge injectors, wherein in each aggregator layer the entity hyperbolic embeddings and the text token embeddings are fed to a multi-head self-attention layer, expressed as:
,
Wherein v denotes the v-th aggregator layer; and represent the m entity hyperbolic embeddings and the n text token embeddings, respectively; and represent the m entity hyperbolic embeddings and the n text token embeddings after integration, respectively;
S204, obtaining a mixed representation by a nonlinear mapping and generating a prompt candidate set, expressed as:
,
,
Wherein, represents the activation function GELU; , and are the parameters to be trained; is the prompt generator.
4. The scenario decision method for fusing knowledge graph and large language generation model as claimed in claim 3, wherein the step S3 further comprises the steps of:
S301, taking the generated prompt candidate set as input and sending it to the FSTG module;
S302, for a selected prompt sampled from the prompt candidate set, integrating the corresponding security event, the candidate entity set, the candidate relationship set and the candidate attribute set to obtain few-sample thinking reasoning information.
5. The method for generating scenario decision by fusing knowledge graph and large language generation model as claimed in claim 4, wherein step S4 further comprises the steps of:
S401, based on the constructed few-sample thinking reasoning information, generating decision support for the related network security emergency response scenario by using the large language generation model;
S402, the network emergency response robot generates a script according to the decision support and executes the corresponding operation.
6. The scenario decision method for fusing knowledge graph and large language generation model as claimed in claim 5, further comprising a training step: S5, alternately training the ISKS module and the FSTG module.
7. The scenario decision method for fusing knowledge graph and large language generation model as claimed in claim 6, wherein step S5 further comprises the steps of:
S501, updating the ISKS module with the aim of maximizing the negative behavior entropy, expressed as:
,
Wherein, is the entropy given the prompt; is the prompt generation policy; is the discount factor; is the thinking corresponding to the given prompt;
S502, fine-tuning the large language model by using proximal policy optimization (PPO).
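The candidate retrieval of steps S1 and S103 can be sketched as follows. This is an added example, not code from the patent: the toy triples, the attribute table and the function names are constructed, "bidirectional matching" is read here as keeping the nouns present in both the report and the graph, and edges are assumed to be traversed in both directions.

```python
from collections import defaultdict

# Constructed toy knowledge graph: (head, relation, tail) triples.
TRIPLES = [
    ("phishing email", "delivers", "macro dropper"),
    ("macro dropper", "installs", "remote access trojan"),
    ("remote access trojan", "beacons_to", "c2 server"),
    ("c2 server", "mitigated_by", "block egress domain"),
    ("macro dropper", "mitigated_by", "disable office macros"),
    ("ransomware", "mitigated_by", "isolate host"),
]
# Constructed entity attributes.
ATTRIBUTES = {
    "macro dropper": {"severity": "high"},
    "remote access trojan": {"severity": "critical"},
    "disable office macros": {"type": "response action"},
}

def match_entities(proper_nouns, triples):
    """S1: keep the proper nouns that also occur as an entity in the graph."""
    kg_entities = {h for h, _, _ in triples} | {t for _, _, t in triples}
    return {n.strip().lower() for n in proper_nouns} & kg_entities

def two_hop_candidates(seeds, triples, attributes, hops=2):
    """S103: expand matched entities to candidate entity, relation and attribute sets."""
    adjacency = defaultdict(list)
    for head, rel, tail in triples:
        adjacency[head].append((rel, tail))
        adjacency[tail].append((rel, head))  # assumption: undirected traversal
    entities, relations, frontier = set(seeds), set(), set(seeds)
    for _ in range(hops):
        reached = set()
        for node in frontier:
            for rel, other in adjacency[node]:
                relations.add(rel)
                if other not in entities:
                    reached.add(other)
        entities |= reached
        frontier = reached  # only newly reached entities are expanded next
    attrs = {e: attributes[e] for e in entities if e in attributes}
    return entities, relations, attrs

if __name__ == "__main__":
    # Constructed proper nouns, as if extracted from an event report.
    seeds = match_entities(["Macro Dropper", "credential stuffing"], TRIPLES)
    print(two_hop_candidates(seeds, TRIPLES, ATTRIBUTES))
```

Bounding the expansion at two hops keeps the context handed to the prompt generator small: in the toy graph the three-hop action "block egress domain" and the unrelated ransomware branch are excluded.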
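Steps S201 and S202 name a Poincaré ball distance built on arcosh and a cross entropy loss over negative samples, but the expressions themselves are not reproduced on this page. The added example below (not the patent's code) assumes the standard Poincaré embedding formulation of Nickel and Kiela, which uses the same ingredients; the 2-D embeddings and function names are constructed.

```python
import math

# Constructed 2-D embeddings: general classes sit near the origin,
# specific instances near the boundary of the unit ball.
EMB = {
    "malware": (0.0, 0.1),
    "ransomware": (0.0, 0.6),
    "lockbit": (0.05, 0.9),
    "phishing": (0.6, 0.0),
}

def poincare_distance(u, v):
    """d(u, v) = arcosh(1 + 2*|u - v|^2 / ((1 - |u|^2) * (1 - |v|^2)))."""
    norm_u = sum(x * x for x in u)
    norm_v = sum(x * x for x in v)
    if norm_u >= 1.0 or norm_v >= 1.0:
        # Points on or outside the boundary are not valid embeddings.
        raise ValueError("embeddings must lie strictly inside the unit ball")
    diff = sum((a - b) ** 2 for a, b in zip(u, v))
    return math.acosh(1.0 + 2.0 * diff / ((1.0 - norm_u) * (1.0 - norm_v)))

def pair_loss(u, v, negatives):
    """Cross entropy loss for one related pair (u, v) against negatives of u."""
    pos = math.exp(-poincare_distance(u, v))
    denom = pos + sum(math.exp(-poincare_distance(u, n)) for n in negatives)
    return -math.log(pos / denom)

def rank_by_distance(name, emb):
    """Other entities ordered from hyperbolically nearest to farthest."""
    others = [k for k in emb if k != name]
    return sorted(others, key=lambda k: poincare_distance(emb[name], emb[k]))

if __name__ == "__main__":
    print(rank_by_distance("ransomware", EMB))
    print(pair_loss(EMB["ransomware"], EMB["lockbit"], [EMB["phishing"]]))
```

Minimizing `pair_loss` pulls related entities together and pushes negative samples apart, which is the training objective S202 describes in words.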
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410347766.0A CN117951314B (en) | 2024-03-26 | 2024-03-26 | Scenario generation decision method integrating knowledge graph and large language generation model |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117951314A (en) | 2024-04-30 |
CN117951314B (en) | 2024-06-07 |
Family
ID=90805542
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410347766.0A Active CN117951314B (en) | 2024-03-26 | 2024-03-26 | Scenario generation decision method integrating knowledge graph and large language generation model |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117951314B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118211652A (en) * | 2024-05-21 | 2024-06-18 | 南京众智维信息科技有限公司 | Network security knowledge graph completion method based on multiple prompt optimization |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |