A network security method and system for realizing fault prediction based on intelligent analysis

By generating optimal data channels in the security network and monitoring actual channels, and combining historical data flow records and channel performance to predict abnormal fault types, the problem of long processing time for abnormal nodes is solved, thereby improving the processing timeliness and security of the security network.

CN115834141BActive Publication Date: 2026-06-09SHENZHEN INFINOVA

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
SHENZHEN INFINOVA
Filing Date
2022-11-01
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

The existing security network has a long processing time for abnormal nodes and is vulnerable to vulnerability attacks. The existing fault warning system requires the retrieval of historical performance data for analysis, which leads to an extension of the processing time.

Method used

By marking the target data of the starting node, the optimal data channel is generated, the actual data channel is monitored, consistency is judged, historical data flow records and channel performance are obtained, abnormal fault types are predicted, and processing time is shortened.

Benefits of technology

This enables early detection of abnormal fault types during fault warnings, shortening processing time and enhancing the timeliness and security of security networks.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN115834141B_ABST
    Figure CN115834141B_ABST
Patent Text Reader

Abstract

The application discloses a network security method and system for realizing fault prediction based on intelligent analysis, and relates to the technical field of security networks.The method comprises the following steps: marking all target data passing through a starting node in a security network; generating an optimal data channel of the target data in combination with the starting node and a destination node corresponding to the target data; monitoring an actual data channel of the target data in the security network; judging whether the actual data channel is consistent with the optimal data channel; if the actual data channel is not consistent with the optimal data channel, predicting that the optimal data channel has an abnormal fault; obtaining historical data flow circulation records and channel performance of the optimal data channel; and predicting the abnormal fault type of the optimal data channel in combination with the historical data flow circulation records and the channel performance.The application has the effect of predicting abnormal faults and abnormal fault types of data channels in a security network.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of security network technology, and in particular to a network security method and system for fault prediction based on intelligent analysis. Background Technology

[0002] In a computer network, several computers with independent functions can be interconnected through communication equipment and transmission media, and with the support of communication software, information transmission and exchange between computers can be realized. Therefore, network security is of great significance to computer network security.

[0003] A secure network can typically be constructed by combining physical security analysis techniques, network structure security analysis techniques, system security analysis techniques, management security analysis techniques, and other security services and mechanisms. This secure network needs to be built upon a robust and functioning basic computer network structure; therefore, real-time monitoring of its operational status and timely warnings of network system faults and anomalies are necessary. Existing fault warning systems identify abnormal network links by comparing their historical and real-time operational statuses, and then send fault warning information to the network administrator so that the administrator can address the abnormal links promptly.

[0004] Regarding the aforementioned technologies, the inventors believe that the following drawbacks exist: Although network administrators can directly locate abnormal nodes that may be abnormal after receiving fault warning information, they need to retrieve the historical performance data of the abnormal nodes for anomaly analysis. After analyzing and finding the cause of the anomaly, they then handle the cause of the anomaly. This can easily lead to the security network being vulnerable to vulnerability attacks due to the long processing time of abnormal nodes. Summary of the Invention

[0005] To address the vulnerability of security networks to attacks due to the long processing time for abnormal nodes, this application provides a network security method and system based on intelligent analysis to predict faults.

[0006] In a first aspect, this application provides a network security method for fault prediction based on intelligent analysis, the method comprising the following steps:

[0007] Mark all target data that passes through the starting node in the security network;

[0008] The optimal data channel for the target data is generated by combining the starting node and the destination node corresponding to the target data.

[0009] Monitor the actual data channel of the target data in the security network;

[0010] Determine whether the actual data channel is consistent with the optimal data channel;

[0011] If the actual data channel is inconsistent with the optimal data channel, it is predicted that the optimal data channel has an abnormal fault.

[0012] Obtain historical data flow records and channel performance of the optimal data channel;

[0013] The abnormal fault types of the optimal data channel are predicted by combining the historical data flow records and the channel performance.

[0014] By adopting the above technical solution, data passing through the starting node is randomly selected as target data to generate the optimal data channel for the target data in the security network. The actual data channel during the actual transmission of the target data is monitored. When the optimal data channel and the actual data channel are inconsistent, it is possible to predict that the optimal data channel may subsequently experience abnormal failures. At this time, the historical data flow records and channel performance of the optimal data channel are obtained, and the abnormal failure type of the optimal data channel is predicted by combining the historical data flow records and channel performance. This allows the network administrator to know the abnormal failure type of the optimal data channel in subsequent fault warnings, enabling the network administrator to carry out targeted abnormal failure handling, thereby shortening the abnormal failure handling time and enhancing the timeliness and security of the security network during abnormal handling.

[0015] Optionally, the historical data flow records include the historical data flow of all optimal intermediate nodes in the optimal data channel. The step of combining the historical data flow records and the channel performance to predict the abnormal fault types of the optimal data channel includes the following steps:

[0016] Obtain the arrival time of the target data when it reaches the destination node;

[0017] Obtain the real-time data flow of all optimal intermediate nodes in the optimal data channel at the arrival time;

[0018] Calculate the real-time average data volume based on the real-time data flow of all the aforementioned optimal intermediate nodes;

[0019] Calculate the historical average data volume based on the historical data flow of all the aforementioned optimal intermediate nodes;

[0020] The data volume difference is calculated by combining the real-time average data volume and the historical average data volume;

[0021] Determine whether the data difference exceeds a preset difference threshold;

[0022] If the data difference exceeds the difference threshold, the abnormal fault type of the optimal data channel is predicted based on the channel performance.

[0023] By adopting the above technical solution, since the transmission efficiency of any data channel in the security network remains basically unchanged under normal circumstances, the historical average data volume can be calculated by the historical data flow of all optimal intermediate nodes. The historical average data volume can reflect the transmission efficiency of the optimal data channel at a certain moment. Then, based on the arrival time of the target data to the destination node, the real-time data flow of all optimal intermediate nodes at the arrival time is obtained, and the real-time average data volume is calculated. Thus, by calculating the data difference between the real-time average data volume and the historical average data volume, the type of abnormal fault that may occur in the optimal data channel can be predicted. If the data difference exceeds the preset difference threshold, it is necessary to further analyze the abnormal fault type of the optimal data channel based on the channel performance.

[0024] Optionally, the channel performance includes the node configuration and real-time node status of all the optimal intermediate nodes, the real-time node status including real-time CPU utilization and real-time memory availability, and the prediction of the abnormal fault type of the optimal data channel based on the channel performance includes the following steps:

[0025] Verify that the node configurations of all the optimal intermediate nodes are correct;

[0026] If the node is misconfigured, the predicted abnormal fault type of the optimal data channel is an abnormal idle state caused by misconfiguration.

[0027] If the node configuration is correct, then determine whether the real-time CPU utilization or the real-time memory balance exceeds the corresponding preset threshold.

[0028] If either the real-time CPU utilization or the real-time memory availability exceeds the corresponding preset threshold, the abnormal fault type of the optimal data channel is predicted to be channel network abnormality.

[0029] If neither the real-time CPU utilization nor the real-time memory balance exceeds the corresponding preset threshold, then the abnormal fault type of the optimal data channel is predicted to be data distribution abnormality.

[0030] By adopting the above technical solution, after predicting that an abnormal failure will occur in the optimal data channel, the specific abnormal failure type can be further predicted based on the node configuration and real-time node status of all optimal intermediate nodes in the optimal data channel. First, it is verified whether the node configuration of all optimal intermediate nodes is incorrect. If the node configuration is correct, then it is determined whether the real-time CPU utilization and real-time memory balance in the real-time node status exceed the corresponding preset thresholds. Since both the real-time CPU utilization and real-time memory balance exceeding the corresponding preset thresholds will cause the response speed and data transmission speed of the corresponding optimal intermediate node to slow down, when either the real-time CPU utilization or the real-time memory balance exceeds the corresponding preset threshold, the specific abnormal failure type of the optimal data channel can be predicted to be a channel network abnormality.

[0031] Optionally, generating the optimal data channel for the target data by combining the starting node and the destination node corresponding to the target data includes the following steps:

[0032] Obtain all intermediate nodes that have node connection relationships with the starting node and the destination node;

[0033] Based on the security policy of the intermediate nodes, secure intermediate nodes are selected from all the intermediate nodes;

[0034] Generate multiple secure links between the starting node and the destination node based on all the aforementioned secure intermediate nodes;

[0035] The average blocking rate of all the aforementioned secure links was calculated;

[0036] The secure link with the lowest average congestion rate is selected as the optimal data channel.

[0037] By adopting the above technical solution, the node connection relationship between all nodes in the security network is obtained through the network topology diagram of the security network. Then, all intermediate nodes with node connection relationships with the starting node and the destination node are found. After filtering by security policy configuration, the secure intermediate nodes among all intermediate nodes are selected. Then, based on the node connection relationship, all secure links that can transmit data from the starting node to the destination node are generated. Finally, the average congestion rate of all secure links is calculated, and the secure link with the lowest average congestion rate is selected as the best data channel.

[0038] Optionally, calculating the average blocking rate of all the secure links includes the following steps:

[0039] Calculate the node congestion rate of all the secure intermediate nodes in the secure link;

[0040] Determine whether the congestion rate of each node exceeds a preset congestion rate threshold.

[0041] If the node congestion rate exceeds the congestion rate threshold, then the node congestion rate exceeding the congestion rate threshold is taken as the average congestion rate of the corresponding secure link;

[0042] If the congestion rate of all nodes does not exceed the congestion rate threshold, then the average of the congestion rates of all nodes is calculated as the average congestion rate of the corresponding secure link.

[0043] By adopting the above technical solution, when the node blocking rate of a certain network node in a network transmission link is too high, it will affect the data transmission efficiency of the entire network transmission link. Therefore, when calculating the average blocking rate of a secure link, it is necessary to first determine whether the node blocking rate of each secure intermediate node in the secure link exceeds the preset blocking rate threshold. If there is a node blocking rate that exceeds the blocking rate threshold, then the blocking rate of that node is used as the average blocking rate of the corresponding secure link. If the blocking rates of all nodes do not exceed the blocking rate threshold, then the average of the blocking rates of all nodes is calculated as the average blocking rate of the corresponding secure link.

[0044] Optionally, determining whether the actual data channel is consistent with the optimal data channel includes the following steps:

[0045] Determine that the number of nodes in the optimal intermediate node of the optimal data channel is greater than or equal to 1;

[0046] If the number of nodes is equal to 1, then the consistency between the actual data channel and the optimal data channel is determined by whether the actual intermediate node in the actual data channel is the same as the optimal intermediate node.

[0047] If the number of nodes is greater than 1, then the number of identical nodes in the actual data channel and the optimal data channel is counted by comparing each node in the actual data channel with each node in the optimal data channel.

[0048] Calculate channel similarity based on the number of identical nodes and the number of nodes;

[0049] Determine whether the channel similarity exceeds a preset similarity threshold;

[0050] If the channel similarity exceeds the similarity threshold, then the actual data channel is determined to be consistent with the optimal data channel;

[0051] If the channel similarity does not exceed the similarity threshold, then it is determined that the actual data channel is inconsistent with the optimal data channel.

[0052] By adopting the above technical solution, the number of identical network nodes in the actual data channel and the optimal data channel can be obtained, and then the channel similarity between the actual data channel and the optimal data channel can be calculated. Finally, the consistency between the actual data channel and the optimal data channel can be determined by comparing the channel similarity with a preset similarity threshold.

[0053] Optionally, after marking all target data passing through the starting node in the security network, the following steps are also included:

[0054] The total amount of data of the starting node within the preset statistical time period is counted at preset statistical time intervals;

[0055] Obtain the response delay of the starting node within the preset time period;

[0056] Determine whether the response delay shows an increasing trend within the preset time period;

[0057] If the response latency shows an upward trend within the preset time period, then determine whether the total data volume shows a downward trend within the preset time period.

[0058] If the total amount of data shows a decreasing trend within the preset time period, it is predicted that the starting node has a node network failure.

[0059] By adopting the above technical solution, in the security network, the starting node may also have faults and anomalies. Therefore, the response delay and total data volume of the starting node within a preset time period can be obtained, and the data change trends of response delay and total data volume can be analyzed. When it is determined that the response time is on the rise and the total data volume is on the fall, it can be predicted that the starting node has a node network fault and anomaly.

[0060] Secondly, this application also provides a network security system for fault prediction based on intelligent analysis, including a processor and a memory, wherein the processor executes the method described in the first aspect when running computer instructions stored in the memory.

[0061] By adopting the above technical solution, through program retrieval, data passing through the starting node is randomly selected as target data to generate the optimal data channel for the target data in the security network. The actual data channel during the actual transmission process of the target data is monitored. When the optimal data channel and the actual data channel are inconsistent, it is possible to predict that the optimal data channel may subsequently experience abnormal failures. At this time, the historical data flow records and channel performance of the optimal data channel are obtained, and the abnormal failure type of the optimal data channel is predicted by combining the historical data flow records and channel performance. In subsequent fault warnings, the network administrator can be informed of the abnormal failure type of the optimal data channel, enabling the network administrator to carry out targeted abnormal failure handling, thereby shortening the abnormal failure handling time and enhancing the timeliness and security of the security network's abnormal handling.

[0062] In summary, this application includes the following beneficial technical effects:

[0063] By randomly selecting data passing through the starting node as target data, the optimal data channel for the target data in the security network is generated. The actual data channel during the actual transmission of the target data is monitored. When the optimal data channel and the actual data channel are inconsistent, it is possible to predict that the optimal data channel may subsequently experience abnormal failures. At this time, the historical data flow records and channel performance of the optimal data channel are obtained, and the abnormal failure type of the optimal data channel is predicted by combining the historical data flow records and channel performance. This allows the network administrator to know the abnormal failure type of the optimal data channel in subsequent fault warnings, enabling the network administrator to carry out targeted abnormal failure handling, thereby shortening the abnormal failure handling time and enhancing the timeliness and security of the security network during abnormal handling. Attached Figure Description

[0064] Figure 1 This is a flowchart illustrating one implementation of the network security method for fault prediction based on intelligent analysis, as described in this application.

[0065] Figure 2 This is a flowchart illustrating one implementation of the network security method for fault prediction based on intelligent analysis, as described in this application.

[0066] Figure 3 This is a flowchart illustrating one implementation of the network security method for fault prediction based on intelligent analysis, as described in this application.

[0067] Figure 4 This is a flowchart illustrating one implementation of the network security method for fault prediction based on intelligent analysis, as described in this application.

[0068] Figure 5This is a flowchart illustrating one implementation of the network security method for fault prediction based on intelligent analysis, as described in this application.

[0069] Figure 6 This is a flowchart illustrating one implementation of the network security method for fault prediction based on intelligent analysis, as described in this application.

[0070] Figure 7 This is a flowchart illustrating one implementation of the network security method for fault prediction based on intelligent analysis, as described in this application. Detailed Implementation

[0071] The following is in conjunction with the appendix Figures 1 to 7 This application will be described in further detail.

[0072] This application discloses a network security method for predicting faults based on intelligent analysis.

[0073] Reference Figure 1 The network security method based on intelligent analysis to achieve fault prediction includes the following steps:

[0074] S101. Mark all target data that passes through the starting node in the security network.

[0075] The starting node typically communicates directly with the external network outside the security network. There can be multiple starting nodes, and their definition depends on the network topology of the security network. If the network topology is a ring topology, the outermost node is defined as the starting node. If the network topology is a tree topology, the root node is defined as the starting node. The marked target data is randomly selected from all data passing through the starting nodes.

[0076] S102. Combine the starting node and the destination node corresponding to the target data to generate the optimal data channel for the target data.

[0077] The starting node can be used to obtain the destination node that the target data needs to reach. The destination node can be any network node in the security network. The optimal data channel can be generated based on the network topology of the security network and the node status of the network nodes between the starting node and the destination node. The target data has the highest transmission efficiency when transmitted in the security network according to the optimal data channel.

[0078] S103. Monitor the actual data channels of target data in the security network.

[0079] Since the target data has been marked, the actual data channel of the target data can be monitored based on the actual network nodes through which the target data passes in the security network.

[0080] S104. Determine whether the actual data channel is consistent with the optimal data channel. If the actual data channel is inconsistent with the optimal data channel, proceed to step S105.

[0081] If the determination result is that the actual data channel is consistent with the optimal data channel, no other operations will be performed.

[0082] S105. An abnormal fault is predicted in the optimal data channel.

[0083] If all network nodes in the optimal data channel are in normal condition, the target data will be distributed to the optimal network nodes in the security network. Therefore, the actual data channel that the target data passes through will be inconsistent with the optimal data channel only when the optimal data channel may have an abnormal failure.

[0084] S106. Obtain historical data flow records and channel performance of the optimal data channel.

[0085] Among them, the historical data flow record includes the historical data flow of all the best intermediate nodes in the best data channel, the channel performance includes the node configuration and real-time node status of all the best intermediate nodes, and the real-time node status includes real-time CPU utilization and real-time memory availability.

[0086] S107. Combine historical data flow records and channel performance to predict the abnormal fault types of the best data channel.

[0087] Among them, the abnormal fault types of the optimal data channel can be predicted by analyzing the historical data flow, node configuration, and real-time node status of all optimal intermediate nodes in the optimal data channel.

[0088] The implementation principle of one embodiment of this application is as follows:

[0089] By randomly selecting data passing through the starting node as target data, the optimal data channel for the target data in the security network is generated. The actual data channel during the actual transmission of the target data is monitored. When the optimal data channel and the actual data channel are inconsistent, it is possible to predict that the optimal data channel may subsequently experience abnormal failures. At this time, the historical data flow records and channel performance of the optimal data channel are obtained, and the abnormal failure type of the optimal data channel is predicted by combining the historical data flow records and channel performance. This allows the network administrator to know the abnormal failure type of the optimal data channel in subsequent fault warnings, enabling the network administrator to carry out targeted abnormal failure handling, thereby shortening the abnormal failure handling time and enhancing the timeliness and security of the security network during abnormal handling.

[0090] In one embodiment of this application, the historical data flow record includes the historical data flow of all optimal intermediate nodes in the optimal data channel, as referred to... Figure 2 Step S107 specifically includes the following steps:

[0091] S201. Obtain the arrival time of the target data when it reaches the destination node.

[0092] This allows for the retrieval of data reception records from the destination node and the retrieval of the arrival time of the target data at the destination node based on the tagging information of the target data.

[0093] S202. Obtain the real-time data flow of all optimal intermediate nodes in the optimal data channel at their arrival times.

[0094] This allows for the retrieval of data reception records from all optimal intermediate nodes in the optimal data channel, and the data flow size at the arrival time can be obtained from the data reception records as the real-time data flow volume.

[0095] S203. Calculate the real-time average data volume based on the real-time data flow of all optimal intermediate nodes.

[0096] The real-time data flow is obtained by summing the real-time data flow of all the best intermediate nodes, and then the real-time average data flow is calculated by dividing the real-time data flow by the number of the best intermediate nodes.

[0097] S204. Calculate the historical average data volume based on the historical data flow of all best intermediate nodes.

[0098] The historical data flow is the average historical data flow of network nodes at a certain moment. The total historical data flow is obtained by adding the historical data flow of all the best intermediate nodes. The average historical data flow of the best data channel can be calculated by dividing the total historical data flow by the number of the best intermediate nodes.

[0099] S205. Calculate the data volume difference by combining the real-time average data volume and the historical average data volume.

[0100] The difference in data volume is obtained by averaging the differences between the real-time average data volume and the historical average data volume.

[0101] S206. Determine whether the data difference exceeds the preset difference threshold. If the data difference exceeds the difference threshold, proceed to step S207.

[0102] If the determination result is that the data difference does not exceed the difference threshold, the abnormal fault type of the best data channel is predicted to be data distribution abnormality, which may be due to abnormal data distribution configuration of some of the best intermediate nodes in the best data channel.

[0103] S207. Predict the abnormal fault types of the optimal data channel based on channel performance.

[0104] The implementation principle of one embodiment of this application is as follows:

[0105] Since the transmission efficiency of any data channel in a security network remains essentially constant under normal conditions, the historical average data volume can be calculated by analyzing the historical data flow of all optimal intermediate nodes. The historical average data volume reflects the transmission efficiency of the optimal data channel at a given moment. Then, based on the arrival time of the target data at the destination node, the real-time data flow of all optimal intermediate nodes at the arrival time is obtained, and the real-time average data volume is calculated. By calculating the data difference between the real-time average data volume and the historical average data volume, the possible abnormal fault types of the optimal data channel can be predicted. If the data difference exceeds a preset difference threshold, further analysis of the abnormal fault types of the optimal data channel is needed based on the channel performance.

[0106] In one embodiment of this application, channel performance includes the node configuration of all optimal intermediate nodes and real-time node status. Real-time node status includes real-time CPU utilization and real-time memory availability. (Refer to...) Figure 3 Step S207 specifically includes the following steps:

[0107] S301. Verify that the node configuration of all optimal intermediate nodes is correct. If the node configuration is incorrect, proceed to step S302; if the node configuration is correct, proceed to step S303.

[0108] The node configuration includes node firewall configuration, node security policy configuration, etc. If the node configuration of any of the best intermediate nodes is incorrect, the result is that the node configuration is incorrect; if the node configuration of all the best intermediate nodes is correct, the result is that the node configuration is correct.

[0109] S302. The predicted abnormal fault type of the optimal data channel is an abnormal idle state caused by a configuration error.

[0110] In particular, because the best intermediate node in the best data channel is found to have a node configuration error, the best data channel will continue to experience data transmission failures during subsequent data transmission, which will lead to an abnormal idle state in which the data transmission volume of the best data channel is greatly reduced.

[0111] S303. Determine whether the real-time CPU utilization or real-time memory balance exceeds the corresponding preset threshold. If either the real-time CPU utilization or real-time memory balance exceeds the corresponding preset threshold, proceed to step S304. If neither the real-time CPU utilization nor the real-time memory balance exceeds the corresponding preset threshold, proceed to step S305.

[0112] Among them, the real-time CPU utilization and real-time memory balance of the best intermediate node are real-time data of the hardware device used to configure the best intermediate node. The real-time CPU utilization and real-time memory balance each have different preset thresholds. When the real-time CPU utilization exceeds the corresponding preset threshold or the real-time memory balance exceeds the corresponding preset threshold, the response speed and data transmission speed of the corresponding best intermediate node will slow down.

[0113] S304. The predicted fault type for the optimal data channel is channel network anomaly.

[0114] S305. The predicted abnormal failure type for the optimal data channel is data distribution abnormality.

[0115] Among them, data distribution anomalies may be caused by abnormal data distribution configurations of some of the best intermediate nodes in the best data channel.

[0116] The implementation principle of one embodiment of this application is as follows:

[0117] After predicting an abnormal failure in the optimal data channel, the specific type of abnormal failure can be further predicted based on the node configuration and real-time node status of all optimal intermediate nodes in the optimal data channel. First, verify whether the node configuration of all optimal intermediate nodes is incorrect. If the node configuration is correct, then determine whether the real-time CPU utilization and real-time memory balance in the real-time node status exceed the corresponding preset thresholds. Since exceeding the corresponding preset thresholds for real-time CPU utilization or real-time memory balance will slow down the response speed and data transmission speed of the corresponding optimal intermediate node, when either the real-time CPU utilization or real-time memory balance exceeds the corresponding preset threshold, the specific abnormal failure type of the optimal data channel can be predicted as a channel network anomaly.

[0118] In one embodiment of the present application, reference is made to Figure 4 Step S102 specifically includes the following steps:

[0119] S401. Obtain all intermediate nodes that have node connection relationships with the starting node and the destination node.

[0120] Specifically, the node connection relationships between all nodes in the security network are obtained based on the network topology diagram of the security network.

[0121] S402. Security policies based on intermediate nodes select secure intermediate nodes from all intermediate nodes.

[0122] S403. Generate multiple secure links between the starting node and the destination node based on all secure intermediate nodes.

[0123] In this system, the starting point of all security links is the starting node, and the ending point is the destination node.

[0124] S404. Calculate the average blocking rate of all secure links.

[0125] The average blocking rate of the secure link can be calculated by obtaining the node blocking rate of all secure intermediate nodes in the secure link, and then dividing the sum of all node blocking rates by the number of nodes in all secure intermediate nodes.

[0126] S405. Select the safest link with the lowest average congestion rate as the best data channel.

[0127] The implementation principle of one embodiment of this application is as follows:

[0128] The network topology diagram of the security network is used to obtain the node connection relationship between all nodes in the security network. Then, all intermediate nodes that have node connection relationship with the starting node and the destination node are found. After filtering by security policy configuration, the secure intermediate nodes among all intermediate nodes are selected. Then, based on the node connection relationship, all secure links that can transmit data from the starting node to the destination node are generated. Finally, the average congestion rate of all secure links is calculated, and the secure link with the lowest average congestion rate is selected as the best data channel.

[0129] In one embodiment of the present application, reference is made to Figure 4 Step S404 specifically includes the following steps:

[0130] S501. Calculate the node congestion rate of all secure intermediate nodes in the secure link.

[0131] The node blocking rate can be understood as the node occupancy rate of network nodes.

[0132] S502. Determine whether the blocking rate of each node exceeds the preset blocking rate threshold. If the blocking rate of a node exceeds the blocking rate threshold, proceed to step S503. If the blocking rate of all nodes does not exceed the blocking rate threshold, proceed to step S504.

[0133] S503. The blocking rate of nodes exceeding the blocking rate threshold is taken as the average blocking rate of the corresponding secure link.

[0134] S504. Calculate the average of the congestion rates of all nodes as the average congestion rate of the corresponding secure link.

[0135] The implementation principle of one embodiment of this application is as follows:

[0136] When the node blocking rate of a certain network node in a network transmission link is too high, it will affect the data transmission efficiency of the entire network transmission link. Therefore, when calculating the average blocking rate of a secure link, it is necessary to first determine whether the node blocking rate of each secure intermediate node in the secure link exceeds the preset blocking rate threshold. If there is a node blocking rate that exceeds the blocking rate threshold, then the blocking rate of that node is used as the average blocking rate of the corresponding secure link. If the blocking rates of all nodes do not exceed the blocking rate threshold, then the average of the blocking rates of all nodes is calculated as the average blocking rate of the corresponding secure link.

[0137] In one embodiment of the present application, reference is made to Figure 6 Step S104 specifically includes the following steps:

[0138] S601. Determine if the number of nodes in the best intermediate node in the best data channel is greater than or equal to 1. If the number of nodes is equal to 1, proceed to step S602; if the number of nodes is greater than 1, proceed to step S603.

[0139] Among them, the best intermediate node is all network nodes in the best data channel except for the starting node and the destination node.

[0140] S602. Determine whether the actual data channel and the optimal data channel are consistent based on whether the actual intermediate node in the actual data channel is the same as the optimal intermediate node.

[0141] Specifically, the consistency between the actual data channel and the optimal data channel is determined by whether the node addresses of the actual intermediate node and the optimal intermediate node are the same.

[0142] S603. By comparing each node in the actual data channel with the optimal data channel, the number of identical nodes in the actual data channel and the optimal data channel is counted.

[0143] One approach is to first obtain the node addresses of all network nodes in the actual data channel and the optimal data channel, and then compare the node addresses in the actual data channel with the node addresses in the optimal data channel one by one. Alternatively, one approach is to compare the node addresses in the optimal data channel with the node addresses in the actual data channel one by one. If the node addresses are found to be the same, the number of identical nodes is incremented by one.

[0144] S604. Calculate channel similarity based on the number of identical nodes and the number of nodes.

[0145] The channel similarity is obtained by dividing the number of identical nodes by the total number of nodes.

[0146] S605. Determine whether the channel similarity exceeds the preset similarity threshold. If the channel similarity exceeds the similarity threshold, proceed to step S606; if the channel similarity does not exceed the similarity threshold, proceed to step S607.

[0147] S606. Determine if the actual data channel is consistent with the optimal data channel.

[0148] S607. Determine if the actual data channel is inconsistent with the optimal data channel.

[0149] The implementation principle of one embodiment of this application is as follows:

[0150] The number of identical network nodes in the actual data channel and the optimal data channel can be obtained, and then the channel similarity between the actual data channel and the optimal data channel can be calculated. Finally, the consistency between the actual data channel and the optimal data channel can be determined by comparing the channel similarity with a preset similarity threshold.

[0151] In one embodiment of the present application, reference is made to Figure 7 Following step S101, the following steps are also included:

[0152] S701. Calculate the total amount of data of the starting node within the preset statistical time period at preset statistical time intervals.

[0153] The preset time period is less than or equal to the preset statistical time period. The timing of the statistical time period and the timing of the preset time period can overlap. Therefore, when the preset time period and the statistical time period are equal, the total amount of data of the starting node within the preset time period will be counted repeatedly. The total amount of data is the sum of the data sizes of all data that enter the security network through the starting node within the preset time period.

[0154] S702. Obtain the response delay of the starting node within a preset time period.

[0155] The response latency of the starting node within the preset time period includes the instantaneous response latency of the starting node at each time point within the preset time period.

[0156] S703. Determine whether the response delay shows an upward trend within a preset time period. If the response delay shows an upward trend within the preset time period, then execute step S704.

[0157] The process involves linearly fitting the instantaneous response delay of the starting node at various time points within a preset time period, calculating the slope of the linear fitting result, and determining whether the response delay shows an upward trend within the preset time period based on the slope. If the determination result is that the response delay does not show an upward trend within the preset time period, no further steps are performed.

[0158] S704. Determine whether the total data volume shows a downward trend within a preset time period. If the total data volume shows a downward trend within a preset time period, then execute step S705.

[0159] The process involves calculating the change in the total data volume at each time point within a preset time period, performing a linear fit on all data changes, and calculating the slope of the linear fit result. The slope is then used to determine whether the total data volume shows a downward trend within the preset time period. If the determination is that the total data volume does not show a downward trend within the preset time period, no further steps are performed.

[0160] S705. Predicts that the starting node has a network fault anomaly.

[0161] Since the response latency of the starting node is constantly increasing and the data transmission efficiency is constantly decreasing, it can be predicted that there is a node network failure in the starting node.

[0162] The implementation principle of one embodiment of this application is as follows:

[0163] In security networks, the starting node may also experience faults or anomalies. Therefore, it is possible to obtain the response latency and total data volume of the starting node within a preset time period, and analyze the data change trends of response latency and total data volume. When it is determined that the response time is on the rise and the total data volume is on the fall, it can be predicted that the starting node has a node network fault or anomaly.

[0164] This application also discloses a network security system for fault prediction based on intelligent analysis, including a processor and a memory. When the processor executes computer instructions stored in the memory, it performs actions such as... Figures 1 to 7 The method shown.

[0165] The implementation principle of this embodiment is as follows:

[0166] By retrieving data from the starting node and randomly selecting it as the target data, the optimal data channel for the target data in the security network is generated. The actual data channel during the actual transmission of the target data is monitored. When the optimal data channel and the actual data channel are inconsistent, it can be predicted that the optimal data channel may subsequently experience abnormal failures. At this time, the historical data flow records and channel performance of the optimal data channel are obtained, and the abnormal failure type of the optimal data channel is predicted by combining the historical data flow records and channel performance. This allows the network administrator to know the abnormal failure type of the optimal data channel in subsequent fault warnings, enabling the network administrator to carry out targeted abnormal failure handling, thereby shortening the abnormal failure handling time and enhancing the timeliness and security of the security network's abnormal handling.

[0167] The above are all preferred embodiments of this application, and are not intended to limit the scope of protection of this application. Therefore, all equivalent changes made in accordance with the structure, shape and principle of this application should be covered within the scope of protection of this application.

Claims

1. A network security method for fault prediction based on intelligent analysis, characterized in that, Includes the following steps: Mark all target data that passes through the starting node in the security network; The optimal data channel for the target data is generated by combining the starting node and the destination node corresponding to the target data. Monitor the actual data channel of the target data in the security network; Determine whether the actual data channel is consistent with the optimal data channel; If the actual data channel is inconsistent with the optimal data channel, it is predicted that the optimal data channel has an abnormal fault. Obtain historical data flow records and channel performance of the optimal data channel; Based on the historical data flow records and the channel performance, predict the abnormal fault types of the optimal data channel; The step of determining whether the actual data channel is consistent with the optimal data channel includes the following steps: Determine that the number of nodes in the optimal intermediate node of the optimal data channel is greater than or equal to 1; If the number of nodes is equal to 1, then the consistency between the actual data channel and the optimal data channel is determined by whether the actual intermediate node in the actual data channel is the same as the optimal intermediate node. If the number of nodes is greater than 1, then the number of identical nodes in the actual data channel and the optimal data channel is counted by comparing each node in the actual data channel with each node in the optimal data channel. Calculate channel similarity based on the number of identical nodes and the number of nodes; Determine whether the channel similarity exceeds a preset similarity threshold; If the channel similarity exceeds the similarity threshold, then the actual data channel is determined to be consistent with the optimal data channel; If the channel similarity does not exceed the similarity threshold, then it is determined that the actual data channel is inconsistent with the optimal data channel.

2. The network security method for fault prediction based on intelligent analysis according to claim 1, characterized in that, The historical data flow records include the historical data flow volume of all optimal intermediate nodes in the optimal data channel. The step of combining the historical data flow records and the channel performance to predict the abnormal fault types of the optimal data channel includes the following steps: Obtain the arrival time of the target data when it reaches the destination node; Obtain the real-time data flow of all optimal intermediate nodes in the optimal data channel at the arrival time; Calculate the real-time average data volume based on the real-time data flow of all the aforementioned optimal intermediate nodes; Calculate the historical average data volume based on the historical data flow of all the aforementioned optimal intermediate nodes; The data difference is calculated by combining the real-time average data volume and the historical average data volume; Determine whether the data difference exceeds a preset difference threshold; If the data difference exceeds the difference threshold, the abnormal fault type of the optimal data channel is predicted based on the channel performance.

3. A network security method for fault prediction based on intelligent analysis according to claim 2, characterized in that, The channel performance includes the node configuration and real-time node status of all the optimal intermediate nodes. The real-time node status includes real-time CPU utilization and real-time memory availability. Predicting the abnormal fault types of the optimal data channel based on the channel performance includes the following steps: Verify that the node configurations of all the aforementioned optimal intermediate nodes are correct; If the node is misconfigured, the predicted abnormal fault type of the optimal data channel is an abnormal idle state caused by misconfiguration. If the node configuration is correct, then determine whether the real-time CPU utilization or the real-time memory balance exceeds the corresponding preset threshold. If either the real-time CPU utilization or the real-time memory balance exceeds the corresponding preset threshold, the abnormal fault type of the optimal data channel is predicted to be channel network abnormality. If neither the real-time CPU utilization nor the real-time memory balance exceeds the corresponding preset threshold, then the abnormal fault type of the optimal data channel is predicted to be data distribution abnormality.

4. The network security method for fault prediction based on intelligent analysis according to claim 1, characterized in that, The process of generating the optimal data channel for the target data by combining the starting node and the destination node corresponding to the target data includes the following steps: Obtain all intermediate nodes that have node connection relationships with the starting node and the destination node; Based on the security policy of the intermediate nodes, secure intermediate nodes are selected from all the intermediate nodes; Generate multiple secure links between the starting node and the destination node based on all the aforementioned secure intermediate nodes; The average blocking rate of all the aforementioned secure links was calculated; The secure link with the lowest average blocking rate is selected as the optimal data channel.

5. A network security method for fault prediction based on intelligent analysis according to claim 4, characterized in that, The calculation of the average blocking rate of all the secure links includes the following steps: Calculate the node congestion rate of all the secure intermediate nodes in the secure link; Determine whether the congestion rate of each node exceeds a preset congestion rate threshold. If the node congestion rate exceeds the congestion rate threshold, then the node congestion rate exceeding the congestion rate threshold is taken as the average congestion rate of the corresponding secure link; If the congestion rate of all nodes does not exceed the congestion rate threshold, then the average of the congestion rates of all nodes is calculated as the average congestion rate of the corresponding secure link.

6. A network security method for fault prediction based on intelligent analysis according to claim 1, characterized in that, After marking all target data passing through the starting node in the security network, the following steps are also included: The total amount of data of the starting node within the preset statistical time period is counted at preset statistical time intervals; Obtain the response delay of the starting node within the preset time period; Determine whether the response delay shows an increasing trend within the preset time period; If the response latency shows an upward trend within the preset time period, then determine whether the total data volume shows a downward trend within the preset time period. If the total amount of data shows a decreasing trend within the preset time period, it is predicted that the starting node has a node network failure.

7. A network security system based on intelligent analysis to predict faults, characterized in that, It includes a processor and a memory, wherein the processor, when executing computer instructions stored in the memory, performs the method as described in any one of claims 1 to 6.